Presentation is loading. Please wait.

Presentation is loading. Please wait.

HOP: Hardware makes Obfuscation Practical Kartik Nayak

Published byRussell Stewart Modified over 6 years ago

Similar presentations

Presentation on theme: "HOP: Hardware makes Obfuscation Practical Kartik Nayak"— Presentation transcript:

1 HOP: Hardware makes Obfuscation Practical Kartik Nayak
With Christopher W. Fletcher, Ling Ren, Nishanth Chandran, Satya Lokam, Elaine Shi and Vipul Goyal

2 Compression 1 MB 1 KB Used by everyone, perhaps license it
No one should “learn” the algorithm - VBB Obfuscation Another scenario: Release patches without disclosing vulnerabilities

3 Known Results Heuristic approaches to obfuscation [KKNVT’15, SK’11, ZZP’04] Efficient No guarantees - “Confuse” the user Impossible to achieve program obfuscation in general [BGIRSVY’01]

4 Approaches Cryptography Secure Processors
Indistinguishability Obfuscation [BGIRSVY’01, GGHRSW’13] Not strong enough in practice Non standard assumptions Inefficient [AHKM’14] Cryptography 1. Intel SGX, AEGIS, XOM [SCGDD’03, LTMLBMH’00] Reveal access patterns Obfuscation against s/w only adversaries Secure Processors Using Trusted Hardware Tokens [GISVW’10, DMMN’11, CKZ’13] Boolean circuits Inefficient (FHE, NIZKs) Ascend, GhostRider [FDD’12, LHMHTS’15] Assume public programs

5 Key Contributions FHE, NIZKs Boolean circuits Efficient obfuscation of RAM programs using stateless trusted hardware token 1 Design and implement hardware system called HOP using stateful tokens 2 5x-238x better than a baseline scheme 8x-76x slower than an insecure system 3 Scheme Optimizations

6 Using Trusted Hardware Token
Sender (honest) Receiver (malicious) Store Key Obfuscate Input2 Input Input3 Output3 Output2 Output Execute

7 Stateful Token Oblivious RAM Authenticate memory
Maintain state between invocations Oblivious RAM load a5, 0(s0) add a5, a4, a5 add a5, a5, a5 Authenticate memory auth Run for a fixed time T oramSt

8 A scheme with stateless tokens is more challenging
Advantage: Enables context switching Given a scheme with stateless tokens, using stateful tokens can be viewed as an optimization

9 Stateless Token Oblivious RAM Authenticated Encryption
Does not maintain state between invocations Oblivious RAM load a5, 0(s0) add a5, a4, a5 add a5, a5, a5 Authenticated Encryption auth PID oramSt auth PID oramSt

10 Oblivious RAMs are generally not secure against rewinding adversaries
Stateless Token - Rewinding load a5, 0(s0) add a5, a4, a5 add a5, a5, a5 Oblivious RAM Time 0: load a5, 0(s0) Time 1: add a5, a4 a5 Rewind! auth’ PID oramSt’ Oblivious RAMs are generally not secure against rewinding adversaries

11 A Rewinding Attack! Rewind! Rewind! Access Pattern: 3, 3
A Rewinding Attack! Access Pattern: 3, 3 Access Pattern: 3, 4 4 3 1 4 3 4 7 2 T=0 T=1 T=1 T=0 T = 0: leaf 4, reassigned 2 T = 1: leaf 2, reassigned … Time 0: leaf 4, reassigned … Time 1: leaf 1, reassigned … Rewind! Rewind! T = 0: leaf 4, reassigned 7 T = 1: leaf 7, reassigned … Time 0: leaf 4, reassigned … Time 1: leaf 1, reassigned …

12 For rewinding attacks, ORAM uses PRFK(program digest, input digest)

13 Stateless Token – Rewinding on inputs
Oblivious RAM auth’ PID oramSt’

14 For rewinding on inputs, adversary commits input digest during initialization

15 Main Theorem: Informal
Our scheme UC realizes the ideal functionality in the Ftoken-hybrid model assuming ORAM satisfies obliviousness sstore adopts a semantically secure encryption scheme and a collision resistant Merkle hash tree scheme and Assuming the security of PRFs Proof in the paper.

16 1. Interleaving arithmetic and memory instructions
Efficient obfuscation of RAM programs using stateless trusted hardware token 1 Next: 1. Interleaving arithmetic and memory instructions 2. Using a scratchpad Scheme Optimizations 2 Design and implement hardware system called HOP 3

17 Optimizations to the Scheme – 1. ANM Scheduling
Types of instructions – Arithmetic and Memory Naïve schedule: A M A M A M … 1 cycle ~3000 cycles Memory accesses visible to the adversary 12000 extra cycles 1170: load a5,0(a0) 1174: addi a4,sp,64 1178: addi a0,a0,4 117c: slli a5,a5,0x2 1180: add a5,a4,a5 1184: load a4,-64(a5) 1188: addi a4,a4,1 118c: bne a3,a0,1170 M A M A M A M A M A M A Histogram – main loop

18 Optimizations to the Scheme – 1. ANM Scheduling
Types of instructions – Arithmetic and Memory Naïve schedule: A M A M A M … 1 cycle ~3000 cycles Memory accesses visible to the adversary 12000 extra cycles 1170: load a5,0(a0) 1174: addi a4,sp,64 1178: addi a0,a0,4 117c: slli a5,a5,0x2 1180: add a5,a4,a5 1184: load a4,-64(a5) 1188: addi a4,a4,1 118c: bne a3,a0,1170 M A What if a memory access is performed after “few” arithmetic instructions? A A A M AA A A4M schedule: A 2 extra cycles Histogram – main loop

19 Optimizations to the Scheme - 1. ANM Scheduling
Ideally, N should be program independent 𝑁= 𝑀𝑒𝑚𝑜𝑟𝑦 𝐴𝑐𝑐𝑒𝑠𝑠 𝐿𝑎𝑡𝑒𝑛𝑐𝑦 𝐴𝑟𝑖𝑡ℎ𝑚𝑒𝑡𝑖𝑐 𝐴𝑐𝑐𝑒𝑠𝑠 𝐿𝑎𝑡𝑒𝑛𝑐𝑦 = A A A A M A A M 6006 cycles of actual work 2996 A 2998 A < 6000 cycles of dummy work

20 Amount of dummy work < 50% of the total work
Our schedule incurs ≤ 2x- overhead relative to best schedule with no dummy work

21 Optimizations to the Scheme – 2. Using a Scratchpad
void bwt-rle(char *a) { bwt(a, LEN); rle(a, LEN); } void main() { char *inp = readInput(); for (i=0; i < len(inp); i+=LEN) spld(inp + i, LEN, 0); len = bwt-rle(inp + i); Program Why does a scratchpad help? Memory accesses served by scratchpad Why not use regular hardware caches? Cache hit/miss reveals information as they are program independent

22 For efficiency, use stateful tokens
HOP Architecture 512 KB Variant of Path ORAM - Freecursive ORAM - PMMAC - 64 byte block, - 4 GB memory 1. single stage 32b integer base 2. spld 16 KB For efficiency, use stateful tokens

23 Slowdown Relative to Insecure Schemes
8x-76x Slowdown to Insecure

24 Conclusion We are the first to design and prototype a secure processor with a matching cryptographically sound formal abstraction in the UC framework Thank You!

Download ppt "HOP: Hardware makes Obfuscation Practical Kartik Nayak"

Similar presentations

Multithreading processors Adapted from Bhuyan, Patterson, Eggers, probably others.

Multithreading processors Adapted from Bhuyan, Patterson, Eggers, probably others.
Vector Processing. Vector Processors Combine vector operands (inputs) element by element to produce an output vector. Typical array-oriented operations.

Vector Processing. Vector Processors Combine vector operands (inputs) element by element to produce an output vector. Typical array-oriented operations.
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.

S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
Jointly Restraining Big Brother: Using cryptography to reconcile privacy with data aggregation Ran Canetti IBM Research.

Jointly Restraining Big Brother: Using cryptography to reconcile privacy with data aggregation Ran Canetti IBM Research.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.

On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park.

Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park.
ObliviStore High Performance Oblivious Cloud Storage Emil StefanovElaine Shi

ObliviStore High Performance Oblivious Cloud Storage Emil StefanovElaine Shi
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.

Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.
Minimum Cost Blocking Problem in Multi-path Wireless Routing Protocols.

Minimum Cost Blocking Problem in Multi-path Wireless Routing Protocols.
Oblivious Data Structures Xiao Shaun Wang, Kartik Nayak, Chang Liu, T-H. Hubert Chan, Elaine Shi, Emil Stefanov, Yan Huang 1.

Oblivious Data Structures Xiao Shaun Wang, Kartik Nayak, Chang Liu, T-H. Hubert Chan, Elaine Shi, Emil Stefanov, Yan Huang 1.
ObliVM: A Programming Framework for Secure Computation

ObliVM: A Programming Framework for Secure Computation
ObliVM: A Programming Framework for Secure Computation

ObliVM: A Programming Framework for Secure Computation
GraphSC: Parallel Secure Computation Made Easy Kartik Nayak With Xiao Shaun Wang, Stratis Ioannidis, Udi Weinsberg, Nina Taft, Elaine Shi 1.

GraphSC: Parallel Secure Computation Made Easy Kartik Nayak With Xiao Shaun Wang, Stratis Ioannidis, Udi Weinsberg, Nina Taft, Elaine Shi 1.
1 Architectural Support for Copy and Tamper Resistant Software David Lie, Chandu Thekkath, Mark Mitchell, Patrick Lincoln, Dan Boneh, John Mitchell and.

1 Architectural Support for Copy and Tamper Resistant Software David Lie, Chandu Thekkath, Mark Mitchell, Patrick Lincoln, Dan Boneh, John Mitchell and.
Hardware Assisted Control Flow Obfuscation for Embedded Processors Xiaoton Zhuang, Tao Zhang, Hsien-Hsin S. Lee, Santosh Pande HIDE: An Infrastructure.

Hardware Assisted Control Flow Obfuscation for Embedded Processors Xiaoton Zhuang, Tao Zhang, Hsien-Hsin S. Lee, Santosh Pande HIDE: An Infrastructure.
On the Communication Complexity of SFE with Long Output Daniel Wichs (Northeastern) joint work with Pavel Hubáček.

On the Communication Complexity of SFE with Long Output Daniel Wichs (Northeastern) joint work with Pavel Hubáček.
Privacy Preserving Payments in Credit Networks By: Moreno-Sanchez et al from Saarland University Presented By: Cody Watson Some Slides Borrowed From NDSS’15.

Privacy Preserving Payments in Credit Networks By: Moreno-Sanchez et al from Saarland University Presented By: Cody Watson Some Slides Borrowed From NDSS’15.

Similar presentations

Ads by Google