Careful-Packing is an anti-tampering software protection technique that uses trusted computing to protect critical sections of code. It works by encrypting critical sections when not in use and only decrypting them in a trusted region when execution is needed. This prevents attackers from tampering with the code offline or online. The approach addresses challenges regarding denial of service attacks, concurrency, installation, and booting by techniques like heartbeat proofs, reference counting threads, sealed key installation, and encrypted key booting. An evaluation of a proof of concept keystroke monitoring implementation showed around 5% overhead for a single instance and linear scaling for multiple parallel instances.

1. Careful-Packing: A Practical and Scalable
Anti-Tampering Software Protection enforced by
Trusted Computing
Flavio Toffalini1,2
, Martín Ochoa2,3
, Jun Sun1,2
, and Jianying Zhou1
1
Singapore University of Technology and Design
2
ST Electronics-SUTD Cyber Security Laboratory
3
Cyxtera Technologies

2. Agenda
- Introduction
- Attacker’s goal and assumptions
- Careful-Packing’s approach
- Challenges
- Implementation
- Evaluation

3. The Problem
Secure Monitor:
- Antivirus
- Intrusion Detector
- Insider Threat Detector
Software
tampering

4. Careful-Packing’s goal
Avoiding an attacker to tamper with the software binary code.
void makeALotOfMoney() {
int x = 0;
for (int i = 0; i < maxIteraction; i++) {
int dollars = initialBudget();
If (dollars > 10)
// use a strategy
else
// use the super strategy..
x += dollars;
}
}
Software
Important piece of
code to protect
(critical section)

5. Attacker’s goal
Install a running compromised
client in a corporate network

6. Attacker model
- Tamper code offline: patching
- Tamper code online: patching & repair
- Debug/Emulate
Assumption: OS Task scheduler not compromised

7. Previous Approaches - Fully Trusted Computing (SGX)
How: memory regions physically isolated by hardware
Idea: move the entire process (or a piece of) in these areas
Limitation: (i) difficult interaction with the OS, (ii) limited available space
Untrusted memory Trusted memory
Process to protect

8. Previous Approaches - Purely Software Anti-Tampering (AT)
How: the software checks itself
Idea: using special functions (checkers) that inspect the memory
Limitation: these approaches rise the bar but not resolve the problem
Process to protect
Untrusted memory
Checkers

9. Careful-Packing’s Approach
Checkers inside a trusted region
Critical Sections outside
From trusted region monitors the
outside code!

10. Challenges
Denial of service (packing, heartbeat)
Concurrency
Installation phase
Booting phase

11. Packing
Critical Sections (CS) encrypted most of the time
CS plain only when the process needs to execution them

12. Heartbeat
TrustedUntrusted
Proof of correctness
Random choice
Insert proof of correctness inside a normal communication between client and server.
If the server does not receive a proof and/or the proof is wrong -> the attack is caught

13. Concurrency
The CS can be invoked by concurrency threads.
CS
PC Thread 1
PC Thread 2
CS = 1
A counter in the trusted module
traces how many threads are
using the a CS
decrypt(CS)
encrypt(CS)

14. Installation phase
Server: has a list of valid license keys and the critical sections associated
Client: identifies itself through one of its critical section
Client Server
(I) Installation Request (CS)
(II) Resp. License Key
(III) Key Sealing (II) Key Fetch
Key Repository
K1
K3
(0) Remote attestation

15. TrustedUntrusted
Boot phase
Client loads the sealed key to execute the packing mechanism
Key Sealed in the hard-drive

16. Proof of Concept Implementation
Monitoring agent (simple keystrokes and mouse tracing).
A client is executed on a client, collects data, and ships them to a central server.
Based on SGX for Windows platforms.
-10 LoC on top of the original program (only function call to checkers).
- Enclave size: ~300Kb

17. Evaluation - single instance
Around 5% with related to the original program

18. Evaluation - multiple parallel instances
Linear overhead with respect to the number of instances (no bottleneck)

19. Conclusion & Take away
- To some extent, it is possible to combine trusted computing technologies and anti-tampering
techniques to increase the security guarantees
- Extend careful-packing to protect variables (now we limit to the code)
- Fully untrusted environment: work on techniques that do not require a trusted scheduler

20. The End!
Thanks for your attention