
Enforcing Executing-Implies-Verified with the Integrity-Aware Processor

This presentation discusses the motivation, design, and conclusions of the Integrity-Aware Processor (IAP) which is capable of directly detecting the execution of unverified code. The IAP offers improvements in isolation, visibility, performance, and compatibility compared to existing malware detection and prevention approaches. It also introduces XIVE, the most compact integrity kernel that enforces executing-implies-verified.


Presentation Transcript


  1. Enforcing Executing-Implies-Verified with the Integrity-Aware Processor. Michael LeMay, Carl A. Gunter, University of Illinois at Urbana-Champaign. Modified version of presentation for TRUST 2011.

  2. Outline • Motivation • Contributions • Design • Conclusions and future work

  3. Stuxnet • Injected malicious code into Programmable Logic Controller. • Can be blocked using code whitelisting. (figure: Infected OB1 vs. Clean OB1) [Symantec Stuxnet Dossier 2011]

  4. Other Potential Applications • Corporate desktop PCs • Chrome OS devices • Advanced electric meters • Power substation Intelligent Electronic Devices • …

  5. Motivation for Integrity-Aware Hardware • Existing approaches to malware detection and prevention exhibit limitations in the areas of: • Isolation • Visibility • Performance • Compatibility

  6. Outline • Motivation • Contributions • Design • Conclusions and future work

  7. Contributions • Integrity-Aware Processor: Only processor architecture with hardware support for directly detecting the execution of unverified code. • XIVE kernel for IAP: Most compact integrity kernel that is capable of enforcing executing-implies-verified.

  8. Outline • Motivation • Contributions • Design • Conclusions and future work

  9. Hypervisors (figure: layered stack of Operating System, Integrity Kernel, Hypervisor, Hardware) [SeshadriLQP2007-SOSP]

  10. Large Hypervisors • Big attack surface! • Xen: ~230 thousand lines of code (figure: Integrity Kernel inside the hypervisor) [LittyLL2008-Oakland]

  11. Hypervisor Vulnerabilities (See chart on page 50 of the report cited below) [IBM X-Force 2010]

  12. Example: Xen security advisory CVE-2011-1583 (May 9, 2011)
  • Integer overflow in the decompression loop memory allocator might result in overrunning the buffer used for the decompressed image.
  • Integer overflows and lack of checking of certain length fields can result in the loader reading its own address space beyond the size of the supplied kernel image file.
  • An attacker who can supply a kernel image to be booted as a paravirtualised guest might be able to:
    • Escalate privilege, taking control of the management domain and hence the entire machine.
    • Gain knowledge of the contents of memory in the management tools. Depending on the toolstack in use this might contain sensitive information such as domain management or VNC passwords.

  13. System Management Mode • Two orders of magnitude slowdown observed compared to protected mode. (figure: Operating System and System Management Mode on top of Hardware, with APM Control Register, Integrity Kernel and Electrical Connection; sleeping dog picture by Eduardo Habkost via Flickr, CC BY 2.0) [AzabNWJZS2010-CCS] [WangSG2010-RAID]

  14. Outline • Motivation • Contributions • Related work • Design • Conclusions and future work

  15. Integrity-Aware Processor • Based on LEON3 SPARCv8 (figure from paper)

  16. IAP Complexities (figure from paper)

  17. IAP vs. MMU Hardware TCB • Isolation: • IAP includes specific hardware support for isolating the integrity kernel, which is less complex than the MMU’s general protection mechanisms. • Visibility: • IAP verification tracking mechanisms operate at TLB and cache level, removing page table walk mechanisms from TCB.
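Added illustration, not code from the paper, XIVE or the IAP hardware: a toy Python model of the executing-implies-verified rule, in which an instruction fetch from a page is only allowed once that page's hash matches a code whitelist, and any write to the page clears its verified bit so modified code must be re-verified. The page size, the SHA-256 digest and the per-page "verified" dictionary are assumptions standing in for the TLB- and cache-level tracking the slide describes.

```python
import hashlib

PAGE_SIZE = 16  # constructed toy page size (assumption)

class UnverifiedExecution(Exception):
    """Raised when an instruction fetch hits a page whose hash is not whitelisted."""

class IntegrityAwareCore:
    """Toy model of executing-implies-verified tracking; not the IAP design itself."""
    def __init__(self, memory: bytearray, whitelist: set):
        self.mem = memory
        self.whitelist = whitelist   # SHA-256 digests of approved code pages
        self.verified = {}           # page number -> True, like a verified bit per TLB entry
        self.trap_log = []           # program counters at which execution was blocked

    def _page_hash(self, page):
        start = page * PAGE_SIZE
        return hashlib.sha256(bytes(self.mem[start:start + PAGE_SIZE])).hexdigest()

    def write(self, addr, data: bytes):
        """Any data write (e.g. code injection) clears the verified bit of every page touched."""
        self.mem[addr:addr + len(data)] = data
        first, last = addr // PAGE_SIZE, (addr + len(data) - 1) // PAGE_SIZE
        for page in range(first, last + 1):
            self.verified.pop(page, None)

    def fetch(self, pc):
        """Instruction fetch: verify the page on first touch, trap if it is not whitelisted."""
        page = pc // PAGE_SIZE
        if not self.verified.get(page):
            if self._page_hash(page) not in self.whitelist:
                self.trap_log.append(pc)
                raise UnverifiedExecution(f"fetch from unverified page {page} at pc={pc}")
            self.verified[page] = True
        return self.mem[pc]

def build_demo():
    clean = bytes(range(32))  # two constructed "code" pages; whitelist built from the clean image
    wl = {hashlib.sha256(clean[i:i + PAGE_SIZE]).hexdigest() for i in range(0, 32, PAGE_SIZE)}
    return IntegrityAwareCore(bytearray(clean), wl)

def run_scenario():
    core = build_demo()
    both_ok = core.fetch(0) == 0 and core.fetch(17) == 17   # both pages verified on first touch
    core.write(4, b"\xcc\xcc")                               # tamper with page 0 (constructed)
    try:
        core.fetch(5)
        blocked = False
    except UnverifiedExecution:
        blocked = True
    page1_still_ok = core.fetch(20) == 20                    # untouched page keeps its verified bit
    return both_ok, blocked, page1_still_ok, core.trap_log
```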

  18. TCB Comparison XIVE contains 859 instructions

  19. Hardware Prototype

  20. Performance (figure from paper)

  21. Plentiful Dark Silicon • Same area + same total heat dissipation + more transistors = lower % of simultaneously active transistors • 37% slice overhead • 21% BlockRAM overhead [SwansonT2011-IEEEComm]

  22. Outline • Motivation • Contributions • Design • Conclusions and future work

  23. Contributions • Integrity-Aware Processor: Only processor architecture with hardware support for directly detecting the execution of unverified code. • XIVE kernel for IAP: Most compact integrity kernel that is capable of enforcing executing-implies-verified.

  24. Future Work • Adapt IAP to other architectures. • Explore integrity kernels for health information technology. • Implement different types of policies within XIVE.

  25. Hash vs. Network Overhead (figure from paper)
