Systems Security: Countermeasures II - Stjepan Picek (PowerPoint presentation)

Systems Security: Countermeasures II

Stjepan Picek s.picek@tudelft.nl

Delft University of Technology, The Netherlands June 21, 2018


Outline

1. Masking Countermeasure
2. Control Flow Integrity
3. Intrusion Detection


Rotating S-box Masking (RSM) Countermeasure

• A relatively simple and efficient countermeasure.
• S-boxes are implemented in ROM.
• Secure against VPA, CPA, and resilient against MIA.


RSM – Nonlinear Part

• Select randomly 16 8-bit constants $m_{0-15}$.

  $$x' = x \oplus m. \tag{1}$$

• 16 rotating S-boxes $S'_{0-15}(x')$.
• Such S-boxes contain a mechanism to unmask the input data, perform the basic $S(x)$ (where $x$ is the 8-bit unmasked data) and remask it.

  $$S'_j(x') = S(m_j \oplus x') \oplus m_{(j+1) \bmod 16}, \quad j \in [0,15]. \tag{2}$$

  $$SB'_j(X') = SB(M_j \oplus X') \oplus M_{(j+1) \bmod 16}, \quad \forall j \in [0,15]. \tag{3}$$

• At each step, $SB'$ unmasks the value, performs $SB$ and then remasks with $M_{j+1}$.
• The order of using constants is always the same.


RSM – Linear Part

• From 16 8-bit masks, create five sets of 16 128-bit constants.
• The first set are constants $M_{0-15}$ where $M_0 = m_0, m_1, \dots, m_{15}$.
• The second set of constants are

  $$MMS_j = MC \circ SR(M_j) \oplus M_j, \quad \forall j \in [0,15].$$

• The third set of constants are $MS_j = SR(M_j), \forall j \in [0,15]$.
• The fourth and fifth sets of constants are the same as the previous two but with inverse functions.


RSM – All Together

• Mask input with mask: $X'_1 = X \oplus M_j$.
• After S-box, $X'_{sbox} = SB(X) \oplus M_{j+1}$.
• To mask linear parts, we need only XOR.
• Simultaneously unmask the data at the end of each round and remask with new constant.

  $$X'_2 = MC \circ SR(SB(X) \oplus M_{j+1}) \oplus K_{round} \tag{4}$$

  $$\phantom{X'_2} = MC \circ SR(SB(X)) \oplus MC \circ SR(M_{j+1}) \oplus K_{round}. \tag{5}$$

• Now we XOR this value with $MMS_j$.


RSM – All Together

• For the final round, since there is no MC operation, we have

  $$SR(SB(X) \oplus M_{(j+14) \bmod 16}) \oplus K_{round}, \quad j \in [0,15]. \tag{6}$$

• That value is unmasked with the constants from the third set $MS_j$.
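
A C sketch of one masked middle round following equations (2) to (5), added here as an illustration and not taken from the slides. It assumes $M_j$ is the mask sequence rotated by $j$ positions, applies the second-set constant with index $j+1$ so the state leaves the round masked with $M_{j+1}$, and uses constructed masks, state and round key.

```c
#include <stdint.h>
static const uint8_t m[16] = {0x1d,0xa2,0x47,0xe8,0x30,0x9b,0x5c,0xf1,  /* constructed  */
                              0x06,0xc9,0x7e,0xb3,0x24,0x8f,0xd5,0x6a}; /* masks m_0-15 */
static uint8_t S[256], Sp[16][256], MMS[16][16];    /* S, S'_j of eq. (2), MMS_j */
static uint8_t xt(uint8_t a) { return (uint8_t)((a << 1) ^ ((a >> 7) * 0x1b)); }
static uint8_t rl(uint8_t a, int n) { return (uint8_t)((a << n) | (a >> (8 - n))); }
static void mc_sr(uint8_t s[16]) {                  /* MC o SR, column-major state */
    uint8_t t[16];
    for (int i = 0; i < 16; i++) t[i] = s[(i + 4 * (i & 3)) & 15];          /* SR */
    for (int i = 0; i < 16; i++) {                                           /* MC */
        const uint8_t *c = t + (i & 12); int r = i & 3;
        s[i] = (uint8_t)(xt(c[r]) ^ xt(c[(r+1)&3]) ^ c[(r+1)&3] ^ c[(r+2)&3] ^ c[(r+3)&3]);
    }
}

static void rsm_init(void) {
    uint8_t p = 1, q = 1;
    do {                                            /* AES S-box: p *= 3, q = 1/p, affine */
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1b : 0));
        q ^= q << 1; q ^= q << 2; q ^= q << 4; if (q & 0x80) q ^= 0x09;
        S[p] = (uint8_t)(q ^ rl(q, 1) ^ rl(q, 2) ^ rl(q, 3) ^ rl(q, 4) ^ 0x63);
    } while (p != 1);
    S[0] = 0x63;
    for (int j = 0; j < 16; j++) {
        for (int x = 0; x < 256; x++) Sp[j][x] = S[x ^ m[j]] ^ m[(j + 1) & 15]; /* eq. (2) */
        for (int i = 0; i < 16; i++) MMS[j][i] = m[(i + j) & 15];   /* M_j: assumed rotation */
        mc_sr(MMS[j]);
        for (int i = 0; i < 16; i++) MMS[j][i] ^= m[(i + j) & 15];  /* MC o SR(M_j) ^ M_j */
    }
}

/* Masked middle round: state enters masked with M_j, leaves masked with M_{j+1}. */
static void rsm_round(uint8_t xm[16], const uint8_t k[16], int j) {
    for (int i = 0; i < 16; i++) xm[i] = Sp[(i + j) & 15][xm[i]];          /* eq. (3) */
    mc_sr(xm);                                                              /* eq. (4)-(5) */
    for (int i = 0; i < 16; i++) xm[i] ^= k[i] ^ MMS[(j + 1) & 15][i];
}

/* 1 if the masked round at offset j, unmasked with M_{j+1}, equals the plain round. */
static int rsm_round_ok(int j) {
    uint8_t ref[16], xm[16], k[16];
    rsm_init();
    for (int i = 0; i < 16; i++) {                  /* constructed X = S[i], K = S[255-i] */
        k[i] = S[255 - i]; ref[i] = S[S[i]]; xm[i] = S[i] ^ m[(i + j) & 15];
    }
    mc_sr(ref); rsm_round(xm, k, j);                /* ref ^ k is the unmasked round output */
    for (int i = 0; i < 16; i++) if ((xm[i] ^ m[(i + j + 1) & 15]) != (ref[i] ^ k[i])) return 0;
    return 1;
}
```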


Control Flow Integrity

• Ideally, Control Flow Integrity (CFI) prevents flows of control that were not intended by the original program (control flow hijacking).
• Control flow hijacking – attacker can exploit memory corruption to redirect the control flow to an arbitrary memory location.
• Languages providing complete memory and type safety generally do not need to be protected by CFI.


Control Flow Integrity

• Every instruction that is the target of a legitimate control flow transfer has a unique ID.
• Checks are inserted before control flow instructions so only valid targets are allowed.
• CFI will cause non-negligible performance overhead due to the introduced checks.
• To improve the performance, sometimes we can reduce the number of IDs in the program (note, this will affect the precision).


Control Flow Integrity

• Conceptually, most CFI mechanisms follow this process:
  1. Analysis phase, where the Control Flow Graph (CFG) is constructed. This graph approximates the set of legitimate control flow transfers.
  2. Enforcement phase, where during runtime the CFG is used to ensure that all executed branches correspond to edges of the CFG.


Analysis Phase

• CFG is computed by analyzing either the source code or binary of a program.
• Here, limitations of static program analysis can lead to over-approximation of control flow transfers.
• As a result, some nonessential edges are included in CFG.
• The CFG cannot be perfectly precise for nontrivial programs.


Enforcement Phase

• Ensure that control flow transfers which are potentially controlled by an attacker correspond to edges in the CFG produced by the analysis phase.
• Control flow transfer can be divided into:
  1. Forward control flow transfers – those that move control to a new location inside a program.
  2. Backward control flow transfers – those that return control to a prior location inside a program.


Forward Control Flow Transfers

• Direct jump – a jump to a constant, statically determined target address. Most local control flow, such as loops or if-then-else cascaded statements, uses direct jumps to manage control.
• Direct call – a call to a constant, statically determined target address. Static function calls, for example, use direct call instructions.
• Indirect jump – a jump to a computed, i.e., dynamically determined target address. An example is switch-case statements using a dispatch table.
• Indirect call – a call to a computed, i.e., dynamically determined target address.


Indirect Calls

• Function pointers – often used to emulate object-oriented method dispatch in classical record data structures, or for passing callbacks to other functions.
• vtable dispatch – the preferred way to implement dynamic dispatch to C++ methods. A C++ object keeps a pointer to its vtable, a table containing pointers to all virtual methods of its dynamic type.
• Smalltalk-style send-method dispatch – requires a dynamic type look-up. Such a dynamic dispatch using a send-method in Smalltalk, Objective-C, or JavaScript requires walking the class hierarchy (or the prototype chain in JavaScript) and selecting the first method with a matching identifier.
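
An added C illustration (not from the slides) of the ID check placed before an indirect call through a function pointer, comparing a fine-grained ID assignment with the reduced single-ID variant. The function names, IDs and the `CFI_VIOLATION` return value are hypothetical; a real CFI scheme emits the check in the compiler or binary rewriter and aborts on a mismatch.

```c
#include <stddef.h>

typedef int (*handler_t)(int);

/* Hypothetical program functions that are legitimate indirect-call targets. */
static int parse_request(int x) { return x + 1; }
static int log_request(int x)   { return x * 2; }
static int admin_reset(int x)   { (void)x; return 9999; }

/* Analysis phase result: every legitimate target carries an ID.
 * Fine-grained: request handlers share ID 1, admin_reset has ID 2.
 * Coarse (fewer IDs, cheaper, less precise): every target is ID 1. */
struct target { handler_t fn; int fine_id; };
static const struct target targets[] = {
    { parse_request, 1 }, { log_request, 1 }, { admin_reset, 2 },
};

static int id_of(handler_t fn, int coarse) {
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        if (targets[i].fn == fn) return coarse ? 1 : targets[i].fine_id;
    return 0;                          /* not a legitimate target at all */
}

#define CFI_VIOLATION (-1)

/* Enforcement phase: the check runs before the indirect call and compares the
 * target's ID with the ID the call site expects. Returns CFI_VIOLATION rather
 * than aborting so the outcome can be inspected. */
static int cfi_call(handler_t fn, int arg, int site_id, int coarse) {
    if (id_of(fn, coarse) != site_id) return CFI_VIOLATION;
    return fn(arg);
}

/* Call site whose CFG edges lead only to the request handlers (ID 1). */
static int dispatch_request(handler_t fn, int arg, int coarse) {
    return cfi_call(fn, arg, 1, coarse);
}
```

With the fine-grained IDs a pointer redirected to `admin_reset` is rejected at this call site; with the single shared ID the same transfer passes the check, which is the precision loss the slides mention.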


Intrusion Detection

• Systems that automatically detect intrusions into computer systems.
• Network intrusion detection systems (NIDS).
• Host-based intrusion detection systems (HIDS).
• If a system has the ability to respond to an intrusion, we call it an intrusion prevention system.


Intrusion Detection

• Detect malicious activities.
• Raise alarms.
• Log events.
• React to attacks.


Network Intrusion Detection System

• Monitor traffic to and from devices in the network.
• Such systems can be online and offline.


Host-based Intrusion Detection System

• Runs on individual hosts or devices in the network.
• A host-based system has the ability to monitor key system files and any attempt to overwrite these files.


Signature-based Intrusion Detection

• Detect attacks by looking for specific patterns.
• Excellent technique for known attacks but may not work for new attacks.
• It is fast, lightweight, and has a low false positive rate.
• SNORT – real-time traffic analysis and packet logging.
• Aho-Corasick algorithm.
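
An added C example (not from the slides and not SNORT's code) of the Aho-Corasick automaton used for multi-pattern signature matching: all signatures are compiled into one state machine and a payload is checked in a single pass. The signature strings and payloads are constructed for the demo, and the fixed state limit only fits these patterns.

```c
#include <string.h>

#define MAXS 64                          /* state limit, enough for the demo set */
#define NSIGS 4
static const char *sigs[NSIGS] = { "cmd.exe", "/etc/passwd", "passwd", "exec(" };
static int go[MAXS][256], fail[MAXS], out[MAXS], nstates;

static void ac_build(void) {
    int queue[MAXS], head = 0, tail = 0;
    memset(go, -1, sizeof go); memset(out, 0, sizeof out); nstates = 1;
    for (int p = 0; p < NSIGS; p++) {            /* 1. trie of all signatures */
        int s = 0;
        for (const unsigned char *c = (const unsigned char *)sigs[p]; *c; c++) {
            if (go[s][*c] < 0) go[s][*c] = nstates++;
            s = go[s][*c];
        }
        out[s] |= 1 << p;                        /* signature p ends in state s */
    }
    for (int c = 0; c < 256; c++) {              /* 2. root loops, depth-1 states */
        if (go[0][c] < 0) go[0][c] = 0;
        else { fail[go[0][c]] = 0; queue[tail++] = go[0][c]; }
    }
    while (head < tail) {                        /* 3. BFS: failure links */
        int s = queue[head++];
        for (int c = 0; c < 256; c++) {
            int t = go[s][c];
            if (t < 0) { go[s][c] = go[fail[s]][c]; continue; }
            fail[t] = go[fail[s]][c];
            out[t] |= out[fail[t]];              /* inherit matches ending in a suffix */
            queue[tail++] = t;
        }
    }
}

/* One pass over the payload; returns a bitmask with bit p set if sigs[p] occurs. */
static unsigned ac_scan(const unsigned char *buf, size_t len) {
    unsigned hits = 0; int s = 0;
    if (!nstates) ac_build();
    for (size_t i = 0; i < len; i++) { s = go[s][buf[i]]; hits |= (unsigned)out[s]; }
    return hits;
}

static unsigned ac_scan_str(const char *payload) {
    return ac_scan((const unsigned char *)payload, strlen(payload));
}
```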


Anomaly-based Intrusion Detection

• Automatic forming of “normal” behavior.
• Machine learning techniques to create a model of “normal” behavior.
• Compare such models with the new observations.
• Since new behavior is likely to be detected as an attack, we often have a problem with false positives.
