A proposed Trusted-Flow system architecture with aspect-oriented implementation
Paolo Falcarin, Mario Baldi
Riccardo Scandariato, Maurizio Morisio
(Politecnico di Torino)
Trento, June, 28th 2004
Tamper resistance approaches
 Integrity checking [Horne01, Chen02]
   Static self-checking
   Dynamic self-checking
 Making reverse engineering complex [Aucsmith96, Collberg02]
   Customization
   Obfuscation
   Anti-debugging
 Code identification [Barak01, Collberg99]
   Watermarking
   Code signature
Politecnico di Torino
Paolo Falcarin
Trento, IP-Flow meeting, June 28th, 2004
Our approach
 Self-checking relies on code checkers
   whose position is hidden in the application
   whose behavior is obfuscated
 Our solution extends the power of code checkers in two ways
   remote verification that self-checking has actually been performed
   continuous replacement of the self-checking code
A First Prototype at Turin Polytechnic
[Figure: the entrusted software on the client embeds a code checker, the TFG (tag generator); the TFC on the server side checks the tags it produces; the TFG is periodically updated.]
Aspect-Oriented Programming
 An aspect is "extra code" that modularizes the implementation of a crosscutting concern
 An aspect encapsulates pointcuts and advice
   A pointcut defines at which points (join points) in the execution of the program the extra code should be inserted
   An advice defines the extra code that runs when a join point is matched
 The final code is obtained by merging base code and aspect code
   at compile time, with an aspect compiler
   at run time, with a dynamic AOP platform
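To make the pointcut/join point/advice vocabulary concrete, here is an added Python model of run-time weaving. It is not the prototype's code (which is Java on an AOP platform) and not the AspectJ or PROSE API; the `Aspect`, `weave` and `unweave` names, the glob-style pointcut syntax and the `ChatClient` stand-in are assumptions of this example. Pointcuts select methods by qualified name, the advice runs before and after each matched call, and unweaving restores the base code, which is the property a dynamic AOP platform offers and a compile-time weaver does not.

```python
import fnmatch
import functools
import inspect


class Aspect:
    """Bundles a pointcut (which join points to advise) with the advice to run
    there. Names follow the slide's vocabulary; this is an illustration, not
    the AspectJ or PROSE API."""

    def __init__(self, pointcut, before=None, after=None):
        self.pointcut = pointcut   # glob over "ClassName.method" join points
        self.before = before       # advice run before the matched call
        self.after = after         # advice run after it, given the result

    def matches(self, join_point):
        return fnmatch.fnmatchcase(join_point, self.pointcut)


def weave(cls, aspect):
    """Dynamic weaving: replace every method of cls whose join point matches
    the pointcut with a wrapper that runs the advice around the original.
    Returns the join points that were advised."""
    def advised(original, join_point):
        @functools.wraps(original)
        def wrapper(self, *args, **kwargs):
            if aspect.before:
                aspect.before(join_point, args)
            result = original(self, *args, **kwargs)
            if aspect.after:
                aspect.after(join_point, result)
            return result
        wrapper.__woven_original__ = original   # remembered for unweave()
        return wrapper

    woven = []
    for name, member in list(vars(cls).items()):
        join_point = f"{cls.__name__}.{name}"
        if inspect.isfunction(member) and aspect.matches(join_point):
            setattr(cls, name, advised(member, join_point))
            woven.append(join_point)
    return woven


def unweave(cls):
    """Restore the original methods: the run-time counterpart of replacing
    an aspect, which compile-time weaving cannot do."""
    for name, member in list(vars(cls).items()):
        original = getattr(member, "__woven_original__", None)
        if original is not None:
            setattr(cls, name, original)


# Constructed base code standing in for the chat client's application methods.
class ChatClient:
    def send(self, text):
        return "sent:" + text

    def receive(self):
        return "hello"

    def _internal(self):
        return 1


TRACE = []   # what the advice observed; returned by demo()


def log_before(join_point, args):
    TRACE.append(("before", join_point, args))


def log_after(join_point, result):
    TRACE.append(("after", join_point, result))


def demo():
    """Weave a tracing aspect into the public methods, exercise the class,
    then unweave it again."""
    TRACE.clear()
    aspect = Aspect("ChatClient.[!_]*", before=log_before, after=log_after)
    woven = weave(ChatClient, aspect)
    client = ChatClient()
    out = client.send("hi")
    client._internal()          # not selected by the pointcut: no advice runs
    unweave(ChatClient)
    client.send("again")        # advice is gone, nothing is traced
    return woven, out, list(TRACE)


if __name__ == "__main__":
    print(demo())
```

The pointcut `ChatClient.[!_]*` plays the role of an AspectJ `execution(public * ChatClient.*(..))`; the self-checking aspects of the following slides would put the check in the `before` advice of exactly such a pointcut over the application's methods.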
Why AOP?
 Software-tampering detection is a crosscutting concern
 Aspect-Oriented Programming (AOP)
   modularizes the self-checking code in an aspect
   eases the design of different self-checking techniques
   lets the aspect behavior be continuously updated with mobile code
 Dynamic self-checking against an adversary who has
   analysis tools
   knowledge of our algorithm
   most details of our implementation
A Proof of Concept: Chat System
 Java chat server/reflector with TFC
   The TFC generates the aspect code
   The TFC pushes the code to oblivious clients
 Java chat client with TFG
   AOP intercepts calls to application methods
   Mobile code (aspects) is woven by the AOP platform
 An aspect contains
   the session key
   the TFG and the encryption algorithm
   pointcuts to application code
Threats & Countermeasures
 Discovery
   Static inspection to find the self-checking code
   Countered by mobile code: there is no fixed checker to inspect statically
 Disablement
   Disabling the checking
   Disablement stops tag generation, so the TFC can block the untrusted client
 Replacement
   Disabling the checking but still sending correct information
   The replacement must be applied before the TFG expires
   Countered by overlapping aspects that check each other
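The following added Python example (not the Java prototype's code) models the two extensions named on the "Our approach" slide, remote verification and continuous replacement, together with the disablement and replacement countermeasures listed above: a TFG that carries a session key and a self-check over the protected method, and a TFC that verifies the tags it emits and blocks a client as soon as the flow of valid tags stops. The tag construction (an HMAC over generation number, sequence number, code fingerprint and message), the bytecode fingerprint as the self-check, the per-generation lifetime, and the client names are assumptions of this example; the page only states that the aspect contains a session key, the TFG and an encryption algorithm.

```python
import hashlib
import hmac
import os


def code_fingerprint(func):
    """Self-check value: a hash over the bytecode of the protected application
    method (hypothetical stand-in for a checksum over a code region)."""
    return hashlib.sha256(func.__code__.co_code).hexdigest()


class TrustedFlowGenerator:
    """Client-side TFG as the pushed aspect would carry it: session key,
    generation number and the application method the pointcut selects."""

    def __init__(self, session_key, generation, checked_func):
        self.key = session_key
        self.generation = generation
        self.checked = checked_func
        self.seq = 0

    def tag(self, payload):
        """Advice body: run the self-check and bind its result, a sequence
        number and the outgoing message to the session key."""
        self.seq += 1
        fp = code_fingerprint(self.checked)
        msg = f"{self.generation}|{self.seq}|{fp}|{payload}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"gen": self.generation, "seq": self.seq, "fp": fp, "mac": mac}


class TrustedFlowChecker:
    """Server-side TFC: knows the fingerprint of the unmodified client code
    and keeps per-client key, generation, last sequence number and blocked flag."""

    def __init__(self, expected_fp, lifetime=3):
        self.expected_fp = expected_fp
        self.lifetime = lifetime      # tags one TFG generation stays valid for
        self.clients = {}

    def issue_aspect(self, client_id, checked_func):
        """Periodic update: rotate key and generation for this client and return
        the generator that would be shipped to it as mobile code."""
        st = self.clients.setdefault(client_id, {"gen": 0, "blocked": False})
        st.update(gen=st["gen"] + 1, key=os.urandom(32), seq=0)
        return TrustedFlowGenerator(st["key"], st["gen"], checked_func)

    def accept(self, client_id, payload, tag):
        st = self.clients[client_id]
        if st["blocked"]:
            return "blocked"
        verdict = self._verify(st, payload, tag)
        if verdict != "ok":
            st["blocked"] = True      # TFC blocks the untrusted client
        else:
            st["seq"] = tag["seq"]
        return verdict

    def _verify(self, st, payload, tag):
        if tag is None:
            return "disabled"         # aspect removed: tag generation stopped
        if tag["gen"] != st["gen"] or tag["seq"] > self.lifetime:
            return "expired"          # stale TFG: replacement not applied in time
        if tag["seq"] != st["seq"] + 1:
            return "replay"
        msg = f"{tag['gen']}|{tag['seq']}|{tag['fp']}|{payload}".encode()
        expected = hmac.new(st["key"], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag["mac"]):
            return "forged"           # knows the algorithm, not the session key
        if tag["fp"] != self.expected_fp:
            return "tampered"         # honest TFG reports modified code
        return "ok"


# Constructed stand-ins for the chat client's send() and a patched copy of it.
def application_send(text):
    return "sent:" + text


def tampered_send(text):
    return "sent:" + text.upper()


def demo():
    """Honest flow, periodic update, stale TFG, disabled aspect, patched code
    and a forged tag; returns the TFC verdict for each message."""
    tfc = TrustedFlowChecker(expected_fp=code_fingerprint(application_send))
    results = []
    tfg1 = tfc.issue_aspect("alice", application_send)
    for m in ("a", "b", "c"):                                  # honest client
        results.append(tfc.accept("alice", m, tfg1.tag(m)))
    tfg2 = tfc.issue_aspect("alice", application_send)        # TFG update pushed
    results.append(tfc.accept("alice", "d", tfg2.tag("d")))
    results.append(tfc.accept("alice", "e", tfg1.tag("e")))   # kept the old TFG
    tfg_bob = tfc.issue_aspect("bob", application_send)
    results.append(tfc.accept("bob", "x", None))              # checking disabled
    results.append(tfc.accept("bob", "y", tfg_bob.tag("y")))  # already blocked
    tfg_eve = tfc.issue_aspect("eve", tampered_send)          # patched client
    results.append(tfc.accept("eve", "z", tfg_eve.tag("z")))
    tfc.issue_aspect("mallory", application_send)
    fake = TrustedFlowGenerator(b"guessed-key", tfc.clients["mallory"]["gen"], application_send)
    results.append(tfc.accept("mallory", "w", fake.tag("w")))  # wrong session key
    return results


if __name__ == "__main__":
    print(demo())
```

Discovery is not modelled here: it is addressed by the fact that `issue_aspect` hands out a fresh generator, so an attacker who wants to keep answering correctly after a rotation must reverse the new aspect before the old generation is refused.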
Future Work
 Implementation with the JVMTI API in Java 1.5
   Full control of JVM events through an agent
   Agent written in C, using JNI
   Can avoid using AOP platforms, but
     more complicated implementation
     no more help from pointcuts
     dynamic downloading of code must be implemented in C
   Access to memory information can be used to apply and update a signature on the bytecode at run time
 Ideal solution: new dynamic AOP platforms relying on JVMTI
Related Work links
[Chen02] Y. Chen, R. Venkatesan, M. Cary, R. Pang, S. Sinha, M. Jakubowski, "Oblivious Hashing: Silent Verification of Code Execution", in Proceedings of the 5th International Workshop on Information Hiding (IHW 2002), Noordwijkerhout, The Netherlands, 7-9 October 2002.
[Collberg02] C. Collberg, C. Thomborson and D. Low, "Watermarking, Tamper-Proofing, and Obfuscation - Tools for Software Protection", IEEE Transactions on Software Engineering, vol. 28, 2002.
[TCPA] S. Pearson, B. Balacheff, D. Plaquin, and G. Proudler, "Trusted Computing Platforms: TCPA Technology in Context".
[Barak01] B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. P. Vadhan, K. Yang, "On the (Im)possibility of Obfuscating Programs", CRYPTO 2001.
[Horne01] B. Horne, L. Matheson, C. Sheehan, and R. E. Tarjan, "Dynamic Self-Checking Techniques for Improved Tamper Resistance", ACM Workshop on Security and Privacy in Digital Rights Management, 2001.
[Aucsmith96] D. Aucsmith, "Tamper Resistant Software: An Implementation", in R. J. Anderson (ed.), Information Hiding, Lecture Notes in Computer Science 1174, Springer-Verlag, 1996.
[Collberg99] C. Collberg and C. Thomborson, "Software Watermarking: Models and Dynamic Embeddings", in Principles of Programming Languages, San Antonio, USA, January 1999.
[PROSE] PROSE homepage. http://prose.ethz.ch/
[Aspectj] AspectJ homepage. On-line at http://eclipse.org/aspectj/