Runtime protection via dataflow flattening

Software running on an open architecture, such as the PC, is vulnerable to inspection and modification. Since software may process valuable or sensitive information, many defenses against data analysis and modification have been proposed. This paper complements existing work and focuses on hiding data location throughout program execution. To achieve this, we combine three techniques: (i) periodic reordering of the heap, (ii) migrating local variables from the stack to the heap and (iii) pointer scrambling. By essentialy flattening the dataflow graph of the program, the techniques serve to complicate static dataflow analysis and dynamic data tracking. Our methodology can be viewed as a data-oriented analogue of control-flow flattening techniques. Dataflow flattening is useful in practical scenarios like DRM, information-flow protection, and exploit resistance. Our prototype implementation compiles C programs into a binary for which every access to the heap is redirected through a memory management unit. Stack-based variables may be migrated to the heap, while pointer accesses and arithmetic may be scrambled and redirected. We evaluate our approach experimentally on the SPEC CPU2006 benchmark suit

Oblivious Hashing: A Stealthy Software Integrity Verification Primitive

Abstract. We describe a novel software verification primitive called Oblivious Hashing. Unlike previous techniques that mainly verify the static shape of code, this primitive allows implicit computation of a hash value based on the actual execution (i.e., space-time history of computation) of the code. We also discuss its applications in local software tamper resistance and remote code authentication. 1

RANDOMIZED DETECTION FOR SPREAD-SPECTRUM WATERMARKING: DEFENDING AGAINST SENSITIVITY AND OTHER ATTACKS

Spread Spectrum (SS) has been a well-studied technique in signal processing. As a tool for watermarking in an adversarial context, however, this methodology needs caution and new variations. We suggest SS variants where the detection rule is randomized in the sense of having the watermark detector use secret coin flips to choose subsets of the watermarked data and perform correlation tests. We then form a pool of such estimates and pick the median value. We study the effect of such detection methods on sensitivity and estimation attacks, which suggest that randomization is a necessary tool to prevent these types of potentially debilitating adversarial methodologies. We also present other schemes for improving the robustness of SS methods, along with experimental results. Though we recognize the limitations of SS in the face of adversarial attacks, our methods attempt to maximize the potential of SS watermarking in such scenarios

Image Watermarking With Better Resilience

We present schemes for hardening image watermarks against adversarial jamming. Our techniques improve upon standard correlation- and spread spectrum-based methods, and withstand various image distortions and attacks intended to render watermarks unreadable. The watermarking schemes we propose explicitly locate and amplify watermark data remaining after attacks. Key ideas include embedding of watermarks in specially chosen domains, application of image enhancement, computation of responses over watermark subsets, and use of redundancy and search. For watermark detection, our schemes do not require the original image or any information about it

Implementation of Parallel Arithmetic In a Cellular Automaton

We describe an approach to parallel computation using particle propagation and collisions in a one-dimensional cellular automaton using a particle model ---a Particle Machine (PM). Such a machine has the parallelism, structural regularity, and local connectivity of systolic arrays, but is general and programmable. It contains no explicit multipliers, adders, or other fixed arithmetic operations; these are implemented using fine-grain interactions of logical particles which are injected into the medium of the cellular automaton, and which represent both data and processors. We sketch a VLSI implementation of a PM, and estimate its speed and size. We next discuss the problem of determining whether a rule set for a PM is free of conflicts. In general, the question is undecidable, but enough side information is available in practice to answer the question in polynomial time. We then show how to implement division in time linear in the number of significant bits of the result, complementing previous results for fixed-point addition and multiplication. The precision of the arithmetic is arbitrary, being determined by the particle groups used as input

Delayed and controlled failures in tamper-resistant systems

Abstract. Tamper-resistant software (TRS) consists of two functional components: tamper detection and tamper response. Although both are equally critical to the effectiveness of a TRS system, past research has focused primarily on the former, while giving little thought to the latter. Not surprisingly, many successful breaks of commercial TRS systems found their first breaches at the relatively naïve tamper-response modules. In this paper, we describe a novel tamper-response system that evades hacker detection by introducing delayed, probabilistic failures in a program. This is accomplished by corrupting the program’s internal state at well-chosen locations. Our tamper-response system smoothly blends in with the program and leaves no noticeable traces behind, making it very difficult for a hacker to detect its existence. The paper also presents empirical results to demonstrate the efficacy of our system.