Tags: security, fetch, tampering

Difference between "instruction fetch" and "data read"?


I have a question regarding a paper I am reading right now, which is a demonstration of an attack against some tamper-resistant software using a self-hashing mechanism. This kind of self-hashing works because the authors make the assumption that the executed code is the same as the hashed code, which is true except under certain manipulations of the way a processor handles memory.

In the paper, there is the following sentence which troubles me: "A critical (implicit) assumption of both the hashing in Aucsmith’s IVK and checksum systems employing networks is that processors operate such that D(x) = I(x), where D(x) is the bit-string result of a “data read” from memory address x, and I(x) is the bit-string result of an “instruction fetch” of corresponding length from x."

How would you state the difference between D(x) and I(x)? What is the difference between a data read and an instruction fetch?

Thanks for your help


Solution

  • The difference in these operations is when they occur and where the data is stored before use. Most processors have dedicated caches for instructions. This may mean that the data is fetched from main memory twice: once into a data cache for calculating the hash and again into the instruction cache.

    I cannot find it now, but a year ago I read of a means of hiding malicious code on an Intel processor by causing a cache incoherency between these two caches. The processor would execute the malicious code, but any other tool reading the same memory as mere data would see good code. Here is a means of accomplishing this on an ARM chip.
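The distinction the answer draws, worked through in a toy model. This is an added Python example, not code from the question, the answer, or the paper under discussion. Its `SplitCacheCPU` class, the addresses, the byte strings and the hashing routine are all constructed here; it is a deliberately simplified model of a split-cache processor, not a description of any real chip's cache behaviour. It shows why a self-hash computed through the data path only tells you something about the instructions that will actually run when the two paths are coherent, and that a checker which invalidates the instruction cache before hashing restores the D(x) = I(x) assumption.

```python
"""Toy split-cache CPU: D(x) and I(x) computed through separate caches."""
import hashlib


class SplitCacheCPU:
    """Constructed model: a flat memory plus separate data and instruction caches."""

    def __init__(self, memory: bytes):
        self.mem = bytearray(memory)
        self.dcache = {}  # addr -> byte, filled by data reads and writes
        self.icache = {}  # addr -> byte, filled only by instruction fetches

    def data_read(self, addr: int, length: int) -> bytes:
        """D(x): read through the data cache; misses fill from memory."""
        out = bytearray()
        for a in range(addr, addr + length):
            if a not in self.dcache:
                self.dcache[a] = self.mem[a]
            out.append(self.dcache[a])
        return bytes(out)

    def instruction_fetch(self, addr: int, length: int) -> bytes:
        """I(x): fetch through the instruction cache; misses fill from memory."""
        out = bytearray()
        for a in range(addr, addr + length):
            if a not in self.icache:
                self.icache[a] = self.mem[a]
            out.append(self.icache[a])
        return bytes(out)

    def data_write(self, addr: int, data: bytes) -> None:
        """A store updates the data cache and memory but not the instruction
        cache, which is exactly the incoherence the answer describes."""
        for i, b in enumerate(data):
            self.dcache[addr + i] = b
            self.mem[addr + i] = b

    def invalidate_icache(self) -> None:
        """Cache-maintenance step that forces later fetches back to memory."""
        self.icache.clear()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def self_check(cpu: SplitCacheCPU, addr: int, length: int, expected: str) -> bool:
    """The self-hashing check from the question: hash the code via data reads."""
    return sha256_hex(cpu.data_read(addr, length)) == expected


def d_equals_i(cpu: SplitCacheCPU, addr: int, length: int) -> bool:
    """Does the paper's assumption D(x) == I(x) currently hold for this range?"""
    return cpu.data_read(addr, length) == cpu.instruction_fetch(addr, length)


# Constructed sample code bytes; the values themselves are arbitrary.
GOOD_CODE = bytes([0x90, 0x90, 0x90, 0xC3])
OTHER_CODE = bytes([0xCC, 0xCC, 0xCC, 0xC3])
CODE_ADDR = 0x100


def run_scenario(checker_invalidates_icache: bool) -> dict:
    """Leave the two caches inconsistent, then run the self-check.

    Sequence: the code range is rewritten, fetched once (so the instruction
    cache now holds the rewritten bytes), then restored through the data
    path. Memory and the data cache hold the original bytes; the instruction
    cache does not.
    """
    cpu = SplitCacheCPU(bytes(0x200))
    cpu.data_write(CODE_ADDR, GOOD_CODE)
    expected = sha256_hex(GOOD_CODE)

    cpu.data_write(CODE_ADDR, OTHER_CODE)
    cpu.instruction_fetch(CODE_ADDR, len(OTHER_CODE))
    cpu.data_write(CODE_ADDR, GOOD_CODE)

    if checker_invalidates_icache:
        cpu.invalidate_icache()

    return {
        "check_passes": self_check(cpu, CODE_ADDR, len(GOOD_CODE), expected),
        "D_eq_I": d_equals_i(cpu, CODE_ADDR, len(GOOD_CODE)),
    }


if __name__ == "__main__":
    print("naive checker:      ", run_scenario(False))
    print("invalidating checker:", run_scenario(True))
```

With the naive checker the hash matches yet D(x) differs from I(x): the check verified the bytes a data read returns, not the bytes the fetch path will execute. The second run shows the fix a checker needs on split-cache hardware: perform instruction-cache maintenance (JIT compilers and self-modifying code call a routine such as GCC's `__builtin___clear_cache` for the same reason) before trusting that what was hashed is what runs.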