Slide 1: Enforcing Executing-Implies-Verified with the Integrity-Aware Processor
Michael LeMay, Carl A. Gunter
University of Illinois at Urbana-Champaign
Modified version of presentation for TRUST 2011
Slide 2: Outline
• Motivation
• Contributions
• Design
• Conclusions and future work
Slide 3: Stuxnet
• Injected malicious code into a Programmable Logic Controller.
  – Can be blocked using code whitelisting.
(figure: clean OB1 vs. infected OB1)
[Symantec Stuxnet Dossier 2011]
Slide 4: Other Potential Applications
• Corporate desktop PCs
• Chrome OS devices
• Advanced electric meters
• Power substation Intelligent Electronic Devices
• …
Slide 5: Motivation for Integrity-Aware Hardware
• Existing approaches to malware detection and prevention exhibit limitations in the areas of:
  – Isolation
  – Visibility
  – Performance
  – Compatibility
Slide 6: Outline (Motivation, Contributions, Design, Conclusions and future work)
Slide 7: Contributions
• Integrity-Aware Processor (IAP): the only processor architecture with hardware support for directly detecting the execution of unverified code.
• XIVE kernel for IAP: the most compact integrity kernel that is capable of enforcing executing-implies-verified.
Slide 8: Outline (Motivation, Contributions, Design, Conclusions and future work)
Slide 9: Hypervisors
(figure: layered stack of Operating System, Hypervisor and Hardware, with the hypervisor layer labelled "Integrity Kernel")
[SeshadriLQP2007-SOSP]
Slide 10: Large Hypervisors
• Xen: ~230 thousand lines of code
• Big attack surface!
(figure: the same stack, with the hypervisor layer labelled "Integrity Kernel")
[LittyLL2008-Oakland]
Slide 11: Hypervisor Vulnerabilities
(chart of hypervisor vulnerabilities; see the chart on page 50 of the report cited here)
[IBM X-Force 2010]
Slide 12: Example: Xen security advisory CVE-2011-1583 (May 9, 2011)
• Integer overflow in the decompression loop memory allocator might result in overrunning the buffer used for the decompressed image.
• Integer overflows and lack of checking of certain length fields can result in the loader reading its own address space beyond the size of the supplied kernel image file.
• An attacker who can supply a kernel image to be booted as a paravirtualised guest might be able to:
  – Escalate privilege, taking control of the management domain and hence the entire machine.
  – Gain knowledge of the contents of memory in the management tools. Depending on the toolstack in use this might contain sensitive information such as domain management or VNC passwords.
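The advisory's first two bullets describe a bug class rather than one line of code. The following is an added example, not the Xen code behind CVE-2011-1583 and not part of the deck, that models both patterns for a loader fed an untrusted image: a doubling output buffer whose 32-bit size computation can wrap, and a header-supplied offset/length pair validated with an addition that can wrap. The function names, the 100-byte image, the header values and the 64 MiB cap are constructed for this illustration.

```c
/* Added example; NOT the Xen code behind CVE-2011-1583. Models the two bug
 * classes the advisory describes for a loader that takes an untrusted image:
 * (1) a doubling output buffer whose 32-bit size can wrap, and
 * (2) an offset/length pair from a header checked with an addition that can wrap.
 * Image size, header values and the cap below are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_DECOMPRESSED (64u * 1024u * 1024u)  /* assumed policy cap: 64 MiB */

/* (1a) Vulnerable growth step: with cur == 0x80000000 the product wraps to 0,
 * so the allocator is asked for a zero-byte buffer that the decompression
 * loop then writes into. The return value is what malloc() would receive. */
uint32_t grow_size_unchecked(uint32_t cur)
{
    return cur * 2u;
}

/* (1b) Hardened growth step: return 0 ("refuse") when doubling would wrap or
 * exceed the cap, so the caller fails closed instead of allocating short. */
uint32_t grow_size_checked(uint32_t cur)
{
    if (cur == 0 || cur > UINT32_MAX / 2u)
        return 0;
    uint32_t next = cur * 2u;
    return next > MAX_DECOMPRESSED ? 0 : next;
}

/* (2a) Vulnerable range check: off + len wraps in 32 bits, so an offset near
 * 4 GiB passes and the loader reads far past the end of the image buffer. */
int slice_in_image_unchecked(uint32_t image_len, uint32_t off, uint32_t len)
{
    return off + len <= image_len;
}

/* (2b) Hardened range check: never form off + len; compare each field
 * against what remains of the image. */
int slice_in_image_checked(uint32_t image_len, uint32_t off, uint32_t len)
{
    return off <= image_len && len <= image_len - off;
}

/* Constructed header: a 100-byte image claiming a 32-byte section at offset
 * 0xFFFFFFF0. Returns (unchecked_accepts << 1) | checked_accepts, so 2 means
 * only the unchecked path lets the slice through. */
int demo_header_attack(void)
{
    const uint32_t image_len = 100, off = 0xFFFFFFF0u, len = 0x20u;
    int unchecked = slice_in_image_unchecked(image_len, off, len);
    int checked   = slice_in_image_checked(image_len, off, len);
    return (unchecked << 1) | checked;
}

int main(void)
{
    printf("unchecked grow(0x80000000) = %u\n", grow_size_unchecked(0x80000000u));
    printf("checked   grow(0x80000000) = %u\n", grow_size_checked(0x80000000u));
    printf("header slice accepted: unchecked=%d checked=%d\n",
           demo_header_attack() >> 1, demo_header_attack() & 1);
    return 0;
}
```

The hardened checks share one rule: never let untrusted lengths flow into arithmetic whose result is then trusted; compare against the remaining space or the maximum representable value first.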
Slide 13: System Management Mode
(figure labels: System Management Mode, APM Control Register, Hardware Electrical Connection, Integrity Kernel; sleeping dog picture by Eduardo Habkost via Flickr, CC BY 2.0)
• Two orders of magnitude slowdown observed compared to protected mode.
[AzabNWJZS2010-CCS] [WangSG2010-RAID]
Slide 14: Outline (Motivation, Contributions, Related work, Design, Conclusions and future work)
Slide 15: Integrity-Aware Processor
• Based on LEON3 SPARCv8
(figure from paper)
Slide 16: IAP Complexities
(figure from paper)
Slide 17: IAP vs. MMU Hardware TCB
• Isolation:
  – IAP includes specific hardware support for isolating the integrity kernel, which is less complex than the MMU's general protection mechanisms.
• Visibility:
  – IAP verification tracking mechanisms operate at TLB and cache level, removing page table walk mechanisms from the TCB.
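To make the executing-implies-verified policy that the verification tracking enforces concrete, here is an added software model; it is not the paper's IAP hardware or its XIVE kernel code. It tracks one verified bit per page rather than per TLB entry or cache line as the slide describes, uses 64-byte pages, FNV-1a in place of a cryptographic hash, and a constructed whitelist; the function names and the scenario are assumptions of this model.

```c
/* Added example, not the paper's IAP/XIVE hardware or code: a software model
 * of the executing-implies-verified (EIV) policy. Each page carries a
 * "verified" bit that is set only when the page hashes to a whitelist entry,
 * cleared by any store to the page, and checked on every instruction fetch;
 * a fetch from an unverified page that fails re-verification traps to the
 * integrity kernel instead of executing. Page granularity, the 64-byte page,
 * FNV-1a standing in for a cryptographic hash, and the whitelist contents
 * are assumptions of this model (the real IAP tracks state at TLB/cache level). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE     64
#define NUM_PAGES     4
#define WHITELIST_MAX 8

enum fetch_result { FETCH_OK = 0, FETCH_TRAP_UNVERIFIED = 1, FETCH_FAULT_RANGE = 2 };

struct machine {
    uint8_t  mem[NUM_PAGES][PAGE_SIZE];
    uint8_t  verified[NUM_PAGES];     /* the per-page verification bit */
    uint64_t whitelist[WHITELIST_MAX];
    int      whitelist_len;
    int      traps;                   /* EIV violations reported so far */
};

static uint64_t page_hash(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;          /* FNV-1a, a stand-in only */
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

static int whitelist_contains(const struct machine *m, uint64_t h)
{
    for (int i = 0; i < m->whitelist_len; i++)
        if (m->whitelist[i] == h) return 1;
    return 0;
}

/* Integrity-kernel entry: re-hash the page; the bit is set only on a match. */
static int verify_page(struct machine *m, int page)
{
    m->verified[page] = whitelist_contains(m, page_hash(m->mem[page], PAGE_SIZE));
    return m->verified[page];
}

/* Any store clears the bit: modified code must be re-verified before it runs. */
static void store(struct machine *m, uint32_t addr, uint8_t value)
{
    int page = addr / PAGE_SIZE;
    if (page >= NUM_PAGES) return;
    m->mem[page][addr % PAGE_SIZE] = value;
    m->verified[page] = 0;
}

/* Instruction fetch: executing implies verified, or the fetch traps. */
static enum fetch_result fetch(struct machine *m, uint32_t pc)
{
    int page = pc / PAGE_SIZE;
    if (page >= NUM_PAGES) return FETCH_FAULT_RANGE;
    if (!m->verified[page] && !verify_page(m, page)) {
        m->traps++;
        return FETCH_TRAP_UNVERIFIED;
    }
    return FETCH_OK;
}

static struct machine g_m;
static enum fetch_result g_steps[4];

/* Constructed scenario: pages 0 and 1 hold approved code, page 2 holds code
 * that was never approved. Returns the number of traps raised. */
int eiv_scenario(void)
{
    static const uint8_t approved[PAGE_SIZE] = { 0x80, 0x10, 0x20, 0x00, 0x01 }; /* placeholder bytes, rest zero */
    memset(&g_m, 0, sizeof g_m);
    memcpy(g_m.mem[0], approved, PAGE_SIZE);
    memcpy(g_m.mem[1], approved, PAGE_SIZE);
    g_m.whitelist[g_m.whitelist_len++] = page_hash(approved, PAGE_SIZE);
    g_m.mem[2][0] = 0x91;                        /* unapproved code */

    g_steps[0] = fetch(&g_m, 0);                 /* approved: verified on demand */
    store(&g_m, PAGE_SIZE + 3, 0xff);            /* one injected byte in page 1 */
    g_steps[1] = fetch(&g_m, PAGE_SIZE);         /* hash mismatch: trap */
    g_steps[2] = fetch(&g_m, 2 * PAGE_SIZE);     /* never approved: trap */
    store(&g_m, PAGE_SIZE + 3, approved[3]);     /* restore page 1 */
    g_steps[3] = fetch(&g_m, PAGE_SIZE);         /* re-verifies: runs again */
    return g_m.traps;
}

int eiv_step_result(int i) { return (i >= 0 && i < 4) ? (int)g_steps[i] : -1; }
int eiv_page_verified(int page) { return (page >= 0 && page < NUM_PAGES) ? g_m.verified[page] : -1; }

int main(void)
{
    int traps = eiv_scenario();
    for (int i = 0; i < 4; i++)
        printf("step %d: %s\n", i, eiv_step_result(i) == FETCH_OK ? "executed" : "trapped");
    printf("traps: %d\n", traps);
    return 0;
}
```

The store path is what gives the policy its force: the bit is cleared whenever code is modified, so a page cannot be verified once and then patched, and every fetch either finds the bit set, re-establishes it against the whitelist, or traps to the integrity kernel.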
Slide 18: TCB Comparison
• XIVE contains 859 instructions
Slide 19: Hardware Prototype
Slide 20: Performance
(figure from paper)
Slide 21: Plentiful Dark Silicon
• Same area + same total heat dissipation + more transistors = lower % of simultaneously active transistors
• 37% slice overhead
• 21% BlockRAM overhead
[SwansonT2011-IEEEComm]
Slide 22: Outline (Motivation, Contributions, Design, Conclusions and future work)
Slide 23: Contributions
• Integrity-Aware Processor (IAP): the only processor architecture with hardware support for directly detecting the execution of unverified code.
• XIVE kernel for IAP: the most compact integrity kernel that is capable of enforcing executing-implies-verified.
Slide 24: Future Work
• Adapt IAP to other architectures.
• Explore integrity kernels for health information technology.
• Implement different types of policies within XIVE.
Slide 25: Hash vs. Network Overhead
(figure from paper)