Tamper Resistant Software An Implementation By David Aucsmith, IAL “This paper describes a...

Click here to load reader

  • date post

  • Category


  • view

  • download


Embed Size (px)

Transcript of Tamper Resistant Software An Implementation By David Aucsmith, IAL “This paper describes a...

  • Slide 1

Tamper Resistant Software An Implementation By David Aucsmith, IAL This paper describes a technology for the construction of tamper resistant software. Presented by Weimin Yang 28 March 2001 Slide 2 Contents Overview Threat Model Design Principles Tamper Resistant Software Architecture Integrity Verification Kernel Interlocking Trust Slide 3 Overview Definition: Tamper resistant software is software which is resistant to observation and modification. Approach to develop tamper resistant software: Classify threat model Develop design principles Implement a set of tools Slide 4 Threat Model (I) Attack originates outside of the PC. Bounded by communication protocol Standard hacker attack. Best defended by correctly designed and implemented protocols and proper administration. Slide 5 Threat Model (II) Attack originates as software running on the platform. Bounded by operating system and BIOS Try to attack classes of software Virus or Trojan horse attack Slide 6 Threat Model (III) The perpetrator has complete control of the platform. Limited by technical expertise and financial resources. Raise a technological bar to providing poor return on their investment. Slide 7 Technological Bars To model(III) a.) Use standard debuggers and system diagnostic tools b.) Use special debuggers such as softIce c.) Use processor emulator and bus logic analyzers Slide 8 Design Principles Software to be tamper resistant must be immune from observation and modification, this require it contains secret component and ensure the recovery of that secret is difficult. Slide 9 Integrity Verification Kernel A small, armored segment of code which is designed to be included in a larger program and performs the following two functions: 1. Verifies the integrity of code segments or programs. 2. Utilizes five defenses: Interleaved tasks Distributed secrets Obfuscated code Installation unique modifications Non-deterministic behavior Slide 10 Installation unique modifications IVK is constructed at installation time. Each instance of program contains different IVK. To defend class attack. Slide 11 Interlocking Trust Integrity Verification Kernels System Integrity Program A program monitors the integrity of the security components of the computer system. Contains eIVK which has a known entry point Created at installation time Integrity Verification Protocol Used to establish a distributed trust environment. Slide 12 System overview Program1Program 2 Integrity Program IVK eIVKIVK 1a 1b 1c 2a 2b 2c Slide 13 Conclusion Based on analysis of threat model, author invent an Integrity Verification Kernel which hide secretes both in space and time. Further more, using interlocking mechanism make the secretes more difficult to be discovered. Slide 14 Why Installation unique modifications can be used to defend class attack? - Attacker may analysis a given program successfully but still cant predict any other program looks like. Slide 15