Software Tamper Resistance Through Dynamic Program Monitoring

This paper describes a two instruction-stream (twoprocess) model for tamper resistance. One process (Monitor process, M-Process) is designed explicitly to monitor the control flow of the main program process (P-Process). The compilation phase compiles the software into two co-processes: P-process and M-process. The monitor process contains the control flow consistency conditions for the P-process. The P-process sends information on its instantiated control flow at a compiler specified fixed period to the M-process. If there is a violation of the control flow conditions captured within the M-process, the Mprocess takes an anti-tamper action such as termination of the P-process. By its very design, the monitor process is expected to be compact. Hence, we can afford to protect the M-process with a more expensive technique, a variant of Aucsmith’s scheme. This scheme has been implemented with the Gnu C compiler gcc. There are several other monitoring, obfuscation, and dynamic decryption techniques that are embedded in this system. We quantify the performance overhead of the scheme for a variety of programs. The performance of such an anti-tamper schema can be significantly improved by leveraging a decoupled processor architecture to support the decoupled Mand Pprocesses. We describe one instance of such a two-stream decoupled architecture that can make the scheme more robust and efficient.