Dynamic SelfChecking Techniques for Improved Tamper Resistance

1
Dynamic Self-Checking Techniques for Improved
Tamper Resistance

• Bill Horne, Lesley Matheson, Casey Sheehan,
  Robert E. Tarjan
• STAR Lab, InterTrust Technologies

2
Introduction

• Self-checking (Self-validation or integrity
  checking)
• While running, checks itself
• Static
• Check its integrity only once, during start-up
• Dynamic
• Repeatedly verifies its integrity as it is
  running
• Another protection techniques
• Thwart reverse engineering
• Customization, obfuscation
• Thwart debuggers and emulators
• Watermarking, fingerprinting

3
Related Work

• Obfuscation
• To thwart reverse engineering
• Customization
• Create many very different versions
• Software watermarking
• Allow tracking of misused program copies
• Self-checking
• Tamper-proofing, integrity checking, and
  anti-tampering technology

4
Design Objectives

• Goal
• Eliminate single points of failure
• Functionality
• Comprehensive and Timely Dynamic Detection
• Separate, Flexible Response
• Modular Components
• Platform Independence
• Insignificant Performance Degradation
• Goal is to have no more than a 5 impact on
  performance
• Easy Integration
• Suitable for a Large Codebase

5
Threat Model (1/2)

• Discovery
• Static Inspection
• Stealthy and obfuscation
• Use of Debuggers and Similar Software Tools
• Detects standard debuggers and responds
  appropriately
• Detection of Reads into the Code
• Obfuscation
• Generalization
• Customization
• Collusion
• Corrector
• Inspection of Installation Patches
• Corrector

6
Threat Model (2/2)

• Disablement
• Modifying the Testers
• Redundant, overlapping coverage
• Modifying the Response Mechanism
• Need more robust tamper-response mechanism
• Modifying Correctors
• Multiple overlapping hash computations
• Temporary Modifications
• Minimize this thread

7
Algorithm Design

• Tester
• Interval L2 cache size
• Interleaved tasks
• Correctors and Intervals
• Tamper Response

8
Tester Design (1/2)

• Design Objectives
• Lightweight Hash Functions
• Multiple Hash Functions
• Summarizable Hash Functions
• Stealthy Testers
• Obfuscation, short tester
• Resistance to Auto-collusion
• Short customized testers
• Obfuscated Address Calculation
• Complex addressing modes
• Harmless to Development
• stamped

9
Tester Design (2/2)

• Tester Construction and Customization
• 2,916,864 distinct tester implementations
• Less than 50 bytes
• Tester Placement
• Source-level tester placement
• Profiling tools

10
Interval Construction

• Corrector Placement
• Uniform distribution
• Dead code
• Interval Definition
• Corrector nk-1
• Assignment of Testers to Intervals
• Random permutation