
Proteus: Virtualization for Diversified Tamper-Resistance

This paper discusses Proteus, a virtualization technique for diversifying tamper-resistance in software, presented at the ACM Workshop on Digital Rights Management.





Presentation Transcript


  1. Proteus: Virtualization for Diversified Tamper-Resistance. Bertrand Anckaert (Ghent University, Belgium), Mariusz Jakubowski, Ramarathnam Venkatesan (Microsoft Research, USA). The 6th ACM Workshop on Digital Rights Management, October 30, 2006, Alexandria VA, USA.

  2. Tampering: Applications (figure of binary program code)

  3. It's tough to win a battle
     • Incentive goes beyond fame: software piracy: $31 billion; virtual space resort: $100,000; virtual sword: 1 human life; …
     • Cat and mouse game: the cracker usually gets the last word; protections have usually been broken relatively quickly

  4. Can we win the war? (figure of several binary program instances)

  5. Why not? What will keep a cracker from distributing the cracked program as a whole?
     • Requires more bandwidth
     • Software aging, tailored updates
     • Hardware dependencies
     • Contain private information
     • …

  6. Overview • Intro • Proteus: • Virtualization for • Diversified Tamper-Resistance

  7. Proteus: definition (From OED)

  8. Overview • Intro • Proteus, • Virtualization for • Diversified Tamper-Resistance

  9. Virtualization
     • Choose ISA and micro-architecture
     • Many degrees of freedom
     • Use freedom for diversity and tamper-resistance

  10. Overall design (figure): the ORIGINAL MSIL BINARY (easily decompiled) goes through the PROTEUS FRONTEND and PROTEUS BACKEND, driven by a VM DESCRIPTION, producing the RESULTING BINARY, which consists of a CUSTOM BYTECODE BINARY and a CUSTOM VM.

  11. Function stubification (figure): each method in the REWRITTEN MSIL BINARY becomes a stub that packs its arguments and calls into the CUSTOM VM (VM.dll), which executes the method from the CUSTOM BYTECODE BINARY; PC is the entry point of the function in the bytecode.

      // Stub for the program entry point
      public static void main(string[] args) {
          Object[] array = {args};
          InvokeVM(array, PC);   // PC: entry point of main in the custom bytecode
      }

      // Stub for an instance method: 'this' is passed as the first argument
      public Int32 foo(Int32 i, Int32 j) {
          Object[] array = {this, i, j};
          Object ret = InvokeVM(array, PC);
          return (Int32) ret;
      }

  12. Virtualization: Design Principles
     • Tamper-Resistant ISA: complicate analysis; prevent local modifications; make observation hard; …
     • Traditional ISAs: performance, compaction; portability, verifiability; automatic garbage collection; …
     (figure: Java Bytecode and MSIL, RISC, CISC and Our Bytecode compared by the complexity of an attack; do the two sets of goals conflict?)

  13. Virtualization: VM Operation (figure): the VM reads the CUSTOM BYTECODE BINARY at PC and runs

      while (true) { ExecuteIns }

      where ExecuteIns consists of Fetch, DecodeOpcode, DecodeOperands, EmulateIns and ManipulateMethodState. The CURRENT METHOD FRAME holds the Local Allocation, Local Variables, Arguments, the Evaluation Stack and the Caller.

  14. Virtualization: Choices. We get to design our own
     • ISA: instruction semantics (1); opcode encoding (2); operand encoding (3); fetch cycle (4); program representation and counter (5)
     • Micro-Architecture (6)

  15. Overview • Intro • Proteus, • Virtualization for • Diversified Tamper-Resistance
     • Instruction Semantics (1)
     • Opcode and Operand Encoding (2 & 3)
     • Fetch Cycle (4)
     • Program Representation and Counter (5)
     • Micro-Architecture (6)

  16. Choice: Instruction Semantics (1) (the VM operation figure of slide 13, with choices (1) to (6) marked and EmulateIns highlighted)

  17. Instruction Semantics (figure): at one end a SuperIns such as ldloc ldc sub stloc; at the other end μOps such as ldloc, newarr, add, pop, newobj, br, ldc, callvirt.

  18. Instruction Semantics: Tamper-Resistance
     • Semantic overlap
     • Limited instruction set
     • nop
     • Invertible jump conditions
     Tradeoff (figure: several copies of the sequence ldloc ldc sub stloc next to a SuperIns with the same effect, plus pop, illustrating semantic overlap)

  19. Choice: Opcode and Operand Encoding (2 & 3) (the VM operation figure of slide 13, with DecodeOpcode and DecodeOperands highlighted)

  20. Encoding Opcodes and Operands
     • Any prefix encoding
     • Tamper-resistant: physical overlap (unary encoding): 1: add, 01: mul, 001: sub, 0001: div; variable length
     • Tradeoff

  21. Variable Encoding
     • Encoding does not need to be constant
     • Instructions to reorder subtrees
     • Bit sequences get different meaning in different interpretation states
     • Semantic overlap
     (figure: a decode tree with a Root, edges labelled 0 and 1, and Leaves SUB, ADD, MUL, DIV)

  22. Choice: Fetch Filters (4) (the VM operation figure of slide 13, with Fetch highlighted)

  23. Fetch filters
     • Combine bit pattern with: program counter; other parts of the program; key; …

  24. Choice: Code Representation (5) (the VM operation figure of slide 13, with the CUSTOM BYTECODE BINARY and PC highlighted)

  25. Splay tree representation (figure): the method is split into blocks kept in a splay tree, shown in two states, SPLAY TREE (1) and SPLAY TREE (2), next to the LINEAR representation:

      int32 Fac(int32)
          ldarg.0
          ldc.i4.1
          bne.un.s        (to the recursive case below)
          ldc.i4.1
          ret
          ldarg.0
          ldarg.0
          ldc.i4.1
          sub
          call int32 Fac(int32)
          mul
          ret

      Blocks in the tree: 1: ldarg.0 ldc.i4.1 bne.un.s; 2: ldc.i4.1 ret; 3: ldarg.0 ldarg.0 ldc.i4.1 sub call; 4: mul ret. Edges labelled bne.un.s, br and call connect the blocks, and the tree is restructured between the two states.

  26. Choice: MicroArchitecture (6) (the VM operation figure of slide 13)
     • ISA determined
     • Determine MicroArchitecture
     • Combine code and auto-generate code
     • Diversify result

  27. Heuristic Benefits
     • Complicate analysis: custom bytecode language; variable instruction length; variable encoding
     • Complicate local modifications: semantic overlap; physical overlap
     • Complicate global modifications (blur the distinction between code, data and addresses)
     • Complicate observing the execution: constant relocation of the code/data

  28. Ultimate goal: prevent class attacks. Sufficient Diversification: Complexity of converting the attack to another instance ≥ Complexity of attacking the other instance from scratch

  29. Sufficient Diversification (figure: two binary program instances and the ≥ relation from slide 28, with an added + term)
     • A chain is as strong as its weakest link
     • If attacking an instance from scratch is easier than converting an existing attack, the weakest link is the tamper-resistance and not the diversification

  30. Conclusion
     • Virtualization gives us the freedom to choose the ISA and MicroArchitecture
     • This choice can be used for diversity and tamper-resistance
     • And hopefully leads to a provable degree of protection

  31. Questions?
