Systems Security: Countermeasures II Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands June 21, 2018
Outline 1 Masking Countermeasure 2 Control Flow Integrity 3 Intrusion Detection 2 / 22
Rotating S-box Masking (RSM) Countermeasure ❼ A relatively simple and efficient countermeasure. ❼ S-boxes are implemented in ROM. ❼ Secure against VPA, CPA, and resilient against MIA. 3 / 22
RSM – Nonlinear Part ❼ Select randomly 16 8-bit constants m 0 − 15 . x ′ = x ⊕ m . (1) ❼ 16 rotating S-boxes S ′ 0 − 15 ( x ′ ) . ❼ Such S-boxes contain a mechanism to unmask the input data, perform the basic S ( x ) (where x is an 8-bit unmasked data) and remask it. S ′ j ( x ′ ) = S ( m j ⊕ x ′ ) ⊕ m j + 1 mod 16 , j ∈ [ 0 , 15 ] . (2) SB ′ j ( x ′ ) = SB ( M j ⊕ X ′ ) ⊕ M j + 1 mod 16 , ∀ j ∈ [ 0 , 15 ] . (3) ❼ At each step, S B ′ unmasks the value, performs SB and then remasks with M j + 1 . ❼ The order of using constants is always the same. 4 / 22
RSM – Linear Part ❼ From 16 8-bit masks, create five sets of 16 128-bit constants. ❼ The first set are constants M 0 − 15 where M 0 = m o , m 1 ,... m 15 . ❼ The second set of constants are MMS j = MC ○ SR ( M j ) ⊕ M j , ∀ j ∈ [ 0 , 15 ] . ❼ The third set of constants are MS j = SR ( M j ) , ∀ j ∈ [ 0 , 15 ] . ❼ The fourth and fifth sets of constants are the same to the previous two but with inverse functions. 5 / 22
RSM – All Together ❼ Mask input with mask X ′ 1 = X ⊕ M j . ❼ After S-box, X ′ sbox = SB ( X ) ⊕ M j + 1 . ❼ To mask linear parts, we need only XOR. ❼ Simultaneously unmask the data at the end of each round and remask with new constant. X ′ 2 = MC ○ SR ( SB ( X ) ⊕ M j + 1 ) ⊕ K round . (4) = MC ○ SR ( SB ( X )) ⊕ MC ○ SR ( M j + 1 ) ⊕ K round . (5) ❼ Now we XOR this value with MMS j 6 / 22
RSM – All Together ❼ For the final round, since there is no MC operation, we have SR ( SB ( X ) ⊕ M j + 14 mod 16 ) ⊕ K round , j ∈ [ 0 , 15 ] . (6) ❼ That value is unmasked with the constants from the third set MS j . 7 / 22
Outline 1 Masking Countermeasure 2 Control Flow Integrity 3 Intrusion Detection 8 / 22
Control Flow Integrity ❼ Ideally, Control Flow Integrity (CFI) prevents flows of control that were not intended by the original program (control flow hijacking). ❼ Control flow hijacking – attacker can exploit memory corruption to redirect the control flow to an arbitrary memory location. ❼ Languages providing complete memory and type safety generally do not need to be protected by CFI. 9 / 22
Control Flow Integrity ❼ Every instruction that is the target of legitimate control flow transfer has a unique ID. ❼ Checks are inserted before control flow instructions so only valid targets are allowed. ❼ CFI will cause non-negligible performance overhead due to the introduced checks. ❼ To improve the performance, sometimes we can reduce the number of IDs in the program (note, this will affect the precision). 10 / 22
Control Flow Integrity ❼ Conceptually, most CFI follow the following process: 1 Analysis phase where Control Flow Graph (CFG) is constructed. This graph approximates the set of legitimate control flow transfers. 2 Enforcement phase where during the runtime CFG is used to ensure that all executed branches correspond to edges of CFG. 11 / 22
Analysis Phase ❼ CFG is computed by analyzing either the source code or binary of a program. ❼ Here, limitations of static program analysis can lead to over-approximation of control flow transfers. ❼ As a result, some nonessential edges are included in CFG. ❼ The CFG cannot be perfectly precise for nontrivial programs. 12 / 22
Enforcement Phase ❼ Ensure that control flow transfers which are potentially controlled by an attacker correspond to edges in the CFG produced by the analysis phase. ❼ Control flow transfer can be divided into: 1 Forward control flow transfers – those that move control to a new location inside a program. 2 Backward control flow transfers – those that return control to a prior location inside a program. 13 / 22
Forward Control Flow Transfers ❼ Direct jump – a jump to a constant, statically determined target address. Most local control flow, such as loops or if-then-else cascaded statements, use direct jumps to manage control. ❼ Direct call – a call to a constant, statically determined target address. Static function calls, for example, use direct call instructions. ❼ Indirect jump – a jump to a computed, i.e., dynamically determined target address. Example is switch-case statements using a dispatch table. ❼ Indirect call – call to a computed, i.e., dynamically determined target address. 14 / 22
Indirect Calls ❼ Function pointers – often used to emulate object-oriented method dispatch in classical record data structures, or for passing callbacks to other functions. ❼ vtable dispatch – the preferred way to implement dynamic dispatch to C++ methods. A C++ object keeps a pointer to its vtable, a table containing pointers to all virtual methods of its dynamic type. ❼ Smalltalk-style send-method dispatch – requires a dynamic type look-up. Such a dynamic dispatch using a send-method in Smalltak, Objective-C, or JavaScript requires walking the class hierarchy (or the prototype chain in JavaScript) and selecting the first method with a matching identifier. 15 / 22
Outline 1 Masking Countermeasure 2 Control Flow Integrity 3 Intrusion Detection 16 / 22
Intrusion Detection ❼ Systems that automatically detect intrusions into computer systems. ❼ Network intrusion detection systems (NIDS). ❼ Host-based intrusion detection systems (HIDS). ❼ If a system has ability to respond to intrusion, we call it intrusion prevention system. 17 / 22
Intrusion Detection ❼ Detect malicious activities. ❼ Raise alarms. ❼ Log events. ❼ React to attacks. 18 / 22
Network Intrusion Detection System ❼ Monitor traffic to and from devices in the network. ❼ Such systems can be online and offline. 19 / 22
Host-based Intrusion Detection System ❼ Runs on individual hosts or devices in the network. ❼ A host-based system has the ability to monitor key system files and any attempt to overwrite these files. 20 / 22
Signature-based Intrusion Detection ❼ Detect attacks by looking for specific patterns. ❼ Excellent technique for known attacks but may not work for new attacks. ❼ It is fast, lightweight, and has low false positive rate. ❼ SNORT – real-time traffic analysis and packet logging. ❼ Aho-Corasick algorithm. 21 / 22
Anomaly-based Intrusion Detection ❼ Automatic forming of “normal” behavior. ❼ Machine learning techniques to create model of “normal” behavior. ❼ Compare such models with the new observations. ❼ Since new behavior is likely to be detected as attack, often we have problem with false positives. 22 / 22
Recommend
More recommend