
Attack and Risk Analysis for Hardware Supported Software Copy Protection Systems

Weidong Shi, Hsien-Hsin (Sean) Lee, Chenghuai Lu, Tao Zhang
School of Electrical and Computer Engineering, Georgia Institute of Technology

Content

- Why Software Copy Protection So Hard
- Security In Silicon, the Future of Software Right Protection?
- Issues of Enforcing Software Right In Hardware
- Memory Encryption, Security Should not Be Taken for Granted
  - Counter Mode Memory Encryption
  - Security of Selective Protection
- Conclusions

Causes of Reduction in Software Piracy

- Economic: When software is more affordable.
- Legal: When copyright law is enforced rigorously.
- Business model: When there is a new business model. Noticeably on-line games.
- Technology: The contribution seems opposite. P2P network, low cost IC chip (mod chip).

Know Your Enemy

- Hackers are sophisticated and knowledgeable.
- Widely available after breach, P2P network as a distribution channel, MOD chip as a business.
- Not so successful at hiding secrets from hackers, who reverse engineer using software/hardware means.
- Not so successful at preventing hackers from bypassing hardware copy protection measures.
- What is often heard: our approach is good enough to provide DRM.

XBOX, Is It Good Enough?

[Figure: Xbox system diagram. P III, Nbridge + GPU, HT (HyperTransport) bus, South Bridge, BIOS Flash (some BIOS codes are encrypted), secret key. Annotations: socket over HT bus soldered by hackers; FPGA based bus tracer used to find out the key.]

- MOD chip (PCB with micro-controller and Flash memory): BIOS hijack.
- Low cost FPGA based bus snooping device.
- Consoles are much better protected than PCs; they are designed with copyright protection in mind.

Security In Silicon

- Encrypted software is hard to break and to pirate.
- Future CPU has the space to support software decryption on the fly.

What Does It Look Like?

[Figure: Secure Processor containing the Processor Core, Cache (decrypted software), Crypto Engine, Private Key and Software Key Table. Unprotected RAM and Unprotected Storage hold EncryptK(Software).]

Software encrypted by a symmetric key, K. Key K encrypted by public key of processor.
ASPLOS 02, ICS 03, Micro 03, SOSP 03

All Sound So Good, But Wait a Minute

- Security. Is this really secure?
- Performance, Performance, Performance.
  - CBC encrypted software can be ten times slower.
  - 5 year CPU design cycle. Profound impact on design and performance.
- Programming Model.
- Test and Verification.
- Debug.
- Software Distribution.
- User Privacy.

Trade-off Between Security and Performance

- Counter mode is faster than CBC. Much faster. Micro 03
- Aggregated integrity check on instructions is faster than timely check on per instruction basis. Micro 03
- Selective protection is faster than whole protection. ASPLOS 02, SOSP 03

But what are the risks of using counter mode + aggregated integrity check + selective protection?

Counter Mode

Pros
- Widely used, allows pad pre-computation.
- Proved to be secure by Bellare et al. (1997). If you break counter mode, you break the underlying cipher.

Cons
- Chosen ciphertext malleable. Flipping bits in the ciphertext induces flips of the corresponding bits in the plaintext.
- Misuse of counter mode can jeopardize security. Timely, appropriate check on integrity is a MUST.

Counter Mode

Chosen ciphertext malleable
ciphertext: 1 0 1 1 0 1 0 1 1
plaintext:  0 1 0 1 0 0 1 1 0

How about other NIST block cipher based modes, such as CBC?
ciphertext, memory block n-1: 0 0 1 1 0 1 0 1 1
ciphertext, memory block n: 0 0 0 1 1 0 1 1
Block Cipher
plaintext: 1 0 1 1 0 0 1 1 1

Dangerous Practice on Integrity Check When Using Counter Mode

- Aggregated SW (instruction/data) integrity check.
- Allow processor/memory state change by unverified instructions/data.
- Allow processor/memory state change by data derived from unverified data.
- Data/instruction fetch issued to memory based on unverified instructions, or based on control flow determined by unverified data.
- Data/instruction fetch issued to memory using address obtained from unverified data.

Attack On Counter Mode

- Exploit regularity of RISC (reduced instruction set) instruction set for incremental guesses.
- Convert secret information into data/instruction fetch address observable on SW execution/bus trace (reduce brute force search space).
- Patching software with small piece of attack code, e.g., binary search code.

Attack On Counter Mode - Incremental Guess

Addr = 0x2001139c
ciphertext: 0x9426814a
plaintext: 0x40c05411
Instruction: addq t5, 0x2, a1
Opcode 0x10 | RA | Disp

Instruction formats:
Branch Format: Opcode | RA | Disp
Memory Format: Opcode | RA | RB | Disp
Operate Format: Opcode | RA | RB | Function | RC

6-bit opcode, 64 possible opcodes. Flip bits of opcode ciphertext and trace program control.

Attack On Counter Mode - Incremental Guess

plaintext: Opcode 0x10 | RA | Disp
ciphertext: Opcode 0x25 | RA | Disp
opcode guess: Opcode 0x4 | RA | Disp

Flip bits of opcode ciphertext based on guessed opcode. The target is opcode 0x30 (opcode of jmp).
ciphertext: 1 0 0 1 0 1
guessed opcode: 0 0 0 1 0 0
target opcode: 1 1 0 0 0 0
ciphertext after bit flip: 0 1 0 0 0 1

ciphertext after flip: Opcode 0x11 | RA | Disp
decrypted opcode: Opcode 0x24 (stf) | RA | Disp

Attack On Counter Mode - Incremental Guess

plaintext: Opcode 0x10 | RA | Disp
ciphertext: Opcode 0x25 | RA | Disp
opcode guess: Opcode 0x10 | RA | Disp

Flip bits of opcode ciphertext based on guessed opcode. The target is opcode 0x30 (opcode of jmp).
ciphertext: 1 0 0 1 0 1
guessed opcode: 0 1 0 0 0 0
target opcode: 1 1 0 0 0 0
ciphertext after bit flip: 0 0 0 1 0 1

ciphertext after flip: Opcode 0x5 | RA | Disp
decrypted opcode: Opcode 0x30 | RA | Disp

Attack On Counter Mode - Incremental Guess

plaintext: Opcode 0x10 | RA | Disp 0x5411
ciphertext: Opcode 0x5 | RA | Disp
decrypted opcode: Opcode 0x30 | RA | Disp 0x5411

Addr = 0x2001139c Addr = 0x200263e0

0x12001139c 0x9426814a

Decrypted instruction triggers fetch from a new address, which discloses 21 bits of plaintext.

Attack On Counter Mode - Binary Search

- Stick in a small piece of attacking code. More radical attack.
- Large percentage of information in memory is predictable: predictable data/code, array of 0s.
- Example: flip bits of known values to stick in a piece of binary search code (constant starts from 2^16; if R2 > 2^16, try 2^24 next. At most 32 trials to compromise the secret).

    R1 = a constant value; R2 = load some secret
    if (R1<R2) goto addr1 else goto addr2

- Small enough to fit into one cache line. A cache line of uniform values widely exists.

Fight Against Attack on Counter Mode

- Use chosen-ciphertext non-malleable encryption mode. Counter mode, CBC, and all stream cipher based modes are malleable.
- Hide program trace and fetch address. Hardware obfuscation, CASES 2004. OVERHEAD, OVERHEAD!!!
- Authenticate appropriately, PACT 2004.
  - Change on processor/memory state prohibited by un-verified code/data or results obtained from un-verified code/data. Stall pipeline when it happens and wait for the result of the integrity check.
  - Code/data fetch from memory stalls and waits for integrity check if address computed from un-verified data.
  - Code/data fetch from memory stalls and waits for integrity check if control flow determined by un-verified data/code.
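
The incremental-guess slides and the "authenticate appropriately" point above, replayed on the slides' own instruction word. This is an added example, not code from the presentation; the pad is the one implied by the slide's ciphertext/plaintext pair, and the MAC key, the counter value 0 and the function names are constructed assumptions.

```python
import hmac, hashlib

# Values from the slides: one encrypted instruction word and its plaintext.
ADDR = 0x2001139C
CIPHERTEXT = 0x9426814A
PLAINTEXT = 0x40C05411            # addq t5, 0x2, a1 (opcode 0x10)
PAD = CIPHERTEXT ^ PLAINTEXT      # keystream word implied by the pair above
MAC_KEY = b"constructed-demo-mac-key"   # constructed; stays inside the processor

def opcode(word):
    """Top 6 bits of a 32-bit instruction word."""
    return (word >> 26) & 0x3F

def ctr_decrypt(ct_word, pad=PAD):
    """Counter mode decryption is a plain XOR with the pad."""
    return ct_word ^ pad

def retarget_opcode(ct_word, guess, target):
    """Tampering from the slides: XOR (guess ^ target) into the opcode bits."""
    return ct_word ^ ((guess ^ target) << 26)

def mac(addr, counter, ct_word):
    """Tag binds the ciphertext word to its address and counter (assumed layout)."""
    msg = addr.to_bytes(8, "big") + counter.to_bytes(8, "big") + ct_word.to_bytes(4, "big")
    return hmac.new(MAC_KEY, msg, hashlib.sha256).digest()

def verified_fetch(addr, counter, ct_word, tag):
    """Decrypt only after the tag verifies; otherwise nothing reaches the core."""
    if not hmac.compare_digest(mac(addr, counter, ct_word), tag):
        raise ValueError("integrity check failed: instruction not issued")
    return ctr_decrypt(ct_word)

def demo():
    tag = mac(ADDR, 0, CIPHERTEXT)              # stored alongside the memory block
    wrong = retarget_opcode(CIPHERTEXT, 0x04, 0x30)
    right = retarget_opcode(CIPHERTEXT, 0x10, 0x30)
    results = {
        "wrong_guess": (opcode(wrong), opcode(ctr_decrypt(wrong))),
        "right_guess": (opcode(right), opcode(ctr_decrypt(right))),
        "untouched_low_bits": ctr_decrypt(right) & 0x3FFFFFF,
    }
    try:
        verified_fetch(ADDR, 0, right, tag)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results
```

Without the tag check, the tampered word decrypts to a valid instruction and executes; with the check performed before issue, the flipped word never changes processor state.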

Security of Selective Protection

Encrypt only necessary and important codes.
- Valuable core software functions (concerns on reverse engineering).
- BIOS, firmware (concerns on disclosure of design secret, machine emulator).
- Valuable data, private data.

Support for Selective Protection

Instruction | Format | Definition
Enter security | | Start security mode after this instruction. A key is used to decrypt all the succeeding instructions
Exit security | | Exit security mode. No decryption for succeeding instructions
Secure store | st $rt,offset($base) | Stores $rt into memory [$base+offset]
Secure load | ld $rt,offset($base) | Load $rt with memory [$base+offset]

Taken from ASPLOS 2002, SOSP 2003. XOM

Boundary between protected and un-protected domains set by individual load/store instructions.

Encrypt Malicious Data into Code

    // not protected data and code
    unsigned int array_dat[] = { ... };
    ...
    // protected code, encrypted/authenticated
    enter_security
    ...
    // load array_dat and secure_save
    unsigned int x;
    for (i=0; i<sizeof(array_dat)/4; i++) {
        load array_dat[i] to x;
        secure_store x to array_dat[i];
        ...
    }
    ...
    exit_security

Manipulate input or address used by secure load/store. Can generate arbitrary encrypted code or software patch with arbitrary code input.

Disclose Secret by Altering Data Pointer

    // disclose results of computing to public
    struct node_t {
        unsigned int dat;
        ...
        node_t* pnext;
    };
    // protected code, encrypted/authenticated
    enter_security
    ...
    // process link-list
    // release results
    node_t* pnode = head of link_list;
    while (pnode) {
        secure_load pnode->dat to temp;
        save temp to un-encrypted memory;
        pnode = pnode->pnext; // regular load
    }
    exit_security

[Figure: linked list nodes (Data, Next), (Data, Next), (Data, NULL), and a Secret block.]
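
A toy model of the list walk above, showing why a pointer fetched with a regular load is the weak point and how the walk behaves when the pointer is also a tagged, protected word. This is an added example, not code from the presentation or from XOM; the memory model, addresses, key and the choice to protect `pnext` with an address-bound tag are constructed assumptions.

```python
import hmac, hashlib

KEY = b"constructed-compartment-key"   # constructed; never leaves the processor

def tag(addr, value):
    """Integrity tag binding a protected word to its address."""
    return hmac.new(KEY, f"{addr}:{value}".encode(), hashlib.sha256).digest()

class Memory:
    """Toy external memory: unprotected words and protected (value, tag) words."""
    def __init__(self):
        self.plain, self.secure = {}, {}
    def load(self, addr):                       # regular load: nothing checked
        return self.plain.get(addr, 0)
    def secure_store(self, addr, value):
        self.secure[addr] = (value, tag(addr, value))
    def secure_load(self, addr):
        value, t = self.secure[addr]
        if not hmac.compare_digest(t, tag(addr, value)):
            raise ValueError("integrity check failed")
        return value
    def tamper(self, addr, value):
        """Outside write: changes the stored word but cannot produce a new tag."""
        if addr in self.secure:
            self.secure[addr] = (value, self.secure[addr][1])
        else:
            self.plain[addr] = value

def build(protect_pointers):
    """Three-node list (dat at addr, pnext at addr+4) plus an unrelated secret."""
    mem, nodes = Memory(), [(0x100, 11), (0x200, 22), (0x300, 33)]
    for (addr, dat), nxt in zip(nodes, [0x200, 0x300, 0]):
        mem.secure_store(addr, dat)
        if protect_pointers:
            mem.secure_store(addr + 4, nxt)
        else:
            mem.plain[addr + 4] = nxt
    mem.secure_store(0x900, 0xC0FFEE)           # secret, never meant for release
    return mem

def release(mem, head, protect_pointers):
    """The slide's loop; returns the values copied to unencrypted memory."""
    out, node = [], head
    while node:
        out.append(mem.secure_load(node))       # secure_load pnode->dat
        nxt = node + 4
        node = mem.secure_load(nxt) if protect_pointers else mem.load(nxt)
    return out
```

After `mem.tamper(0x104, 0x900)`, the unprotected-pointer walk releases the secret word, while the protected-pointer walk raises on the modified pointer before any further load is issued.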

Conclusions

- Hardware cryptography based copy protection may be a direction for future software right protection.
- Trade-off between security and performance not well understood.
- Counter mode + aggregate integrity check is risky.
- Selective protection is also risky without additional protection.

Counter Mode

[Figure: Secure Processor containing the Processor Core, Crypto Engine and cache lines; external memory blocks, each with its own counter.]

Counter mode has to be used properly to support Randomly Accessed Memory.
