Using Logic-Based Reduction for Adversarial Component ...
Transcript of Using Logic-Based Reduction for Adversarial Component ...
![Page 1: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/1.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 1
Air Force Institute of Technology
Using Logic-Based Reduction for
Adversarial Component Recovery*
J. Todd McDonald, Eric D. Trias, Yong C. Kim,
and Michael R. Grimaila
Center for Cyberspace Research
Air Force Institute of Technology
WPAFB, OH
*The views expressed in this article are those of the authors and do not reflect the official policy
or position of the United States Air Force, Department of Defense, or the U.S. Government
![Page 2: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/2.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 2
Outline
• Protection Context
• Polymorphic Variation as Protection
• Hiding Properties of Interest
• Framework and Experimental Results
![Page 3: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/3.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 3
Protection Context
• Embedded Systems / “Hardware” • Increasingly represented as reprogrammable logic (i.e., software!)
• We used to like hardware because it offered “hard” solutions for protection (physical anti-tamper, etc.)
• Our beginning point: what happens if hardware-based protections fail? • Hardware protection: I try to keep you from physically getting the
netlist/machine code
• Software protection: I give you a netlist/machine code listing and ask you questions pertaining to some protection property of interest
• Protection/exploitation both exist in the eye of the beholder
![Page 4: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/4.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 4
Protection Context
• Critical military / commercial systems vulnerable to
malicious reverse engineering attacks • Financial loss
• National security risk
• Reverse Engineering and
Digital Circuit Abstractions
![Page 5: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/5.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 5
Polymorphic Variation as Protection
• Experimental Approach:
• Consider practical / real-world /
theoretic circuit properties related to
security
• Use a variation process to create
polymorphic circuit versions
• Polymorphic = many forms of circuits
with semantically equivalent or
semantically recoverable functionality
• Characterize algorithmic effects:
• Empirically demonstrate properties
• Prove as intractable
• Prove as undecidable
![Page 6: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/6.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 6
Two Roads Met in the Woods…
and I Went Down Both…
Semantic
Changing Semantic
Preserving
Black-Box Refinement
Semantic Transformation
Polymorphic Generation
Polymorphic Generation
Program Encryption
Random Program Model
Obfuscation
What can I prove / not prove
under RPM?
What can I measure?
What can I characterize?
What are the limits if I am only
allowed to retain functionality?
![Page 7: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/7.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 7
Defining Obfuscation
• Since we can’t hide all information leakage….
• Can we protect intent?
• Tampering with code in order to get specific results
• Manipulating input in order to get specific results
• Correlating input/output with environmental context
• Can we impede identical exploits on functionally equivalent versions?
• Can we define and measure any useful definition of hiding short of absolute proof and not based solely on variant size?
![Page 8: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/8.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 8
Hierarchy of Obfuscating
Transforms
Functional Hiding
Control Hiding
Component Hiding
Signal Hiding
Topology Hiding (Gate Replacement)
Logical
View
Physical
Manifestation
Side Channel Properties
![Page 9: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/9.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 9
Polymorphic Variation as Protection
Algorithm and Variant Characterization:
Selection:
1) Random
2) Deterministic
3) Mixture
Replacement
1) Random
2) Deterministic
3) Mixture
![Page 10: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/10.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 10
Framework and Experimental Results
• When does (random/deterministic) iterative selection and replacement:
1) Manifest hiding properties of interest?
2) Cause an adversarial reverse engineering task to become intractable or undecidable?
• What role does logic reduction and adversarial reversal play in the outcome (ongoing)
• Are there circuits which will fail despite the best variation we can produce? (yes)
![Page 11: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/11.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 11
Components
• Components are building block for virtually all real-world circuits
• Given: • circuit C
• gate set G
• input set I
• integer k > 1, where k is the number of components
• Set M of components {c1,…, ck} partitions G and I into k disjoint sets of inputs and/or gates.
• Four base cases • Based on input/output
boundary of component and the parent circuit
![Page 12: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/12.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 12
Component Recovery
![Page 13: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/13.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 13
Independent Components
and Induced Redundancy
ORIGINAL WHITE-BOX VARIANTS
REDUCED VARIANTS
![Page 14: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/14.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 14
Observing Independent
Component Hiding
![Page 15: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/15.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 15
![Page 16: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/16.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 16
![Page 17: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/17.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 17
Case Study
![Page 18: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/18.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 18
Conclusions
![Page 19: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/19.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 19
Questions
?
![Page 20: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/20.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 20
The ONLY true “Virtual Black Box”
Hiding Properties of Interest
5
6
74
2
3
1
“The How” Semantic Behavior
2
3
1
6
4
7
General Intuition and Hardness of Obfuscation
![Page 21: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/21.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 21
Framework and Experimental Results
• Is perfect or near topology recovery useful
(therefore, is topology hiding useful)?
• In some cases, yes
• Foundation for other properties (signal / component hiding)
• For certain attacks, it is all that is required
• Accomplishing topology hiding
• Change basis type (normalizing distributions, removing all
original)
• Guarantee every gate is replaced at least once
• Multiple / overlapping replacement = diffusion Topology:
Gate fan-in
Gate fan-out
Gate type
![Page 22: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/22.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 22
Experiment 1: Measuring “Replacement”
Basis Change
c432
c432
120 gates ( 4 ANDs + 79 NANDs + 19 NORs + 18 XORs + 40 inverters )
Decomposed
230 gates ( 60 ANDs + 151 NANDs + 19 NORs + 40 inverters )
Decomposed
NOR
843 gates ( 843 NORs)
![Page 23: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/23.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 23
Experiment 1a: Measuring “Replacement”
Basis Change
= {NOR} = {AND, NAND, OR, XOR, NXOR}
![Page 24: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/24.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 24
Experiment 1b: Measuring “Replacement”
Basis Change
= {NAND} = {AND, NOR, OR, XOR, NXOR}
![Page 25: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/25.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 25
Experiment 2: Measuring “Replacement”
Uniform Basis Distribution
ISCAS-85 c1355
C1355
506 gates ( 56 ANDs + 416 NANDs + 2 ORs + 32 buffers + 40 inverters )
Decomposed
550 gates ( 96 ANDs + 416 NANDs + 6 ORs + 32 buffers + 40 inverters )
Decomposed
NAND
730 gates ( 730 NANDs )
![Page 26: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/26.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 26
Experiment 2: Measuring “Replacement”
Uniform Basis Distribution
= {NAND} = {AND, NAND, OR, NOR, XOR, NXOR}
“Single 4000 Iteration Experiment”
![Page 27: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/27.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 27
Experiment 2: Measuring “Replacement”
Uniform Basis Distribution
= {NAND} = {AND, NAND, OR, NOR, XOR, NXOR}
“Multiple 4000 Iteration Experiments”
Iteration 100
0
100
200
300
400
500
600
700
800
900
1 2 3 4 5 6 7 9 10 12 13 14
Experiment
# o
f G
ate
s
XNOR
XOR
NOR
OR
NAND
AND
![Page 28: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/28.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 28
Experiment 2: Measuring “Replacement”
Uniform Basis Distribution
= {NAND} = {AND, NAND, OR, NOR, XOR, NXOR}
“Multiple 4000 Iteration Experiments”
Iteration 4000
0
500
1000
1500
2000
2500
3000
3500
4000
4500
5000
1 2 3 4 5 6 7 9 10 12 13 14
Experiment
# o
f G
ate
s
XNOR
XOR
NOR
OR
NAND
AND
![Page 29: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/29.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 29
Experiment 3: Measuring “Replacement”
Smart Random Selection
ISCAS-85 c432
Iterative Smart Random 2-Gate Selection Algorithm:
Selection Strategy: Replacement Strategy:
Smart Two Gate Random Random Equivalent
![Page 30: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/30.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 30
Experiment 3: Measuring “Replacement”
Smart Random Selection
= {NOR} = {AND, NAND, OR, XOR, NXOR}
![Page 31: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/31.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 31
Things We’ve Learned
Along the Way
• What algorithmic factors influence hiding properties
the most? • Iteration number
• Selection size
• Replacement circuit generation (redundant vs. non-redundant)
• Ongoing work in:
• Increasing selection size
• Determinist generation
• Integrated logic reduction
• Formal models: term rewriting systems, abstract
interpretation, graph partitioning
![Page 32: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/32.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 32
Obfuscation Comparison Models
![Page 33: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/33.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 33
Experiment 1a: Measuring
“Replacement”
600
600
675
600
% of ORIGINAL GATES
![Page 34: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/34.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 34
Experiment 1a: Measuring “Replacement”
= {NOR} = {AND, NAND, OR, XOR, NXOR}
ISCAS-85 c1355
# of NORs
# of Iterations ~7500
![Page 35: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/35.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 35
Experiment 2: Measuring “Replacement”
= {NAND} = {AND, NAND, OR, NOR, XOR, NXOR}
“Single 4000 Iteration Experiment”
0
200
400
600
800
1000
1200
c1355nand-0
0000
c1355nand-0
0100
c1355nand-0
0200
c1355nand-0
0300
c1355nand-0
0400
c1355nand-0
0500
c1355nand-0
0600
c1355nand-0
0700
c1355nand-0
0800
c1355nand-0
0900
c1355nand-0
1000
c1355nand-0
1100
c1355nand-0
1200
c1355nand-0
1300
c1355nand-0
1400
c1355nand-0
1500
c1355nand-0
1600
c1355nand-0
1700
c1355nand-0
1800
c1355nand-0
1900
c1355nand-0
2000
c1355nand-0
2100
c1355nand-0
2200
c1355nand-0
2300
c1355nand-0
2400
c1355nand-0
2500
c1355nand-0
2600
c1355nand-0
2700
c1355nand-0
2800
c1355nand-0
2900
c1355nand-0
3000
c1355nand-0
3100
c1355nand-0
3200
c1355nand-0
3300
c1355nand-0
3400
c1355nand-0
3500
c1355nand-0
3600
c1355nand-0
3700
c1355nand-0
3800
c1355nand-0
3900
AND
NAND
OR
NOR
XOR
XNOR
![Page 36: Using Logic-Based Reduction for Adversarial Component ...](https://reader031.fdocuments.net/reader031/viewer/2022022217/6213f7e3a1d1e56bb12bee91/html5/thumbnails/36.jpg)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 36
Experiment 2: Measuring “Replacement”
= {NAND} = {AND, NAND, OR, NOR, XOR, NXOR}
“Multiple 4000 Iteration Experiments”