06-03-2013, 01:18 PM
TAMPER RESISTANCE
Abstract
This paper describes a technology for the construction of tamper resistant software. It presents a threat model and design principles for countering a defined subset of the threat. The paper then presents an architecture and implementation of tamper resistant software based on the principles described.
The architecture consists of a segment of code, called an Integrity Verification Kernel, which is self-modifying, self-decrypting, and installation unique. This code segment communicates with other such code segments to create an Interlocking Trust model.
The paper concludes with speculation on additional uses of the developed technology and an evaluation of the technology's effectiveness.
Introduction:
A three-year-term committee, the Tamper-resistance Standardization Research Committee (hereinafter referred to as TSRC), was established in 2003 within the Information Technology Research and Standardization Center (hereinafter referred to as INSTAC), which is one of the departments of the Japanese Standardization Association (hereinafter referred to as JSA). The purpose of TSRC is to establish the foundations of secure implementation of information technologies (IT) from the viewpoint of standardization by carrying out a study and tackling two research items as follows:
1. Systematic study of various tampering techniques;
2. Development of a method to describe tamper-resistance requirements;
3. Contribution to the international standardization with respect to tamper-resistance.
At an early stage of our activities, we recognized the difficulties in handling tamper-resistance issues due to the following points:
(a) Not all attack methods and protection methods can be discussed openly.
(b) A physical target module is required to develop tamper-resistant techniques.
(c) There is little discussion of evaluation methods for tamper-resistance in the literature.
Tamperproofing of cryptographic equipment
Many early cryptographic systems had some protection against the seizure of key material. Naval code books were weighted; rotor machine setting sheets were printed using water soluble ink; and some one-time pads were printed on cellulose nitrate, so that they would burn rapidly if lit [Kah67].
But such mechanisms relied on the vigilance of the operator, and systems were often captured in surprise attacks. So cryptographic equipment designed in recent years has often relied on technical means to prevent tampering. An example is the VISA security module, commonly used in banks to generate and check the personal identification numbers (PINs) with which customers authenticate themselves at automatic teller machines. It is basically a safe containing a microcomputer that performs all the relevant cryptographic operations; the safe has lid switches and circuitry which interrupts power to memory, thus erasing key material, when the lid is opened [VSM86]. The idea is to deny the bank's programmers access to customer PINs and the keys that protect them; so when a customer disputes a transaction, the bank can claim that the customer must have been responsible as no member of its staff had access to the PIN [And94].
Evaluating the level of tamper resistance offered by a given product is thus an interesting and important problem, but one which has been neglected by the security research community.
Breaking smartcards and microcontrollers
The typical smartcard consists of an 8-bit microprocessor with ROM, EEPROM and RAM, together with serial input and output, all in a single chip that is mounted on a plastic carrier. Key material is kept in the EEPROM.
Designers of EEPROM based devices face a problem: erasing the charge stored in the floating gate of a memory cell requires a relatively high voltage. If the attacker can remove this, then the information will be trapped.
Early smartcards received their programming voltage on a dedicated connection from the host interface. This led to attacks on pay-TV systems in which cards were initially enabled for all channels, and those channels for which the subscriber did not pay were deactivated by broadcast signals. By covering the programming voltage contact on their card with tape, or by clamping it inside the decoder using a diode, subscribers could prevent these signals affecting the card. They could then cancel their subscription without the vendor being able to cancel their service.
Non-invasive attacks
Unusual voltages and temperatures can affect EEPROM write operations. For instance, for the PIC16C84 microcontroller, a trick has become widely known that involves raising VCC to VPP - 0.5 V during repeated write accesses to the security bit. This can often clear it without erasing the remaining memory.
Physical attacks
Physical attacks on some microcontrollers are almost trivial. For example, the lock bit of several devices with on-chip EPROM can be erased by focusing UV light on the security lock cell, which is located sufficiently far from the rest of memory.
Advanced attack techniques
The techniques described above have been successfully used by class I attackers - amateur pay-TV hackers, students and others with limited resources. We will now briefly describe some of the techniques available in professionally equipped semiconductor laboratories, of which there are several hundred worldwide. Some of these are situated in universities (three in the UK, for example), and it has happened that class I attackers get access to professional equipment in the course of student projects.
Conclusion
It is prudent engineering practice to avoid single points of failure, and especially so where the likelihood of failure is unknown. This makes it all the more remarkable that the tamper resistance claims made for smartcards and other commercial security processors have gone untested for so long. The reader will by now be convinced that these claims should be treated with circumspection.
Public key techniques offer some solace, as the number of universal secrets can be greatly reduced - ideally, to a small number of certification keys, that can then be protected in depth. However, public key protocols have their own problems [AN95], and we should never forget that the great majority of actual security failures result from simple blunders in design, construction and operation [And94] [AB96]. There is no silver bullet.
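The pay-TV case under "Breaking smartcards and microcontrollers" is a fail-open design: access is on by default and removing it depends on a write the card holder can block. The following C model is an added example, not code from the post or the papers it excerpts; the card structure, the day counter and "design B" (access that lapses unless a renewal write succeeds) are assumptions introduced for contrast.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: an EEPROM write only takes effect when the
   programming voltage (Vpp) actually reaches the chip. */
typedef struct {
    bool     vpp_present;   /* false = Vpp contact blocked */
    uint32_t enabled_mask;  /* design A: one bit per channel, all set at issue */
    uint32_t valid_until;   /* design B: last paid day (assumed day counter) */
} card_t;

static bool eeprom_write(const card_t *c, uint32_t *cell, uint32_t v) {
    if (!c->vpp_present) return false;  /* write silently lost */
    *cell = v;
    return true;
}

/* Design A (as described in the post): enabled by default, revoked by a write. */
static bool a_revoke(card_t *c, unsigned ch) {
    return eeprom_write(c, &c->enabled_mask, c->enabled_mask & ~(1u << ch));
}
static bool a_can_view(const card_t *c, unsigned ch) {
    return (c->enabled_mask >> ch) & 1u;
}

/* Design B (assumption): access lapses unless a renewal write succeeds. */
static bool b_renew(card_t *c, uint32_t until) {
    return eeprom_write(c, &c->valid_until, until);
}
static bool b_can_view(const card_t *c, uint32_t today) {
    return today <= c->valid_until;
}

/* Subscriber cancels after day 30; does channel 3 still play on day 31? */
static bool plays_after_cancel(bool vpp_present, bool design_b) {
    card_t c = { vpp_present, 0xFFFFFFFFu, 30 };
    if (design_b) return b_can_view(&c, 31);  /* vendor just sends no renewal */
    a_revoke(&c, 3);                          /* vendor broadcasts deactivation */
    return a_can_view(&c, 3);
}

int main(void) {
    printf("A, Vpp intact : %d\n", plays_after_cancel(true, false));
    printf("A, Vpp blocked: %d\n", plays_after_cancel(false, false));
    printf("B, Vpp blocked: %d\n", plays_after_cancel(false, true));
    card_t paid = { true, 0, 30 };
    b_renew(&paid, 60);
    printf("B, renewed    : %d\n", b_can_view(&paid, 31));
    return 0;
}
```

In design B a blocked write can only cost the card holder service, so the security property no longer depends on the card accepting a write against its holder's interest.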