ERIC: An Efficient and Practical Software Obfuscation Framework

Abstract

ERIC is an efficient and general software obfuscation framework designed to protect distributed software executables against both static and dynamic analysis. It leverages Physical Unclonable Functions (PUFs) to generate unique device identifiers used as secret keys, ensuring that encrypted binaries can only be decrypted and executed by a single authenticated device via a Hardware Decryption Engine (HDE). Prototyped on an FPGA extension of the RISC-V Rocket Chip, ERIC demonstrates practicality with minimal hardware overheads.

Report

ERIC: An Efficient and Practical Software Obfuscation Framework

Key Highlights

• Framework Goal: To protect software executables, particularly those distributed in cloud or edge environments, from reverse engineering via static or dynamic analysis.
• Dual Protection: The framework defends against static analysis by making only encrypted binaries available, and against dynamic analysis by tying execution to a single authenticated device.
• Hardware Root of Trust: The core security mechanism relies on Physical Unclonable Functions (PUFs) which serve as unique, hardware-derived secret keys for encrypting the software.
• ISA Independence: Both the hardware (HDE) and software (compiler) components of ERIC are designed to be Instruction Set Architecture (ISA)-independent, promoting generality.
• Prototype Implementation: A full end-to-end prototype was developed on an FPGA, integrating the necessary components into the popular open-source RISC-V Rocket Chip.

Technical Details

• Architecture: ERIC consists of two main components: a Hardware Decryption Engine (HDE) integrated into the target device and a custom LLVM-based compiler.
• HDE Functionality: The HDE efficiently decrypts encrypted software blocks during execution using the device's unique PUF output as the key.
• Compiler Role: The custom LLVM-based compiler seamlessly handles the encryption of RISC-V executables, supporting both partial and full encryption based on a unique device identifier (PUF response).
• Hardware Overheads: The HDE requires minor resource increases on the FPGA implementation, specifically 2.63% more Look-Up Tables (LUTs) and 3.83% more flip-flops compared to the baseline Rocket Chip.
• Software Overheads: The encryption process adds practical, manageable costs, increasing compile time by 15.22% and executable size by 1.59%.

Implications

• Enhanced RISC-V Security and IP Protection: ERIC offers a high-security, low-overhead solution for protecting proprietary algorithms and sensitive Intellectual Property (IP) running on RISC-V platforms. By integrating hardware security (PUF/HDE) directly into the Rocket Chip, it addresses major concerns regarding secure software deployment on open-source ISA architectures.
• Secure Cloud and Edge Deployment: The framework provides a crucial mechanism for ensuring that proprietary software deployed via cloud platforms or on remote edge devices cannot be analyzed, cloned, or executed by unauthorized parties, a critical requirement for commercial IoT and distributed computing.
• Hardware-Software Co-Design for Security: ERIC exemplifies a modern approach to system security where hardware modifications (HDE) are tightly coupled with the software toolchain (LLVM compiler) to enforce security policies efficiently. This model is expected to become standard in future trusted computing environments.