Attacking an Obfuscated Cipher by Injecting Faults

Size: px

Start display at page:

Download "Attacking an Obfuscated Cipher by Injecting Faults"

Marsha Potter
5 years ago
Views:

1 Attacking an Obfuscated Ciphe by Injecting Faults Matthias Jacob 1, Dan Boneh 2, and Edwad Felten 1 1 Pinceton Univesity {mjacob,felten}@cs.pinceton.edu 2 Stanfod Univesity dabo@cs.stanfod.edu Abstact. We study the stength of cetain obfuscation techniques used to potect softwae fom evese engineeing and tampeing. We show that some common obfuscation methods can be defeated using a fault injection attack, namely an attack whee duing pogam execution an attacke injects eos into the pogam envionment. By obseving how the pogam fails unde cetain eos the attacke can deduce the obfuscated infomation in the pogam code without having to unavel the obfuscation mechanism. We apply this technique to extact a secet key fom a block ciphe obfuscated using a commecial obfuscation tool and daw conclusions on peventing this weakness. 1 Intoduction In ecent yeas the advent of mass distibution of digital content fueled the demand fo tools to pevent softwae and digital media fom illegal copying. The goal is to make it hade fo a malicious peson to evese enginee o modify a given piece of softwae. One well known technique fo peventing illegal use of digital media is watemaking fo audio and video content [1] which had only limited success. Anothe common appoach is to only distibute encypted content (see, e.g., CSS [2], Intetust [3], MS Windows Media Technologies [4], Adobe EBooks [5]). Uses un content playes on thei machines and these playes enfoce access pemissions associated with the content. In most of these systems the softwae playe contains some secet infomation that enables it to decypt the content intenally. Clealy the whole point is that the use should not be able to emulate the playe and decypt the content by heself. As a esult, the secet infomation that enables the playe to decypt the content must be hidden somehow in the playe s binay code. We note that hadwae solutions, whee the decyption key is embedded in tampe-esistant hadwae [6,7,8], have had some success [9,10], but clealy a softwae only solution, assuming it is secue, is supeio because it is moe cost efficient and easie to deploy. This bings us to one of the main challenges facing content potection vendos: is it possible to hide a decyption key in the implementation of a block ciphe (e.g. AES) in such a way that given the binay code it is had to extact the decyption key. In othe wods, suppose D k (c) is an algoithm fo decypting J. Feigenbaum (Ed.): DRM 2002, LNCS 2696, pp , c Spinge-Velag Belin Heidelbeg 2003

2 Attacking an Obfuscated Ciphe by Injecting Faults 17 the ciphetext c using the key k. Is it possible to modify the implementation of D k (c) so that extacting k by evese engineeing is sufficiently had? If hiding the key in a binay is possible, it has a cucial advantage ove altenative key hiding techniques: in ode to decypt content the binay needs to be executed, and efficient access contol mechanisms exist in the opeating system in ode to pevent unauthoized execution, wheeas hiding a stoed key in memoy is difficult [11]. Key obfuscation is a vey old question aleady mentioned in the classic pape of Diffie and Hellman [12]. Code obfuscation is a common technique fo potecting softwae against evese engineeing and is commonly used fo hiding popietay softwae systems and sensitive system components such as a ciphe. Commecial obfuscation tools often wok by taking as input abitay pogam souce code, and they output obfuscated binay o souce code that is hade to evese enginee and thus to manipulate than the oiginal softwae [13,14,15,16,17]. Howeve, it is unclea whethe obfuscation techniques can be stong enough to potect sensitive softwae systems such as a ciphe implementation. In this pape we investigate a commecial state-of-the-at obfuscated cyptosystem [18] that hides a secet key. An ideal obfuscation tool tuns pogam code into a black-box, and theefoe it is impossible to find out any popeties of the pogam. In pactice howeve, obfuscation tools often only appoximate the ideal case. When obfuscating a cyptosystem the obfuscato embeds a secet key into the pogam code and obfuscates the code. It should be had to figue out any popeties about the key by just investigating the code. Howeve, we show how to extact the secet key fom the system in only a few cyptogaphic opeations and come to the conclusion that cuent obfuscation techniques fo hiding a secet key ae not stong enough to esist cetain attacks. Ou attack is based on diffeential fault analysis [19] in which an attacke injects eos into the code in ode to get infomation about the secet key. The impact of this attack is compaable to an attack on an RSA implementation based on the Chinese Remainde Theoem that equies only one faulty RSA signatue in ode to extact the pivate key [20]. Fault attacks ae a theat on tampe-esistant hadwae [9], and in this pape we show that an advesay can also inject faults to extact a key fom obfuscated softwae. Based on ou expeience in attacking an obfuscated cyptosystem we popose techniques fo stengthening code obfuscation to make fault attacks moe difficult and make a fist step in undestanding the limits of pactical softwae obfuscation. 2 Attacking an Obfuscated Ciphe Implementation In this section we descibe ou attack on a state-of-the-at obfuscato [18] illustated in Figue 1. We wee given the obfuscated souce code fo both DES encyption and decyption of the iteated block ciphe. Ou goal was to evese enginee the system only based on knowledge of this obfuscated souce code. Fo the given obfuscated code the attacke does not lean moe popeties about the

3 18 Matthias Jacob, Dan Boneh, and Edwad Felten + Key Obfuscato Fig. 1. Opeation of the obfuscato on the ound-based ciphe: It tansfoms the key and the oiginal souce code into code that implements evey ound as a lookup table of pecomputed values. The intemediate esults afte each ound ae encoded pogam by investigating the obfuscated souce code than by just disassembling the binay because most of the pogam is composed of lookup tables. In this paticula appoach the obfuscation method hides the secet key of a ound-based ciphe in the code. Because a ound-based ciphe exposes the secet key evey time it combines the key with the input data of a ound, the obfuscato injects andomness and edundancies and efines the esulting boolean opeations into lookup tables. Instead of executing algoithmic code, the pogam steps though a chain of pecomputed values in lookup tables and etieves the coect esult. Theefoe it is difficult to obtain any infomation about the single ounds by just looking at the souce code o binay code, but in ou attack we obtain infomation by obseving and changing data duing the encyption pocess. 2.1 Obfuscating an Iteated Block Ciphe The obfuscation pocess of the ciphe implementation is shown in Figue 1. The obfuscato tansfoms the oiginal souce code and the key into a ciphe in which the key is embedded and hidden in the ounds. The single ounds of the ciphe ae unolled, but the boundaies of each ound ae clealy ecognizable. The ciphe contains n ounds πi k fo each i =1,.., n with the key k. Including the initial pemutation λ the ciphe computes the function E k (M) := [ λ 1 π k n π k n 1... π k 1 λ ] (M). Howeve, intepetation of any intecepted intemediate esults is difficult since the obfuscato maps the oiginal intemediate esults afte each ound to a new epesentation. This tansfomation is descibed in detail in [18]. In the following paagaphs we give an algebaic definition fo the tansfomation into the 96-bit intemediate epesentation of the obfuscato in [18]. In the fist step we define some basic opeations. x m i extacts bits i though i + m fom a bit sting. EP(x) computes the DES expansion pemutation. x 1 x 2...x n m i = x i x i+1...x i+m x 1 x 2...x n i = x i EP i (x) =EP(x) 6 6i

4 Attacking an Obfuscated Ciphe by Injecting Faults 19 R k R k = EP(R k ),i = EP i(r k ) The t-box T,i k (L,R k ) computes the i-th DES s-box in ound fo i =0..7 and appends R(L,R k ) which takes the fist and sixth bit fom R,i k and appends two andom bits fom L. The bits fom L ae used to fowad the left hand side infomation in the t-boxes, and the fist and sixth bit fom R,i k to econstuct R k fom the s-box esult in ode to fowad it to ound + 1 as the left hand side input. T,i(L k,r k )=S,i(R k,i) k R(L,R,i) k T k (L,R k )=T k,γ (0) (L,R k ) T k,γ (1) (L,R k )... T k,γ (11) (L,R k ) Fo i = T,i k (L, R k ) outputs eithe andom dummy values o bits fom L. In ode to obfuscate the esult γ pemutes the ode of the t-boxes on T = {T,0...T k,11}. k Additionally, φ applies a bijective non-linea encoding on 4-bit blocks x j fo j = whee φ (x) =(φ,1 (x 1 ),φ,2 (x 2 ),..., φ,24 (x 24 )) and x = x 1 x 2...x 24. Since a single t- box consists of 8 bit outputs, two diffeent bijective non-linea encodings belong to one t-box. In ode to do the second step the obfuscated DES implementation needs to be able to ecove the oiginal ight hand side input to ound, and this gets implemented using function α,i k (y) which takes the fowaded bits x 1 and x 2 that descibe the ow of the s-box. α k,i(y, x 1,x 2 )=EP 1 i ((S k,i) 1 (y, x 1,x 2 )) L = L 0 L 1 L 2... L 7 R = R 0 R 1 R 2... R 7 The second step then implements the function τ k,i in which µ (n) descibes the coesponding position of the bit in the output of the t-boxes, and PB is the DES p-box opeation: τ,i k (x)(li,r i ) =α,i(x k 4 8γ,x (i) 8γ (i)+4, x 8γ(i)+5) }{{} [ depends on R 1 only EP i PB (x 4 γ(0) x 4 γ... (1) x 4 γ }{{ (11) ) } depends on R 1 only (x µ(0)... x µ(32) ) ] }{{} depends on L 1 only τ k (x) =τ k,0(x) τ k,1(x)... τ k,11(x) ψ and φ ae diffeent non-linea bijective encodings on 4-bit blocks, and δ

5 20 Matthias Jacob, Dan Boneh, and Edwad Felten δ (L, R )=γ (µ ((L 0 24 ),R )) µ (x 0 x 1...x 47,y 0...y 47 )=y 0...y 5 x µ 1 x µ 1 γ (z 0 z 1...z 95 )=z γ 1 The obfuscated t-box is (22) x µ 1 (0) x µ 1 (23)...x µ 1 (1) y 6...y 11 x µ 1 (47) (2) x µ 1 (0)...z (γ 1 (0)+5) z 6z 7...z γ 1 (11)...z (γ 1 T k (x) =(φ T k ψ 1 1 )(x). Hence the tansfomed function is: E k (x) = [ (λ 1 δn 1 ψn 1 (( ) ( (( ψ n δ n τnφ k 1 n φn Tn k ψn 1))... ψ1 δ 1 τ1 k φ 1 ) ( 1 φ1 T1 k ψ0 1 ) (ψ0 δ 0 βλ) )] (x) with β(l, R) =L EP(R) By setting ψ 0 δ 0 βλ =0 τ k = ψ δ τ k φ 1 =1,.., n λ 1 δn 1 ψn 1 = n +1 the esulting encyption opeation is E k (x) = [ τ n+1 k (τ k n T n k ) (... τ k 1 T 1 k ) ] τ k 0 (x) (3)...y 42...y 47 (11)+5) z 94z 95 Evey component τ i k and T i k is implemented within a sepaate lookup table. Fo convenience set and obtain τ k = { τ k =0,= n +1 τ k T k =1,.., n E k (x) = [ τ n+1 k τ n k... τ 0 k ] (x) Figue 2 shows the deobfuscation poblem. Given one DES ound and the obfuscated intemediate epesentations an attacke wants to find out the intemediate epesentation which is encoded by the unknown function σ. This σ is the invese of the encoded input to the t-box (by ψ), the pemutation of the t-boxes γ, and the andom distibution of the left hand side µ : σ (L,R )=ψ (δ (L,EP(R ))) E k (x) contains the key k implicitly in τ k (in [18] τ k τ n+1 k to M 3 and all othe τ k hides the decomposition into its components σ 1 0 coesponds to M 1, to M 2 ). In othe wods, the implementation of τ k 1, πk, and σ. Hence, ecoveing the key boils down to the poblem of extacting π k out of τ. In any futhe explanations we emove λ fom any computation since it does not play any ole in the attack and can be easily inveted. Theefoe τ 0 k = ψ 0 and τ n+1 k = ψ n.

6 Attacking an Obfuscated Ciphe by Injecting Faults 21 L 1 32 σ 1 ( L ) 1,R 1 96 R 1 32 f k 32 L 96 σ (L,R) R Fig. 2. Round with the function f k hiding the key k. σ is the intemediate epesentation and L and R ae the left hand and the ight hand side of the intemediate esult espectively. The ounds π k coespond to π k = f k (R 1 L 1,R 1) fo =1..n 2.2 Attacking an Obfuscated Iteated Block Ciphe In an example fo a naive appoach fo attacking the obfuscated ciphe an advesay encypts some abitay plaintext and intecepts intemediate esults to obtain σ (L,R ). The advesay stats the attack by encypting plaintexts p that have one single bit set, and aftewad examines the obfuscated intemediate esults afte the fist ound π1 k duing encyption. By heuistically computing the diffeences between (τ 1 τ 0 )(p) and (τ 1 τ 0 )(0) fo p 0 we find that (τ 1 τ 0 )(p) changes deteministically fo all p that have one bit set in the left hand side of the plaintext L 0 due to the constuction of the t-boxes. Howeve, since the advesay is not able to compute σ 1 1 in ode to etieve R 1 any knowledge of R 0 and L 0 is meaningless if she wants to extact the key. An attack that woks on the fist ound by ecoveing σ1 1 of the ciphe is the statistical bucketing attack [18]. This attack exploits some popeties of the DES s-boxes and equies about 2 13 encyptions. In contast ou attack woks fo any ound-based block ciphe and equies only dozens of encyptions. We now descibe how we use a simplified diffeential cyptanalysis called diffeential fault analysis [19] to ecove the key in a few opeations. In this attack an advesay flips bits in the input to the last ound function fn k and computes the diffeent outputs to find out the ound function fn k of the last ound n. When injecting single bit faults into the last ound using chosen ciphetexts only dozens of cyptogaphic opeations ae necessay in ode to find fn. k The implementation of this attack equies less infomation about the intemediate epesentation than the naive attack since an attacke only needs to flip a single bit in the obfuscated intemediate epesentation, and it is not necessay to figue out any invese mappings σ 1. Also, this attack is independent fom the DES stuctue and can be applied to any ound-based block ciphe. We ty to apply deteministic changes to σ n 1 (L n 1,R n 1 ), the state going into the last ound, and then un the last ound opeation.

7 22 Matthias Jacob, Dan Boneh, and Edwad Felten L n 1 R n f n k 32 L n R n Fig. 3. Last ound with the ound function f k n. In the last ound the ight hand side and the left hand side of the output ae usually not cossed ove Figue 3 shows the last ound of the ciphe. An attacke knows R n = R n 1 fom the ciphetext which is also the input to the ound function of the last ound. In addition an attacke can modify R n 1 even if the mapping of σ n 1 is unknown by changing R n in the ciphetext, decypting the ciphetext, and encypting the esulting plaintext aftewad. Theefoe we have two peconditions fo the attack: Fist, both encyption and decyption opeations need to be available, and second, the attacke needs to be able to modify the ciphetext abitaily. Using this technique we can find out the positions of µ (i) fo i = which descibe the bits fo the left-hand side. Fom the definition of T,i k it is clea, that if the attacke keeps the ight-hand side input constant, the obseved changes in the input to the t-boxes uniquely efe to changes in the left-hand side of the input. The attacke is not able to set L n 1 to 0 since she would need to know the ound function and hence the key. Theefoe, R n =0 and L n 1 = fn(0) k L n. Now the attacke builds a table of (c) :=σ n 1 (c, 0) σ n 1 (0, 0) fo c = Since σ contains the unknown non-linea bijection δ 1 it is not possible to build a linea opeato in. Howeve, using the table the attacke can always econstuct the left-hand side of the input in the scenaio whee the ight-hand side is 0. Futhemoe, diffeent bits of the left-hand side L n 1 can coespond to the same t-box, and in this case the encoding depends on two bits. Theefoe, in the fist pat the attacke tests which bits coespond to the same t-box and then ties all possible bit combinations into this t-box. In this way the attacke gets all possible values fo σ induced by the left-hand side L n 1. Detemining the oiginal value L n 1 f k n(0) given the intemediate epesentation is just a table lookup. The idea now is to inject faults into the input to the s-box and obseve the output. Unfotunately, the attacke does not know how the ight-hand side gets encoded in σ. In ode to get aound this poblem the attacke feeds a value x into R n 1 that is diffeent fom 0 and then esets L n 1 to 0. Finally, L n contains f k n(x) f k n(0), and the attacke can extact the key fo the last ound

8 Attacking an Obfuscated Ciphe by Injecting Faults 23 using diffeential cyptanalysis. Getting the DES key fom the ound key equies a2 8 bute-foce seach. The poblem is that if the ight hand side R n 1 changes to some value 0 the t-box inputs collide with the 16 bits of the left-hand side L n 1. Theefoe it is not possible to decode the left-hand side L n 1 uniquely since complete new values might show up in the t-boxes that ae taking as input bits fom the left-hand side. Howeve, if the attacke sets only one bit in R n 1 at most two diffeent t-box outputs ae affected, and hence the attacke can simply count the occuences of the encoded 4-bit values at a cetain position in σ. We descibe the algoithm fo the attack when the specification of the ound function is known. We will explain at the end of the algoithm how the algoithm needs to be changed to attack an unknown ound function. Fo convenience we use D k (c) to descibe the decyption of ciphetext c using key k, and E k i (p) =(L i,r i ) to descibe iteation of plaintext p fo i ounds in the encyption opeation using key k. s n (k) = s 1 n(k)... s 8 n(k) is the key schedule fo key k in ound n, m is the size of the input wod, and the sboxes sb n (x) =sb 1 n(x 1 )... sb 8 n(x 8 ): f k n(x 1... x 8 ):=sb 1 n(x 1 s 1 n(k))... sb 8 n(x 8 s 8 n(k)) In ou simplified model the in- and outputs of the s-box have the same size, and the system computes the xo of the key and the input to the s-box. The algoithm consists of 3 basic opeations: A Set opeation changes any abitay vaiable. When we do a Compute we execute an opeation in the iteated block ciphe. This can be encyption, decyption, o just a single ound of the ciphe. Deive computes values on known vaiables without executing the ciphe. Figue 4 illustates the single steps of the algoithm. Ou attack algoithm woks as follows: 1. Initialization: (Figue 4 top left) Set L n := 0, R n := 0 Compute σ n 1 (L n 1,R n 1 )=E k n 1(D k (L n,r n )) Result: L n 1 = f k n(0), R n 1 =0 Deive Ω = σ n 1 (L n 1,R n 1 )=σ n 1 (f k n(0), 0) 2. Reconstuct (x): (Figue 4 top ight) Fo j =0to 23: Set m(j) :=0 Fo i =0to 31: Set L n := 2 i, R n := 0 Compute σ n 1 (L n 1,R n 1 )=E k n 1(D k (L n,r n )) Set (L n ):=σ n 1 (L n 1,R n 1 ) Ω Fo j =0to 23: If ( (L n ) 4 4j 0) Set b[j][m(j)] := i Set m(j) :=m(j)+1

9 24 Matthias Jacob, Dan Boneh, and Edwad Felten fn k (0) 0 fn k (0) 2 i 0 f n k f n k 0 0 i i fn k ( ) i 2 f k n ( 0) i 2 f n k f n k 0 i 2 2 i fn k ( ) fn k ( 0) i 2 Fig. 4. Attacking the last ound of the iteated block ciphe. Boxes having a white backgound indicate that the attacke changed values. The pictue on the top left shows the initialization of the algoithm (step 1). Aftewad, on the top ight we change L n to 2 i in ode to econstuct ψ n 1(x) (step 2). In the bottom left we set 2 i to be input to the ound function. The fault injection takes place on the bottom ight (step 3): We eset L n 1 to f k n(0) and obtain the diffeence f k n(2 i ) f k n(0) in L n Fo j =0to 23: Fo l =0to 2 m(j) 1: Set e := 0 Fo k =0to m(j): If (((l >>k)&1)=1) Set e := e +2 b[j][k] Set L n := e, R n := 0 Compute σ n 1 (L n 1,R n 1 )=E k n 1(D k (L n,r n )) Set (L n ):=σ n 1 (L n 1,R n 1 ) Ω 3. Reset L n 1 to fn(0): k (Figue 4 bottom left) Fo i =0to 31: Set L n := 0, R n := 2 i Compute σ n 1 (L n 1,R n 1 )=En 1(D k k (L n,r n )), Result: L n 1 = fn(2 k i ), R n 1 =2 i Deive w := σ n 1 (L n 1,R n 1 ) Ω = σ n 1 (fn(2 k i ), 2 i ) σ n 1 (0, 0) Fo x in 1 Fo j =0to 23 If ( (x) 4 4j = ) w 4 4j w 4 4j := 0 Compute (L n,r n)=(τ n τ n+1)(w) =(σn 1 1 πk n)(w) Result: L n fn(2 k i ) fn(0), k R n 2 i

10 Attacking an Obfuscated Ciphe by Injecting Faults Do diffeential cyptanalysis to extact the key fo the ound function f k n: l s = L n 4 4(s 1), s = EP(R n) 6 6(s 1) Fo s =1to 8: d s =0 Fo s =1to 8: Fo i =0to 31: Compute c s [i]: sb s n( s [i] c s [i]) = l s [i] Compute d s [i] =d s [i]+1 Set c s := c s [max m i=1 ds [i]] 5. Reconstuct the oiginal key: k:= c 1 c 2... c 8 Compute s n (k) 1 to etieve oiginal key bute-foce seach on the emaining bits of the key. Step 2 of the algoithm econstucts (x), in step 3 we inject the fault by esetting L n 1 to fn(0) k and computing L n = fn(r k n ) fn(0). k In steps 4 and 5 we compute the key given a ound function fn k by concatenating the components going into the s-boxes, inveting the key schedule, and unning a bute-foce seach on the emaining key bits. If the key schedule s n (k) fo ound n is unknown, we cannot do step 5 to get the key out. In this case we have to compute the key fo ound n and then use this key to attack ound n 1 until we extact all ound keys. If the ound function fi k is unknown, we can fist ty out diffeent known ound functions (e.g. Skipjack, Blowfish, DES etc) fo fi k. If none of them woks, we have to do cyptanalysis to ecove the s-boxes fom scatch. We make the basic assumption that the ound function is based on an s-box with fixed inputs. This attack is fully automated and can be un without any knowledge of the system. Given the plaintext length as 2n and the length of the intemediate epesentation as 4m the attack in steps 1-5 extacts the key in O(max(m, n)) cyptogaphic opeations, and theefoe undemines the secuity of the obfuscation system. 2.3 Summaizing the Attack We exploit two weaknesses in this attack: Fist, the boundaies of the ounds ae identifiable and potection of intemediate esults against tampeing is not stong enough. This means that a) hiding the ounds can stengthen the implementation and b) data needs to be safe against leaking of infomation duing execution. In this attack we show that faults in ciphes ae a cheap and efficient technique to extact a secet key fom an obfuscated ciphe implementation in softwae. Ou attack on obfuscated ciphe implementations in softwae equies only a few cyptogaphic opeations, and theefoe an advesay can un the attack on any inexpensive hadwae.

11 26 Matthias Jacob, Dan Boneh, and Edwad Felten We had to modify the oiginal algoithm fo diffeential fault analysis [19] in seveal steps. The main diffeence is that it is not possible to inject andom faults since the intemediate epesentation is obfuscated and has multiple points of failue. Howeve, it is still possible to find out a sufficient amount of infomation about the obfuscated intemediate epesentation that make it possible fo an attacke to inject faults. In the undelying attack model it is the goal to decypt some media steam on diffeent machines at the same time. To do this we assume that copy potection of the decyption system is sufficiently stong, and theefoe an attacke has to extact the secet key. In the cuent implementation ou attack equies that a decyption system colludes with an encyption system, but actually an attacke only needs to obtain plaintexts fo 2m chosen plaintexts and the decyption system. O, since the system is a symmetic block ciphe, we un the attack on the encyption system and need 2m chosen ciphetexts fom the decyption opeation. Futhemoe, it is an open question how difficult it is to tun an obfuscated decyption system into an encyption system. In this case having the decyption system is sufficient fo the attack. In the ecommended vaiant the system executes the encyption opeation E (x) =(f 1 Eg)(x) and the decyption opeation D (x) =(g 1 Df)(x) whee f and g ae non-linea bijective encodings. The cuent attack is now impossible, but the disadvantage is that given a ciphetext it is only possible to decypt when f, g, and the key k ae known, o the obfuscated decyption pogam is being used. It is not implementing DES anymoe. It is cucial to fix the weaknesses in the system o implement othe techniques to pevent any common attacks that ecove the secet key. In the following sections we exploe what we can do about the weaknesses and investigate how to stengthen obfuscation techniques against common attacks. 3 Theoetical Consideations The weaknesses in this attack ae specific to the implementation of the obfuscated ciphe. We wee able to use specific popeties of the DES ciphe and the obfuscation method in ode to extact the secet key. Howeve, theoetical consideations do not necessaily limit any stonge obfuscation techniques. Hee we give a simple agument why the geneal poblem of etieving embedded data fom a cicuit is NP-had, and theefoe no efficient geneal deobfuscato exists fo this poblem. In MATCH-FIXED-INPUT we ae given two cicuits, one of which has additional input k. It is the goal to find a k such that the two cicuits ae equivalent. Definition: MATCH-FIXED-INPUT: Given cicuits two C(x, k) and C (x) whee x {0, 1} n and k {0, 1} c whee c N is constant, find k {0, 1} c such that x : C(x, k )=C(x). Theoem: MATCH-FIXED-INPUT is NP-had.

12 Attacking an Obfuscated Ciphe by Injecting Faults 27 Poof: We educe SAT to MATCH-FIXED-INPUT which is almost tivial. In ode to test satisfiability of cicuit D(x), set C(x, k) = D(k) and C (x) = tue, and un MATCH-FIXED-INPUT. IfMATCH-FIXED-INPUT etuns a k such that C(x, k )=C (x), then accoding to the definition thee exists an x such that D(x) = tue. IfMATCH-FIXED-INPUT does not etun a k, then fo all x D(x) = false. Hence, we educe SAT to MATCH-FIXED-INPUT. Fo pactical puposes, howeve, this theoetical obsevation is not much of a elevance since the poblem is had in the wost case but can still be easy fo pactical puposes. On the aveage the poblem MATCH-FIXED-INPUT is NPhad, but in seveal cases heuistic methods can extact the fixed input as in the example of this obfuscated DES ciphe. 4 Stengthening Obfuscation In this section we biefly discuss vaious mechanisms fo defending against ou attack using softwae faults. We fist descibe some common attacke goals when attacking obfuscated code: Hide data in the pogam: The attacke wants to find out cetain data values. This case subdivides into the possibility of tacing values duing untime and discoveing static values in the code. Potect the pogam fom contolled manipulation: In this case the attacke wants to foce the pogam to behave in a cetain way, e.g. to emove copy potection mechanisms o to cause damage on a system. Hide algoithms of the pogam: Accoding to Keckhoff s pinciple cyptogaphic algoithms ae usually public, but in some cases it is useful to hide cetain popeties by which an attacke can ecognize the algoithm, i.e. distinguish fo example between AES, IDEA o Blowfish [21,22,23]. Often when obfuscating a ciphe, commecial tools fist encode the plaintext using some hidden encoding function, then un the ciphe, and finally decode the ciphetext using some othe hidden decoding function. Moe pecisely, the encyption pocess looks like E k (x) =(F E k G 1 )(x) whee E k is the oiginal DES encyption [18]. Note that F and G must be one-to-one functions so that decyption is possible. The decyption pocess is simila: D k (x) = (G D k F 1 )(x). This pe- and post-encoding makes chosen ciphetext attacks moe difficult since an advesay fist needs to ecove G. As a esult, these encoding makes ou fault attack hade to mount. One can still potentially attack the system by using a fault attack against innes levels of the Feistel ciphe. 4.1 Defending against a Fault-Based Attack We mention a few mechanisms fo potecting obfuscated systems fom a fault attack. One appoach is to potect all intemediate esults using checksums. These checksums ae fequently checked by the obfuscated code. We efe to this

13 28 Matthias Jacob, Dan Boneh, and Edwad Felten appoach as local checking. Clealy the code fo checking these checksums must be hidden in the total pogam code so that an attacke cannot disable these checkes. One appoach fo using checksums to ensue code integity is explained in [24]. In this appoach we compute checksums fo pats of the pogam and veify them duing pogam execution. In the exteme we veify a checksum fo evey single instuction and evey data element. Anothe appoach fo checking the computation of obfuscated code is to use global checking. The idea is to execute the obfuscated pogam k times (e.g. k = 3) by inteleaving the k executions. At the end of the computation the code veifies that all k executions esulted in the same value. As befoe, the checke must be obfuscated in the code so that it cannot be tageted by the attacke. This global checking appoach makes ou attack hade since the attacke now has to modify intenal data consistently in all k executions of the code. The poblem with the checking appoaches is the vulneability of the checke since it is unpotected against any tampeing attack. One appoach to make the checke moe obust is to obfuscate it and have it veify its own integity epeatedly while it is checking the pogam. This vaiant educes the maximum time inteval an attacke has to un the modified pogam. In any case the attacke needs to modify to system at moe than one place. We note that if the integity check fails the pogam should not stop execution immediately since this will tell an attacke whee the checke is. Anothe appoach fo making the fault attack moe difficult is to divesify the obfuscation mechanism. In othe wods, each use gets a vesion of the code that is obfuscated diffeently (e.g. by using diffeent encoding functions). In divesification we add andomness to the obfuscation methods, and theefoe two obfuscated pogams ae always diffeent afte obfuscation. Especially vulneable places in a pogam such as the intemediate esults of the iteated ound-based ciphe need to be divesified. 5 Related Wok Infomally tampe-esistance of a softwae implementation measues to what extent the implementation esists abitay o delibeate modifications. Fo example, an implementation can be potected fom emoving a copy potection mechanism. Thus, obfuscation is a common technique fo impoving tampe-esistance. Baak et al. [25] give a fomal definition of obfuscation using a black-box appoach which is the ideal case. They show that in thei model, that obfuscation is not possible. Encypting the executable binay [26] is the most common appoach fo hiding code. In binay encyption the pogam is encypted and decypts itself duing untime. The poblem is that the pogam is available in the clea at some point befoe it gets executed on the pocesso, and it can be intecepted. Futhemoe, the system needs to hide the decyption key, and that educes ecusively to the key obfuscation poblem itself. A common appoach fo obfuscation is to obstuct common static pogam analysis [27,28,29]. The main technique fo doing this is to inset of additional

14 Attacking an Obfuscated Ciphe by Injecting Faults 29 code that ceates pointe aliasing situations. Applying static pogam analysis to analyze a pogam containing possible pointe aliasing tuns out to be NPhad [30]. This obfuscation technique only potects against attacks by static pogam analysis. It is still possible to do dynamic attacks with a debugge o any type of tampeing. The goal of obfuscation is to hide as many pogam popeties as possible. The pinciple of impoving tampe-esistance by obfuscation is that if an attacke cannot find the location fo manipulating a value, it is impossible to change this value. In addition an obfuscato can eliminate single points of failue. On the othe hand obfuscation neve potects against existential modification. Collbeg et al define some metics fo obfuscation in [28]. They classify obfuscation schemes by the confusion of a human eade ( potency ), the successfulness of automatic deobfuscation ( esilience ), the time/space ovehead ( cost ), and the blending of obfuscated code with oiginal code ( stealth ). But obfuscation of a secet key equies stonge popeties of obfuscation, since any definition of tampe-esistance is missing. A pogam that is a good obfuscato in these metics can still have a single point of failue, and theefoe it does not potect the pogam against fault attacks. Tampe-esistance can also be impoved by techniques othe than obfuscation. We aleady mentioned self-checking of code as one possibility [24,31,16]. Potection by softwae guads is anothe technique to pevent tampeing [32]. Softwae guads ae secuity modules that implement diffeent tasks of a pogam and thus eliminate single points of failue. In addition a pogam can implement anti-debugging techniques in ode to pevent tampeing with a debugge [33]. Anti-debugging insets instuctions into a pogam o changes popeties in ode to confuse a debugge. Fo example a pogam can abitaily set beak points o misalign code. Futhemoe, vitual softwae pocessos ae ae a technique fo making tampeing difficult [13]. Vitual softwae pocessos un the oiginal pogam on a softwae pocesso, and in ode to evese enginee the oiginal pogam, an attacke needs to compomise any potection mechanism of the vitual softwae pocesso as well. Goldeich and Ostovsky show in [34] that softwae potection against eavesdopping can be educed to oblivious simulation of RAMs. In thei definition a RAM is oblivious if two diffeent inputs with the same unning time ceate equivalent sequences of memoy accesses. Oblivious RAM potects against any passive attack and theefoe stengthens an obfuscato because it is impossible to find out the memoy locations a pogam accesses. Howeve, it does not potect against the fault injection attack. Cuent hadwae dongles ae based on the idea of oblivious RAM, since the code implementing the license check sits on the dongle. 6 Open Poblems In othe aeas of infomation hiding techniques, such as watemaking, benchmak pogams ae available to measue the stength of a technique to hide

15 30 Matthias Jacob, Dan Boneh, and Edwad Felten infomation. Fo example, StiMaks [35] uses a vaiety of diffeent geneic attacks on a watemaked image to make the watemak illegible. It is an open poblem to build such a benchmak fo code obfuscation and tampe esistance tools. Such a benchmak would take as input some tampe esistant code and attempt to beak the tampe esistance. Cuently no such benchmak exists and thee is no clea model fo building such a benchmak. One of the main open poblems in code obfuscation is to come up with a model fo obfuscation that can be ealized in pactice. [25] defines obfuscation using a black-box model that hides all popeties of a pogam. They show that it is not possible to achieve obfuscation in that model. Fo pactical puposes a black box model might not always be necessay. In the example of the obfuscated DES ciphe in this pape we only need to make sue that it is impossible to get infomation about the secet key. The open eseach poblem is to find the most geneal definition fo obfuscation that can be ealized in pactice. 7 Conclusion Code obfuscation povides some potection against attackes who want to find out secet data o popeties of a pogam, but it is not sufficient as a standalone system. In this study we evaluate the usability of obfuscation when hiding a secet key in an iteated ound-based softwae ciphe. We find weaknesses in a commecial state-of-the-at obfuscato. Ou attack enables automated extaction of the secet key fom the obfuscated pogam code. We discuss a few methods fo defending against these attacks. Refeences 1. Cave, S.A., Wu, M., Liu, B., Stubblefield, A., Swatzlande, B., Wallach, D.S., Dean, D., Felten, E.W.: Reading between the lines: Lessons fom the SDMI challenge. In: Poceedings of the 10th USENIX Secuity Symposium. (2001) 2. CSS: (2002) 3. Intetust: (2002) 4. Micosoft Windows Media Technologies: (2002) 5. Adobe EBooks: (2002) 6. Abaham, D.G., Dolan, G.M., Double, G.P., Stevens, J.V.: Tansaction Secuity System. IBM Systems Jounal 30 (1991) Dallas Semiconducto: Soft Micocontolle Data Book. (1993) 8. Tusted Computing Platfom Alliance: (2002) 9. Andeson, R., Kuhn, M.: Low cost attacks on tampe esistant devices. In: Poceedings of the 5th Intenational Secuity Potocols Confeence. (1997) Koche, P., Jaffe, J., Jun, B.: Diffeential powe analysis. Lectue Notes in Compute Science 1666 (1999) Shami, A., van Someen, N.: Playing hide and seek with stoed keys. Lectue Notes in Compute Science 1648 (1999) Diffie, W., Hellman, M.: New diections in cyptogaphy. IEEE Tansactions on Infomation Theoy IT-22 (1976)

16 Attacking an Obfuscated Ciphe by Injecting Faults Micosoft Copoation: Wold Intellectual Popety Oganization, WO 02/01327 A2 (2002) 14. Cloakwae Copoation: Wold Intellectual Popety Oganization, WO 00/77596 A1 (2000) 15. Intetust Copoation: US Patent Office, US 6,157,721 (2000) 16. Intel Copoation: US Patent Office, US 6,205,550 (2000) 17. RetoGuad Java Obfuscato: (2002) 18. Chow, S., Johnson, H., van Ooschot, P.C., Eisen, P.: A White-Box DES Implementation fo DRM Applications. In: Poceedings of Wokshop on Digital Rights Management (2002) 19. Biham, E., Shami, A.: Diffeential fault analysis of secet key cyptosystems. Lectue Notes in Compute Science 1294 (1997) Boneh, D., DeMillo, R.A., J.Lipton, R.: On the impotance of checking cyptogaphic potocols fo faults. Lectue Notes in Compute Science 1233 (1997) Schneie, B.: Applied Cyptogaphy. Wiley (1994) 22. Menezes, A.J., Van Ooschot, P.C., Vanstone, S.A.: Handbook of applied cyptogaphy. CRC Pess (1997) 23. Daemen, J., Rijmen, V.: Rijndael fo AES. In NIST, ed.: The Thid Advanced Encyption Standad Candidate Confeence, National Institute fo Standads and Technology (2000) Aucsmith, D.: Tampe-esistant softwae: An implementation. Lectue Notes in Compute Science 1174 (1996) Baak, B., Goldeich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (im)possibility of obfuscating pogams. Lectue Notes in Compute Science 2139 (2001) gugq, scut: Amouing the ELF: Binay encyption on the UNIX platfom. Phack Inc. 58 (2001) 27. Wang, C., Davidson, J., Hill, J., Knight, J.: Potection of softwae-based suvivability mechanisms. Poceedings of the 2001 Dependable Systems and Netwoks (DSN 01) (2001) 28. Collbeg, C., Thomboson, C., Low, D.: Manufactuing cheap, esilient, and stealthy opaque constucts. In: The 25th Symposium on Pinciples of Pogamming Languages (POPL 98), Association fo Computing Machiney (1998) Steensgaad, B.: Points-to analysis in almost linea time. In: The 23th Symposium on Pinciples of Pogamming Languages (POPL 96), Association fo Computing Machiney (1996) Landi, W.: Undecidability of static analysis. ACM Lettes on Pogamming Languages and Systems 1 (1992) Hone, B., Matheson, L., Sheehan, C., Tajan, R.E.: Dynamic self-checking techniques fo impoved tampe-esistance. Lectue Notes in Compute Science 2320 (2001) Chang, H., Atallah, M.J.: Potecting softwae code by guads. Lectue Notes in Compute Science 2320 (2001) Cesae, S.: Linux anti-debugging techniques (fooling the debugge). Secuity Focus (2000) 34. Goldeich, O., Ostovsky, R.: Softwae potection and simulation on oblivious RAMs. Jounal of the Association fo Computing Machiney 43 (1996) Petitcolas, F.A.P., Andeson, R.J., Kuhn, M.G.: Attacks on copyight making systems. Lectue Notes in Compute Science 1525 (1998)

Conversion Functions for Symmetric Key Ciphers

Conversion Functions for Symmetric Key Ciphers Jounal of Infomation Assuance and Secuity 2 (2006) 41 50 Convesion Functions fo Symmetic Key Ciphes Deba L. Cook and Angelos D. Keomytis Depatment of Compute Science Columbia Univesity, mail code 0401