Ruben Mechelinck, Daniel Dorfmeister, Bernhard Fischer, Stefan Brunthaler, Stijn Volckaert

Talk: GlueZilla: Efficient and Scalable Software to Hardware Binding using Rowhammer

Introduction

Talk: gluezilla: efficient and scalable software to hardware binding using rowhammer. GlueZilla uses Rowhammer & PUFs to bind software to hardware, combating industrial reverse engineering & counterfeiting. Ensures secure execution on specific machines.

Abstract

Industrial-scale reverse engineering affects the majority of companies in the mechanical and plant engineering sector and imposes significant economic damages. Reverse engineering mitigations try to increase the cost involved in reverse engineering until it surpasses the cost of actual development. Although these mitigations exist, economic damage has not been impacted, indicating that they have failed to address the problem. At present, most industrial-scale reverse engineering efforts are spent on replicating hardware components since software can often be copied verbatim without any reverse engineering effort. In this talk, we discuss GlueZilla, our recently published system that binds software to hardware through user-space rowhammer PUFs on commodity hardware. GlueZilla relies on unclonable machine features and thereby forces counterfeiters to reverse-engineer both the hardware and the software, driving up the reverse-engineering cost. In GlueZilla, a program has two fully functional modes of operation. In the intentional mode, GlueZilla performs the expected operations as described by the original source code, whereas in the unintentional mode, the execution differs at unsuspicious-looking junction points. For example, the program could follow conditional branches in the wrong direction, or call different targets at call sites. The unintentional mode should not exhibit obvious signs that something is wrong with the program, e.g., program crashes. The goal of GlueZilla is to only allow execution of the intentional mode on one selected associated machine instance. To this end, GlueZilla transforms the program at compile time to exhibit the unintended behavior by default. At run time, it uses targeted rowhammer-induced bit flips at the junction points to recreate the intentional execution mode in memory, as shown in Figure 1. GlueZilla uses rowhammer because of its unique properties.Since the rowhammer-induced bit flip pattern is unclonable, GlueZilla ensures the intentional execution mode is only reconstructed on the associated machine. If the software runs on any other machine, including exact clones of the associated machine, the required bit flips are absent and the program remains in its unintentional mode. For the same reason, dynamic analyses are ineffective on cloned machines as the intended operations are not performed on cloned machines. Rowhammer, furthermore, allows for stealthy memory changes in the whole memory region without explicit write operations performed by the CPU. This eliminates various dynamic analysis techniques which typically rely on the CPU to intercept certain operations or code changes. Dynamic tools that modify the memory layout also interfere with GlueZilla as the junction points will no longer reside in the required rowhammer-susceptible memory locations. Additionally, the static binary is only an image of the unintentional program and lacks information about the code changes required to recreate the intentional code, rendering static binary analysis unprofitable. The published version of GlueZilla has a few clear disadvantages. Numerous factors, such as temperature and chip aging, might undermine the reliability of bit flips. The current design does not tolerate unreliable bit flips because they might result in an incomplete transition to the intentional program form. Furthermore, Rowhammer can only flip bits in one direction, thus leaving the whole intentional program in memory throughout execution. This makes GlueZilla susceptible to memory snapshotting attacks. We will conclude this talk by discussing our ongoing work that aims to eliminate these weaknesses by using a microarchitectural attack that invalidates the in-memory copy of the program, whilst leaving its functionality intact.

Review

This talk introduces GlueZilla, a novel system designed to combat industrial-scale reverse engineering, particularly focusing on the replication of hardware components. The authors argue that existing mitigations have largely failed to curb economic damages because software is easily copied, leaving hardware as the primary target for reverse engineering efforts. GlueZilla aims to address this by tightly binding software to specific hardware instances, thereby forcing counterfeiters to reverse-engineer both the hardware and the software, significantly increasing their costs. The core innovation lies in using user-space Rowhammer Physical Unclonable Functions (PUFs) on commodity hardware to achieve this binding. GlueZilla operates by transforming a program at compile time to exhibit an "unintentional mode" of operation by default, where execution deviates at critical junction points (e.g., wrong conditional branches or call targets) without causing crashes. The "intentional mode," which performs as expected, is only activated at runtime on a selected, associated machine instance. This activation is achieved through targeted, Rowhammer-induced bit flips at these junction points, which reconstruct the intentional execution path in memory. The choice of Rowhammer is strategic: its unique, unclonable bit flip patterns ensure that the intentional mode is exclusively recreated on the associated machine, rendering the software ineffective on any other system, including exact clones. Furthermore, Rowhammer facilitates stealthy memory changes without explicit CPU writes, making it challenging for dynamic analysis tools that rely on intercepting operations or modifying memory layouts. Static binary analysis is also thwarted, as the compiled binary only reflects the unintentional program, lacking information about the Rowhammer-induced code changes. While GlueZilla presents an intriguing and robust approach to hardware-software binding, the abstract acknowledges several critical disadvantages. The reliability of Rowhammer-induced bit flips can be compromised by factors such as temperature and chip aging, and the current design does not tolerate incomplete transitions to the intentional program. A more significant limitation is Rowhammer's unidirectional bit flipping, which leaves the entire intentional program in memory throughout execution, making it vulnerable to memory snapshotting attacks. The talk concludes by outlining ongoing work to address these weaknesses, specifically mentioning the use of microarchitectural attacks to invalidate the in-memory copy of the program while preserving its functionality. Despite these current limitations, GlueZilla offers a highly innovative direction in anti-reverse engineering, leveraging microarchitectural vulnerabilities for security purposes.

Full Text

Comments

You need to be logged in to post a comment.