Hardware-Assisted Circumvention of Self-Hashing Software Tamper Resistance
April-June 2005 (vol. 2 no. 2)
pp. 82-92
Self-hashing has been proposed as a technique for verifying software integrity. Appealing aspects of this approach to software tamper resistance include the promise of being able to verify the integrity of software independent of the external support environment, as well as the ability to integrate code protection mechanisms automatically. In this paper, we show that the rich functionality of most modern general-purpose processors (including UltraSparc, x86, PowerPC, AMD64, Alpha, and ARM) facilitates an automated, generic attack which defeats such self-hashing. We present a general description of the attack strategy and multiple attack implementations that exploit different processor features. Each of these implementations is generic in that it can defeat self-hashing employed by any user-space program on a single platform. Together, these implementations defeat self-hashing on most modern general-purpose processors. The generality and efficiency of our attack suggest that self-hashing is not a viable strategy for high-security tamper resistance on modern computer systems.

Index Terms:
Tamper resistance, self-hashing, checksumming, operating system kernels, processor design, application security, software protection.
Citation:
Paul C. van Oorschot, Anil Somayaji, Glenn Wurster, "Hardware-Assisted Circumvention of Self-Hashing Software Tamper Resistance," IEEE Transactions on Dependable and Secure Computing, vol. 2, no. 2, pp. 82-92, April-June 2005, doi:10.1109/TDSC.2005.24