Specifying and verifying hardware for tamper resistant software
The company has reportedly been beefing up the technology that constrains the Intel versions of Mac OS X to run only on authorized machines, which to this point have been a set of test Macs given to developers.
The company has also applied for a trademark on Rosetta, its technology for running existing Mac programs on the Intel chips.
It includes its own flash, RAM, processing unit, and other resources inside a single package, so it can fully control its own execution and ward off external attempts to tamper with it. The package is resistant to physical penetration and designed to resist many side channel attacks, including power analysis, timing analysis, and electromagnetic sniffing. The hardware is also resilient against many physical fault injection techniques including attempts to run outside normal operating conditions, such as wrong voltage, wrong clock speed, or wrong temperature.
In addition to being tamper-resistant, the security module in Omerta handsets helps protect against software-only attacks. Because it performs very few functions, it has a very small attack surface. And with passcode verification happening in the security module, even in the event of a full compromise elsewhere, the attacker cannot derive your disk encryption key without compromising the security module first. The paper concludes with speculation on additional uses of the developed technology and an evaluation of the technology's effectiveness.
Introduction
One of the principal characteristics of the PC is that it is an open, accessible architecture. Both hardware and software can be accessed for observation and modification. Arguably, this openness has led to the PC's market success. This same openness means that the PC is a fundamentally insecure platform.
Observation or modification can be performed by either a malevolent user or a malicious program. Yet there are classes of operations that must be performed securely on the fundamentally insecure PC platform.
These are applications where the basic integrity of the operation must be assumed, or at least verified, to be reliable, such as financial transactions, unattended authorization and content management. What is required is a method that will allow the fundamentally insecure, open PC to execute software that cannot be observed or modified. This paper presents the notion of tamper resistant software.
Tamper resistant software is software which is resistant to observation and modification. It can be trusted, within certain bounds, to operate as intended even in the presence of a malicious attack.
Our approach has been to classify attacks into three categories and then to develop a series of software design principles that allow a scaled response to those threats. This paper describes the threat model, design principles, architecture and implementation of the IVK technology.
Threat Model
Malicious observation and manipulation of the PC can be classified into three categories, based on the origin of the threat. The origin of the threat is expressed in terms of the security perimeter that has been breached in order to effect the malicious act. This translates generally to who the perpetrator is, outsider or insider.
Category I: The perpetrator must breach communications access controls but must still operate under the constraints of the communications protocols. This is the standard "hacker" attack.
Category II: The perpetrator has been able to introduce malicious code into the platform and the operating system has executed it. The attack has moved inside the communications perimeter but is still bounded by the operating system and BIOS. That is, it must still utilize the operating system and BIOS interfaces. This is the common virus or Trojan horse attack.
Category III: This attack faces no security perimeter and is limited only by technical expertise and financial resources. The owner of the system is the perpetrator.
Category I attacks do not require the use of tamper resistant software; rather, they require correctly designed and implemented protocols and proper administration. As, by definition, the perpetrator has no direct access to the platform's hardware or software, Category I attacks are better defended by robust access control mechanisms.
Category II attacks are caused by the introduction of malicious software into the platform. The malicious software may have been introduced with or without the user's consent and may be explicitly or implicitly malicious. Examples of such software include viruses and Trojan horses, as well as software used to discover secrets stored in other software on behalf of other parties, such as another user's access control information. Viruses are a good example of a class attack: viruses must assume certain coding characteristics to be constant among their target population, such as the format of the execution image.
Other examples would include a Trojan horse program that searches a particular financial application in order to purloin credit card numbers because it knows where within that application such numbers are stored. It is the consistency of software across platforms that enables Category II attacks. Any defense against a Category III attack must, at best, merely raise a technological bar to a height sufficient to deter a perpetrator by providing a poor return on their investment.
That investment might be measured in terms of the tools necessary, and skills required, to observe and subsequently modify the software's behavior.
The technological bar, from low to high, would be:
a) No special analysis tools required. These include standard debuggers and system diagnostic tools.
b) Specialized software analysis tools. Tools here include specialized debuggers such as SoftICE and software breakpoint-based analysis tools.
c) Specialized hardware analysis tools. These tools include processor emulators and bus logic analyzers.
Our goal for tamper resistant software is to defend against Category II attacks and Category III attacks up to the level of specialized hardware analysis tools. We believe that this provides a reasonable compromise. It is axiomatic that threat follows value, thus this level of tamper resistance is adequate for low to medium value applications, and for high value applications where the user is unlikely to be a willing perpetrator, such as applications involving the user's personal property.
This requirement implies that the software contains a secret component. Preventing operation on the secret component is the basis for the trust that the application has not been tampered with.
Were it not for the secret component, a perpetrator could substitute any software of their choosing for the correct software. It is the existence of this secret component that compels the user to use that specific software for that specific function rather than some other software. For example, the secret may be a cryptographic key used to encrypt a random challenge in an authentication protocol. Possession of the cryptographic key creates the trust that the software is legitimate. As another example, consider the need to guarantee that the software has completed a predetermined set of steps.
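The challenge-response exchange just described, written out with both sides as an added example (not code from the paper or the IVK implementation): the verifier issues a fresh random challenge and accepts only a response that could have been produced with the secret key, so a substituted program without the secret component is rejected. The keyed operation here is assumed to be HMAC-SHA256 over the challenge rather than encryption of it, so the example runs with only the Python standard library; key and challenge sizes are constructed for illustration.

```python
"""Challenge-response proof that software holds the secret component.

Added example, not the paper's own code. The paper's secret encrypts a
random challenge; here the keyed operation is an HMAC-SHA256 tag over the
challenge (an assumption made so the example needs only the stdlib).
"""
import hashlib
import hmac
import secrets

CHALLENGE_BYTES = 16  # constructed size for the random challenge


class Verifier:
    """The party that trusts only software able to prove possession of the key."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def issue_challenge(self) -> bytes:
        # A fresh nonce per exchange, so a recorded response cannot be replayed.
        return secrets.token_bytes(CHALLENGE_BYTES)

    def check(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        # Constant-time comparison: the check itself must not leak the expected tag.
        return hmac.compare_digest(expected, response)


def respond(software_key: bytes, challenge: bytes) -> bytes:
    """The software's half of the exchange: key the challenge and answer."""
    return hmac.new(software_key, challenge, hashlib.sha256).digest()


def run_exchange(verifier: Verifier, software_key: bytes) -> bool:
    """Drive one complete exchange and report whether the software is accepted."""
    challenge = verifier.issue_challenge()
    return verifier.check(challenge, respond(software_key, challenge))


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)  # constructed: the secret embedded in legitimate software
    verifier = Verifier(shared_key)
    print("legitimate software accepted:", run_exchange(verifier, shared_key))
    # A substituted program lacks the secret component, so its answer is rejected.
    print("substituted software accepted:", run_exchange(verifier, secrets.token_bytes(32)))
```

The tag reveals nothing usable about the key to an observer of the exchange, but the trust rests entirely on the key staying secret inside the software, which is the property tamper resistance has to deliver.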