InfoShield: A Security Architecture for Protecting Information Usage in Memory
(transcript of a PowerPoint presentation)

Weidong Shi, Georgia Tech
Josh Fryman, Intel Corporation
Guofei Gu, Georgia Tech
Hsien-Hsin Lee, Georgia Tech
Youtao Zhang, University of Pittsburgh
Jun Yang, University of California, Riverside
Slide 2: Overview
- Information Theft
- Information Protection Mechanisms
- InfoShield Architecture
- Characterization of Network Applications
- Conclusion
Slide 3: Information Theft Example - Overflow
[Figure: memory layout showing Data (Array Buffer, Secret Key), Code (ReadBuffer(offset, size, buf), Crypto Functions) and Kernel Space. During normal operation, the range offset..offset+size read by ReadBuffer stays inside the Array Buffer; when an attack is launched, offset+size extends past the buffer and reaches the Secret Key.]
Slide 4: Information Theft
- Invalid Input: induce victim applications to disclose secrets (in)voluntarily; integer, pointer, array index overflow
- Information Theft Trojan: intercept, snoop security keys, passwords
- Memory Scan: keyword, fixed offset
- Buffer Overflow: similar to invalid input, but through format string attacks
Slide 5: Against Information Theft - Prior Art
- Ad-hoc Solutions. Approaches: boundary checking, model checking, stack guard, etc. Issues: indirect solution, passive solution
- Access Control [Hydra, 75]. Approaches: process space isolation, user/kernel isolation, etc. Issues: high level, coverage too broad, imprecise, insecure
Slide 6: Information Flow Analysis - Prior Art
- Information Flow (IF) Analysis: classic IF model [Denning & Denning, 77]; runtime IF analysis/tracking [RIFLE, 04]
- Restrict Flow of Information: information with a high security level cannot be disclosed to an output channel with a low security level
- Issues: over-protection, too restrictive; every piece of derived information carries private information
Slide 7: InfoShield: Protecting Information Usage
- Runtime check of the usage of sensitive information: passwords, cryptographic keys, ...
- Restrict information usage. Who can access: sensitive data must be accessed and operated on only by the functions entitled to use it. How it can be accessed: sensitive data is guaranteed to be used in the way defined by the application semantics
- Requires an ISA extension and architectural support
Slides 8-10: InfoShield Basics
[Figure, built up over three slides: an instruction stream (inst1, inst2, inst3, inst4, ...) in which an "inst define secret usage" instruction precedes "inst S: ld r4, (secret)" and, later, another "inst define secret usage" precedes "inst X: st r5, (secret)"; the Secret in Memory is shielded so that only these usages are permitted. Slide 9: the define-usage instructions form an "Authentication Chain" for protecting usage. Slide 10: Mallory's instruction "Inst H: ld r4, (secret)" is not in the protection chain and is rejected.]
Slide 11: InfoShield: Information Usage Safety
Concept of information usage safety: given that the application is properly designed,
- guarantee that information is used in the way it is meant to be used;
- ensure that private data is not misused or illegally accessed;
- protect the integrity of the dynamic usage of user private data based on the program semantics.
In other words: authenticate the usage of information.
Slide 12: InfoShield: Safeguard Sensitive Data
Reads and writes to sensitive data are dynamically checked throughout program execution to guarantee that the data is used in the order defined by the application and only by the instructions that are supposed to use it.
Architectural model:
- ISA extension: sensitive data declaration, runtime access control
- Architectural support: security-aware register table and runtime checking
Slide 13: InfoShield: Architectural Support
- Secure-aware Register (SR) Table: records where sensitive data are stored and who can access the sensitive data. After a code region completes, the SR Table is modified.
- ISA support: SR Table management instructions; sensitive data clear and copy
Slides 14-16: InfoShield Illustration
[Figure, built up over three slides: an SR Table with columns Addrlow, Addrhigh, PClow, PChigh maps a block of sensitive data to the code region currently allowed to access it. Code Region 1 defines the sensitive data and defines the next region; Code Region 2 accesses the sensitive data and tests a branch: if true, it defines Code Region 3 as the next region (slide 15); if false, it defines Code Region 4 (slide 16). The region so defined then accesses the sensitive data.]
Slide 17: ISA Extension Example
Instruction sequence:
  R1 <- 0x200
  R2 <- 0x208
  R3 <- 0xB00C
  R4 <- 0xB014
  SAG R0                  (R0 <- 1)
  SAP R0, R1, R2, R3, R4
SAG: Set Address Guard. SAP: Set Address Protection.
Resulting SR Table entry (Addrlow, Addrhigh, PClow, PChigh): 0x200, 0x208, 0xB00C, 0xB014. The sensitive data at 0x200-0x208 is bound to the code region 0xB00C-0xB014.
Slide 18: ISA Extension Example (continued)
Instruction sequence, executed at PC 0xB010 inside the region that starts at 0xB00C:
  Ld Rx, [0x200]
  R2 <- 0xC008
  R3 <- 0xC00C
  SAS R0, R2, R3
The load of the sensitive data at 0x200 is permitted because it is issued from within the guarded region. After SAS, the SR Table entry changes from (0x200, 0x208, 0xB00C, 0xB014) to (0x200, 0x208, 0xC008, 0xC00C): the sensitive data at 0x200-0x208 is now bound to the next code region, 0xC008-0xC00C.
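As an added example, not taken from the slides or from the InfoShield authors, the following Python model replays the SR Table check of slides 13-16 and the SAG/SAP/SAS sequence of slides 17-18. The method names, the guard-id bookkeeping, the half-open ranges, and the rule that only code inside the current region may define the next one are my assumptions; SAS is modelled as the "define next region" step, since the page does not expand its mnemonic.

```python
from collections import namedtuple

# One SR Table row (slide 14 columns): Addrlow/Addrhigh bound the sensitive data,
# PClow/PChigh the code region currently allowed to use it.
SREntry = namedtuple("SREntry", "addr_low addr_high pc_low pc_high")

class UsageViolation(Exception):
    """A load/store reached guarded data from outside the protection chain."""

class SRTable:
    """Model of the Secure-aware Register Table; ranges are half-open (assumption)."""

    def __init__(self):
        self.entries = {}  # guard id (the value SAG writes to R0) -> SREntry or None

    def sag(self):
        """SAG: allocate a guard id (slide 17 shows R0 <- 1 for the first one)."""
        gid = len(self.entries) + 1
        self.entries[gid] = None
        return gid

    def sap(self, gid, addr_low, addr_high, pc_low, pc_high):
        """SAP: bind the sensitive range to the first code region allowed to use it."""
        self.entries[gid] = SREntry(addr_low, addr_high, pc_low, pc_high)

    def sas(self, gid, pc, pc_low, pc_high):
        """Define the next region (slides 14-18); assumed legal only from inside the current one."""
        self.check_access(pc, self.entries[gid].addr_low)
        self.entries[gid] = self.entries[gid]._replace(pc_low=pc_low, pc_high=pc_high)

    def check_access(self, pc, ea):
        """Per load/store: an EA in a guarded range needs a PC in that entry's region."""
        for e in self.entries.values():
            if e is not None and e.addr_low <= ea < e.addr_high:
                if not (e.pc_low <= pc < e.pc_high):
                    raise UsageViolation(f"pc={pc:#x} ea={ea:#x} not in chain")
        return True  # unguarded addresses are never checked

def slide_walkthrough():
    """Replays slides 17-18, then a stale-region access and Mallory's Inst H."""
    t = SRTable()
    r0 = t.sag()                              # SAG R0              (R0 <- 1)
    t.sap(r0, 0x200, 0x208, 0xB00C, 0xB014)   # SAP R0,R1,R2,R3,R4
    t.check_access(pc=0xB010, ea=0x200)       # Ld Rx,[0x200] from inside the region: ok
    t.sas(r0, 0xB010, 0xC008, 0xC00C)         # SAS R0,R2,R3: hand off to 0xC008-0xC00C
    def blocked(pc):                          # True when the SR Table raises
        try:
            return not t.check_access(pc=pc, ea=0x204)
        except UsageViolation:
            return True
    return blocked(0xB010), blocked(0xD000)   # (True, True): stale region, attacker PC
```

After the hand-off, even the region that was legitimately using the key can no longer touch it, which is what keeps the chain strictly ordered.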
Slide 19: Other ISA Extensions
- Sensitive Data Copy. Definition: copy a block of sensitive data (memory to memory DMA). Purpose: garbage collection.
- Sensitive Data Clear. Definition: reclaim a dead sensitive data region. Purpose: program fault handling, garbage collection.
Slide 20: Move Checking Off the Critical Path
[Figure: pipeline block diagram. The Load/Store Queue sends (EA, ROB slot) to the Cache and Memory Hierarchy and (EA, ROB slot, PC) to the SR Table; data and exceptions flow back to the ROB (or its architectural equivalent), so the SR Table check runs alongside the memory access instead of delaying it.]
Slide 21: Application Profile
- Emulation environment: x86 full system emulator, Bochs. Linux server (RH6.0 distribution)
- Profiled applications: openssh server, sftp server, apache server, wu-ftp server, imap server, ftp client, pine client, and lynx web browser
- Sensitive information: password; openssh/sftp private key; AES encryption/decryption key
Slide 22: Bochs Hack
- Profiled applications: instrument the applications (memory tainting) to expose where the sensitive data are stored, when they are created and when they are destroyed
- Bochs: for each process (identified via its unique CR3 value in x86), count the number of memory reads that fetch sensitive data and the number of instructions that directly manipulate loaded sensitive data
Slide 23: Dynamic Sensitive Data Loads / All Data Loads
[Chart: percentage of sensitive data loads among all loads for the profiled applications, on a logarithmic axis from 0.00001% to 10%.]

Slide 24: Dynamic Instructions Operating On Sensitive Data / All Instructions
[Chart: percentage of dynamic instructions operating on sensitive data among all instructions for the profiled applications, on a logarithmic axis from 0.00001% to 1%.]
Slide 25: Conclusions
- Many documented real-world information thefts steal sensitive data through a violation of information usage.
- InfoShield enforces at runtime that sensitive data is accessed and used in the way defined by the program semantics.
- For real-world applications, accesses to passwords or security keys are relatively rare.
Backup Foils (slides 27-30)
Slide 28: InfoShield: Assumptions
- The computing platform itself is physically secured.
- The integrity of the software is guaranteed: dynamic libraries are certified and signed with digital signatures; software runs in non-debug mode.
Slide 29: Information Theft Example - Trojan
[Figure: the Application calls the Socket DLL; a Trojan is inserted between the Application and the real Socket DLL, so the application's socket traffic passes through it.]
Slide 30: Comparisons
Scenario: a crypto function that encrypts input data using a key. The key is considered private data; the encrypted data is considered non-secret.
- Information flow safety: encrypted results carry information about the key and are considered unsafe to be disclosed.
- Computational safety: the encrypted result is computationally safe to be disclosed; it is not feasible to extract the key from the encrypted data.
- Information use safety: encrypted results are safe to be disclosed if they are based on correct execution of the function and there is no misuse of the key.