This paper discusses Proteus, a virtualization technique for diversifying tamper-resistance in software, presented at the ACM Workshop on Digital Rights Management.
Proteus: Virtualization for Diversified Tamper-Resistance
Bertrand Anckaert (Ghent University, Belgium), Mariusz Jakubowski and Ramarathnam Venkatesan (Microsoft Research, USA)
The 6th ACM Workshop on Digital Rights Management, October 30, 2006, Alexandria VA, USA
Tampering: Applications
It's tough to win a battle
• Incentive goes beyond fame
  • Software piracy: $31 billion
  • Virtual space resort: $100,000
  • Virtual sword: 1 human life
  • …
• Cat and mouse game
  • Cracker usually gets the last word
  • Protections have usually been broken relatively quickly
Can we win the war?
Why not? What will keep a cracker from distributing the cracked program as a whole?
• Requires more bandwidth
• Software aging, tailored updates
• Hardware dependencies
• Contain private information
• …
Overview
• Intro
• Proteus: Virtualization for Diversified Tamper-Resistance
Proteus: definition (From OED)
Overview
• Intro
• Proteus, Virtualization for Diversified Tamper-Resistance
Virtualization
• Choose ISA and micro-architecture
• Many degrees of freedom
• Use freedom for
  • Diversity
  • Tamper-resistance
Overall design (diagram): ORIGINAL MSIL BINARY (easily decompiled) + VM DESCRIPTION → PROTEUS FRONTEND → PROTEUS BACKEND → RESULTING BINARY = CUSTOM BYTECODE BINARY + CUSTOM VM
Function Stubification (diagram): in the REWRITTEN MSIL BINARY every function body is replaced by a stub that packs its arguments into an object array and hands them to InvokeVM in VM.dll (the CUSTOM VM), together with PC, the entry point of the function inside the CUSTOM BYTECODE BINARY:

    public static void main(string[] args) {
        Object[] array = {args};
        InvokeVM(array, PC);          // PC: entry point of main in the custom bytecode
    }

    public Int32 foo(Int32 i, Int32 j) {
        Object[] array = {this, i, j};
        Object ret = InvokeVM(array, PC);  // PC: entry point of foo in the custom bytecode
        return (Int32) ret;
    }
Virtualization: Design Principles
• Tamper-resistant ISA:
  • Complicate analysis
  • Prevent local modifications
  • Make observation hard
  • …
• Traditional ISAs (RISC, CISC, Java bytecode and MSIL):
  • Performance, compaction
  • Portability, verifiability
  • Automatic garbage collection
  • …
• Conflicts? (diagram: traditional ISAs and "our bytecode" placed along an axis labelled "complexity of an attack")
Virtualization: VM Operation (diagram)
The VM loop is while (true) { ExecuteIns }, where ExecuteIns consists of: Fetch from the CUSTOM BYTECODE BINARY at PC, DecodeOpcode, DecodeOperands, EmulateIns, which manipulates the method state: the CURRENT METHOD FRAME (local allocation, local variables, arguments, evaluation stack) and the caller.
Virtualization: Choices
We get to design our own
• ISA
  • Instruction semantics (1)
  • Opcode encoding (2)
  • Operand encoding (3)
  • Fetch cycle (4)
  • Program representation and counter (5)
• Micro-Architecture (6)
Overview
• Intro
• Proteus, Virtualization for Diversified Tamper-Resistance
  • Instruction Semantics (1)
  • Opcode and Operand Encoding (2 & 3)
  • Fetch Cycle (4)
  • Program Representation and Counter (5)
  • Micro-Architecture (6)
Choice: Instruction Semantics (VM-operation diagram, highlighting design choice (1))
Instruction Semantics: μOps such as ldloc, newarr, add, pop, newobj, br, ldc and callvirt can be combined into a super-instruction, e.g. SuperIns: ldloc ldc sub stloc
Instruction Semantics: Tamper-Resistance
• Semantic overlap (diagram: the sequence ldloc ldc sub stloc can be expressed as a single SuperIns or as its constituent μOps, and a SuperIns can be nested inside another)
• Limited instruction set
• nop
• Invertible jump conditions
• Tradeoff
Choice: Opcode and Operand Encoding (VM-operation diagram, highlighting design choices (2) and (3))
Encoding Opcodes and Operands
• Any prefix encoding
• Tamper-resistant
  • Physical overlap (unary encoding: 1: add, 01: mul, 001: sub, 0001: div)
  • Variable length
• Tradeoff
Variable Encoding (diagram: a prefix tree with a root, inner nodes reached on bits 0 and 1, and leaves SUB, ADD, MUL, DIV)
• Encoding does not need to be constant
• Instructions to reorder subtrees
• Bit sequences get different meaning in different interpretation states
• Semantic overlap
Choice: Fetch Filters (VM-operation diagram, highlighting design choice (4))
Fetch filters
• Combine bit pattern with
  • Program counter
  • Other parts of the program
  • Key
  • …
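The three slides above (prefix encoding, variable encoding, fetch filters) as one toy fetch/decode loop. This is an added example, not Proteus code: it uses the slide's unary encoding (1: add, 01: mul, 001: sub, 0001: div), but the "swap" meta-instruction (0000) that mirrors the decode tree and the XOR-with-PC-and-key fetch filter are assumptions made for the example, as are the sample program and key.

```python
# Added example (not Proteus code): prefix-tree decoder with a subtree-reordering
# meta-instruction and a PC/key fetch filter. "swap" and the filter are assumptions.
from typing import List, Optional, Tuple, Union

Tree = Union[str, Tuple["Tree", "Tree"]]   # leaf = opcode; node = (on bit 0, on bit 1)
# Unary prefix tree from the slide: 1 -> add, 01 -> mul, 001 -> sub, 0001 -> div;
# the remaining code word 0000 is given to the assumed "swap" meta-instruction.
INITIAL_TREE: Tree = (((("swap", "div"), "sub"), "mul"), "add")

def filter_bit(pc: int, key: int) -> int:
    """Fetch filter (assumed form): one keystream bit derived from PC and a key."""
    return ((key >> (pc % 8)) & 1) ^ (pc & 1)

def find(node: Tree, op: str, path: Tuple[int, ...] = ()) -> Optional[Tuple[int, ...]]:
    """Bit path of `op` in the current tree state, or None if it has no leaf."""
    if not isinstance(node, tuple):
        return path if node == op else None
    return find(node[0], op, path + (0,)) or find(node[1], op, path + (1,))

def encode(ops: List[str], key: int) -> List[int]:
    """Emit filtered bits for `ops`, tracking the same tree state the decoder will."""
    tree, stored = INITIAL_TREE, []
    for op in ops:
        path = find(tree, op)
        if path is None:
            raise ValueError(f"unknown opcode {op!r}")
        for b in path:
            stored.append(b ^ filter_bit(len(stored), key))
        if op == "swap":                        # variable encoding: reorder subtrees
            tree = (tree[1], tree[0])
    return stored

def decode(stored: List[int], key: int) -> List[str]:
    """Fetch/decode loop: unfilter each bit, walk the prefix tree, apply swaps."""
    tree, pc, ops = INITIAL_TREE, 0, []
    while pc < len(stored):
        node = tree
        while isinstance(node, tuple):
            if pc >= len(stored):               # trailing bits form no complete opcode
                return ops
            node = node[stored[pc] ^ filter_bit(pc, key)]
            pc += 1
        if node == "swap":
            tree = (tree[1], tree[0])           # same bits now mean different opcodes
        else:
            ops.append(node)
    return ops

PROGRAM = ["add", "mul", "swap", "add", "div"]  # constructed sample program
KEY = 0xB2                                      # constructed sample key
```

Decoding the stored bits with the wrong key yields an unrelated instruction stream, and flipping a single stored bit re-synchronises the variable-length parse differently (here one flip turns `add mul` into `sub` and triggers a swap), which is the "physical overlap" and "variable encoding" effect the slides describe.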
Choice: Code Representation (VM-operation diagram, highlighting design choice (5))
Splay tree representation (diagram)
LINEAR:
    int32 Fac(int32)
        ldarg.0
        ldc.i4.1
        bne.un.s
        ldc.i4.1
        ret
        ldarg.0
        ldarg.0
        ldc.i4.1
        sub
        call int32 Fac(int32)
        mul
        ret
SPLAY TREE (1) and SPLAY TREE (2): the same method split into numbered basic blocks stored as tree nodes, with branch and call edges between them: block 1 (ldarg.0, ldc.i4.1, bne.un.s), block 2 (ldc.i4.1, ret), block 3 (ldarg.0, ldarg.0, ldc.i4.1, sub, call, br) and block 4 (mul, ret). The two trees show the same blocks arranged differently after splaying.
Choice: MicroArchitecture (VM-operation diagram, highlighting design choice (6))
• ISA determined
• Determine MicroArchitecture
• Combine code and auto-generate code
• Diversify result
Heuristic Benefits
• Complicate analysis
  • Custom bytecode language
  • Variable instruction length
  • Variable encoding
• Complicate local modifications
  • Semantic overlap
  • Physical overlap
• Complicate global modifications
  • (blur distinction between code, data and addresses)
• Complicate observing the execution
  • Constant relocation of the code/data
Ultimate goal: prevent class attacks
Sufficient Diversification: Complexity of converting the attack to another instance ≥ Complexity of attacking the other instance from scratch
Sufficient Diversification
• Chain is as strong as its weakest link
• If attacking an instance from scratch is easier than converting an existing attack, the weakest link is the tamper-resistance and not the diversification
Conclusion
• Virtualization gives us the freedom to choose the ISA and MicroArchitecture
• This choice can be used for
  • Diversity
  • Tamper-resistance
• And hopefully lead to a provable degree of protection