The Use of Software-Based IntegrityChecks in Software Tamper

Resistance TechniquesGinger Myles

gmyles@us.ibm.com

IBM Almaden Research Center

[1]

Talk Overview

Integrity check overview

Use of integrity checks in tamper resistance techniques

Attack on integrity checks

[2]

Attack Model

Software executing on a potentially hostile host.

Adversary has full control over the software’s execution.

Adversary can use any program analysis tools to detectand circumvent the checks.

Executable

Benign

The Hackers Toolbox

⇐

⇐⇐⇒

[3]

Software Tamper Resistance

Detect that the program has been altered.

Cause the program to fail when tampering has beendetected.

[4]

Integrity Check Overview

What are they?A mechanism used to identify the integrity of theprogram and/or the environment in which it isexecuting.

Checker

Executable

⇒⇒

[5]

Integrity Check Overview

What are they?Static - integrity is checked only once during start-upDynamic - integrity is checked repeatedly as theprogram executes

Checker

Executable

⇒⇒

[6]

Integrity Check Overview

How are they used?Generally used as part of a larger tamper resistancescheme.

Assertion Check Based (BAD!) Use Based (Better)

ic = performCheck(); ic = performCheck();

if(ic != PREDICTED VALUE) {fail;} decryptSegment(ic, k);

[7]

Integrity Check Overview

Why are they used?Program integrity verification

Prevent license check removalProtect a watermark from damage or removal

Executable

CodeObfuscator

Executable

Watermark

Extractor ⇒?⇒⇓

⇒ ⇒

[8]

Integrity Check Overview

Why are they used?Environmental integrity verification

Detect the use of debuggers or emulators· Protect the keys embedded in DRM systems· Sensitive code that it is only decrypted for

execution

DisabledExecutable

Debugger

ExecutableDRM Protected

Debugger

⇒kk

⇒ ⇒

[9]

Program Integrity Verification

Code ChecksumProbably the oldest methodStraight forward implementationQuite efficient

Execution Executable

ic

ic

[10]

Program Integrity Verification

Code Checksum – The NegativesReading the code segment is generally atypical.

ExecutableExecution

ic

ic

ic

ic

[11]

Program Integrity Verification

Code Checksum – The NegativesHackers pinpoint checks through breakpoints orcode inspection.Only verifies static properties.

May not detect temporary instruction patches orother run-time attacks.

[12]

Program Integrity Verification

Oblivious Hashing [Chen et al., 2002]Dynamic - based on execution trace.Monitor both instructions and memory references.Compute hash value from execution trace.

Trace

SequenceInstruction

Memory

In

I1

I2

.

.

.

M1

Mn

M2

.

.

.

[13]

Program Integrity Verification

Oblivious HashingHashing locations must be extensive and spreadthroughout program.To protect a function all functions on thecalling-hierarchy must be protected.Trace should include memory references made byeach instruction and the instruction itself.

SequenceInstruction

Memory

h1

In

I1 M1

Mn

M2I2

.

.

.

.

.

.

hn

h2

[14]

Environment Integrity Verification

Detection of debuggers and other similar simulationtools

Use a checksum to detect a breakpoint.Measure elapsed time to execute a sequence ofinstructions.Look for tool specific hooks.

[15]

Environment Integrity Verification

The NegativesLevel of checksum granularity will effect success ofdetecting a breakpoint.Detection is tool specific.

[16]

Real Uses of Integrity Checks

Check and Guard System [Chang and Atallah, 2001]Network of guards.Each guard responsible for performing some type ofintegrity check.Protect each other and the program in aninterlocking fashion.Some guards can repair altered code.

C

[17]

Real Uses of Integrity Checks

Check and Guard SystemRepairing guard inserted prior to code.Checksumming guard inserted at a point when codewill be present in program image.Strongly connected guard graph increases theefforts required by the attacker.

C

[18]

Real Uses of Integrity Checks

Testers and Correctors [Horne et al., 2002]Collection of testers which each hash a singlecontiguous section of code.Testers are sprinkled throughout code and triggeredby normal program execution.

ExecutionExecutable

tester

tester

tester

tester

testertester

tester

[19]

Real Uses of Integrity Checks

Testers and Correctors [Horne et al., 2002]Compares hash value with correct value.Incorrect value triggers response mechanism viasimple function call.

[20]

Real Uses of Integrity Checks

Testers and CorrectorsEach hash interval contains a corrector.Corrector set to a value such that the interval hashesto a fixed value.

ExecutableExecution

tester

tester

tester

tester

tester

tester

tester

[21]

Real Uses of Integrity Checks

Branch-Based Tamper Resistance [Myles, Jin, 2005]Based on Branch Function obfuscation [Linn andDebray, 2003]:

Designed to disrupt static disassembly.Exploits assumption that a function call returns tothe instruction immediately following the callinstruction.Execution is rerouted through the branch function.The correct target is identified based on the calllocation.· T [h(ji)] = ti − ji

Return address on the stack is overwritten.

[22]

Real Uses of Integrity Checks

Branch-Based Tamper Resistance

Program Execution

Function

Branch Function

Key Storage

Branch

...

...

...

k0

k1

k2

Key: Link proper program execution and the keyevolution.

[23]

Real Uses of Integrity Checks

Branch-Based Tamper ResistanceIntegrity Check Branch Functions

1. Perform an integrity check of the program orenvironment producing the value vi.

2. Generate the next key using a secure one-wayhash function, the previous key, and the integritycheck value.

ki+1 = SHA1(vi, ki)3. Use ki+1 to identify the instruction where execution

will resume.

[24]

Real Uses of Integrity Checks

Branch-Based Tamper ResistanceIntegrity Check Branch Function Construction

Modified Application

key generation

integrity check

Integrity Check Branch Function

ICBF

Original Application

di+1 = T [h(ki+1)]

retnew = retold +di+1

f1

f2

f3

f1

f2

f3

+ ⇒

(vi, ki, AM)

viki

ki+1ki+1

[25]

Real Uses of Integrity Checks

Branch-Based Tamper ResistanceBranch Instruction Replacement

ICBF_1( )

submov

movaddmovjmp

addpopret

pushmovcmpcall

movaddmovjmp

movsubmov

movpushpushcall

addpopret

ICBF_1

ICBF_1

0

4

3

21

pushmovcmpjge

movpushpushcall

1

2

3

4

0

Modified Application

ICBF_2

ICBF_2

ICBF_1( )

Protected Application

ICBF_2( )

mov

f1

f2

f3

f1

d2 → k2

d1 → k1

⇒ ⇒

f2...

.

.

.

.

.

.

f3...

.

.

.

[26]

Real Uses of Integrity Checks

Branch-Based Tamper ResistanceAble to construct an intertwined network of ICBF’s

C

[27]

Attacks on Integrity Checks

Circumvention of self-hashing has been accomplishedon UltraSparc, x86, PowerPC, AMD64, and ARMarchitectures [van Oorschot et al., 2005].

Implicit assumption that a data read from memoryaddress x is the same as an instruction fetch from x.I(x) 6= D(x) will verify code that is never executedand the executed is never checked.Manipulate virtual to physical address mappingssuch that each virtual address refers to two differentphysical addresses

code references and data referencesDone through segmentation and translationlookaside buffers.

[28]

Wrap-up

We looked at a common type of integrity checkinghow it is used in real tamper resistance techniquesandhow it can be circumvented.

[29]

Wrap-up

Questions I’m considering:Is there hope for strictly software-based techniques?Is there a way we can determine the level ofprotection provided by the different types of integritychecks?

[30]

Wrap-up

Questions I’m considering:Is there hope for strictly software-based techniques?Is there a way we can determine the level ofprotection provided by the different types of integritychecks?

Begin building an incremental strength evaluationscheme for software tamper resistancetechniques.

[30]

Wrap-up

Questions I’m considering:Is there hope for strictly software-based techniques?Is there a way we can determine the level ofprotection provided by the different types of integritychecks?

Begin building an incremental strength evaluationscheme for software tamper resistancetechniques.With the Check and Guard system or theBranch-Based technique strength can becustomized or checks can be replaced oncediscovered they are breakable.

[30]

References

Protecting Software Code by Guards, Chang and Atallah, Proc. of 1stACM Workshop on Security and Privacy in Digital RightsManagement, 2001.

Oblivious Hashing: A Stealthy Software Integrity Verification Primitive,Chen, Venkatesan, Cary, Pang, Sinha, and Jakubowski, Proc. of 5thInternational Workshop on Information Hiding, 2002.

Towards Better Software Tamper Resistance, Jin and Myles, Proc. ofInformation Security: 8th International Conference, 2005.

Self-Validating Branch-Based Software Watermarking, Myles and Jin,Proc. of 7th International Workshop on Information Hiding, 2005.

Hardware-Assisted Circumvention of Self-Hashing Software TamperResistance, van Oorschot, Somayaji, and Wurster, IEEE Transactions onDependeble and Secure Computing, 2005.

[31]