15,617 research outputs found
Protection of software algorithms executed on secure modules
Loop structures in software code may reveal essential information about implemented algorithms and their parameters, even if the observer has no knowledge about which instructions are executed. Regular patterns can for instance be observed in power consumption, instruction fetches in external memory, or radiated EM energy. This paper addresses the use of dummy operations to obscure the details of the algorithm executed by the processor. We show that for a particular class of dummy insertion strategies, a Viterbi decoder can fairly reliably distinguish dummy fetches from real instruction fetches. In the second part of this paper, we study strategies to choose dummy fetches from a more general model. For certain situations, the optimum protection strategy appears to be deterministic (as opposed to random). Moreover, we show that in such a case, it is fundamentally not possible to enhance the security of the implementation by keeping the strategy for generating dummy fetches secret to the attacker. Author Keywords: Software protection; Secure processor; Viterbi decoder; Dummy instruction
FPGA based remote code integrity verification of programs in distributed embedded systems
The explosive growth of networked embedded systems has made ubiquitous and pervasive computing a reality. However, there are still a number of new challenges to its widespread adoption that include scalability, availability, and, especially, security of software. Among the different challenges in software security, the problem of remote-code integrity verification is still waiting for efficient solutions. This paper proposes the use of reconfigurable computing to build a consistent architecture for generation of attestations (proofs) of code integrity for an executing program as well as to deliver them to the designated verification entity. Remote dynamic update of reconfigurable devices is also exploited to increase the complexity of mounting attacks in a real-word environment. The proposed solution perfectly fits embedded devices that are nowadays commonly equipped with reconfigurable hardware components that are exploited to solve different computational problems
Identifying Native Applications with High Assurance
The work described in this paper investigates the problem
of identifying and deterring stealthy malicious processes on
a host. We point out the lack of strong application iden-
tication in main stream operating systems. We solve the
application identication problem by proposing a novel iden-
tication model in which user-level applications are required
to present identication proofs at run time to be authenti-
cated by the kernel using an embedded secret key. The se-
cret key of an application is registered with a trusted kernel
using a key registrar and is used to uniquely authenticate
and authorize the application. We present a protocol for
secure authentication of applications. Additionally, we de-
velop a system call monitoring architecture that uses our
model to verify the identity of applications when making
critical system calls. Our system call monitoring can be
integrated with existing policy specication frameworks to
enforce application-level access rights. We implement and
evaluate a prototype of our monitoring architecture in Linux
as device drivers with nearly no modication of the ker-
nel. The results from our extensive performance evaluation
shows that our prototype incurs low overhead, indicating the
feasibility of our model
CIDPro: Custom Instructions for Dynamic Program Diversification
Timing side-channel attacks pose a major threat to embedded systems due to
their ease of accessibility. We propose CIDPro, a framework that relies on
dynamic program diversification to mitigate timing side-channel leakage. The
proposed framework integrates the widely used LLVM compiler infrastructure and
the increasingly popular RISC-V FPGA soft-processor. The compiler automatically
generates custom instructions in the security critical segments of the program,
and the instructions execute on the RISC-V custom co-processor to produce
diversified timing characteristics on each execution instance. CIDPro has been
implemented on the Zynq7000 XC7Z020 FPGA device to study the performance
overhead and security tradeoffs. Experimental results show that our solution
can achieve 80% and 86% timing side-channel capacity reduction for two
benchmarks with an acceptable performance overhead compared to existing
solutions. In addition, the proposed method incurs only a negligible hardware
area overhead of 1% slices of the entire RISC-V system
- …