Software-based Integrity Protection

Question 1

What is the definition of a MATE attacker?

Answer 1

MATE refers to a class of the attackers whose access extends to the environment on which software is being executed, thus they can tamper with the program’s logic, interfere with their execution, extract and manipulate their sensitive data.

Question 2

What are pre and post distribution elements of an integrity protection system?

Answer 2

pre distribution:
- compute invariants

post distribution

• monitor
• detect
• respond
• secure storage

Question 3

how does software based integrity protection realize the elements of an integrity protection system?

Answer 3

• Protection operations need to be shipped into the desired program
• Such operations need to be obfuscated to resist against potential attacks

Question 4

how does hardware based integrity protection realize the elements of an integrity protection system?

Answer 4

• A dedicated security hardware module undertakes protection operations
• operation integrity is guaranteed (hardened)
• dedicated security utilities such as cryptographic operations, secure data provisioning, remote attestation are provided
• users can implement own desired operations atop the hardware

Question 5

What are pros and cons of software based integrity protection?

Answer 5

pros:

• applicable almost to any problem context
• no dependency to hardware

cons:
- hard to implement and deploy
- hard to quantify security
- secure until broken

Question 6

What are pros and cons of hardware based integrity protection?

Answer 6

pros:

• easier to deploy
• offer an acceptable security

cons:

• hardware needed
• vendor lock-in
• side-channel attacks
• special equipment can bypass

Question 7

Describe Chang and Atallah’s Self-Checksumming Scheme

Answer 7

Idea: Augment the program with functions that compute hashes over code regions to compare to expected values

Hardening 1: Construct a network of checkers and responders so that checkers check each other and responders repair tampered regions (or provide some kind of reaction)

Hardening 2: Hide hash numbers so they won’t give away the location of checkers, blend the response mechanism with the program logic

Question 8

What are cyclic checkers and how are they set up?

Answer 8

• checkers check themselves in a cycle
• challenge: precomputing hash values in cycles
• solution: utilize place holder patching to close the cycle

Question 9

Describe an attack on Chang and Atallah’s Self-Checksumming scheme + possible countermeasures

Answer 9

1. Use pattern matching to detect checker
2. Patch conditions
3. Precompute jumps (hardening 2!)
   Countermeasures: obfuscation, cyclic checking

Question 10

Describe the “generic attack against self-hashing algorithms”

Answer 10

• Copy program P to P_orig
• Modify P as desired to a hacked version P’
• Modify the kernel such that data reads are directed to P_orig, instruction reads to P’ (Split TLB attack: I-TLB, D-TLB)

Question 11

Describe a countermeasure against the “generic attack against self-hashing algorithms”

Answer 11

Self-modifying code: If the fetch and read memories are disjoint, the unmodified code will be executed! -> “Self modification guards”

Question 12

Describe another generic attack on self-checksumming protections

Answer 12

Guards follow a predictable routine:

• instantiate hash variable
• self read and modify hash variable
• branch condition on hash value

Use a combination of backward and forward taint analysis to detect SC guards:

• backward taint: code read/written by instruction? locate source
• forward taint: locate usages in instruction operands

Question 13

What are pros and cons of self-checksumming techniques?

Answer 13

pros:
- potentially 100% coverage

cons:

• architecture dependent
• memory split attack
• taint-based attack
• pattern matching attacks

Question 14

What is the idea behind State inspection?

Answer 14

Check the integrity of computation instead of code (-> self-checksumming)

Question 15

What are some parts of program state that have been used for state inspection?

Answer 15

• function return values
• stack trace
• hardware performance counters
• execution trace hash

Question 16

How does Stlns4CS work?

Answer 16

• Instantiate target class
• Invoke method
• Check result against known value
• Cycles in checking and execution by checking if a particular function is already in the stack trace before executing a check

Question 17

How does protection against changeware by stack trace verification work?

Answer 17

• check stack traces at given points in program

- only allow legitimate stack traces

Question 18

How does protection based on hardware performance counters work?

Answer 18

phase1

• capture HPC profiling information
• detect equations and hidden relations using Eurequa
• inject verifiers with a threshold

phase2

• collect runtime information
• evaluate equations
• respond

Question 19

What is the idea of oblivious hashing?

Answer 19

Verify integrity of computation by hashing execution traces (instruction sequence + memory references)

Question 20

What is a major limitation of oblivious hashing?

Answer 20

It only works for input independent computations

Question 21

What are data dependent instructions (DDI)?

Answer 21

Instructions where at least one operand depends on input data

Question 22

What are control flow dependent instructions (CFDI)?

Answer 22

Instructions where the condition leading to a branch the instruction resides in depends on input data

Question 23

What are data independent instructions (DII)?

Answer 23

Instructions that are control flow dependent (CFDI) but not data dependent (DDI)

Question 24

What is the idea behind short range oblivious hashing (SROH)?

Answer 24

Extend OH to protect data independent instructions (DII):

Some blocks in a CFG are executed if and only if a sequence of mutually adjacent blocks have been executed before - and these form a path.
-> protect data independent instructions in those paths

Intuition: if some block was executed, which predecessor block(s) must have been executed as well?

• > we introduce one hash variable for each fo these paths
• instantiate variable at start of path
• verify at end of path

Question 25

How can we compose the two different type of software integrity protections?

Answer 25

SC guards are data-independent hence either OH or SROH can protect them

• > protect SC guards with OH / SROH
• > protect rest with SC

Question 26

What is the motivation behind VirtSC?

Answer 26

SC has problems:

• awkwardness of installing, patching placeholders (architecture dependent, hinders obfuscation, limits other protections)
• awkwardness of self-modifying code

Question 27

How does VirtSC work? What are the benefits?

Answer 27

Compose Virtualization obfuscation and SC

• improved composability with other protections
• no self-modifying code -> better stealth