Posted on 08-Jan-2018


Enforcing Executing-Implies-Verified with the Integrity-Aware Processor

Michael LeMay, Carl A. Gunter
University of Illinois at Urbana-Champaign

Modified version of presentation for TRUST 2011

Outline

• Motivation
• Contributions
• Design
• Conclusions and future work

Stuxnet

• Injected malicious code into Programmable Logic Controller.
  – Can be blocked using code whitelisting.

(figure: Clean OB1 vs. Infected OB1)

[Symantec Stuxnet Dossier 2011]

Other Potential Applications

• Corporate desktop PCs
• Chrome OS devices
• Advanced electric meters
• Power substation Intelligent Electronic Devices
• …

Motivation for Integrity-Aware Hardware

• Existing approaches to malware detection and prevention exhibit limitations in the areas of:
  – Isolation
  – Visibility
  – Performance
  – Compatibility

Outline

• Motivation
• Contributions
• Design
• Conclusions and future work

Contributions

• Integrity-Aware Processor: Only processor architecture with hardware support for directly detecting the execution of unverified code.
• XIVE kernel for IAP: Most compact integrity kernel that is capable of enforcing executing-implies-verified.

Outline

• Motivation
• Contributions
• Design
• Conclusions and future work

Hypervisors

(figure: layered stack, top to bottom: Operating System, Hypervisor, Hardware; annotation: Integrity Kernel)

[SeshadriLQP2007-SOSP]

Large Hypervisors

• Xen: ~230 thousand lines of code
• Big attack surface!

(figure annotation: Integrity Kernel)

[LittyLL2008-Oakland]

Hypervisor Vulnerabilities

(chart from page 50 of the report cited here)

[IBM X-Force 2010]

Example: Xen security advisory CVE-2011-1583 (May 9, 2011)

• Integer overflow in the decompression loop memory allocator might result in overrunning the buffer used for the decompressed image.
• Integer overflows and lack of checking of certain length fields can result in the loader reading its own address space beyond the size of the supplied kernel image file.
• An attacker who can supply a kernel image to be booted as a paravirtualised guest might be able to:
  – Escalate privilege, taking control of the management domain and hence the entire machine.
  – Gain knowledge of the contents of memory in the management tools. Depending on the toolstack in use this might contain sensitive information such as domain management or VNC passwords.

System Management Mode

(figure labels: System Management Mode, APM Control Register, Hardware Electrical Connection, Integrity Kernel; sleeping dog picture by Eduardo Habkost via Flickr, CC BY 2.0)

• Two orders of magnitude slowdown observed compared to protected mode.

[AzabNWJZS2010-CCS] [WangSG2010-RAID]

Outline

• Motivation
• Contributions
• Related work
• Design
• Conclusions and future work

Integrity-Aware Processor

• Based on LEON3 SPARCv8

(figure from paper)

IAP Complexities

(figure from paper)

IAP vs. MMU Hardware TCB

• Isolation:
  – IAP includes specific hardware support for isolating the integrity kernel, which is less complex than the MMU’s general protection mechanisms.
• Visibility:
  – IAP verification tracking mechanisms operate at TLB and cache level, removing page table walk mechanisms from TCB.
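The policy behind the code-whitelisting point on the Stuxnet slide and the verification-tracking point on the IAP vs. MMU slide can be illustrated with a small model. The following is an added example written for this page; it is not code from the paper, the IAP hardware or the XIVE kernel. It assumes a page-granular "verified" bit, SHA-256 as the hash, and a whitelist of approved page hashes; the class and function names (IntegrityKernelModel, run_scenario) and the sample code bytes are invented for the example.

```python
"""Toy model of an executing-implies-verified integrity kernel.

Added illustration, not code from the paper, the IAP hardware or the XIVE
kernel. It models only the policy: a page may be fetched for execution only
while its "verified" bit is set; the bit is set only after the page's contents
hash to a whitelisted value, and any write to the page clears it. Page size,
the use of SHA-256 and the whitelist format are assumptions of this model.
"""

import hashlib

PAGE_SIZE = 64  # assumption: tiny pages keep the sample data readable


class ExecutionFault(Exception):
    """Raised when an instruction fetch targets a page that is not verified."""


class IntegrityKernelModel:
    def __init__(self, whitelist):
        self.whitelist = set(whitelist)  # hex SHA-256 digests of approved pages
        self.pages = {}                  # page number -> bytearray of PAGE_SIZE
        self.verified = set()            # page numbers whose verified bit is set
        self.log = []                    # events a monitor would report

    @staticmethod
    def digest(page_bytes):
        return hashlib.sha256(bytes(page_bytes)).hexdigest()

    def load(self, page_no, code):
        """Place code in a page. A freshly loaded page is never verified."""
        if len(code) > PAGE_SIZE:
            raise ValueError("code does not fit in one page")
        self.pages[page_no] = bytearray(code.ljust(PAGE_SIZE, b"\x00"))
        self.verified.discard(page_no)

    def write(self, page_no, offset, data):
        """Data write. Any write revokes the page's verified status."""
        self.pages[page_no][offset:offset + len(data)] = data
        if page_no in self.verified:
            self.verified.discard(page_no)
            self.log.append(f"page {page_no}: verified bit cleared by write")

    def verify(self, page_no):
        """Integrity-kernel step: set the verified bit only if the hash is approved."""
        d = self.digest(self.pages[page_no])
        if d in self.whitelist:
            self.verified.add(page_no)
            return True
        self.log.append(f"page {page_no}: hash {d[:16]}... not whitelisted")
        return False

    def fetch(self, page_no):
        """Instruction fetch. An unverified page traps to the integrity kernel;
        if verification fails, execution is refused."""
        if page_no not in self.verified and not self.verify(page_no):
            raise ExecutionFault(f"page {page_no} executed while unverified")
        return bytes(self.pages[page_no])


def run_scenario():
    """Constructed scenario: an approved block runs, a modified one is blocked."""
    approved = b"CONSTRUCTED-SAMPLE-CODE-BLOCK"  # constructed stand-in for code
    padded = approved.ljust(PAGE_SIZE, b"\x00")
    ik = IntegrityKernelModel({IntegrityKernelModel.digest(padded)})

    ik.load(0, approved)
    clean_ran = ik.fetch(0) == padded  # first fetch verifies on demand

    ik.write(0, 0, b"X")  # unauthorised modification of the code page
    try:
        ik.fetch(0)
        modified_ran = True
    except ExecutionFault:
        modified_ran = False

    return {
        "clean_ran": clean_ran,
        "modified_ran": modified_ran,
        "page_verified_after_write": 0 in ik.verified,
        "events": list(ik.log),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Running the block prints the scenario outcome: the approved page executes after on-demand verification, the write clears the verified bit, and the next fetch is refused because the modified page no longer hashes to a whitelisted value. The model clears the bit on every write so that verification and execution cannot be separated by a later modification, which is exactly the gap a whitelist checked only once at load time would leave.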

TCB Comparison

• XIVE contains 859 instructions

Hardware Prototype

Performance

(figure from paper)

Plentiful Dark Silicon

• Same area + same total heat dissipation + more transistors = lower % of simultaneously active transistors
• 37% slice overhead
• 21% BlockRAM overhead

[SwansonT2011-IEEEComm]

Outline

• Motivation
• Contributions
• Design
• Conclusions and future work

Contributions

• Integrity-Aware Processor: Only processor architecture with hardware support for directly detecting the execution of unverified code.
• XIVE kernel for IAP: Most compact integrity kernel that is capable of enforcing executing-implies-verified.

Future Work

• Adapt IAP to other architectures.
• Explore integrity kernels for health information technology.
• Implement different types of policies within XIVE.

Hash vs. Network Overhead

(figure from paper)
