Protecting Reprogrammable Hardware with Polymorphic Circuit - - PowerPoint PPT Presentation

protecting reprogrammable hardware with polymorphic
SMART_READER_LITE
LIVE PREVIEW

Protecting Reprogrammable Hardware with Polymorphic Circuit - - PowerPoint PPT Presentation

Oct 09, 2022 145 likes •426 views

Air Force Institute of Technology Develop America's Airmen Today ... for Tomorrow Protecting Reprogrammable Hardware with Polymorphic Circuit Variation* J. Todd McDonald, Yong C. Kim, and Michael R. Grimaila Center for Cyberspace Research Air

slide-1
SLIDE 1

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

1

Air Force Institute of Technology

Protecting Reprogrammable Hardware with Polymorphic Circuit Variation*

  • J. Todd McDonald, Yong C. Kim,

and Michael R. Grimaila Center for Cyberspace Research Air Force Institute of Technology WPAFB, OH

*The views expressed in this article are those of the authors and do not reflect the official policy

  • r position of the United States Air Force, Department of Defense, or the U.S. Government
slide-2
SLIDE 2

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

2

Outline

  • Protection Context
  • Polymorphic Variation as Protection
  • Hiding Properties of Interest
  • Framework and Experimental Results
slide-3
SLIDE 3

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

3

Protection Context

  • Embedded Systems / “Hardware”
  • Increasingly represented as reprogrammable logic (i.e., software!)
  • We used to like hardware because it offered “hard” solutions for

protection (physical anti-tamper, etc.)

  • Our beginning point: what happens if hardware-based

protections fail?

  • Hardware protection: I try to keep you from physically getting the

netlist/machine code

  • Software protection: I give you a netlist/machine code listing and

ask you questions pertaining to some protection property of interest

  • Protection/exploitation both exist in the eye of the beholder
slide-4
SLIDE 4

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

4

Protection Context

  • Critical military / commercial systems vulnerable to

malicious reverse engineering attacks

  • Financial loss
  • National security risk
  • Reverse Engineering and

Digital Circuit Abstractions

slide-5
SLIDE 5

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

5

Polymorphic Variation as Protection

  • Experimental Approach:
  • Consider practical / real-world /

theoretic circuit properties related to security

  • Use a variation process to create

polymorphic circuit versions

  • Polymorphic = many forms of circuits

with semantically equivalent or semantically recoverable functionality

  • Characterize algorithmic effects:
  • Empirically demonstrate properties
  • Prove as intractable
  • Prove as undecidable
slide-6
SLIDE 6

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

6

Polymorphic Variation as Protection Algorithm and Variant Characterization: Selection: 1) Random 2) Deterministic Replacement 1) Random 2) Deterministic

slide-7
SLIDE 7

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

7

The ONLY true “Virtual Black Box”

Hiding Properties of Interest

5 6 7 4 2 3 1

“The How” Semantic Behavior

2 3 1 6 4 7

General Intuition and Hardness of Obfuscation

slide-8
SLIDE 8

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

8

Hiding Properties of Interest

  • Since we can’t hide all information leakage….
  • Can we protect intent?
  • Tampering with code in order to get specific results
  • Manipulating input in order to get specific results
  • Correlating input/output with environmental context
  • Can we impede identical

exploits on functionally equivalent versions?

  • Can we define and

measure any useful definition of hiding short of absolute proof and not based solely on variant size?

slide-9
SLIDE 9

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

9

Hiding Properties of Interest

Functional Hiding Control Hiding Component Hiding Signal Hiding Topology Hiding (Gate Replacement)

Logical View Physical Manifestation

Side Channel Properties

slide-10
SLIDE 10

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

10

Framework and Experimental Results

  • When does (random/deterministic) iterative selection

and replacement: 1) Manifest hiding properties of interest? 2) Cause an adversarial reverse engineering task to become intractable or undecidable?

  • What role does logic reduction and adversarial

reversal play in the outcome (ongoing)

  • Are there circuits which will fail despite the best

variation we can produce? (yes)

slide-11
SLIDE 11

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

11

Framework and Experimental Results

  • Is perfect or near topology recovery useful

(therefore, is topology hiding useful)?

  • In some cases, yes
  • Foundation for other properties (signal / component hiding)
  • For certain attacks, it is all that is required
  • Accomplishing topology hiding
  • Change basis type (normalizing distributions, removing all
  • riginal)
  • Guarantee every gate is replaced at least once
  • Multiple / overlapping replacement = diffusion Topology:

Gate fan-in Gate fan-out Gate type

slide-12
SLIDE 12

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

12

Experiment 1: Measuring “Replacement” Basis Change

c432

c432 120 gates ( 4 ANDs + 79 NANDs + 19 NORs + 18 XORs + 40 inverters ) Decomposed 230 gates ( 60 ANDs + 151 NANDs + 19 NORs + 40 inverters ) Decomposed NOR 843 gates ( 843 NORs)

slide-13
SLIDE 13

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

13

Experiment 1a: Measuring “Replacement” Basis Change

 = {NOR}   = {AND, NAND, OR, XOR, NXOR}

slide-14
SLIDE 14

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

14

Experiment 1b: Measuring “Replacement” Basis Change

 = {NAND}   = {AND, NOR, OR, XOR, NXOR}

slide-15
SLIDE 15

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

15

Experiment 2: Measuring “Replacement” Uniform Basis Distribution

ISCAS-85 c1355

C1355 506 gates ( 56 ANDs + 416 NANDs + 2 ORs + 32 buffers + 40 inverters ) Decomposed 550 gates ( 96 ANDs + 416 NANDs + 6 ORs + 32 buffers + 40 inverters ) Decomposed NAND 730 gates ( 730 NANDs )

slide-16
SLIDE 16

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

16

Experiment 2: Measuring “Replacement” Uniform Basis Distribution

 = {NAND}   = {AND, NAND, OR, NOR, XOR, NXOR} “Single 4000 Iteration Experiment”

slide-17
SLIDE 17

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

17

Experiment 2: Measuring “Replacement” Uniform Basis Distribution

 = {NAND}   = {AND, NAND, OR, NOR, XOR, NXOR} “Multiple 4000 Iteration Experiments”

Iteration 100

100 200 300 400 500 600 700 800 900 1 2 3 4 5 6 7 9 10 12 13 14 Experiment # of Gates XNOR XOR NOR OR NAND AND

slide-18
SLIDE 18

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

18

Experiment 2: Measuring “Replacement” Uniform Basis Distribution

 = {NAND}   = {AND, NAND, OR, NOR, XOR, NXOR} “Multiple 4000 Iteration Experiments”

Iteration 4000

500 1000 1500 2000 2500 3000 3500 4000 4500 5000 1 2 3 4 5 6 7 9 10 12 13 14 Experiment # of Gates XNOR XOR NOR OR NAND AND

slide-19
SLIDE 19

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

19

Experiment 3: Measuring “Replacement” Smart Random Selection

ISCAS-85 c432

Iterative Smart Random 2-Gate Selection Algorithm:

Selection Strategy: Replacement Strategy: Smart Two Gate Random Random Equivalent

slide-20
SLIDE 20

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

20

Experiment 3: Measuring “Replacement” Smart Random Selection

 = {NOR}   = {AND, NAND, OR, XOR, NXOR}

slide-21
SLIDE 21

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

21

Things We’ve Learned Along the Way

  • What algorithmic factors influence hiding properties

the most?

  • Iteration number
  • Selection size
  • Replacement circuit generation (redundant vs. non-redundant)
  • Ongoing work in:
  • Increasing selection size
  • Determinist generation
  • Integrated logic reduction
  • Formal models: term rewriting systems, abstract

interpretation, graph partitioning

slide-22
SLIDE 22

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

22

Questions

?

slide-23
SLIDE 23

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

23

Obfuscation Comparison Models

slide-24
SLIDE 24

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

24

Experiment 1a: Measuring “Replacement”

600 600 675 600

% of ORIGINAL GATES

slide-25
SLIDE 25

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

25

Experiment 1a: Measuring “Replacement”

 = {NOR}   = {AND, NAND, OR, XOR, NXOR}

ISCAS-85 c1355

# of NORs # of Iterations ~7500

slide-26
SLIDE 26

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

26

Experiment 2: Measuring “Replacement”  = {NAND}   = {AND, NAND, OR, NOR, XOR, NXOR} “Single 4000 Iteration Experiment”

200 400 600 800 1000 1200

c1355nand-00000 c1355nand-00100 c1355nand-00200 c1355nand-00300 c1355nand-00400 c1355nand-00500 c1355nand-00600 c1355nand-00700 c1355nand-00800 c1355nand-00900 c1355nand-01000 c1355nand-01100 c1355nand-01200 c1355nand-01300 c1355nand-01400 c1355nand-01500 c1355nand-01600 c1355nand-01700 c1355nand-01800 c1355nand-01900 c1355nand-02000 c1355nand-02100 c1355nand-02200 c1355nand-02300 c1355nand-02400 c1355nand-02500 c1355nand-02600 c1355nand-02700 c1355nand-02800 c1355nand-02900 c1355nand-03000 c1355nand-03100 c1355nand-03200 c1355nand-03300 c1355nand-03400 c1355nand-03500 c1355nand-03600 c1355nand-03700 c1355nand-03800 c1355nand-03900

AND NAND OR NOR XOR XNOR

slide-27
SLIDE 27

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

27

Experiment 2: Measuring “Replacement”  = {NAND}   = {AND, NAND, OR, NOR, XOR, NXOR} “Multiple 4000 Iteration Experiments”