Software-based Integrity Protection Flashcards

1
Q

What is the definition of a MATE attacker?

A

MATE refers to a class of the attackers whose access extends to the environment on which software is being executed, thus they can tamper with the program’s logic, interfere with their execution, extract and manipulate their sensitive data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are pre and post distribution elements of an integrity protection system?

A

pre distribution:
- compute invariants

post distribution

  • monitor
  • detect
  • respond
  • secure storage
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

how does software based integrity protection realize the elements of an integrity protection system?

A
  • Protection operations need to be shipped into the desired program
  • Such operations need to be obfuscated to resist against potential attacks
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

how does hardware based integrity protection realize the elements of an integrity protection system?

A
  • A dedicated security hardware module undertakes protection operations
  • operation integrity is guaranteed (hardened)
  • dedicated security utilities such as cryptographic operations, secure data provisioning, remote attestation are provided
  • users can implement own desired operations atop the hardware
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What are pros and cons of software based integrity protection?

A

pros:

  • applicable almost to any problem context
  • no dependency to hardware

cons:
- hard to implement and deploy
- hard to quantify security
- secure until broken

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are pros and cons of hardware based integrity protection?

A

pros:

  • easier to deploy
  • offer an acceptable security

cons:

  • hardware needed
  • vendor lock-in
  • side-channel attacks
  • special equipment can bypass
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Describe Chang and Atallah’s Self-Checksumming Scheme

A

Idea: Augment the program with functions that compute hashes over code regions to compare to expected values

Hardening 1: Construct a network of checkers and responders so that checkers check each other and responders repair tampered regions (or provide some kind of reaction)

Hardening 2: Hide hash numbers so they won’t give away the location of checkers, blend the response mechanism with the program logic

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What are cyclic checkers and how are they set up?

A
  • checkers check themselves in a cycle
  • challenge: precomputing hash values in cycles
  • solution: utilize place holder patching to close the cycle
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Describe an attack on Chang and Atallah’s Self-Checksumming scheme + possible countermeasures

A
  1. Use pattern matching to detect checker
  2. Patch conditions
  3. Precompute jumps (hardening 2!)
    Countermeasures: obfuscation, cyclic checking
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Describe the “generic attack against self-hashing algorithms”

A
  • Copy program P to P_orig
  • Modify P as desired to a hacked version P’
  • Modify the kernel such that data reads are directed to P_orig, instruction reads to P’ (Split TLB attack: I-TLB, D-TLB)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Describe a countermeasure against the “generic attack against self-hashing algorithms”

A

Self-modifying code: If the fetch and read memories are disjoint, the unmodified code will be executed! -> “Self modification guards”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Describe another generic attack on self-checksumming protections

A

Guards follow a predictable routine:

  • instantiate hash variable
  • self read and modify hash variable
  • branch condition on hash value

Use a combination of backward and forward taint analysis to detect SC guards:

  • backward taint: code read/written by instruction? locate source
  • forward taint: locate usages in instruction operands
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What are pros and cons of self-checksumming techniques?

A

pros:
- potentially 100% coverage

cons:

  • architecture dependent
  • memory split attack
  • taint-based attack
  • pattern matching attacks
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What is the idea behind State inspection?

A

Check the integrity of computation instead of code (-> self-checksumming)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What are some parts of program state that have been used for state inspection?

A
  • function return values
  • stack trace
  • hardware performance counters
  • execution trace hash
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

How does Stlns4CS work?

A
  • Instantiate target class
  • Invoke method
  • Check result against known value
  • Cycles in checking and execution by checking if a particular function is already in the stack trace before executing a check
17
Q

How does protection against changeware by stack trace verification work?

A
  • check stack traces at given points in program

- only allow legitimate stack traces

18
Q

How does protection based on hardware performance counters work?

A

phase1

  • capture HPC profiling information
  • detect equations and hidden relations using Eurequa
  • inject verifiers with a threshold

phase2

  • collect runtime information
  • evaluate equations
  • respond
19
Q

What is the idea of oblivious hashing?

A

Verify integrity of computation by hashing execution traces (instruction sequence + memory references)

20
Q

What is a major limitation of oblivious hashing?

A

It only works for input independent computations

21
Q

What are data dependent instructions (DDI)?

A

Instructions where at least one operand depends on input data

22
Q

What are control flow dependent instructions (CFDI)?

A

Instructions where the condition leading to a branch the instruction resides in depends on input data

23
Q

What are data independent instructions (DII)?

A

Instructions that are control flow dependent (CFDI) but not data dependent (DDI)

24
Q

What is the idea behind short range oblivious hashing (SROH)?

A

Extend OH to protect data independent instructions (DII):

Some blocks in a CFG are executed if and only if a sequence of mutually adjacent blocks have been executed before - and these form a path.
-> protect data independent instructions in those paths

Intuition: if some block was executed, which predecessor block(s) must have been executed as well?

  • > we introduce one hash variable for each fo these paths
  • instantiate variable at start of path
  • verify at end of path
25
Q

How can we compose the two different type of software integrity protections?

A

SC guards are data-independent hence either OH or SROH can protect them

  • > protect SC guards with OH / SROH
  • > protect rest with SC
26
Q

What is the motivation behind VirtSC?

A

SC has problems:

  • awkwardness of installing, patching placeholders (architecture dependent, hinders obfuscation, limits other protections)
  • awkwardness of self-modifying code
27
Q

How does VirtSC work? What are the benefits?

A

Compose Virtualization obfuscation and SC

  • improved composability with other protections
  • no self-modifying code -> better stealth