%!TEX root = thesis.tex
\chapter{Conclusion and Further Works}
This study set out to explore the concept of code obfuscation through cache memory architecture features. Our motivation is that the deployment of private local memories, such as NUMA nodes and hierarchical caches, is being accelerated by modern computer architecture models, especially in mobile systems, in order to enhance performance and efficiency while also decreasing power consumption. Because of the opportunities and the vulnerabilities they bring, we have focused on these architectures. Throughout the study we have argued that private caches and memories such as NUMA can be exploited to evade an observer in the interconnection network of tightly coupled multiprocessor systems. Therefore, we have proposed three different solutions for our three research questions.
Firstly, we designed an obfuscation method that exploits the private caches to conceal information from observer devices or CPUs in tightly coupled multiprocessor systems with a write-back cache policy. The essence of the method is exploiting the laziness of cache memories, a laziness that arises from performance optimization. At the end of the study, we gave a theoretical design that can obfuscate and deobfuscate code, works within cache boundaries, and takes cache eviction and replacement into account. We have called it ``Cache Oriented Obfuscation''. However, this attack has been designed only for the theoretical system under consideration, which has a tightly coupled, multiprocessor, Von Neumann architecture with a write-back cache policy and without cache coherency.
For the second question, we proposed a probabilistic attack on the systems considered in the previous question, now with snoopy coherent caches. The attack exploits the direction of the cache fetching vector, the coherency latency between caches, and the laziness of the write-back cache. We supported our argument with latency simulation experiments and showed theoretically how feasible it is to exploit these systems to obfuscate and hide malware. In order to calculate the overall obfuscation rate, we gave a formula; however, it gives a quantitative rate that might not represent the actual probability of evasion.
For the last question, we introduced a method to solve the implementation issues on Harvard architectures or equivalent designs. The solution we proposed is to combine our attack with interpretation: the information stored in the data cache is interpreted by code located in the instruction cache. In other words, we used an interpreter as a virtual machine running from the instruction cache in order to execute our gadgets. Instead of writing our own interpreter, we considered the use of legitimate, well-known interpreters more suitable because they cannot serve as a valid signature for detection. FORTH is one of the most adequate interpreted languages for our implementation, and we have discussed the implementation issues with FORTH. Thus, this question has been solved with a novel approach, as was the previous one.
Last but not least, this thesis has proved, with elaborately prepared designs and experiments, why security analysts and researchers must stay alert to these vulnerabilities. We have made significant progress in documenting and analyzing the theoretical foundation of obfuscation methods supported by cache memories and, as far as possible, by other private local memories such as non-uniform memory architectures. On the whole, we have proposed three theoretical attacks which need to be blended into a single attack during implementation; combined, they turn into a very strong obfuscation technique against today's detection mechanisms. It is highly probable that the modern architectures concerned will become more and more popular due to their advantages in performance and efficiency. Without a doubt, the features we have exploited are also going to be exploited by malicious authors, although there is no sign yet of whether they have been abused.
\section*{Future Work}
Because this is the first and only contribution on cache-based obfuscation techniques, the possible future work is broad. To sum up, we present several directions in this section. The whole study could easily be reinterpreted and documented for non-uniform memory architectures, and we strongly believe it would be worthwhile to show some NUMA-specific features and limitations.
Most importantly, we should research the possibilities of detecting this kind of attack autonomously. Such studies would be complementary to this thesis, because one of its main purposes is to develop proper defense mechanisms against these attacks. In our opinion, behavioral analysis on the interconnection network could be helpful. We also strongly believe that some particular dynamic analysis methods could be effective, as well as machine-learning-based deobfuscation methods on the static side of the defense.
The implementation issues with out-of-order CPUs are not addressed in this thesis, but we could encounter several issues with out-of-order execution. There are commonly four types of them, namely I3O, 2I2O, I3O, and IOIO. They could affect our control-flow designs and must be analyzed in standalone research.
Consistency models are briefly mentioned in the background chapter, and some of them also provide coherency between caches. The effect of all consistency models on cache-oriented obfuscation must be analyzed and documented; there could be several exploration opportunities or implementation tune-ups for these architectures.
For the cache coherency network, we could implement a noise generator to increase latency, but the important point is that such generators could be detectable. However, we have already illustrated how important latency is. If we could produce latency with another obfuscated malware or gadget from another node, the noise generator would be a very interesting and powerful plug-in for our cache coherency attack, increasing the attack probability.
Also, as mentioned before, the Booksim 2.0 simulation tool can be extended with particular features to measure latency more specifically for our experiment. The traffic in our interconnection network is quite characteristic: the observer node produces a high level of regular scanning noise, the malicious node is quite silent, and the other nodes produce nominal noise. Booksim 2.0 allows you to program your own plug-ins to generate your own traffic. This could give a better understanding and more valid results in terms of latency.
One of the most important uses of code obfuscation in security is to provide an enduring platform for protecting software against crackers. Software developers use the same principles as malicious authors to protect their authentication, validation, or critical scoring values. We strongly believe that our cache-oriented obfuscation could be a good candidate for protecting their software frameworks, too.
As the next stage of our advanced attack, concurrency between gadgets could be implemented. Because of the non-deterministic nature of parallel computing, gadgets working in parallel could raise the bar one more level against behavioural identification.