lehrstuhl f r systemsicherheit
play

Lehrstuhl fr Systemsicherheit Virtual Machine-based Fingerprints - PowerPoint PPT Presentation

Jun 06, 2023 •43 likes •223 views

Lehrstuhl fr Systemsicherheit Virtual Machine-based Fingerprints SPRING 9 Bochum, 31.07 - 01.08.2014 Table of Contents 1. Background 1. Fingerprinting 2. Virtual Machines 2. Implemented Schemes 1. Permutation-based Fingerprints 2. Dynamic

  1. Lehrstuhl für Systemsicherheit Virtual Machine-based Fingerprints SPRING 9 Bochum, 31.07 - 01.08.2014

  2. Table of Contents 1. Background 1. Fingerprinting 2. Virtual Machines 2. Implemented Schemes 1. Permutation-based Fingerprints 2. Dynamic branch-based Fingerprints 3. Fingerprints based on Encoding Choice 3. Conclusion Implementing a Virtual Machine-based Fingerprinting Scheme HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | SPRING 9

  3. Background Implementing a Virtual Machine-based Fingerprinting Scheme HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | SPRING 9

  4. Fingerprinting I ● Two phases: 1. Embed an unique identifier (“mark”) into object 2. Identify the object by extracting the fingerprint mark ● Fingerprint mark identifies party that uses the object ● In contrast to watermarking (claim ownership) ● Software use case: given a copy of the software, find out who it has been sold to Implementing a Virtual Machine-based Fingerprinting Scheme HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | SPRING 9

  5. Fingerprinting II ● Three types of fingerprints, determined by extraction phase: 1. Static 2. Dynamic 3. Abstract ● Balance properties : 1. Stealth 2. Data Rate 3. Resilience Implementing a Virtual Machine-based Fingerprinting Scheme HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | SPRING 9

  6. Virtual Machines I ● Structure commonly used in software protection systems ● Basic idea : Translate (parts of) native code into a custom architecture and embed interpreter (VM) ● breaks existing tools ● non-trivial to attack generically ● hides original semantic and tamper-proofs ● Set of handlers describe semantics Implementing a Virtual Machine-based Fingerprinting Scheme HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | SPRING 9

  7. Virtual Machines II bytecode VM context opcode parameters entry value 5A 0xdeadbeef vIP [pointer] 0x0f00 FE handler tbl [pointer] 0xbeef 0x0f00 32 native eax 0xdeadbeef 5A 0xcafebabe native ecx 0x1badc0de 0x0f00 FE ... ... 0xdead 0x0f00 07 0xbeef 0xdead 5A 0x1badf00d 0xb00b 32 FE 0xdead 0x0f00 00 vm_and_reg_reg vm_mov_reg_imm handler ... ... 5A vm_mov_reg_imm fetch operands ... ... calculate 7F vm_add_reg_reg update ctx 80 vm_xor_reg_reg dispatch next ... ... FF vm_mov_reg_reg handler table handler code Implementing a Virtual Machine-based Fingerprinting Scheme HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | SPRING 9

  8. Implemented Schemes Implementing a Virtual Machine-based Fingerprinting Scheme HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | SPRING 9

  9. Permutation-based Fingerprints ● Based on patent by Davidson and Myhrvold (1996) ● Embeds the mark in order of basic blocks of a function ● Mark extracted by comparing order in binary to canonical ordering ● But: Prone to subsequent application! ● Approach here: Embed mark in permutation of handler table ● Subsequent application results in non-functional program! Implementing a Virtual Machine-based Fingerprinting Scheme HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | SPRING 9

  10. Permutation-based Fingerprints Extracted Canonical Form Perm. Handler Table 0040AFC4 00 0040640A FE 00407513 01 0040645A 39 0040645A 02 004064AB 01 0040699E 03 004064FF 12 canonical 004070A1 04 0040654F 2A 0040640A 05 004065A0 00 ... ... ... ... 00407F72 FF 0040AF72 42 lookup handler index 0040AFC4 00407513 0040645A 0040699E 004070A1 Code 0040640A ... 00407F72 Fingerprinted Binary Implementing a Virtual Machine-based Fingerprinting Scheme HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | SPRING 9

  11. Branch-based Fingerprints ● Based on method by Linn et al., extension by Collberg et al. ● Mark encoded in (unstealthy!) series of unconditional branches ● Branch direction encodes one bit ● Extraction using Execution Trace ● Approach here: Transferred verbatim, but extraction phase problematic due to VM layer ● Circumvent VM layer without lowering its security? ● VM Trapdooring : constant (secret) seed when generating components Implementing a Virtual Machine-based Fingerprinting Scheme HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | SPRING 9

  12. Branch-based Fingerprints handler table 00 jmp 35 vm_mov_reg_imm 01 jmp 07 vm_mov_reg_reg 02 jmp 08 0040645A 0 1 ... ... 0040699E 1 07 jmp target vm_mov_reg_imm 08 jmp 00 0040640A ... ... 0 1 ... 0 12 jmp 24 vm_mov_reg_reg ... ... 1 23 ... 24 jmp 02 ... ... ... 35 jmp 01 VM code virtualized code encoding fingerprint 0b1010101 intercept handler execution jmp target (IA-32) verify vIP update verify VM sequence mov_reg_imm tmp, target track target immediate track dst register mov_reg_reg vIP, tmp vm_mov_reg_imm observer vm_mov_reg_reg observer Implementing a Virtual Machine-based Fingerprinting Scheme HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | SPRING 9

  13. FPs based on Encoding Choice ● Handler Duplication : duplicate handler code ● Multiple handlers encode same semantics ● Multiple opcodes per virtual instruction ● We have a choice when encoding bytecode ● Approach here: Group equivalent handlers and assign values to each member in a group (cf. Monden et al.) ● Every encoded virtual instruction embeds a few bits based on the handler it chooses ● Embed mark in all emitted instructions Implementing a Virtual Machine-based Fingerprinting Scheme HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | SPRING 9

  14. FPs based on Encoding Choice handler table bytecode enc. bits opcode semantics opcode parameters 00 00 vm_mov_reg_imm ?? 0xdeadbeef 0x0f00 ... 01 vm_mov_reg_reg ?? 0xbeef 0x0f00 ... 02 vm_add_reg_imm ?? ... 03 vm_and_reg_reg ?? 0xcafebabe 0x0f00 01 04 vm_mov_reg_imm ?? 0xdead 0x0f00 10 05 vm_mov_reg_imm ?? 0xbeef 0xdead ... 06 vm_add_reg_imm ?? 0x1badf00d 0xb00b ... ... ... ?? 11 FF vm_mov_reg_imm ?? 0xdead 0x0f00 Implementing a Virtual Machine-based Fingerprinting Scheme HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | SPRING 9

  15. Conclusion Implementing a Virtual Machine-based Fingerprinting Scheme HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | SPRING 9

  16. Conclusion ● Schemes draw from resilience provided by VM ● Exploit specific VM traits, tied to VM layer ● Comes at the cost of increased time/space complexity ● Refrain from protecting performance-critical sections Implementing a Virtual Machine-based Fingerprinting Scheme HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | SPRING 9

  17. Bibliography ● Robert I. Davidson and Nathan Myhrvold. Method and system for generating and auditing a signature for a computer program , September 24 1996. US Patent 5,559,884. ● Cullen Linn, Saumya Debray, and John Kececioglu. Enhancing Software Tamper- Resistance via Stealthy Address Computations . In Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC 2003). Citeseer, 2003. ● Akito Monden, Hajimu Iida, K-i Matsumoto, Katsuro Inoue, and Koji Torii. A Practical Method for Watermarking Java Programs . In Computer Software and Applications Conference, 2000. COMPSAC 2000. The 24th Annual International, pages 191-197. IEEE, 2000. ● Christian Collberg and Jasvir Nagra. Surreptitious Software . Upper Saddle River, NJ: Addision-Wesley Professional, 2010. ● Patrick Cousot and Radhia Cousot. An Abstract Interpretation-Based Framework for Software Watermarking . In ACM SIGPLAN Notices, volume 39, pages 173-185. ACM, 2004. Implementing a Virtual Machine-based Fingerprinting Scheme HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | SPRING 9

  18. Thank you for your attention! Any questions? @dwuid Implementing a Virtual Machine-based Fingerprinting Scheme HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | SPRING 9

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31.

Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31.

Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31. Juli 2014 Outline Background UDP-based Amplification TCP-based Amplification Comparison UDP- / TCP-based Amplification 2 AMPLIFICATION

731 views • 27 slides
Autonomous Vehicles - Relations to Human Intelligence Lehrstuhl fr Ergonomie Technische

Autonomous Vehicles - Relations to Human Intelligence Lehrstuhl fr Ergonomie Technische

Lehrstuhl fr Ergonomie Technische Universitt Mnchen Autonomous Vehicles - Relations to Human Intelligence Lehrstuhl fr Ergonomie Technische Universitt Mnchen Prof. Klaus Bengler 13.11.2015 Lehrstuhl fr Ergonomie Technische

523 views • 30 slides
iLab Countersurveillance Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab Countersurveillance Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab Countersurveillance Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Surveillance and operational security 14ws 1 lecture evaluation oral

916 views • 30 slides
Motivation / Problem Optimization of behavior in respect of explicit evaluation function

Motivation / Problem Optimization of behavior in respect of explicit evaluation function

Lehrstuhl fr Knstliche Intelligenz - Univ. Wrzburg Optimization of simulated biological multi-agent systems by means of evolutionary processes Alexander Hrnlein Christoph Oechslein Frank Puppe Lehrstuhl fr Knstliche Intelligenz -

693 views • 12 slides
Lehrstuhl fr Theoretische Informationstechnik Lehr- und Forschungseinheit 1 fr

Lehrstuhl fr Theoretische Informationstechnik Lehr- und Forschungseinheit 1 fr

Lehrstuhl fr Theoretische Informationstechnik Lehr- und Forschungseinheit 1 fr Nachrichtentechnik Let H and be finite-dimensional complex Hilbert spaces. We consider the channels W: A S(H) V: A S ( ) (W,V) is

364 views • 25 slides
Design and Architectures for Embedded Systems Maik Scheer Scheer ( (Lehrstuhl Lehrstuhl Prof.

Design and Architectures for Embedded Systems Maik Scheer Scheer ( (Lehrstuhl Lehrstuhl Prof.

Design and Architectures for Embedded Systems Maik Scheer Scheer ( (Lehrstuhl Lehrstuhl Prof. Dr. J. Prof. Dr. J. Henkel Henkel) ) Maik CES - - Chair for Embedded Systems Chair for Embedded Systems CES University of Karlsruhe, Germany

426 views • 41 slides
Network Models in Thermoacoustics Ph.D. Camilo Silva Prof. Wolfgang Polifke 1 Lehrstuhl fr

Network Models in Thermoacoustics Ph.D. Camilo Silva Prof. Wolfgang Polifke 1 Lehrstuhl fr

Lehrstuhl fr THERMODYNAMIK Network Models in Thermoacoustics Ph.D. Camilo Silva Prof. Wolfgang Polifke 1 Lehrstuhl fr THERMODYNAMIK Acoustics flame coupling Entropy-Acoustics coupling Acoustic BC downstream Acoustic BC upstream Fuel

1.15k views • 93 slides
Exploring DDoS Defense Mechanisms Patrick Holl Seminar Future Internet SS14-WS14/15 Lehrstuhl

Exploring DDoS Defense Mechanisms Patrick Holl Seminar Future Internet SS14-WS14/15 Lehrstuhl

Lehrstuhl Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Exploring DDoS Defense Mechanisms Patrick Holl Seminar Future Internet SS14-WS14/15 Lehrstuhl Netzarchitekturen und Netzdienste Fakultt

622 views • 29 slides
iLab TLS and packet filters Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab TLS and packet filters Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab TLS and packet filters Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 7 17ws 1 / 41 Outline Trust Transport Layer Security Packet filter

1.19k views • 43 slides
iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 9 18ss 1 / 36 Outline Introduction Trust architecture Protocols Attacks

663 views • 45 slides
iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 9 16ss 1 / 38 Outline Introduction Trust architecture Protocols Attacks

879 views • 47 slides
iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 6 16ss 1 / 34 Motivation: IPv4 Address Scarcity source:

784 views • 54 slides
iLab TCP / UDP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab TCP / UDP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab TCP / UDP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 4 14ws 1 Outline Transport Layer UDP TCP MTCP / SCTP 2 Outline

720 views • 32 slides
S.T.A.R.S. Kickoff Dipl.-Inform. Rafael K. Kobylinski Lehrstuhl fr Angewandte Softwaretechnik

S.T.A.R.S. Kickoff Dipl.-Inform. Rafael K. Kobylinski Lehrstuhl fr Angewandte Softwaretechnik

S.T.A.R.S. Kickoff Dipl.-Inform. Rafael K. Kobylinski Lehrstuhl fr Angewandte Softwaretechnik Institut fr Informatik 19. October 2000 Agenda Current visionary scenario Top level design and team structure Registration and next

345 views • 21 slides
I4 Reading Group Tobias Distler Lehrstuhl f ur Informatik 4 Verteilte Systeme und

I4 Reading Group Tobias Distler Lehrstuhl f ur Informatik 4 Verteilte Systeme und

I4 Reading Group Tobias Distler Lehrstuhl f ur Informatik 4 Verteilte Systeme und Betriebssysteme Friedrich-Alexander-Universit at Erlangen-N urnberg May 13, 2016 Windows Azure Storage Goals Strong consistency Global and scalable

374 views • 3 slides
iLabX Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr

iLabX Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr

iLabX Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen August 19, 2019 Based on slides of Lukas Schwaighofer 1

783 views • 56 slides
The physics and astrophysics of merging neutron-star binaries Luciano Rezzolla Institute for

The physics and astrophysics of merging neutron-star binaries Luciano Rezzolla Institute for

The physics and astrophysics of merging neutron-star binaries Luciano Rezzolla Institute for Theoretical Physics, Frankfurt Frankfurt Institute for Advanced Studies, Frankfurt GSI-FAIR Colloquium Darmstadt 18 May 2016 Plan of the talk

865 views • 60 slides
Muonium Hyperne Structure Measurement in a Zero/High Magnetic Field at J-PARC

Muonium Hyperne Structure Measurement in a Zero/High Magnetic Field at J-PARC

Muonium Hyperne Structure Measurement in a Zero/High Magnetic Field at J-PARC Shoichiro Nishimura / KEK IMSS for the MuSEUM Collaboration MuSEUM Collaboration MuSEUM | Mu onium S pectroscopy E xperiment U sing M icrowave M. Abe, Y.

209 views • 20 slides
FUGIN ; Cloud-cloud collisions with the FUGIN data Kazufumi Torii

FUGIN ; Cloud-cloud collisions with the FUGIN data Kazufumi Torii

FUGIN ; Cloud-cloud collisions with the FUGIN data Kazufumi Torii NAOJ/NRO Fujita, S, Kohno, M., Nishimura, A., Fukui, Y. (Nagoya Univ.), Kuno, N.(Univ. of Tsukuba), Matsuo, M., Umemoto,T., Minamidani, T.

855 views • 39 slides
Kensuke Kakiuchi (Nagoya Univ./ The Univ. of Tokyo) Collaborators: Takeru K. Suzuki (The Univ. of

Kensuke Kakiuchi (Nagoya Univ./ The Univ. of Tokyo) Collaborators: Takeru K. Suzuki (The Univ. of

Dec.22, 2017 @Kagoshima Univ. Kensuke Kakiuchi (Nagoya Univ./ The Univ. of Tokyo) Collaborators: Takeru K. Suzuki (The Univ. of Tokyo/ Nagoya Univ.), Yasuo Fukui(Nagoya Univ.), Kazufumi Torii(NRO), Mami Machida(Kyusyu Univ.), Ryoji Matsumoto

711 views • 26 slides
P r o v i n g P r o p e r t i e s o f S o r t i n g P r o g r a ms

P r o v i n g P r o p e r t i e s o f S o r t i n g P r o g r a ms

P r o v i n g P r o p e r t i e s o f S o r t i n g P r o g r a ms : A C a s e S t u d y i n H o r n C l a u s e V e r i fj c a t i o n 1 1 E . D e A n g e l i s , F .

355 views • 22 slides
Introduction to General and Generalized Linear Models Introduction Henrik Madsen Poul Thyregod

Introduction to General and Generalized Linear Models Introduction Henrik Madsen Poul Thyregod

Introduction to General and Generalized Linear Models Introduction Henrik Madsen Poul Thyregod Informatics and Mathematical Modelling Technical University of Denmark DK-2800 Kgs. Lyngby January 2011 Henrik Madsen Poul Thyregod (IMM-DTU)

625 views • 25 slides
MODULARITY & COMPOSITION: AUTOMATING SYSTEM SYNTHESIS Jason Ziglar, PhD Candidate Bradley

MODULARITY & COMPOSITION: AUTOMATING SYSTEM SYNTHESIS Jason Ziglar, PhD Candidate Bradley

MODULARITY & COMPOSITION: AUTOMATING SYSTEM SYNTHESIS Jason Ziglar, PhD Candidate Bradley Department of Electrical and Computer Engineering Dr. Ryan Williams 1 , Dr. Al Wicks 2 1 Laboratory for Coordination at Scale 2 Applied Autonomy and

594 views • 13 slides
Treewidth reduction and algorithmic applications Treewidth reduction and algorithmic applications

Treewidth reduction and algorithmic applications Treewidth reduction and algorithmic applications

Content Treewdith Reduction Theorem The Algorithmic Motivation Proof Idea Concluding remarks Treewidth reduction and algorithmic applications Treewidth reduction and algorithmic applications Content Treewdith Reduction Theorem The

388 views • 34 slides

More recommend