Tamper Resistant Software: An Implementation
By David Aucsmith, IAL
“This paper describes a technology for the construction of tamper resistant software.”
Presented by Weimin Yang, 28 March 2001

Contents
–Overview
–Threat Model
–Design Principles
–Tamper Resistant Software Architecture
 –Integrity Verification Kernel
 –Interlocking Trust
Overview
Definition: “Tamper resistant software is software which is resistant to observation and modification.”
Approach to developing tamper resistant software:
–Classify the threat model
–Develop design principles
–Implement a set of tools
Threat Model (I)
Attack originates outside of the PC.
–Bounded by the communication protocol
–Standard “hacker attack”
–Best defended by correctly designed and implemented protocols and proper administration

Threat Model (II)
Attack originates as software running on the platform.
–Bounded by the operating system and BIOS
–Attacks whole classes of software
–Virus or Trojan horse attack

Threat Model (III)
The perpetrator has complete control of the platform.
–Limited only by technical expertise and financial resources
–Defence: raise a technological bar so that the attack yields a poor return on the attacker's investment
Technological bars to model (III)
a.) Use of standard debuggers and system diagnostic tools
b.) Use of special debuggers such as SoftICE
c.) Use of processor emulators and bus logic analyzers
Design Principles
Software that is to be tamper resistant must be immune from observation and modification. This requires that it contain a secret component and that recovery of that secret be difficult.
Integrity Verification Kernel
“A small, armored segment of code which is designed to be included in a larger program and performs the following two functions:”
1. Verifies the integrity of code segments or programs.
2. Utilizes five defenses:
–Interleaved tasks
–Distributed secrets
–Obfuscated code
–Installation unique modifications
–Non-deterministic behavior

Installation unique modifications
The IVK is constructed at installation time.
–Each instance of the program contains a different IVK.
–Defends against class attacks.
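The two slides above (the IVK's verification function and installation unique modifications) can be illustrated with a small check. This is an added example, not Aucsmith's implementation or code from the paper: it shows only the "verifies the integrity of code segments" function together with a per-installation secret, and leaves out interleaving, obfuscation and non-deterministic behaviour. The segment bytes, the key size and the use of HMAC-SHA-256 as the keyed digest are assumptions made for the example.

```python
"""Added example: integrity verification of code segments with an
installation-unique secret. Not the paper's IVK construction."""
import hmac
import hashlib
import os

# Constructed stand-ins for protected code segments (not real machine code).
PROGRAM_SEGMENTS = {
    "entry": b"\x55\x48\x89\xe5 constructed-entry-stub",
    "license_check": b"\x31\xc0\xc3 constructed-license-check",
    "decrypt_content": b"\x48\x31\xd2 constructed-decryptor",
}


def install(segments, key=None):
    """Model of 'installation time': derive a fresh per-installation key and
    record a keyed digest of every protected segment. Two installations of the
    same binary therefore end up with different check tables."""
    key = key if key is not None else os.urandom(32)
    checks = {
        name: hmac.new(key, code, hashlib.sha256).digest()
        for name, code in segments.items()
    }
    return key, checks


def verify(key, checks, segments):
    """Return the names of segments whose current bytes fail the keyed check.
    An empty list means every protected segment is intact."""
    failed = []
    for name, expected in checks.items():
        current = segments.get(name, b"")
        actual = hmac.new(key, current, hashlib.sha256).digest()
        if not hmac.compare_digest(actual, expected):  # constant-time compare
            failed.append(name)
    return failed


def class_attack_demo():
    """Show why per-installation secrets blunt a class attack: a check table
    that is valid for installation A is rejected wholesale on installation B,
    even though both run identical code."""
    key_a, checks_a = install(PROGRAM_SEGMENTS)
    key_b, checks_b = install(PROGRAM_SEGMENTS)

    # Modified copy: one segment patched (constructed tampering).
    patched = dict(PROGRAM_SEGMENTS)
    patched["license_check"] = b"\xb8\x01\x00\x00\x00\xc3 constructed-patch"

    return {
        "intact_on_a": verify(key_a, checks_a, PROGRAM_SEGMENTS),
        "patched_on_a": verify(key_a, checks_a, patched),
        "tables_differ": checks_a != checks_b,
        # Re-using A's table (with B's key) on installation B: every segment fails.
        "a_table_on_b": verify(key_b, checks_a, PROGRAM_SEGMENTS),
    }


if __name__ == "__main__":
    for label, result in class_attack_demo().items():
        print(f"{label}: {result}")
```

In the demo, the intact program passes on its own installation, the patched copy fails on exactly the modified segment, and the check table learned from one installation is useless on another because the key differs. That last property is the point of the slide: analysing one instance does not tell the attacker what any other instance expects.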
Interlocking Trust
Integrity Verification Kernels
System Integrity Program
–A program that monitors the integrity of the security components of the computer system.
–Contains an eIVK, which has a known entry point.
–Created at installation time.
Integrity Verification Protocol
–Used to establish a distributed trust environment.
System overview (diagram not reproduced): Program 1 and Program 2 each contain an IVK; the Integrity Program contains the eIVK; the interactions are labelled 1a, 1b, 1c and 2a, 2b, 2c.
Conclusion
Based on analysis of the threat model, the author devises an Integrity Verification Kernel which hides secrets both in space and in time. Furthermore, the interlocking mechanism makes the secrets more difficult to discover.

Why can installation unique modifications be used to defend against class attacks?
- An attacker may analyse a given program instance successfully, but still cannot predict what any other instance looks like.