1 InfoShield: A Security Architecture for Protecting Information Usage in Memory Georgia Tech Weidong Shi – Georgia Tech Josh Fryman – Intel Corporation.

Slides:



Advertisements
Similar presentations
Chapter 5 The LC-3 Instruction Set Architecture l ISA Overview l Operate instructions l Data Movement instructions l Control Instructions l LC-3 data path.
Advertisements

Using Instruction Block Signatures to Counter Code Injection Attacks Milena Milenković, Aleksandar Milenković, Emil Jovanov The University of Alabama in.
INSTRUCTION SET ARCHITECTURES
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Instruction-Set Randomization “Countering Code-Injection Attacks With Instruction-Set Randomization” G. Kc, A. Keromytis, and V. Prevelakis CCS October.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
What are Exception and Interrupts? MIPS terminology Exception: any unexpected change in the internal control flow – Invoking an operating system service.
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Secure Virtual Architecture John Criswell, Arushi Aggarwal, Andrew Lenharth, Dinakar Dhurjati, and Vikram Adve University of Illinois at Urbana-Champaign.
A Low-Cost Memory Remapping Scheme for Address Bus Protection Lan Gao *, Jun Yang §, Marek Chrobak *, Youtao Zhang §, San Nguyen *, Hsien-Hsin S. Lee ¶
Architecture for Protecting Critical Secrets in Microprocessors Ruby Lee Peter Kwan Patrick McGregor Jeffrey Dwoskin Zhenghong Wang Princeton Architecture.
A Security-Aware Routing Protocol for Wireless Ad Hoc Networks
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
OSI and TCP/IP Models And Some Vulnerabilities AfNOG th May 2011 – 10 th June 2011 Tanzania By Marcus K. G. Adomey.
1 Architectural Support for Copy and Tamper Resistant Software David Lie, Chandu Thekkath, Mark Mitchell, Patrick Lincoln, Dan Boneh, John Mitchell and.
Systems Analysis and Design in a Changing World, 6th Edition 1 Chapter 12 - Databases, Controls, and Security.
Functions and Procedures. Function or Procedure u A separate piece of code u Possibly separately compiled u Located at some address in the memory used.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Mitigation of Buffer Overflow Attacks
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 10 “Buffer Overflow”.
Exploitation possibilities of memory related vulnerabilities
4-Oct Fall 2001: copyright ©T. Pearce, D. Hutchinson, L. Marshall Sept  direct mode: OK for static addresses  indirect register mode:
JMU GenCyber Boot Camp Summer, Introduction to Penetration Testing Elevating privileges – Getting code run in a privileged context Exploiting misconfigurations.
Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.
DATA COMPROMISE Controlling the flow of sensitive electronic information remains a major challenge, ranging from theft to accidental violation of policies.
Exploiting Instruction Streams To Prevent Intrusion Milena Milenkovic.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
Chapter 10 Chapter 10 Implementing Subprograms. Implementing Subprograms  The subprogram call and return operations are together called subprogram linkage.
Protecting C and C++ programs from current and future code injection attacks Yves Younan, Wouter Joosen and Frank Piessens DistriNet Department of Computer.
LECTURE 3 Translation. PROCESS MEMORY There are four general areas of memory in a process. The text area contains the instructions for the application.
Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt Cyber Defense.
Chapter 10 Buffer Overflow 1. A very common attack mechanism o First used by the Morris Worm in 1988 Still of major concern o Legacy of buggy code in.
A Framework For Trusted Instruction Execution Via Basic Block Signature Verification Milena Milenković, Aleksandar Milenković, and Emil Jovanov Electrical.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Memory Protection through Dynamic Access Control Kun Zhang, Tao Zhang and Santosh Pande College of Computing Georgia Institute of Technology.
HDFI: Hardware-Assisted Data-flow Isolation
CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.
A Closer Look at Instruction Set Architectures
Cryptographic Hash Function
Taint tracking Suman Jana.
A Closer Look at Instruction Set Architectures: Expanding Opcodes
Functions and Procedures
Summary by - Bo Zhang and Shuang Guo [Date: 03/31/2014]
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Memory and Address Protection Covert Channels
User-mode Secret Protection (SP) architecture
System Calls David Ferry CSCI 3500 – Operating Systems
CSE 451: Operating Systems Autumn 2003 Lecture 10 Paging & TLBs
Overview of Database Security
Sai Krishna Deepak Maram, CS 6410
CSE 451: Operating Systems Autumn 2003 Lecture 10 Paging & TLBs
Meltdown & Spectre Attacks
Presentation transcript:

1 InfoShield: A Security Architecture for Protecting Information Usage in Memory Georgia Tech Weidong Shi – Georgia Tech Josh Fryman – Intel Corporation Georgia Tech Guofei Gu – Georgia Tech Georgia Tech Hsien–Hsin Lee – Georgia Tech Youtao Zhang – University of Pittsburgh Jun Yang – University of California, Riverside

InfoShield 2 Overview  Information Theft  Information Protection Mechanisms  InfoShield Architecture  Characterization of Network Applications  Conclusion

InfoShield 3 Information Theft Example - Overflow Array BufferSecret Key ReadBuffer(offset, size, buf)Crypto Functions Data Code Kernel Space offsetoffset+size During normal operation… offsetoffset+size When an attack is launched…

InfoShield 4 Information Theft  Invalid Input – induce victim applications to disclose secrets (in)voluntarily integer, pointer, array index overflow  Information Theft Trojan intercept, snoop security keys, passwords  Memory Scan keyword, fixed offset  Buffer Overflow - similar to invalid input, but through format string attacks

InfoShield 5 Against Information Theft – Prior Art  Ad-hoc Solutions  Approaches: boundary checking, model checking, stack guard, etc.  Issues: indirect solution, passive solution  Access Control [Hydra, 75]  Approaches: process space isolation, user/kernel isolation, etc.  Issues: high level, coverage too broad, imprecise, insecure

InfoShield 6 Information Flow Analysis - Prior Art  Information Flow (IF) Analysis  Classic IF model [Denning & Denning,77]  Runtime IF analysis/tracking [RIFLE, 04]  Restrict Flow of Information  Information with high security level cannot be disclosed to output channel with low security level  Issues  Over-protection, too restrictive, every piece of derived information carries private information.

InfoShield 7 InfoShield: Protecting Information Usage  Runtime Check of Usage of Sensitive Information  password, cryptographic keys, …  Restrict Information Usage  Who can access: sensitive data must be accessed and operated by functions who are entitled to use them.  How can be accessed: sensitive data guaranteed to be used in the way defined by application semantic  Require ISA Extension and Architectural Support

InfoShield 8 inst S:ld r4, (secret) … inst S:ld r4, (secret) … InfoShield Basics inst1: inst2: inst3: inst4: … inst define secret usage Secret … inst X:st r5, (secret) … Shield usage Memory

InfoShield 9 inst X:st r5, (secret) … inst X:st r5, (secret) … InfoShield Basics Form “Authentication Chain” for Protecting Usage inst1: inst2: inst3: inst4: … inst define secret usage Secret inst S:ld r4, (secret) … inst define secret usage Shield usage Memory

InfoShield 10 InfoShield Basics inst1: inst2: inst3: inst4: … inst define secret usage Secret inst X:ld r5, (secret) … inst S:ld r4, (secret) … inst define secret usage … inst X:st r5, (secret) … Memory Hacker’s instructions Inst H: ld r4, (secret) “Inst H” is not in the protection chain Mallory

InfoShield 11 InfoShield: Information Usage Safety  Concept of Information Usage Safety  Given That Application Is Properly Designed,  Guarantee that information is used in the way it is meant to be used.  Ensure that private data is not misused or illegally accessed.  Protect the integrity of dynamic usage of user private data based on the program semantic. Or in another word Authenticates the Usage of Information

InfoShield 12 InfoShield: Safeguard Sensitive Data  Read/write to sensitive data is dynamically checked throughout the program execution to guarantee they are used,  in the order as defined by the application  by only the instructions that are supposed to use it  Architectural Model  ISA Extension – sensitive data declaration, runtime access control  Architectural support – security-aware register table and runtime checking

InfoShield 13 InfoShield: Architectural Support  Secure-aware Register (SR) Table  where sensitive data are stored  who can access the sensitive data  After a code region completes, modify SR Table  ISA Support  SR Table management instructions  sensitive data clear, copy

InfoShield 14 InfoShield Illustration sensitive data SR Table Addr low Addr high PC low PC high Code Region 1 Code Region 2 Code Region 3 Define Next Region Define Sensitive Data Define Next Region Access Sensitive Data

InfoShield 15 sensitive data SR Table Addr low Addr high PC low PC high Code Region 1 Code Region 2 Code Region 3 InfoShield Illustration Define Next Region Access Sensitive Data Test Branch True: Define Region 3 Access Sensitive Data

InfoShield 16 sensitive data SR Table Addr low Addr high PC low PC high Code Region 1 Code Region 2 Code Region 4 InfoShield Illustration Access Sensitive Data Test Branch False: Define Region 4 Access Sensitive Data

InfoShield 17 ISA Extension Example R1<-0x200 R2<-0x208 R3<-0xB00C R4<-0xB014 SAG R0 SAP R0,R1,R2,R3,R4 0xB00C 0xB B00CB014 sensitive data Addr low Addr high PC low PC high 0x200 0x208 SR Table R0 <- 1 SAG: Set Address Guard SAP: Set Address Protection

InfoShield 18 ISA Extension Example R2<- 0xC008 R3<-0xC00C Ld Rx, [0x200] SAS R0, R2,R3 0xB010 0xB00C 0xC008 0xC00C B00CB C008C00C sensitive data 0x200 0x208 Addr low Addr high PC low PC high SR Table

InfoShield 19 Other ISA Extension  Sensitive Data Copy.  Definition: copy a block of sensitive data (memory to memory DMA)  Purpose: garbage collection  Sensitive Data Clear.  Definition: reclaim dead sensitive data region.  Purpose: program fault handling, garbage collection.

InfoShield 20 Move Checking Off the Critical Path ROB(or architectural equivalent) SR Table Cache and Memory Hierarchy Load/Store Queue EA, ROB slot EA, ROB slot, PC Data/Exceptions

InfoShield 21 Application Profile  Emulation environment x86 full system emulator, Bochs. Linux Server (RH6.0 distribution)  Profiled applications openssh server,sftp server, apache server wu-ftp server, imap server, ftp client, pine client, and lynx web browser.  Sensitive information  Password  Openssh/sftp private key  AES encryption/decryption key

InfoShield 22 Bochs Hack  Profiled applications Instrument applications (memory tainting) to expose  where the sensitive data are stored  when they are created and when they are destroyed  Bochs : For each process (identified via process unique CR3 value in x86)  number of memory reads that fetch sensitive data  number of instructions that directly manipulate loaded sensitive data

InfoShield 23 Dynamic Sensitive Data Loads/All Data Loads

InfoShield 24 Dynamic Instructions Operating On Sensitive Data/All Instructions

InfoShield 25 Conclusions  Many documented real-world information thefts steal sensitive data via violation of information usage.  InfoShield enforces runtime sensitive data to be accessed or used the way as defined by program semantic.  For real-world applications, accesses to password or security keys are relatively small.

InfoShield 26 Thank You

27 Backup Foil

InfoShield 28 InfoShield: Assumptions  Computing platform itself is physically secured.  Integrity of software guaranteed.  Dynamic libraries certified and signed with digital signatures.  Software running in non-debug mode.

InfoShield 29 Information Theft Example -Trojan Application Socket DLL Trojan

InfoShield 30 Information flow safetyComputational safetyInformation use safety Encrypted results carry info of the key and considered un-safe to be disclosed. Encrypted result is computationally safe to be disclosed. It is not feasible to extract key from the encrypted data. Encrypted results are safe to be disclosed if it is based on correct execution of the function and there is no miss-use of the key.  A Crypto Function That Encrypts Input Data Using A Key.  The key is considered as private data  The encrypted data considered as non-secret. Comparisons

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.