memoization attacks and memoization attacks and copy
play

Memoization Attacks and Memoization Attacks and Copy Protection in - PowerPoint PPT Presentation

Feb 14, 2023 •16 likes •336 views

Memoization Attacks and Memoization Attacks and Copy Protection in Copy Protection in Partitioned Applications Partitioned Applications Charles W. ODonnell 1 , G. Edward Suh 2 Marten van Dijk 1 , Srinivas Devadas 1 1 Massachusetts Institute

  1. Memoization Attacks and Memoization Attacks and Copy Protection in Copy Protection in Partitioned Applications Partitioned Applications Charles W. O’Donnell 1 , G. Edward Suh 2 Marten van Dijk 1 , Srinivas Devadas 1 1 Massachusetts Institute of Technology 2 Cornell University IEEE Workshop on Information Assurance June 22, 2007

  2. Motivation Motivation Central concern: Intellectual Property (IP) Protection of applications Prevent piracy, hide sensitive algorithms, etc Stop attacker from reproducing functionality of “protected” software code Only some small regions of application may need protection Operational functionality: ultimate test of security Unimportant: contents of protected code Important: How protected code is used, How attacker can bypass code and still get “useful” results One solution: Fully encrypt application Requires: Secure CPU/Co-Processor, remote servers Prevents piracy by requiring a key to execute addi r3,r4,16 lw r5,0(r15) sub r6,r5,r3 Speed/power/etc overheads sw 4(r15),r6 addi r11,r6,r5 Memoization Attacks and Copy Protection in Partitioned Applications, Charles W. O’Donnell, et al., IAW2007 2/25

  3. Partitioned Applications Partitioned Applications Partitioned Application: only encrypt portions of application Public Code May provide same security Tradeoff security vs. speed Private Code addi r3,r4,16 lw r5,0(r15) Public Code sub r6,r5,r3 sw 4(r15),r6 addi r11,r6,r5 Private Code Architecture guarantees secret execution of encrypted code Only memory accesses in and out of encrypted code region are visible More details later Central Question: Deciding which regions of an application to encrypt Key Point: Naïve separation insecure Designers must make a balanced decision based on how encrypted region will be used in the application at large Memoization Attacks and Copy Protection in Partitioned Applications, Charles W. O’Donnell, et al., IAW2007 3/25

  4. Presentation Outline Presentation Outline Model Define partitioned application and a very limited adversary Memoization Attacks Describe problem and method of attack Implementing a Memoization Attack Practical issues when performing attack Attack results on real applications Indicators of Insecurity Simple omens for when a Memoization Attack will succeed Indicator accuracy results on real applications Related Work Long standing research problem Memoization Attacks and Copy Protection in Partitioned Applications, Charles W. O’Donnell, et al., IAW2007 4/25

  5. Partitioned Applications Details Partitioned Applications Details Application code Private encrypted private regions Processor Code unencrypted public regions Decrypt Core Public Code Private Public Private regions Memory Memory Executes secretly Example Secure Architecture Access special private memory secretly Can access regular public memory Simplifying assumptions: Procedures are fundamental region units No private state between calls (Common case) For experiments: in-order memory, no cache Adversary observes memory bus to attack Memoization Attacks and Copy Protection in Partitioned Applications, Charles W. O’Donnell, et al., IAW2007 5/25

  6. Observing a Partitioned Application Observing a Partitioned Application Execution Trace Memory read( ) A Public Memory t write( ) B A B call-priv( ) A args( ) A Private Memory read( ) B write( ) C C read( ) C write( ) D exit() Private Call D E read( ) D write( ) E Public Memory Memoization Attacks and Copy Protection in Partitioned Applications, Charles W. O’Donnell, et al., IAW2007 6/25

  7. What an Adversary Knows What an Adversary Knows Adversary can observe memory accesses But what does he “ know ” about secret region? Unlimited possible models… We analyze weakest form of adversary, no priors This still enough to perform a successful attack Our adversary: Can only observe application execution for reasonable (polynomial) amount of time Has only limited (polynomial) storage space Has only limited (polynomial) computational power Our experiments used one standard x86 server (no farm jobs, etc) Memoization Attacks and Copy Protection in Partitioned Applications, Charles W. O’Donnell, et al., IAW2007 7/25

  8. Memoization Attacks Memoization Attacks x Procedures only a set of input-output mappings y 1 1 x y f 2 2 x y 3 3 Observe application, remembering inputs and outputs in table Then replace private code and emulate However, such a simple table is not enough. . . Memoization Attacks and Copy Protection in Partitioned Applications, Charles W. O’Donnell, et al., IAW2007 8/25

  9. Implementing a Memoization Attack Implementing a Memoization Attack Two main problems Input self-determination Keeping the “ Interaction Table ” small Input self-determination Private procedure Two possible input sets {a = ?, [Z] = ?} F(a) : {a = ?, [Y] = ?} if (a): b ← [Z] else: Naïve solution too costly b ← [Y] return (2*b) {a = ?, [Y] = ?, [Z] = ?} Emulating procedure requires order information Temporal Memoization Memoization Attacks and Copy Protection in Partitioned Applications, Charles W. O’Donnell, et al., IAW2007 9/25

  10. Temporal Memoization Temporal Memoization Call 1 Call 2 Call 3 Call 4 r1 = fff4 r1 = fff4 r1 = fff4 r1 = fff4 r2 = 7 r2 = 7 r2 = 3 r2 = 7 ... ... ... ... read[A]=5 read[A]=5 read[D]=1 read[A]=6 read[B]=12 read[B]=12 read[E]=24 read[B]=30 read[C]=54 read[C]=64 read[F]=20 read[G]=50 set r11 = 8 write[Z]=0 write[Z]=8 write[X]=0 set r11 = 1 set r11 = 1 set r11 = 4 Emulation: step 1 2 3 4 r1 = fff4 A = 5 B = 12 C = 64 reads r2 = 7 writes - - - Z = 8 , r11 = 1 Memoization Attacks and Copy Protection in Partitioned Applications, Charles W. O’Donnell, et al., IAW2007 10/25

  11. Interaction Table Compression Interaction Table Compression Keeping the Interaction Table small Call 1 Call 2 Table can become huge r1 = fff4 r1 = fff4 Contains many redundancies r2 = 7 r2 = 7 ... ... read(A,5) read(A,5) read(B,12) read(B,12) read(C,54) read(C,64) write(Z,0) write(Z,8) r11 = 1 r11 = 1 Instead of table columns, think of execution trace tree Branches in tree occur on reads since they solely determine control flow Memoization Attacks and Copy Protection in Partitioned Applications, Charles W. O’Donnell, et al., IAW2007 11/25

  12. Interaction Tree Construction Interaction Tree Construction Observed Calls r1 fff4 1 r1 = fff4 read(A) read( A, 5 ) read( B, 30) read( C, 54) write( Z, 8) A ... 5 10 read(B) read(C) 2 r1 = fff4 r1 = fff4 read( A, 10) r2 = 7 read( C, 54) read( A, 5 ) read( B, 30) read( B, 30) B C 30 77 54 write( Z, 4) read( C, 54) write(Z,0) ... write( Z, 8) read(C) read(B) read(C) 3 r1 = fff4 read( A, 5 ) read( B, 77) C B write( Z, 0) C 54 30 54 read( C, 54) write(Z,4) write(Z,8) ... ... ... ... Memoization Attacks and Copy Protection in Partitioned Applications, Charles W. O’Donnell, et al., IAW2007 12/25

  13. Compressing the Interaction Tree Compressing the Interaction Tree r1 fff4 Tree still redundant read(A) A 5 10 read(B) read(C) B C 30 77 54 write(Z,0) read(C) read(B) read(C) C B C 54 30 54 write(Z,4) write(Z,8) ... ... ... Memoization Attacks and Copy Protection in Partitioned Applications, Charles W. O’Donnell, et al., IAW2007 13/25

  14. Compressing the Interaction Tree Compressing the Interaction Tree r1 fff4 Tree still redundant read(A) Introduce path A numbers 5 10 read(B) read(C) (more in paper) B 30 77 write(Z,4) write(Z,0) read(C) ... read(C) C 54 write(Z,8) ... read(B) ... Memoization Attacks and Copy Protection in Partitioned Applications, Charles W. O’Donnell, et al., IAW2007 14/25

  15. Results of Memoization Attacks Results of Memoization Attacks Memoization Attacks can work on some , but not all applications. Two “types” effected most ( defined by context ): Partially repeated input sets (external workloads ) � Repeats functionality or input workload Compositing input sets (external workloads ) � If a few input sets to application cover the input space of single procedure, bounded set of possible inputs � If application inputs filtered before reaching private call � More dangerous since non-intuitive Public Public Private Application Memoization Attacks and Copy Protection in Partitioned Applications, Charles W. O’Donnell, et al., IAW2007 15/25

  16. Effectiveness on Repeated Workloads Effectiveness on Repeated Workloads SPEC CPU2000 Parser: special_command() - Memoization Attack always succeeds � Repeats same functionality, changes internal settings is_equal() – Memoization Attack always succeeds � Only run over dictionary data (checks for special tokens) Size of structures manageable: Parser: Parser: Size Metric special_command() is_equal() Number of tree nodes 283 5 (compressed) Size on disk 26,972 Bytes 2,042,968 Bytes Maximum depth of 743 5 expanded tree Memoization Attacks and Copy Protection in Partitioned Applications, Charles W. O’Donnell, et al., IAW2007 16/25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ATOM: Automatic Transaction-Oriented Memoization Hugo Rito and Jo ao Cachopo INESC-ID

ATOM: Automatic Transaction-Oriented Memoization Hugo Rito and Jo ao Cachopo INESC-ID

ATOM: Automatic Transaction-Oriented Memoization Hugo Rito and Jo ao Cachopo INESC-ID Instituto Superior T ecnico September 11, 2009 Overview of Memoization Functional Programming Memoization Overview of Memoization Functional

753 views • 56 slides
Memoization & Greedy: Wrapping up programmatical approaches with thanks to Kosie Van Der

Memoization & Greedy: Wrapping up programmatical approaches with thanks to Kosie Van Der

Memoization Greedy Algorithms Example Memoization & Greedy: Wrapping up programmatical approaches with thanks to Kosie Van Der Merwe Tslil Clingman 2nd August Tslil Clingman Memoization and Greedy Memoization Greedy Algorithms

583 views • 27 slides
12. Dynamic Programming Memoization, Optimal Substructure, Overlapping Sub-Problems,

12. Dynamic Programming Memoization, Optimal Substructure, Overlapping Sub-Problems,

12. Dynamic Programming Memoization, Optimal Substructure, Overlapping Sub-Problems, Dependencies, General Procedure. Examples: Rod Cutting, Rabbits, Edit Distance [Ottman/Widmayer, Kap. 7.1, 7.4, Cormen et al, Kap. 15] 260 Fibonacci Numbers

1.15k views • 88 slides
Problem: Inefficiency of recomputing subresults Solution: Memoization Two example sentences and

Problem: Inefficiency of recomputing subresults Solution: Memoization Two example sentences and

Problem: Inefficiency of recomputing subresults Solution: Memoization Two example sentences and their potential analysis: Store intermediate results: Remembering subresults (Part I): (1) He [gave [the young cat] [to Bill]]. a) completely

192 views • 3 slides
19. Dynamic Programming I (again) Memoization, Optimal Substructure, Overlapping

19. Dynamic Programming I (again) Memoization, Optimal Substructure, Overlapping

Fibonacci Numbers 19. Dynamic Programming I (again) Memoization, Optimal Substructure, Overlapping Sub-Problems, n if n < 2 F n := Dependencies, General Procedure. Examples: Fibonacci, Rod if n 2 . F n 1 + F n 2 Cutting,

562 views • 17 slides
TERN: Stable Deterministic Multithreading through Schedule Memoization Heming Cui Jingyue Wu

TERN: Stable Deterministic Multithreading through Schedule Memoization Heming Cui Jingyue Wu

TERN: Stable Deterministic Multithreading through Schedule Memoization Heming Cui Jingyue Wu Chia-che Tsai Junfeng Yang Computer Science Columbia University New York, NY, USA 1 Nondeterministic Execution Same input many schedules

232 views • 21 slides
Programming Languages Streams and Memoization Adapted from Dan Grossmans PL class, U. of

Programming Languages Streams and Memoization Adapted from Dan Grossmans PL class, U. of

Programming Languages Streams and Memoization Adapted from Dan Grossmans PL class, U. of Washington Review A thunk is a function of no arguments used to explicitly delay a result. (delay expression) => returns a thunked version

425 views • 8 slides
19. Dynamic Programming I Memoization, Optimal Substructure, Overlapping Sub-Problems,

19. Dynamic Programming I Memoization, Optimal Substructure, Overlapping Sub-Problems,

19. Dynamic Programming I Memoization, Optimal Substructure, Overlapping Sub-Problems, Dependencies, General Procedure. Examples: Fibonacci, Rod Cutting, Longest Ascending Subsequence, Longest Common Subsequence, Edit Distance, Matrix Chain

1.63k views • 135 slides
Lecture #20: Tree Recursions, Memoization, Tree Structures Last modified: Tue Mar 18 16:17:50

Lecture #20: Tree Recursions, Memoization, Tree Structures Last modified: Tue Mar 18 16:17:50

Lecture #20: Tree Recursions, Memoization, Tree Structures Last modified: Tue Mar 18 16:17:50 2014 CS61A: Lecture #20 1 Example: Escape from a Maze Consider a rectangular maze consisting of an array of squares some of which are occupied by

432 views • 22 slides
Lecture #20: Tree Recursions, Memoization, Tree Example: Escape from a Maze Structures

Lecture #20: Tree Recursions, Memoization, Tree Example: Escape from a Maze Structures

Lecture #20: Tree Recursions, Memoization, Tree Example: Escape from a Maze Structures Consider a rectangular maze consisting of an array of squares some of which are occupied by large blocks of concrete: 14 13 12 11 10 9 8 7 6 5 4

180 views • 3 slides
F LASH B ACK Immersive Virtual Reality on Mobile Devices via Rendering Memoization Kevin

F LASH B ACK Immersive Virtual Reality on Mobile Devices via Rendering Memoization Kevin

F LASH B ACK Immersive Virtual Reality on Mobile Devices via Rendering Memoization Kevin Boos David Chu Eduardo Cuervo MobiSys 2016 2 high graphic complexity low latency high framerate photo-realistic, wide

788 views • 44 slides
Programming Languages Thunks, Laziness, Streams, Memoization Adapted from Dan Grossmans PL

Programming Languages Thunks, Laziness, Streams, Memoization Adapted from Dan Grossmans PL

Programming Languages Thunks, Laziness, Streams, Memoization Adapted from Dan Grossmans PL class, U. of Washington Youve been lied to Everything that looks like a function call in Racket is not necessarily a function. Everything

358 views • 17 slides
Dynamic programming memoization decorator memoized systematic subproblem computation

Dynamic programming memoization decorator memoized systematic subproblem computation

Dynamic programming memoization decorator memoized systematic subproblem computation --(7, 5) |--(6, 5) | |--(5, 5) | --(5, 4) | |--(4, 4) Bin inomial coefficient | --(4, 3) identical computations | |--(3, 3)

316 views • 19 slides
Backtracking and Memoization Lecture 12 Tuesday, February 26, 2019 L A T EXed: December 27,

Backtracking and Memoization Lecture 12 Tuesday, February 26, 2019 L A T EXed: December 27,

Algorithms & Models of Computation CS/ECE 374, Spring 2019 Backtracking and Memoization Lecture 12 Tuesday, February 26, 2019 L A T EXed: December 27, 2018 08:25 Chan, Har-Peled, Hassanieh (UIUC) CS374 1 Spring 2019 1 / 22

343 views • 31 slides
Programming Languages Streams Wrapup, Memoization, Type Systems, and Some Monty Python Adapted

Programming Languages Streams Wrapup, Memoization, Type Systems, and Some Monty Python Adapted

Programming Languages Streams Wrapup, Memoization, Type Systems, and Some Monty Python Adapted from Dan Grossmans PL class, U. of Washington Quick Review of Constructing Streams Usually two ways to construct a stream. Method 1: Use

706 views • 45 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
The strategic role of public authority in the control of countereinfing. A differential game

The strategic role of public authority in the control of countereinfing. A differential game

The strategic role of public authority in the control of countereinfing. A differential game approach. Marta Biancardi* Andrea Di Liddo* Giovanni Villani** *Department of Economics - University of Foggia Largo Papa Giovanni Paolo II, 1 71100

518 views • 26 slides
CS CS 683 683 - Se Securi rity and Pri rivacy Fall 2019 Fa Instr Ins truc uctor: Ka

CS CS 683 683 - Se Securi rity and Pri rivacy Fall 2019 Fa Instr Ins truc uctor: Ka

CS CS 683 683 - Se Securi rity and Pri rivacy Fall 2019 Fa Instr Ins truc uctor: Ka Karim El Elde defr frawy http://www.cs.usfca.edu/~keldefrawy/teaching/fall2019 /cs683/cs683_main.htm 1 Ou Outline The players/actors

519 views • 51 slides
1 !'#'()' )

1 !'#'()' )

497 views • 17 slides
Ending Software Patents in Australia Ben Sturmfels ben@sturm.com.au Detailed notes for this

Ending Software Patents in Australia Ben Sturmfels ben@sturm.com.au Detailed notes for this

Ending Software Patents in Australia Ben Sturmfels ben@sturm.com.au Detailed notes for this talk: sturm.com.au/2011/talks/swpat-monash/ Why are software patents relevant to you? About me What is a patent? What is a software patent? How did

515 views • 16 slides
Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda

Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda

Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda We'll speak about obfuscation techniques which commercial (and not only) obfuscators use and how symbolic equation systems could help to

612 views • 50 slides
Traditional Commercial Software Development Open Source Development Producing consumer-oriented

Traditional Commercial Software Development Open Source Development Producing consumer-oriented

Traditional Commercial Software Development Open Source Development Producing consumer-oriented software is often done in much the same way as for tangible mass-produced Dr. James A. Bednar products, such as furniture or cars. E.g., a company:

526 views • 5 slides
HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from "Hardware Protection

HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from "Hardware Protection

HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from "Hardware Protection thr Obfuscation) Circuit modification techniques designed to conceal or lock the functionality and/or circuit structure The modifications are designed

157 views • 11 slides
Dismantling droids for breakfast - The current state of app reverse engineering Siegfried

Dismantling droids for breakfast - The current state of app reverse engineering Siegfried

Dismantling droids for breakfast - The current state of app reverse engineering Siegfried Rasthofer SECURE SOFTWARE ENGINEERING GROUP #whoami 3rd year PhD-Student at Secure Software Engineering Group Darmstadt, Germany (Prof. Dr.

458 views • 22 slides

More recommend