Software Tamper Resistance Paper Appeared at ACSAC 2005
Posted 12 December 2005
The paper Strengthening software self-checksumming via self-modifying code, co-authored by Jonathon T. Giffin, Mihai Christodorescu, and Louis Kruger, appeared at the 21st Annual Computer Security Applications Conference (ACSAC). Jonathon Giffin presented the paper at the conference, which was held December 6–8 in Tucson, Arizona.
Recent research has proposed self-checksumming as a method by which a program can detect any possibly malicious modification to its code. Wurster et al. developed an attack against such programs that renders code modifications undetectable to any self-checksumming routine. The attack replicated pages of program text and altered values in hardware data structures so that data reads and instruction fetches retrieved values from different memory pages. A cornerstone of their attack was its applicability to a variety of commodity hardware: they could alter memory accesses using only a malicious operating system. In the ACSAC paper, the authors showed that self-checksumming programs can detect the page-replication attack with self-modifying code. The detection is efficient, adding less than 1 microsecond to each checksum computation in experiments on three processor families, and is robust up to attacks using either costly interpretive emulation or specialized hardware.