Despite the variety of choices regarding hardware and software, to date a large number of computer systems remain identical. Characteristic examples of this trend are Windows on x86 and Android on ARM. This homogeneity, sometimes referred to as “computing oligoculture”, provides a fertile ground for malware in the highly networked world of today.
One way to counter this problem is to diversify systems so that attackers cannot quickly and easily compromise a large number of machines. For instance, if each system has a different ISA, the attacker has to invest more time in developing exploits that run on every system manifestation.
It is not that each individual attack gets harder, but the spread of malware slows down. Further, if the diversified ISA is kept secret from the attacker, the bar for exploitation is raised even higher.
In our paper, we show that system diversification can be realized by enabling diversity at the lowest hardware/software interface, the ISA, with almost zero performance overhead. We also describe how practical development and deployment problems of diversified systems can be handled easily in the context of popular software distrbution models, such as the mobile app store model.
We propose native hardware support for diversifying systems by enabling instruction-set randomization (ISR), which aims to provide a unique random ISA for every deployed system. For instance, the opcode 0xa may denote the XOR operation on one machine, but may be invalid on another. We've demonstrated our proposal with an OpenSPARC FPGA prototype.
Software implementations are too slow (70% to 400% slowdowns) and more importantly, are insecure because they use much weaker encryption schemes and can be turned off.When implementing diversification we kept two things in mind however.
First, we want to minimize the hardware design effort – for instance, we do not want to create a new microarchitecture for each unique ISA. That would be too onerous to be practical. Second, we want to allow the construction of legitimate software easily, while selectively increasing the difficulty of malware creation.
Our secret ISA construction and the associated software model achieves both these goals. Basically by encrypting the code with “secret” keys, we are able to emulate the benefits of having a different ISA for each computer. We leverage a strong cryptographic scheme, such as AES, to encrypt program binaries and decrypt the binary just before execution. This method for generating diversity is far simpler than actually customizing the decoder on each chip to implement random mappings or changing the microarchitecture of every instance.
We also explored some ideas as to how entire ecosystems could be developed around the different types of proposed ISR. An advantage of these diversification approachesbased around ISR is that they employ practical cryptographic primitives and can bebuilt on top of established models. Moreover, they are orthogonal to and can be used alongside most other code-signing and security measures to further harden systems.
Instruction set randomization (ISR) provides a foundation for further security improvements. One such direction is offloading key-management to hardware so that the requirement of a trusted OS can be done away with, thus evicting thousands of lines of software code from the sphere of trust.
Yet another is to extend this encryption on data items which can open the way for truly obfuscated and practical “dark execution” which is particularly significant today when executing programs on remote clouds. Thus hardware ISR is a promising security primitive with many benefits.
To read more of this external content, download the complete paper from the author archives online at Columbia University.