State of the Art

The initial work concerning the remote entrusting was developed by some consortium members in the TrustedFlow research activities [1, 2] . The initial work introduced the ideas on how to generate a continuous stream of signatures using software only. The remote entrusting methodology proposed in this project is novel and challenging, and presents a major advancement beyond the state of the art. However, some specific aspects of the proposed research activities have been dealt with in different contexts. Therefore, the following state of the art discussion is divided into several subsections corresponding to various research aspects that are related to RE-TRUST.

Software dependability state of the art

Software dependability is a mature and well-established research area that seeks solutions to the problem of software errors that can corrupt the integrity of an application. To this aim, several techniques have been developed and the most prominent are control-flow checking and data duplication.

Control-flow checking techniques are meant to supplement the original program code with additional controls verifying that the application is transitioning through expected valid "traces" [3, 4, 5]. In data duplication techniques, program variables are paired with a backup copy [6, 7, 8]. Write operations in the program are instrumented to update both copies. During each read access, the two copies are compared for consistency. There is one main difference regarding the "attack model," between software dependability and the current project. Software dependability assumes that modifications are accidental (random) errors (say bit flips), while remote entrusting deals with intentional and malicious software modifications.

Software tamper resistance state of the art

Among the several possible attacks, the focus is on the problem of authenticity, i.e., attacks aiming at tampering with application code/data for malicious purposes, like bypassing licensing, or forcing a modified (thus unauthorized) execution. Different solutions have been proposed in the literature to protect software from the above-mentioned rogue behaviors. Such solutions are surveyed in details in [9, 10] and briefly described in the following.

Obfuscation is used to make application code obscure so that it is complex to understand by a potential attacker who wants to reverse engineer the application. Obfuscation techniques, change source code structure without changing its functional behavior through different kinds of code transformations [ 11, 12]. Theoretical studies about complexity of reverse engineering and de-obfuscation are in early stage. It is well-known that for binaries that mix code and data disassembly and de-compilation are undecidable in the worst case [13]. On the other hand, some work reported that de-obfuscation (under specific and restrictive conditions) is an NP-easy problem [14]. Further, it was proven that a large number of functions cannot be obfuscated [15].

Replacement background state of the art

Dynamic replacement strategy relies on the assumption that tampering attempts can be made more complex if the attackers have to face newer versions continuously. This approach has some similarities with software aging [16], where new updates of a program are frequently distributed. This limits the spread of software "cracks" and it allows renewal of software protection techniques embedded in the application.

Another relevant area of related work is represented by techniques for protection of mobile agents [17, 18]. For instance, previous work proposed a scheme to protect mobile code using a ring-homomorphic encryption scheme based on CEF (computation with encrypted functions) with a non-interactive protocol [19 , 20 ]. However the existence of such homomorphic encryption function (also known as a privacy homomorphism) is still an open problem. Furthermore, some approaches mix obfuscation and mobility. For instance, in [21] agents are periodically re- obfuscated to ensure that the receiving host cannot access the agent state.

HW-based entrusting state of the art

Solution proposed by Trusted Computing initiatives [22, 23, 24, 25] rely both on a trusted hardware component on the motherboard (co-processor) and on a common architecture that enable a trusted server-side management application to attest the integrity of a machine and to establishing its "level of trust". This non run-time approach has been applied to assess integrity of a remote machine enhanced with a trusted coprocessor and a modified Linux kernel [26]. In that work a chain of trust is created. First BIOS and coprocessor measure integrity of the operating system at start-up, then the operating system measure integrity of applications, and so on. Other non run-time approaches rely on additional hardware to allow a remote authority to verify software and hardware originality of a system [27]. Beside Trusted Computing, another interesting approach is presented in [28]. This approach has some similarities to the HW/SW method proposed in this project, as it is based on commodity hardware tokens (e.g., smart cards) and remote execution of selected software components.

Bibliography

[1]	M. Baldi, Y. Ofek, M. Young, Idiosyncratic Signatures for Authenticated Execution of Management Code, 14th IFIP/IEEE International Workshop on Distributed Systems: Operations and Management (DSOM 2003), Heidelberg, Germany, Oct. 2003.
[2]	M. Baldi, Y. Ofek, M. Yung, "The TrustedFlow™ Protocol - Idiosyncratic Signatures for Authenticated Execution," 4th Annual IEEE Information Assurance Workshop, West Point, NY, USA, June 2003.
Top

Software dependability state of the art
[3]	N. Oh, P.P. Shirvani, E.J. McCluskey, Control-flow checking by software signatures, IEEE Transactions on Reliability, Vol. 51(1), Mar. 2002.
[4]	J. Ohlsson, M. Rimen, Implicit signature checking, Proceedings of 25th International Symposium on Fault-Tolerant Computing, Jun. 1995
[5]	A. Benso, S. Di Carlo, G. Di Natale, P. Prinetto, L. Tagliaferri, Control-flow checking via regular expressions, Proceedings of 10th Asian Test Symposium, Nov. 2001
[6]	N. Oh, S. Mitra, E.J. McCluskey, ED4 I: error detection by diverse data and duplicated instructions, IEEE Transactions on Computers, Vol. 51(2), Feb. 2002
[7]	N. Oh, P.P. Shirvani, E.J. McCluskey, Error detection by duplicated instructions in super-scalar processors, IEEE Transactions on Reliability, Vol. 51(1), Mar. 2002
[8]	A. Benso, S. Chiusano, P. Prinetto, L. Tagliaferri, A C/C++ source-to-source compiler for dependable applications, Proceedings of International Conference on Dependable Systems and Networks (DSN), Jun. 2000.
Top

Software tamper resistance state of the art
[9]	C. Collberg, C. Thomborson, D. Low, Watermarking, Tamper-Proofing, and Obfuscation - Tools for Software Protection, IEEE Transactions on Software Engineering, vol. 28, 2002
[10]	G, Naumovich, N. Memon, Preventing piracy, reverse engineering, and tampering, IEEE Computer, vol. 36(7), pp. 64 -71, July 2003.
[11]	C. Wang, J. Davidson, J. Hill, and J. Knight. Protection of software-based survivability mechanisms, Proceeding of International Conference on Dependable Systems and Networks (DSN), Goteborg, Sweden, July 2001
[12]	E. Valdez and M. Yung, Software DisEngineering: Program Hiding Architecture and Experiments, Information Hiding, 1999
[13]	C. Linn, S. Debray, Obfuscation of Executable Code to Improve Resistance to Static Disassembly, Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), Oct. 2003
[14]	A. W. Appel, Deobfuscation is in NP, www.cs.princeton.edu/~appel/papers/deobfus.pdf
[15]	B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. P. Vadhan, K. Yang, On the (Im)possibility of Obfuscating Programs, Proceedings of CRYPTO 2001
Top

Replacement background state of the art
[16]	M. Jakobsson, K. Reiter. Discouraging Software Piracy Using Software Aging, Proceedings of 1st ACM Workshop on Security and Privacy in Digital Rights Management, Philadelphia, Pennsylvania, USA, November 2001, Lecture Notes in Computer Science (LNCS), vol. 2320, pp. 1-12, 2002.
[17]	G. McGraw, E.W. Felten, Mobile Code and Security, IEEE Internet computing, 1998 (Vol. 2, No. 6)
[18]	Oscar Esparza, Miguel Soriano, Jose L. Muñoz, Jordi Forné, Detecting and Proving Manipulation Attacks in Mobile Agent Systems, Lecture Notes in Computer Science, Volume 3284, Jan 2004, Pages 224 - 233.
[19]	T. Sander and Christian F. Tschudin, Towards Mobile Cryptography, IEEE Symposium on Security and Privacy, May 1998
[20]	T. Sander, C. F. Tschudin, Protecting mobile agents against malicious hosts, Lecture Notes in Computer Science, 1998
[21]	L. Badger et al., Self-protecting mobile agents obfuscation techniques evaluation report, NAI Labs Report, Nov. 2001, online at www.isso.sparta.com/research/documents/spma.pdf
Top

HW-based entrusting state of the art
[22]	S. Pearson, Trusted computing platforms, the next security solution, Technical Report HPL-2002-221, HP Laboratories, 2002
[23]	The Trusted Computing Group. On-line at https://www.trustedcomputinggroup.org
[24]	Next Generation Secure Computing Base, http://www.microsoft.com/resources/ngscb
[25]	R. York, A New Foundation for CPU Systems Security, ARM Limited, http://www.arm.com
[26]	R. Sailer, X. Zhang, T. Jaeger, L. van Doorn, Design and Implementation of a TCG-based Integrity Measurement Architecture, Proceedings of the 13th USENIX Security Symposium, San Diego, CA, USA, Aug. 2004
[27]	Rick Kennell, Leah H. Jamieson, Establishing the Genuinity of Remote Computer Systems, Proceedings of the 12th USENIX Security Symposium, 2003
[28]	A. Maña, J.López, J. Ortega, E. Pimentel, J.M. Troya, A Framework for Secure Execution of Software, International Journal of Information Security, Vol. 3(2), 2004
Top