automated software protection for the masses against side
play

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL - PowerPoint PPT Presentation

Oct 06, 2023 •216 likes •535 views

Nicolas Belleville Damien Courouss Karine Heydemann Henri-Pierre Charles AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 | Belleville Nicolas INTRODUCTION Focus on power/EM based side channel

  1. Nicolas Belleville Damien Couroussé Karine Heydemann Henri-Pierre Charles AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 | Belleville Nicolas

  2. INTRODUCTION • Focus on power/EM based side channel attacks • Objective: solution usable by anybody (not only security experts) on any code (not only block ciphers) • Software countermeasures • Masking • Automated masking for ANY code is hard • Masking scheme depends on underlying code • Hard to be efficient in terms of execution time for any code • Hiding • Generic principle • Do not remove leakage, but make it harder to exploit | 2 PHISIC 2018 | Belleville Nicolas

  3. INTRODUCTION • Focus on power/EM based side channel attacks • Objective: solution usable by anybody (not only security experts) on any code (not only block ciphers) • Software countermeasures • Masking • Automated masking for ANY code is hard • Masking scheme depends on underlying code • Hard to be efficient in terms of execution time for any code • Hiding • Generic principle • Do not remove leakage, but make it harder to exploit Code polymorphism: ability to change the observable behaviour of a software component without changing its functional properties | 3 PHISIC 2018 | Belleville Nicolas

  4. CODE POLYMORPHISM USING SPECIALISED DYNAMIC CODE GENERATION • Objective: making the executed code vary → use a generator to regenerate the code regularly • Performs code transformations guided by randomness • Produces a different code at every generation • Generators are specialized • Each function to be secured has its own generator • A generator works on an assembly-level representation of the function • Code transformations related to this representation: • Instructions shuffling • Register shuffling • Semantic equivalent • Insertion of noise instructions | 4 PHISIC 2018 | Belleville Nicolas

  5. PROBLEMS TO ANSWER • How to write a generator? • Runtime code generation is usually expensive • Is specialization capable of lowering the cost? • Runtime code generation needs W and X permissions • Code size varies from one generation to another • Semantic equivalent • Insertion of noise instructions | 5 PHISIC 2018 | Belleville Nicolas

  6. AUTOMATIC APPLICATION OF CODE POLYMORPHISM • Objective: • Start from a C file • Produce a new C file with polymorphism countermeasure applied to target functions Main idea: For each targetted function: - get a sequence of instructions - construct a generator from that - modify the sequence of instructions dynamically | 6 PHISIC 2018 | Belleville Nicolas

  7. AUTOMATIC APPLICATION OF CODE POLYMORPHISM • Objective: • Start from a C file • Produce a new C file with polymorphism countermeasure applied to target functions int f_critical(int a, int b) { File.c int c = a^b; a = a+b; a = a % c; return a; } | 7 PHISIC 2018 | Belleville Nicolas

  8. AUTOMATIC APPLICATION OF CODE POLYMORPHISM • Objective: • Start from a C file • Produce a new C file with polymorphism countermeasure applied to target functions int f_critical(int a, int b) { File.c int c = a^b; a = a+b; a = a % c; User annotates critical functions return a; } | 8 PHISIC 2018 | Belleville Nicolas

  9. AUTOMATIC APPLICATION OF CODE POLYMORPHISM • Objective: • Start from a C file • Produce a new C file with polymorphism countermeasure applied to target functions #pragma odo_polymorphic int f_critical(int a, int b) { File.c int c = a^b; a = a+b; a = a % c; return a; } | 9 PHISIC 2018 | Belleville Nicolas

  10. AUTOMATIC APPLICATION OF CODE POLYMORPHISM • Objective: • Start from a C file • Produce a new C file with polymorphism countermeasure applied to target functions #pragma odo_polymorphic int f_critical(int a, int b) { File.c int c = a^b; a = a+b; User chooses the polymorphism a = a % c; configuration return a; } | 10 PHISIC 2018 | Belleville Nicolas

  11. AUTOMATIC APPLICATION OF CODE POLYMORPHISM • Objective: • Start from a C file • Produce a new C file with polymorphism countermeasure applied to target functions #pragma odo_polymorphic int f_critical(int a, int b) { File.c int c = a^b; a = a+b; File is compiled with our a = a % c; modified compiler return a; } | 11 PHISIC 2018 | Belleville Nicolas

  12. AUTOMATIC APPLICATION OF CODE POLYMORPHISM • Objective: code code_f[CODE_SIZE]; • Start from a C file void SGPC_f_critical() { • Produce a new C file with polymorphism countermeasure applied to target raise_interrupt_rm_X_add_W(code_f); functions reg_t r[] = {0,1,2,3,4,5,6,...,12,13,14,15}; push_T2_callee_saved_registers(); eor_T2(r[4], r[1], r[0]); add_T2(r[0], r[1], r[0]); sdiv_T2(r[1], r[0], r[4]); File.c mls_T2(r[0], r[1], r[4], r[0]); pop_T2_callee_saved_registers(); raise_interrupt_rm_W_add_X(code_f); } int f_critical(int a, int b) { if (SHOULD_BE_REGENERATED()) SGPC_f_critical(); return code_f(a, b); } | 12 PHISIC 2018 | Belleville Nicolas

  13. AUTOMATIC APPLICATION OF CODE POLYMORPHISM • Objective: code code_f[CODE_SIZE]; • Start from a C file void SGPC_f_critical() { • Produce a new C file with polymorphism countermeasure applied to target raise_interrupt_rm_X_add_W(code_f); functions reg_t r[] = {0,1,2,3,4,5,6,...,12,13,14,15}; push_T2_callee_saved_registers(); eor_T2(r[4], r[1], r[0]); add_T2(r[0], r[1], r[0]); sdiv_T2(r[1], r[0], r[4]); File.c mls_T2(r[0], r[1], r[4], r[0]); pop_T2_callee_saved_registers(); raise_interrupt_rm_W_add_X(code_f); } int f_critical(int a, int b) { if (SHOULD_BE_REGENERATED()) SGPC_f_critical(); return code_f(a, b); } | 13 PHISIC 2018 | Belleville Nicolas

  14. AUTOMATIC APPLICATION OF CODE POLYMORPHISM • Objective: code code_f[CODE_SIZE]; • Start from a C file void SGPC_f_critical() { • Produce a new C file with polymorphism countermeasure applied to target raise_interrupt_rm_X_add_W(code_f); functions reg_t r[] = {0,1,2,3,4,5,6,...,12,13,14,15}; push_T2_callee_saved_registers(); eor_T2(r[4], r[1], r[0]); add_T2(r[0], r[1], r[0]); sdiv_T2(r[1], r[0], r[4]); File.c mls_T2(r[0], r[1], r[4], r[0]); pop_T2_callee_saved_registers(); raise_interrupt_rm_W_add_X(code_f); } int f_critical(int a, int b) { if (SHOULD_BE_REGENERATED()) SGPC_f_critical(); return code_f(a, b); } | 14 PHISIC 2018 | Belleville Nicolas

  15. AUTOMATIC APPLICATION OF CODE POLYMORPHISM • Objective: code code_f[CODE_SIZE]; • Start from a C file void SGPC_f_critical() { • Produce a new C file with polymorphism countermeasure applied to target raise_interrupt_rm_X_add_W(code_f); functions reg_t r[] = {0,1,2,3,4,5,6,...,12,13,14,15}; push_T2_callee_saved_registers(); eor_T2(r[4], r[1], r[0]); add_T2(r[0], r[1], r[0]); sdiv_T2(r[1], r[0], r[4]); File.c mls_T2(r[0], r[1], r[4], r[0]); pop_T2_callee_saved_registers(); raise_interrupt_rm_W_add_X(code_f); } int f_critical(int a, int b) { if (SHOULD_BE_REGENERATED()) SGPC_f_critical(); return code_f(a, b); } | 15 PHISIC 2018 | Belleville Nicolas

  16. AUTOMATIC APPLICATION OF CODE POLYMORPHISM • Objective: code code_f[CODE_SIZE]; • Start from a C file void SGPC_f_critical() { • Produce a new C file with polymorphism countermeasure applied to target raise_interrupt_rm_X_add_W(code_f); functions reg_t r[] = {0,1,2,3,4,5,6,...,12,13,14,15}; push_T2_callee_saved_registers(); eor_T2(r[4], r[1], r[0]); add_T2(r[0], r[1], r[0]); sdiv_T2(r[1], r[0], r[4]); File.c mls_T2(r[0], r[1], r[4], r[0]); pop_T2_callee_saved_registers(); raise_interrupt_rm_W_add_X(code_f); } int f_critical(int a, int b) { if (SHOULD_BE_REGENERATED()) SGPC_f_critical(); return code_f(a, b); } | 16 PHISIC 2018 | Belleville Nicolas

  17. CODE TRANSFORMATIONS USED AT RUNTIME • Register shuffling ● Permutation among all equivalent registers • Instruction shuffling ● Shuffling of independent instructions (use/def register analysis) • Use of semantic equivalent ● Random choice between sequences of instructions equivalent to the original instructions ● Semantic equivalents available for a limited number of instructions ● Ex: a xor b <=> (a xor r) xor (b xor r) • Insertion of noise instructions ● Useless instructions among frequently used ones (xor, sub, load, add) ● A probability model determines the number of noise instructions to be inserted (possibly 0) ● One insertion in between each pair of original instructions | 17 PHISIC 2018 | Belleville Nicolas

  18. REMAINING PROBLEMS • Memory write and execute permissions ● Code generation → both write and execute permissions on a memory segment → could be exploited to mount an attack • Code size varies ● Allocated memory should be large enough ● But not too large! PHISIC 2018 | Belleville Nicolas

  19. MANAGEMENT OF MEMORY PERMISSIONS • W and X permissions required for dynamic code generation • Use the specialisation of generator to change permissions • For each secured function, only one generator allowed to write in allocated buffer • Interrupt raised to change memory permissions between W only and X only ● When generation begins: X only to W only ● When generation ends: W only to X only ● Interrupt handler knows which generator is associated with which memory zone | 19 PHISIC 2018 | Belleville Nicolas

Recommend

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS SIDE CHANNEL ATTACKS

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS SIDE CHANNEL ATTACKS

Nicolas Belleville 1 Damien Courouss 1 Karine Heydemann 2 1 Univ Grenoble Alpes, CEA, List, F-38000 Grenoble, France Henri-Pierre Charles 1 firstname.lastname@cea.fr 2 Sorbonne Universit, CNRS, LIP6, F-75005, Paris, France

715 views • 53 slides
Software Protection Evaluation Bjorn De Sutter ISSISP 2017 Paris 1 Software Protection

Software Protection Evaluation Bjorn De Sutter ISSISP 2017 Paris 1 Software Protection

Software Protection Evaluation Bjorn De Sutter ISSISP 2017 Paris 1 Software Protection Evaluation Four criteria (Collberg et al) Potency : confusion, complexity, manual effort Resilience : resistance against (automated) tools

839 views • 68 slides
Automated Segmentation of Suspicious Breast Masses from Ultrasound Images Viksit Kumar, Jeremy

Automated Segmentation of Suspicious Breast Masses from Ultrasound Images Viksit Kumar, Jeremy

Automated Segmentation of Suspicious Breast Masses from Ultrasound Images Viksit Kumar, Jeremy Webb, Adriana Gregory, Mostafa Fatemi, Azra Alizad GTC 2018, San Jose, USA SIGNIFICANCE Breast cancer is most common and leading cause of death in

303 views • 13 slides
Towards Automated Software Project Planning Extending Palladio for the Simulation of Software

Towards Automated Software Project Planning Extending Palladio for the Simulation of Software

KPD Symposium 2013 Position Paper Towards Automated Software Project Planning Extending Palladio for the Simulation of Software Processes Oliver Hummel &amp; Robert Heinrich sdq.ipd.kit.edu SOFTWARE DESIGN AND QUALITY GROUP INSTITUTE FOR

233 views • 11 slides
Searching for the Best Tests An Introduction to Automated Software Testing with

Searching for the Best Tests An Introduction to Automated Software Testing with

Searching for the Best Tests An Introduction to Automated Software Testing with Search-Based Techniques Gregory M. Kapfhammer Department of Computer Science Allegheny College March 31, 2015 Software is Everywhere Software is

1.71k views • 144 slides
Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad Ureche, Cristian Zamfir, George Candea School of Computer and Communication Sciences Automated Software Testing Automated Industrial Techniques

1.25k views • 59 slides
The Business Side of a Software Architect Tomer Peretz, Orbotech About Me Chief Software

The Business Side of a Software Architect Tomer Peretz, Orbotech About Me Chief Software

The Business Side of a Software Architect Tomer Peretz, Orbotech About Me Chief Software Architect at Orbotech Presidency member at ILTAM 2 | The business side of a software architect Orbotech in the Electronics Value Chain Today Flat

464 views • 24 slides
Lecture on Automated Software Engineering Alloy: Analyzing Software Requirements, Design and

Lecture on Automated Software Engineering Alloy: Analyzing Software Requirements, Design and

Lecture on Automated Software Engineering Alloy: Analyzing Software Requirements, Design and Algorithms Martin Monperrus, Ph.D. version of Oct 15, 2012 Creative Commons Attribution License Copying and modifying are authorized as long as

818 views • 34 slides
Aspects of neutrino masses Jessica Turner UCL 13 December 2019 Outline Neutrino masses and

Aspects of neutrino masses Jessica Turner UCL 13 December 2019 Outline Neutrino masses and

Aspects of neutrino masses Jessica Turner UCL 13 December 2019 Outline Neutrino masses and mixing Consequences of neutrino masses Neutrino masses from gravity, what has been done Neutrino masses from gravity: the Schwinger Dyson

741 views • 52 slides
S V V .lu software verification &amp; validation Automated Software Testing in Cyber-Physical

S V V .lu software verification &amp; validation Automated Software Testing in Cyber-Physical

S V V .lu software verification &amp; validation Automated Software Testing in Cyber-Physical Systems Lionel Briand NUS, Singapore, 2019 Dependable Breakfast 2 SnT Center: Mandate 3 SnT Center: Overview 101 M 287 employees 51

1.36k views • 94 slides
Automated Software Transplantation ( ISSTA 2015 ) Earl T. Mark Yue Alexandru Justyna Barr

Automated Software Transplantation ( ISSTA 2015 ) Earl T. Mark Yue Alexandru Justyna Barr

Automated Software Transplantation ( ISSTA 2015 ) Earl T. Mark Yue Alexandru Justyna Barr Harman Jia Marginean Petke CREST, University College London Justyna Petke Automated Software Transplantation Genetic Improvement of Software

418 views • 22 slides
Neutral Networks of Real-World Programs and their Application to Automated Software Evolution

Neutral Networks of Real-World Programs and their Application to Automated Software Evolution

Neutral Networks of Real-World Programs and their Application to Automated Software Evolution Eric Schulte Department of Computer Science University of New Mexico Albuquerque, NM July 2014 Neutral Networks and Automated Software Evolution

1.51k views • 147 slides
Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sbastien Bardin and Marie-Laure Potet SSTIC 2017 Topic Binary protection Virtualization-based software protection Automatic

933 views • 72 slides
Automated Software Testing with Inferred Program Properties Tao Xie Dept. of Computer Science

Automated Software Testing with Inferred Program Properties Tao Xie Dept. of Computer Science

Automated Software Testing with Inferred Program Properties Tao Xie Dept. of Computer Science &amp; Engineering University of Washington Joint work with David Notkin July 2004 Motivation Existing automated test generation tools are

638 views • 43 slides
Automated Software Transplantation Earl T. Mark Yue Alexandru Justyna Barr Harman Jia

Automated Software Transplantation Earl T. Mark Yue Alexandru Justyna Barr Harman Jia

Automated Software Transplantation Earl T. Mark Yue Alexandru Justyna Barr Harman Jia Marginean Petke CREST, University College London Alexandru Marginean Automated Software Transplantation Humies 2016 Why Autotransplantation?

1.06k views • 87 slides
Automated Software Transplantation Earl T. Mark Yue Alexandru Justyna Barr Harman Jia

Automated Software Transplantation Earl T. Mark Yue Alexandru Justyna Barr Harman Jia

Automated Software Transplantation Earl T. Mark Yue Alexandru Justyna Barr Harman Jia Marginean Petke CREST, University College London Alexandru Marginean Automated Software Transplantation Why Autotransplantation? ~100 players

593 views • 20 slides
SCAnDroid: Automated Side-Channel Analysis of Android APIs Raphael Spreitzer, Gerald Palfinger,

SCAnDroid: Automated Side-Channel Analysis of Android APIs Raphael Spreitzer, Gerald Palfinger,

S C I E N C E P A S S I O N T E C H N O L O G Y SCAnDroid: Automated Side-Channel Analysis of Android APIs Raphael Spreitzer, Gerald Palfinger, Stefan Mangard IAIK, Graz University of Technology, Austria WiSec 2018,

723 views • 17 slides
SOFTDRIVE.NL, SOFTDRIVE.NL, CVMFS FOR THE CVMFS FOR THE MASSES MASSES DENNIS VAN DOK DENNIS

SOFTDRIVE.NL, SOFTDRIVE.NL, CVMFS FOR THE CVMFS FOR THE MASSES MASSES DENNIS VAN DOK DENNIS

SOFTDRIVE.NL, SOFTDRIVE.NL, CVMFS FOR THE CVMFS FOR THE MASSES MASSES DENNIS VAN DOK DENNIS VAN DOK Generic Components of the eScience Infrastructure Ecosystem 14th IEEE eScience Conference Amsterdam, Monday 2018-10-29 1 GRID

815 views • 18 slides
Pancreatic Mass: Solid or Cystic? Solid Pancreatic masses Cystic pancreatic masses -

Pancreatic Mass: Solid or Cystic? Solid Pancreatic masses Cystic pancreatic masses -

Workshop -ROSE in EUS guided FNA of Pancreatic Lesions Guys Hospital, London, 16 April 2018 Laxmi Batav Imperial College NHS Trust Pancreatic Mass: Solid or Cystic? Solid Pancreatic masses Cystic pancreatic masses - Ductal

332 views • 11 slides
Automated Software Transplantation QRS 2016 Talk by Mark Harman PhD work by Alexandru Marginean

Automated Software Transplantation QRS 2016 Talk by Mark Harman PhD work by Alexandru Marginean

Automated Software Transplantation QRS 2016 Talk by Mark Harman PhD work by Alexandru Marginean Collaborators Earl Barr, Yue Jia, Justyna Petke CREST, University College London Automated Software Transplantation QRS 2016 Talk by Mark

430 views • 28 slides
MassBrowser Unblock cking the Censored Web fo for the Masses, by the Masses Milad Nasr, Hadi

MassBrowser Unblock cking the Censored Web fo for the Masses, by the Masses Milad Nasr, Hadi

MassBrowser Unblock cking the Censored Web fo for the Masses, by the Masses Milad Nasr, Hadi Zolfaghari, Amir Houmansadr, Amirhossein Ghafari University of Massachusetts, Amherst 1 Internet Censorship 2 Censorship Circumvention Tools 3

827 views • 30 slides
Software NFs The good: The fmexibility of software The software development cycle The bad: The

Software NFs The good: The fmexibility of software The software development cycle The bad: The

Automated Synthesis of Adversarial Workloads for Network Functions Luis Pedrosa, Rishabh Iyer, Arseniy Zaostrovnykh, Jonas Fietz, Katerina Argyraki N etwork A rchitecture L aboratory Software NFs The good: The fmexibility of software The

710 views • 54 slides
Neutrino Masses from TeV Scale New Physics -- Tests of Neutrino Masses at the LHC Mu-Chun Chen,

Neutrino Masses from TeV Scale New Physics -- Tests of Neutrino Masses at the LHC Mu-Chun Chen,

Neutrino Masses from TeV Scale New Physics -- Tests of Neutrino Masses at the LHC Mu-Chun Chen, University of California at Irvine GGI Whats Nu?, June 26, 2012 Theoretical Challenges (i) Absolute mass scale: Why m &lt;&lt; m u,d,e ?

543 views • 29 slides
CLARO Automated image enhancement Claro - automated - professional - software - to optimize

CLARO Automated image enhancement Claro - automated - professional - software - to optimize

CLARO Automated image enhancement Claro - automated - professional - software - to optimize your images; Claro analyzes file formats like - TIFF - GIF - PSD - BMP - PDF - JPG - PNG - Photoshop EPS Claro analyzes image

421 views • 13 slides

More recommend