Architectural Support for Copy and Tamper Resistant Software
Lie, Thekkath, Mitchell, Lincoln, Boneh, Mitchell, Horowitz
ASPLOS 2000

Outline:
  why are we reading this?
  why copy protection is hard; alternate designs
  what properties do they guarantee
  how would you use xom in a larger system
  how do they do it
  what attacks don't work
  what attacks do work
  what could you use this for

Why are we reading this paper?
  The wind may be blowing this way
    Microsoft Palladium, Trusted Computing Platform Alliance
  How will secure platforms affect our lives?
  Can we use them to do something useful?

Can you provide copy protection in s/w alone?
  They imply you need hardware, seems like a pain, why do you need it?

Are there existing techniques for copy protection?
  Program knows what CPU serial number it is licensed for.
  License code printed on the Microsoft Windows CD case.
  Windows XP checking your configuration.
  Dongles.
  License servers.

Can you build a closed system for copy protection?
  E.g. a game console.
  Physically secure (sealed).
  CPU and memory within the security perimeter.
  Unique ID sealed inside (public).
  Vendor's public key sealed inside.
  When you buy s/w on the web, vendor generates license.
    License mentions your console ID, game name, digitally signed.
  Console won't play a game w/o the license.
  Crucial issue is tamper-proof, not privacy.

Why isn't the above enough?
  You can play the game on a PC or emulator.
  Doesn't work in an open PC-like platform.
    Want to run both protected and ordinary programs.
    O/S too complex, user can modify it, don't want to trust it.
    PC is physically *not* tamper-proof, and user is the adversary.

What properties does XOM guarantee?
  Vendor encrypts program with CPU's private key.
  Vendor also ensures integrity.
    Each block of instructions includes keyed hash over address + instrs.
  CPU executes program in a "compartment".
  When CPU is running program:
    It can read/write its own memory and registers.
  When CPU is running something else:
    No access to protected program's memory or registers.
  Protected against O/S and memory system!
  (Note we must have a well-defined idea of "the program": integrity.)

What can we do with these properties?
  Vendor can make program that only your CPU can read/execute.
  I probably have to buy it over the Internet.
    I give vendor my CPU's public key and my Visa number.
    Umm, how do they know I didn't make up the public key????
    My CPU must have a certificate from Intel...

Can you have one program that can play copy-protected MP3 files?
  CPU ID.
  Checks over Internet with license server.
  Must share unique key w/ license server.
    OK: program is read-protected.
  One key for all MP3 files?
    Or you get the right one from license server?

Can we think of apps other than DRM?
  keep sensitive data secret
    store Kerberos tickets on a time-shared machine, don't trust root.
    Amazon keeps SSL private key secure from hackers.
    Or run something in browser, something at Amazon, to protect credit card #s.
      hmm, secure I/O channel to user???? must be via O/S.
  ensure I'm running to the real ssh, netscape, whatever
    maybe sshd on my server rejects connections from unknown ssh binaries.
    this is a bit hard, again, o/s controls i/o
  ensure seti@home participants don't lie

non-attacks
  what if i make my own cpu chip?
  what if i make my own cpu chip with a private key I know?
    It won't have a certificate from Intel?
  what if i give away my private key so you can run my programs?
  why can't I physically read priv key or program from cpu?
  why can't o/s read/write the program's registers? memory?
  why can't o/s fake network traffic to e.g. license server?

real attacks
  replay stale memory
  force traps at bad times
    w/ incorrect memory blocks or register contents
  o/s controls display and keyboard
    and you want a "secure ssh"
    this is probably a real problem
  o/s controls disk and network i/o
    less of a problem, can use crypto
  what if the program to be run has bugs

How does it work?
  What do instructions look like in memory?
  What does data look like in memory?
  What extra state does the CPU maintain?
  How does O/S manage to save state (ctxt switch) w/o being able to read/write data?
  How does a system call work?
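
The "keyed hash over address + instrs" item and the "replay stale memory" item in the notes above, worked as an added example (not code from the paper or from these notes): a tag bound to the block address rejects modified and relocated blocks, but accepts an old block put back at its own address. HMAC-SHA256, the key, the 16-byte tag, the dict standing in for untrusted memory and all function names are assumptions; encryption of the block is left out to keep the focus on integrity.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stands in for the key held inside the CPU
TAG_LEN = 16                   # assumption: truncated tag length

def _tag(addr: int, block: bytes) -> bytes:
    # Keyed hash over address + contents, so a block is only valid at one address.
    msg = addr.to_bytes(8, "big") + block
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:TAG_LEN]

def seal(addr: int, block: bytes) -> bytes:
    """What the trusted side writes out to untrusted memory: block || tag."""
    return block + _tag(addr, block)

def load(memory: dict, addr: int) -> bytes:
    """CPU-side check on fetch: recompute the tag using the fetch address."""
    stored = memory[addr]
    block, tag = stored[:-TAG_LEN], stored[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(addr, block)):
        raise ValueError(f"integrity check failed at {addr:#x}")
    return block

def accepted(memory: dict, addr: int) -> bool:
    try:
        load(memory, addr)
        return True
    except ValueError:
        return False

def demo() -> dict:
    # Constructed sample memory: two sealed blocks at different addresses.
    mem = {0x1000: seal(0x1000, b"balance=100"), 0x1010: seal(0x1010, b"balance=999")}
    out = {}
    # 1. Contents changed, old tag kept: rejected.
    m = dict(mem)
    m[0x1000] = b"balance=900" + mem[0x1000][-TAG_LEN:]
    out["modified"] = accepted(m, 0x1000)
    # 2. Valid block copied to a different address: rejected (address is in the hash).
    m = dict(mem)
    m[0x1000] = mem[0x1010]
    out["relocated"] = accepted(m, 0x1000)
    # 3. Program updates the block, then the stale copy is restored at the same
    #    address: accepted, because nothing in the tag says which version is current.
    m = dict(mem)
    stale = m[0x1000]
    m[0x1000] = seal(0x1000, b"balance=040")
    m[0x1000] = stale
    out["replayed"] = accepted(m, 0x1000)
    return out

if __name__ == "__main__":
    print(demo())
```

Rejecting the third case needs freshness state the memory system cannot rewrite, for example a per-block version counter kept inside the trusted boundary and included in the hash.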