Using Logic-Based Reduction for Adversarial Component Recovery*

SLIDE 1

Develop America's Airmen Today ... for Tomorrow Air University: The Intellectual and Leadership Center of the Air Force

Integrity - Service - Excellence

Air Force Institute of Technology

Using Logic-Based Reduction for Adversarial Component Recovery*

J. Todd McDonald, Eric D. Trias, Yong C. Kim, and Michael R. Grimaila
Center for Cyberspace Research
Air Force Institute of Technology
WPAFB, OH

*The views expressed in this article are those of the authors and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the U.S. Government

SLIDE 2

Outline

  • Protection Context
  • Polymorphic Variation as Protection
  • Hiding Properties of Interest
  • Framework and Experimental Results

SLIDE 3

Protection Context

  • Embedded Systems / “Hardware”
  • Increasingly represented as reprogrammable logic (i.e., software!)
  • We used to like hardware because it offered “hard” solutions for protection (physical anti-tamper, etc.)
  • Our beginning point: what happens if hardware-based protections fail?
  • Hardware protection: I try to keep you from physically getting the netlist/machine code
  • Software protection: I give you a netlist/machine code listing and ask you questions pertaining to some protection property of interest
  • Protection/exploitation both exist in the eye of the beholder

SLIDE 4

Protection Context

  • Critical military / commercial systems vulnerable to malicious reverse engineering attacks
  • Financial loss
  • National security risk
  • Reverse Engineering and Digital Circuit Abstractions

SLIDE 5

Polymorphic Variation as Protection

  • Experimental Approach:
  • Consider practical / real-world / theoretic circuit properties related to security
  • Use a variation process to create polymorphic circuit versions
  • Polymorphic = many forms of circuits with semantically equivalent or semantically recoverable functionality
  • Characterize algorithmic effects:
  • Empirically demonstrate properties
  • Prove as intractable
  • Prove as undecidable

SLIDE 6

Two Roads Met in the Woods… and I Went Down Both…

[Diagram labels: Semantic Changing; Semantic Preserving; Black-Box Refinement; Semantic Transformation; Polymorphic Generation; Program Encryption; Random Program Model; Obfuscation]

  • What can I prove / not prove under RPM?
  • What can I measure?
  • What can I characterize?
  • What are the limits if I am only allowed to retain functionality?

SLIDE 7

Defining Obfuscation

  • Since we can’t hide all information leakage….
  • Can we protect intent?
  • Tampering with code in order to get specific results
  • Manipulating input in order to get specific results
  • Correlating input/output with environmental context
  • Can we impede identical exploits on functionally equivalent versions?
  • Can we define and measure any useful definition of hiding short of absolute proof and not based solely on variant size?

SLIDE 8

Hierarchy of Obfuscating Transforms

[Diagram labels: Functional Hiding; Control Hiding; Component Hiding; Signal Hiding; Topology Hiding (Gate Replacement); Logical View; Physical Manifestation; Side Channel Properties]

SLIDE 9

Polymorphic Variation as Protection

Algorithm and Variant Characterization:

  • Selection: 1) Random 2) Deterministic 3) Mixture
  • Replacement: 1) Random 2) Deterministic 3) Mixture

SLIDE 10

Framework and Experimental Results

  • When does (random/deterministic) iterative selection and replacement:
      1) Manifest hiding properties of interest?
      2) Cause an adversarial reverse engineering task to become intractable or undecidable?
  • What role does logic reduction and adversarial reversal play in the outcome (ongoing)
  • Are there circuits which will fail despite the best variation we can produce? (yes)

SLIDE 11

Components

  • Components are building blocks for virtually all real-world circuits
  • Given:
  • circuit C
  • gate set G
  • input set I
  • integer k > 1, where k is the number of components
  • Set M of components {c1,…, ck} partitions G and I into k disjoint sets of inputs and/or gates.
  • Four base cases
  • Based on input/output boundary of component and the parent circuit

SLIDE 12

Component Recovery

SLIDE 13

Independent Components and Induced Redundancy

[Figure panels: ORIGINAL; WHITE-BOX VARIANTS; REDUCED VARIANTS]

SLIDE 14

Observing Independent Component Hiding

SLIDE 15

SLIDE 16

SLIDE 17

Case Study

SLIDE 18

Conclusions

SLIDE 19

Questions

?

SLIDE 20

Hiding Properties of Interest

General Intuition and Hardness of Obfuscation

[Diagram labels: The ONLY true “Virtual Black Box”; “The How”; Semantic Behavior]

SLIDE 21

Framework and Experimental Results

  • Is perfect or near topology recovery useful (therefore, is topology hiding useful)?
  • In some cases, yes
  • Foundation for other properties (signal / component hiding)
  • For certain attacks, it is all that is required
  • Accomplishing topology hiding
  • Change basis type (normalizing distributions, removing all original)
  • Guarantee every gate is replaced at least once
  • Multiple / overlapping replacement = diffusion

Topology: Gate fan-in, Gate fan-out, Gate type
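
An added illustration, not taken from the original slides, of the basis-change step listed above: gates are selected at random and replaced by NAND-only equivalents until none of the original basis remains, then the variant is checked for semantic equivalence by exhaustive simulation. The full-adder netlist, the replacement templates and all function names are constructed for this example.

```python
import itertools
import random
from collections import Counter

OPS = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b,
       "XOR": lambda a, b: a ^ b, "NOR": lambda a, b: 1 - (a | b),
       "NAND": lambda a, b: 1 - (a & b)}

# NAND-only replacement templates as (local wire, in1, in2); "o" is the output.
NAND_EQUIV = {
    "AND": [("t", "a", "b"), ("o", "t", "t")],
    "OR": [("x", "a", "a"), ("y", "b", "b"), ("o", "x", "y")],
    "NOR": [("x", "a", "a"), ("y", "b", "b"), ("z", "x", "y"), ("o", "z", "z")],
    "XOR": [("t", "a", "b"), ("x", "a", "t"), ("y", "b", "t"), ("o", "x", "y")],
}

# Constructed sample: full adder, gates listed in topological order.
INPUTS, OUTPUTS = ["a", "b", "cin"], ["sum", "cout"]
FULL_ADDER = [("s1", "XOR", "a", "b"), ("sum", "XOR", "s1", "cin"),
              ("c1", "AND", "a", "b"), ("c2", "AND", "s1", "cin"),
              ("cout", "OR", "c1", "c2")]

def truth_table(netlist):
    """Exhaustively simulate the netlist; returns one output tuple per input row."""
    rows = []
    for bits in itertools.product((0, 1), repeat=len(INPUTS)):
        v = dict(zip(INPUTS, bits))
        for name, op, a, b in netlist:
            v[name] = OPS[op](v[a], v[b])
        rows.append(tuple(v[o] for o in OUTPUTS))
    return rows

def replace_gate(netlist, idx, uid):
    """Swap one gate for its NAND-only equivalent, keeping its output wire name."""
    name, op, a, b = netlist[idx]
    wires = {"a": a, "b": b, "o": name}
    new = []
    for local, x, y in NAND_EQUIV[op]:
        wires.setdefault(local, f"{name}_{uid}_{local}")
        new.append((wires[local], "NAND", wires[x], wires[y]))
    return netlist[:idx] + new + netlist[idx + 1:]

def vary(netlist, seed=0):
    """Random selection until no gate of the original basis remains."""
    rng, out, uid = random.Random(seed), list(netlist), 0
    while any(g[1] != "NAND" for g in out):
        idx = rng.choice([i for i, g in enumerate(out) if g[1] != "NAND"])
        out, uid = replace_gate(out, idx, uid), uid + 1
    return out

def gate_histogram(netlist):
    return Counter(op for _, op, _, _ in netlist)
```

Comparing `gate_histogram` before and after `vary` shows the gate-type distribution collapsing to a single basis while `truth_table` stays unchanged.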

SLIDE 22

Experiment 1: Measuring “Replacement” Basis Change

c432

  • c432: 120 gates (4 ANDs + 79 NANDs + 19 NORs + 18 XORs + 40 inverters)
  • Decomposed: 230 gates (60 ANDs + 151 NANDs + 19 NORs + 40 inverters)
  • Decomposed NOR: 843 gates (843 NORs)

SLIDE 23

Experiment 1a: Measuring “Replacement” Basis Change

 = {NOR}   = {AND, NAND, OR, XOR, NXOR}

SLIDE 24

Experiment 1b: Measuring “Replacement” Basis Change

 = {NAND}   = {AND, NOR, OR, XOR, NXOR}

SLIDE 25

Experiment 2: Measuring “Replacement” Uniform Basis Distribution

ISCAS-85 c1355

  • C1355: 506 gates (56 ANDs + 416 NANDs + 2 ORs + 32 buffers + 40 inverters)
  • Decomposed: 550 gates (96 ANDs + 416 NANDs + 6 ORs + 32 buffers + 40 inverters)
  • Decomposed NAND: 730 gates (730 NANDs)

SLIDE 26

Experiment 2: Measuring “Replacement” Uniform Basis Distribution

 = {NAND}   = {AND, NAND, OR, NOR, XOR, NXOR} “Single 4000 Iteration Experiment”

SLIDE 27

Experiment 2: Measuring “Replacement” Uniform Basis Distribution

 = {NAND}   = {AND, NAND, OR, NOR, XOR, NXOR} “Multiple 4000 Iteration Experiments”

[Chart, Iteration 100: # of Gates per Experiment, by gate type (XNOR, XOR, NOR, OR, NAND, AND)]

SLIDE 28

Experiment 2: Measuring “Replacement” Uniform Basis Distribution

 = {NAND}   = {AND, NAND, OR, NOR, XOR, NXOR} “Multiple 4000 Iteration Experiments”

[Chart, Iteration 4000: # of Gates per Experiment, by gate type (XNOR, XOR, NOR, OR, NAND, AND)]

SLIDE 29

Experiment 3: Measuring “Replacement” Smart Random Selection

ISCAS-85 c432

Iterative Smart Random 2-Gate Selection Algorithm:

  • Selection Strategy: Smart Two Gate Random
  • Replacement Strategy: Random Equivalent

SLIDE 30

Experiment 3: Measuring “Replacement” Smart Random Selection

 = {NOR}   = {AND, NAND, OR, XOR, NXOR}

SLIDE 31

Things We’ve Learned Along the Way

  • What algorithmic factors influence hiding properties the most?
  • Iteration number
  • Selection size
  • Replacement circuit generation (redundant vs. non-redundant)
  • Ongoing work in:
  • Increasing selection size
  • Deterministic generation
  • Integrated logic reduction
  • Formal models: term rewriting systems, abstract interpretation, graph partitioning

SLIDE 32

Obfuscation Comparison Models

SLIDE 33

Experiment 1a: Measuring “Replacement”

[Chart axis: % of ORIGINAL GATES]

SLIDE 34

Experiment 1a: Measuring “Replacement”

 = {NOR}   = {AND, NAND, OR, XOR, NXOR}

ISCAS-85 c1355

[Chart: # of NORs against # of Iterations; annotation: ~7500]

SLIDE 35

Experiment 2: Measuring “Replacement”

 = {NAND}   = {AND, NAND, OR, NOR, XOR, NXOR} “Single 4000 Iteration Experiment”

[Chart: gate counts by type (AND, NAND, OR, NOR, XOR, XNOR) for variants c1355nand-00000 through c1355nand-03900, one every 100 iterations]

SLIDE 36

Experiment 2: Measuring “Replacement”

 = {NAND}   = {AND, NAND, OR, NOR, XOR, NXOR} “Multiple 4000 Iteration Experiments”