A User Centric Security Model for Tamper-Resistant Devices

8.3 Runtime Protection Mechanism
C
1
2
B
B 2
SG
3
Return
1
2
D
Figure 8.6: Control ow diagram of an example method B
The ControlFlowGraph in the property le (listing 8.1) is simply constructed by taking into
account every possible (legal) execution ow of a method. Taking the example method B, as
shown in gure 8.6 the rst jump can either be to method C or D depending upon the input
to method B (inputValue in listing 8.3). The rst two possible jumps shown in gure 8.6
are B→C and B→D, where → represents the direction of the jump. The construction of the
ControlFlowGraph (set of legal jumps) is constructed by XORing the method identiers
of individual jumps (B→C and B→D). The rst legal jump in the ControlFlowGraph would
be either Jump 1 = 0xF122 ⊕ 0xF123 (i.e. B→C) and Jump 1 = 0xF122 ⊕ 0xF124 (i.e.
B→D). The next possible jumps in the method B can be either C→SG or D→SG that are
represented in the ControlFlowGraph as Jump 3 = Jump 1 ⊕ 0xF125 and Jump 4 = Jump 2 ⊕
0xF125, respectively. Finally, for the third jump illustrated in gure 8.6 is SG→Return
that returns the execution back to the method that initiated the method B. Therefore, the
ControlFlowGraph of method B would be B cfa-Set = (Jump 1 , Jump 2 , Jump 3 , Jump 4 ).
The control ow analysis requires that the runtime security manager have a control ow
analysis variable cfa that stores the path taken by an application as cfa = Σ n j=1 C j.
Where C j represents the jumps taken during execution of an application. During the
execution of a method, when the JCVM encounters a jump to another method the runtime
security manager XORs the method identier with the current value of cfa and lookup
the ControlFlowGraph of the given method in the associated property le. If it nds a
matching value, the JCVM will proceed with the execution; if not it will terminate the
execution. Taking our example of the method B, when the JCVM encounters the rst jump
B→C the runtime security manager will calculate the cfa = 0xF122 ⊕ 0xF123 and compare
it with the values in the respective ControlFlowGraph. As the cfa matches with the value
Jump 1 , the runtime execution manager assumes the jump B→C is legal (permitted).
A potential problem with this scheme might be loop instructions that contain jumps to
multiple methods depending upon the loop condition. For example, for an odd value of `i'
jump to method B and for even values jump to method C. The loop iterates through
the values of `i' until it meets the condition that might be based on runtime values
(i.e. unpredictable at the time of the compilation of the application). However, we consider
that this problem is intrinsically managed by the scheme. Consider a control ow
graph of four methods: A, B, C, and D. Methods B and C are part of a loop as dis-
204