David Lie
Patrick Lincoln
Dan Boneh
John Mitchell
Mark Horowitz
Abstract
Although there have been attempts to develop code transformations that yield tamper-resistant software, no reliable software-only methods are known. This paper studies the hardware implementation of a form of execute-only memory (XOM) that allows instructions stored in memory to be executed but not otherwise manipulated. To support XOM code we use a machine that supports internal compartments---a process in one compartment cannot read data from another compartment. All data that leaves the machine is encrypted, since we assume external memory is not secure. The design of this machine poses some interesting trade-offs between security, efficiency, and flexibility. We explore some of the potential security issues as one pushes the machine to become more efficient and flexible. Although security carries a performance penalty, our analysis indicates that it is possible to create a normal multi-tasking machine where nearly all applications can be run in XOM mode. While a virtual XOM machine is possible, the underlying hardware needs to support a unique private key, private memory, and traps on cache misses. For efficient operation, hardware assist to provide fast symmetric ciphers is also required.
- 1 Business Software Alliance, 2000. h t t p ://~m , bsa. org.]]Google Scholar
- 2 The Trusted Computing Platform Allicance, 2000. h t t p ://~, trustedpc, com.]]Google Scholar
- 3 It. Anderson, E. Biham, and L. Knudsen. Serpent: A proposal for the advanced encryption standard. Technical report, National Institute of Standards and Technology (NIST), March 2000. Available at h t t p ://c s r c , n i s t . gov/encryption/aes/round2/r2algs, htm.]]Google Scholar
- 4 D. Boneh, D. Lie, P. Lincoln, J. Mitchell, and M. Mitchell. Hardware support for tamper-resistant and copy-resistant software. Technical Report CS-TN-00-97, Stanford University Computer Science, 2000.]] Google ScholarDigital Library
- 5 J. Burke, J. McDonald, and T. Austin. Architectural support for fast symmetric-key cryptography. In Proceedings of the 9th International Conference Architectural Support for Programming Languages and Operating Systems, 2000.]] Google ScholarDigital Library
- 6 S. Chari, C. Jutla, J. Rao, and P. Rohatgi. Towards sound approacJaes to counteract power analysis attacks. In Proceedings of CRYPTO'99: 19th Annual International Cryptology Conference, volume 1666, pages 398-412, 1999.]] Google ScholarDigital Library
- 7 J. Daemen and V. Rijmen. AES proposal: Rijndael. Technical report, National Institute of Standards and Technology (NIST), March 2000. Available at http://csrc, n i s t . gov/encryption/aes/round2/r2algs, h~m.]]Google Scholar
- 8 H. Eberle and C. Thacker. A 1Gbit/second GaAs DES chip. In Proceedings of the IEEE Custom Integrated Circuits Conference, pages 19.7.1-19.7.4, May 1992.]]Google Scholar
- 9 Wave Corporation Embassy Technology, 2000. h t t p ://m , wave. com.]]Google Scholar
- 10 T. Gilmont, J.-D. Legat, and J.-J. Quisquater. An architecture of security management unit for safe hosting of multiple agents. In Proceedings of the International Workshop on Intelligent Communications and Multimedia Terminals, pages 79-82, November 1998.]]Google Scholar
- 11 T. Gilmont, J.-D. Legat, and J.-J. Quisquater. Hardware security for software privacy support. Electronics Letters, 35(24):2096--2097, November 1999.]]Google ScholarCross Ref
- 12 R.P. Goldberg. Survey of virtual machine research. /BEE Computer Magazine, 7(6):35-45, June 1974.]]Google Scholar
- 13 B. Kaliski Jr. and M. Robshaw. Message authentication with MD5. CryptoBytes, 1(1):5-8, 1995.]]Google Scholar
- 14 P. Kocher, J. Jalfe, and B. Jun. Differential power analysis. In Proceedings of CRYPTO'g9: lgth Annual International Cryptology Conference, volume 1666, pages 388-397, 1999.]] Google ScholarDigital Library
- 15 H. Krawczyk, M. Bellare, and It. Canetti. HMAC: Keyed-hashing for message authentication. http://w~u~, i e t f . o r g /r f c /r f c 2 1 0 4 , t x t , February 1997.]] Google ScholarDigital Library
- 16 K. Krewell. Quicktake: Willamette revealed. Technical report, Calmers Microprocessor, February 2000. Available at w~m. MPRonline. com.]]Google Scholar
- 17 B. Lampson, M. Abadi, M. Burrows, and E. Wobber. Authenticaton in distributed systems: Theory and practice. In Proccedings of the 13th ACM Symposium on Operating Systems, volume 10, pages 265-310, 1992.]]Google ScholarDigital Library
- 18 A. Maynard, C. Donnelly, and B. Olszewski. Contrasting characteristics and cache performance of technical and multi-user commercial workloads. In Proceedings of the 6th International Conference Architectural Support for Programming Languages and Operating Systems, pages 145-156, 1994.]] Google ScholarDigital Library
- 19 A.J. Menzies, P.C. van Oorschot, and S.A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997.]]Google Scholar
- 20 National Bureau of Standards. NBS FIPS PUB 46, "Data Encryption Standard". National Bureau of Standards, U.S. Department of Commerce, January 1977.]]Google Scholar
- 21 S. Polonsky, D. Knebel, P. Sanda, M. McManns, W. Huott, A. Pelella, D. Manzer, S. Steen, S. Wilson, and Y.Chan. Non-invasive timing analysis of IBM G6 microprocessor L1 cache using backside time-resolved hot electron luminescence. In Proceedings of the IEEE International Solid-state Circuits Conference, pages 222-224, 2000.]] Google ScholarDigital Library
- 22 ANSI X9.17 (Revised). American national standard for financial institution key management (wholesale). American Bankers Association, 1985.]]Google Scholar
- 23 J. Saltzer and M. Schroeder. The protection of information in computer systems. IEEE, 63(9):1278-1308, September 1975.]]Google ScholarCross Ref
- 24 B. Sehneier. Applied Cryptography. John Wiley & Sons, 2nd edition, 1996.]]Google Scholar
- 25 W. Tuchman. Hellman presents no shortcut solutions to DES. IEEE Spectrum, 16(7):40-41, July 1979.]]Google ScholarCross Ref
- 26 J. Tygar and B. Yee. Dyad: A system for using physically secure coprocessors. Technical l~eport CMU-CS-91-140R, Carnegie Mellon University, May 1991.]]Google Scholar
- 27 B. Weeks, M. Bean, T. Rozylowicz, and C. Ficke. Hardware performance simulations of round 2 advanced encryption standard algorithms. Technical report, National Security Agency, August 2000. Available at h t t p ://c s r c .n i s t .gov/encryption/aes/round2/r2anlsys, htm.]]Google Scholar
Index Terms
- Architectural support for copy and tamper resistant software
Recommendations
Architectural support for copy and tamper resistant software
Special Issue: Proceedings of the ninth international conference on Architectural support for programming languages and operating systems (ASPLOS '00)Although there have been attempts to develop code transformations that yield tamper-resistant software, no reliable software-only methods are know. This paper studies the hardware implementation of a form of execute-only memory (XOM) that allows ...
Architectural support for copy and tamper resistant software
ASPLOS IX: Proceedings of the ninth international conference on Architectural support for programming languages and operating systemsAlthough there have been attempts to develop code transformations that yield tamper-resistant software, no reliable software-only methods are know. This paper studies the hardware implementation of a form of execute-only memory (XOM) that allows ...
Architectural support for copy and tamper resistant software
Although there have been attempts to develop code transformations that yield tamper-resistant software, no reliable software-only methods are know. This paper studies the hardware implementation of a form of execute-only memory (XOM) that allows ...
Comments