Presentation is loading. Please wait.

Presentation is loading. Please wait.

Kyushu University Koji Inoue ICECS'061 Supporting A Dynamic Program Signature: An Intrusion Detection Framework for Microprocessors Koji Inoue Department.

Similar presentations


Presentation on theme: "Kyushu University Koji Inoue ICECS'061 Supporting A Dynamic Program Signature: An Intrusion Detection Framework for Microprocessors Koji Inoue Department."— Presentation transcript:

1 Kyushu University Koji Inoue ICECS'061 Supporting A Dynamic Program Signature: An Intrusion Detection Framework for Microprocessors Koji Inoue Department of Informatics, Kyushu University Japan Science and Technology Agency

2 Kyushu University Koji Inoue ICECS'062 Background Trusted Program Malicious Program Clock Gating Signal Gating DVS ResizingDrowsy Operation Selective Activation Pipelining SuperScalar Branch Prediction Value Prediction On-chip Cache OOO Exe. ILP TLP MLP

3 Kyushu University Koji Inoue ICECS'063 The Goal of This Research Architectural Support for Run-Time Program Authentication Pipelining SuperScalar Branch Prediction Value Prediction On-chip Cache OOO Exe. ILP TLP MLP Clock Gating Signal Gating DVS ResizingDrowsy Operation Selective Activation

4 Kyushu University Koji Inoue ICECS'064 Outline Introduction Processor Level Intrusion Detection (Conventional) Supporting A Dynamic Signature Evaluation Security Strength Performance and Cost Overhead Conclusions

5 Kyushu University Koji Inoue ICECS'065 Search Malicious Programs Allow to Execute Only Authenticated Programs Virus Scan ( Pattern Matching ) Virus Scan ( Rule Matching ) Static Dynamic Certificate (w/ Key) Static Dynamic Problems  Require Virus Lists  Impossible to Detect Unkonwn Virus Problems  Corruption of key check programs  Hijack of the program execution control of authenticated programs What Is The Problem of Current Intrusion Detection? (1/2)

6 Kyushu University Koji Inoue ICECS'066 What Is The Problem of Current Intrusion Detection? (2/2) Dynamic Program Authentication[Wanger’01] Extract a Rule (or Behavior) From the Program Code Check the Rule at Run Time Program static analysis Behavior Model compile object code CPU Execution D. Wagner and D. Dean, "Intrusion Detection via Static Analysis," IEEE Symposium on Security and Privacy, May 2001 Problems Limits of The Extracted Rule Can NOT Detect Viruses Which Have The Same Rule

7 Kyushu University Koji Inoue ICECS'067 Outline Introduction Processor Level Intrusion Detection (Conventional) Supporting A Dynamic Signature Evaluation Security Strength Performance and Cost Overhead Conclusions

8 Kyushu University Koji Inoue ICECS'068 Determine an execution behavior for the program authentication from a secret key E.g., Memory-Access Pattern Control the execution behavior at compile time Monitor the execution behavior at run time E.g., Hardware Profiler Program Behavior Model compile object code Secret Key CPU Behavior Model ? Concept of Dynamic Program Signature

9 Kyushu University Koji Inoue ICECS'069 Program End of Execution Hijacking of Execution Control HW Profiler Address X is Accessed in Every N Instructions! N Instructions HW Profiler Attack Code Dynamic Execution Behavior for Program Authentication

10 Kyushu University Koji Inoue ICECS'0610 How Can We Control The Execution Behavior At Compile Time? Branches Unify the size of basic blocks Speculative/OOO Execution Monitor the sequence of committed instructions Basic Block A special instruction to generate a dynamic signature Unified Basic Block original

11 Kyushu University Koji Inoue ICECS'0611 Outline Introduction Processor Level Intrusion Detection (Conventional) Supporting A Dynamic Signature Evaluation Security Strength Performance and Cost Overhead Conclusions

12 Kyushu University Koji Inoue ICECS'0612 Security Strength The attacker knows the secret key information and algorithm how to determine the pre-defined behavior The attack codes are inserted at the compile time The attacker can predict the pre-defined behavior Provability: 1/(2 ADDRbit-width +2 N ) where N is the candidate of the unified basic-block size The size of malicious code is smaller than that of unified basic-block E.g., less than 5 or 30 instructions We can NOT detect malicious attacks if

13 Kyushu University Koji Inoue ICECS'0613 Evaluation Code size (Cost) Execution time (Performance) Experimental Environment ARMSimplescalar StrongARM model Support the dynamic signature Benchmark programs SPECint95 ( 129.compress ) Dynamic Signature Unified basic-block size : from 5 to 25 instructions #of key-load instructions in each basic block: 1 Performance/Cost Overhead (1/2)

14 Kyushu University Koji Inoue ICECS'0614 Code size x5 in maximum, and x1.7 in minimum Execution time overhead 50% in max. and 10% in min. Load for Key Nop Original Performance/Cost Overhead (2/2)

15 Kyushu University Koji Inoue ICECS'0615 Outline Introduction Processor Level Intrusion Detection (Conventional) Supporting A Dynamic Signature Evaluation Security Strength Performance and Cost Overhead Conclusions

16 Kyushu University Koji Inoue ICECS'0616 Summary Supporting Dynamic Program Signature Run-time execution authentication Detect the execution of malicious programs Overhead Evaluation (unified BB size = 5 inst.) Code size: about x1.7 Execution Time: about x1.1 Future Work Support secure compilation Explore the tradeoff between security and cost, performance, and also energy consumption Conclusions


Download ppt "Kyushu University Koji Inoue ICECS'061 Supporting A Dynamic Program Signature: An Intrusion Detection Framework for Microprocessors Koji Inoue Department."

Similar presentations


Ads by Google