Presentation is loading. Please wait.

Presentation is loading. Please wait.

SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems Man-Ki Yoon, Sibin Mohan, Jaesik Choi, Jung-Eun Kim, Lui.

Published byAmberly Erin Lambert Modified over 9 years ago

Similar presentations

Presentation on theme: "SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems Man-Ki Yoon, Sibin Mohan, Jaesik Choi, Jung-Eun Kim, Lui."— Presentation transcript:

1 SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems Man-Ki Yoon, Sibin Mohan, Jaesik Choi, Jung-Eun Kim, Lui Sha Dept. of Computer Science, UIUC Information Trust Institute, UIUC Lawrence Berkeley National Lab Apr 9 th, 2013

2 Rethinking Real-Time Embedded System Security SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 2 Increased Capability More Networked Open, Standard Platform More Vulnerable to Security Attacks

3 SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 3 SecureCore Architecture Intrusion Detection, not prevention Most critical component: control application System recovery upon detection Behavior monitoring Predictable timing behaviors of real-time apps Profile using statistical learning Multicore-based core-to-core monitoring On-chip HW for processor state inspection Hypervisor-based protection/isolation SecureCore Architecture

4 Rest of the Talk System and Application Model Timing-based Intrusion Detection (Overview) SecureCore – Architecture Design – Timing-based Intrusion Detection (Detail) Implementation and Evaluation Limitations and Future Work SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 4

5 Multicore-based Real-Time Control System System and Application Model SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 5 Physical plant Time Controller Sensor data Actuation cmd Threat Model: Malicious code execution Embedded in the control code Activated after system initialization Irrelevant how it gained entry SecureCore MonitoredCore SecureCore Architecture

6 Timing-Based Intrusion Detection Idea: Deterministic timing of real-time applications – Any malicious activity consumes finite time to execute – Deviation from expected timing → Suspicious! SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 6 Block 1 Block 2 Block 3 Block 4 Block 5 Block 6 Malicious Code Observed Legitimate

7 Timing-Based Intrusion Detection Idea: Deterministic timing of real-time applications – Any malicious activity consumes finite time to execute – Deviation from expected timing → Suspicious! SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 7 Block 1 Block 2 Block 3 Block 4 Block 5 Block 6 Execution time variations Control flow path Input values System effects (e.g., shared resource)

8 Timing-Based Intrusion Detection Idea: Deterministic timing of real-time applications – Any malicious activity consumes finite time to execute – Deviation from expected timing → Suspicious! SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 8 Block 1 Block 2 Block 3 Block 4 Block 5 Block 6 Execution time variations Control flow path Input values System effects (e.g., shared resource) Profile probabilistic execution time model Estimate Prob(e*) Capture even legitimate variations Statistical learning-based profiling/detection

9 Outline System and Application Models Timing-based Intrusion Detection (Overview) SecureCore – Architecture Design – Timing-based Intrusion Detection (Detail) Implementation and Evaluation Limitations and Future Work SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 9

10 SecureCore Architecture SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 10 Plant Complex Controller Complex Controller Safety Ctrl. Safety Ctrl. Decision Module Decision Module Sensor Data Actuation Command Simplex Architecture [Sha, 2001] For reliable & loss-less control Monitored CoreSecure Core OS Hypervisor Memory space separation Trust base I/O Proxy Manages I/O to/from the plant Prevent I/O data obfuscation I/O Proxy I/O Proxy Inter-Core Communication Inter-Core Communication Timing Trace Module Timing Trace Module Scratch Pad Memory Scratch Pad Memory Secure Monitor Secure Monitor Timing Trace Module (TTM) Read processor states when a trace instruction is executed Scratch Pad Memory (SPM) Stores a sequence of trace information Only visible to the secure core Secure Monitor Verify the legitimacy of an execution Use timing profile

11 Timing-Based Intrusion Detection Block-level monitoring – Narrowing estimation domain Less variation, better accuracy – Block boundary: check point Detect unexpected flow deviations SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 11 Block 1 Block 2 Block 3 Block 4 Block 5 Block 6

12 How to Get Timing Profiles SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 12 Raw TracesTrace TreeProfiles Block 1 Block 2 Block 3 Block 4 Block 5 Block 6 Block 1 Block 2 Block 3 Block 4 Block 5 Block 6 Statistical Learning

13 Timing Trace Module SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 13 Trace Instructions SPM Layout -PID registration for preventing traces from being forged -BA: Base Address ( = PC of INST_REG_PID) -Read Timestamp and Program Counter from the processor registers -Addr i = BA – PC i (i.e., relative address from BA)

14 Raw Traces SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 14 Block 1 Block 2 Block 3 Block 4 Block 5 Block 6 INST_TRACE Addr 1 Addr 2 Addr 3 Addr 4 Addr 6 Addr 5 Addr 7 (Addr 1, t 5 ) (Addr 2, t 6 ) (Addr 4, t 7 ) (Addr 6, t 8 ) (Addr 7, t 9 ) (Addr 1, t 10 ) (Addr 2, t 11 ) (Addr 4, t 12 ) (Addr 5, t 13 ) (Addr 7, t 14 ) … (Addr 1, t 1 ) (Addr 3, t 3 ) (Addr 7, t 4 ) (Addr 2, t 2 )

15 Trace Tree SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 15 (Addr 1, t 5 ) (Addr 2, t 6 ) (Addr 4, t 7 ) (Addr 6, t 8 ) (Addr 7, t 9 ) (Addr 1, t 10 ) (Addr 2, t 11 ) (Addr 4, t 12 ) (Addr 5, t 13 ) (Addr 7, t 14 ) … (Addr 1, t 1 ) (Addr 3, t 3 ) (Addr 7, t 4 ) (Addr 2, t 2 ) Addr 1 Addr 3 Addr 2 Addr 7 Block 1 Block 2 Block 6 Addr 4 Addr 5 Addr 7 Block 6 Block 4 Addr 2 Addr 6 Addr 7 Addr 4 Block 6 Block 3 Block 5 t2-t1t2-t1 t 3 - t 2 t 4 - t 3 t6-t5t6-t5 t 11 -t 10 t7-t6t7-t6 t 12 -t 11 t 13 -t 12 t9-t8t9-t8 t8-t7t8-t7 t 14 -t 13 … … … … … … … Same execution block, but on different paths. Each has its own timing profile Same execution block, but on different paths. Each has its own timing profile From a trace tree, we can get Execution time samples (each node) Legitimate execution flows From a trace tree, we can get Execution time samples (each node) Legitimate execution flows

16 Timing Profile What is a good estimation of execution times? – Min & max, mean, … Not representative Cannot capture variations well – Probabilistic timing model Estimate the likelihoods of execution times! – Probability distribution Parametric vs. Non-parametric distribution – Unknown shape SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 16

17 (Figure is from CSCE 666 Pattern Analysis by Ricardo Gutierrez-Osuna at TAMU) Example Execution Time Profile Using Kernel Density Estimation (KDE) Non-parametric Probability Density Function Estimation SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 17 1 2 3 1.Given samples of execution times 2.Draw scaled distribution at each sample point 3.Sum them up -Kernel & bandwidth affect shape and smoothness -Gaussian kernel Estimated pdf Kernel function Bandwidth (Smoothing constant)

18 Intrusion Detection Using Timing Profiles SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 18 PDF of the Execution Time of an example block Highly likely Multiple peaks: different inputs or system effects How much deviation should we consider malicious? Threshold test Malicious Legitimate

19 Summary of Timing-Based Intrusion Detection SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 19 Complex Controller Complex Controller Secure Monitor Secure Monitor Monitored CoreSecure Core Timing Trace Module Timing Trace Module Scratch Pad Memory Scratch Pad Memory Addr 1 Addr 3 Addr 2 Addr 7 Block 1 Block 2 Block 6 Addr 4 Addr 5 Addr 7 Block 6 Block 4 Addr 2 Addr 6 Addr 7 Addr 4 Block 6 Block 3 Block 5 [Profile] Block 1 Block 2 Block 3 Block 4 Block 5 Block 6 [Run-time Execution] (Addr 1, t i ) (Addr 2, t i+1 ) (Addr 4, t i+2 ) (Addr 6, t i+3 ) (Addr 7, t i+4 ) Trace Traverse and check

20 Outline System and Application Models Timing-based Intrusion Detection (Overview) SecureCore – Architecture Design – Timing-based Intrusion Detection (Detail) Implementation and Evaluation Limitations and Future Work SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 20

21 Implementation SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 21 CC SC DM SM Monitored Core Secure Core IOP LWE Linux 2.6.34 TTM SPM Hypervisor Inverted Pendulum (IP) Dynamics Simics (P4080) Host PC Serial (tty) Pseudo Terminal (pts) Byte channel Freescale P4080 on Simics Only two cores (Core 0 and 1) Cache (L1 and L2) and bus models for system effects ISA modification for trace instruction Inverted Pendulum Control Controller and dynamics (cart position, rod’s angle) Generated from Simulink IP model

22 Application Model IP Control + FFT (EEMBC) SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 22 FFT Init FFT Init FFT Phase #1 FFT Phase #1 FFT Phase #2 FFT Phase #2 FFT Phase #3 FFT Phase #3 IP Control PathID = 1, 2 PathID = 0 1 run if PathID = 0, 1 2 runs if PathID = 2 0+ 1 meter Malicious code Injected at the end of FFT Phase #3 Simple loop (some array copy) 440, 720, 1000 cycles for 1,3,5 loops (FFT Phase#3: ~260,000 cycles) Activated when the cart passes +0.7 m Execute randomly thereafter Loop execution Sends old actuation cmd Timing Profile ~10,000 runs (no malicious code activation) ‘ksdensity’ (Matlab) for Gaussian KDE Total exec time: 850,000 ~ 1,200,000 cycles (~1ms) Control period: 10 ms

23 Early Detection SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 23 No attack No protection Attack activated No attack No protection Simplex only Attack activated No attack No protection Simplex only Our method Attack activated

24 Intrusion Detection Accuracy SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 24 Criteria: False prediction rates – False positive: predict “malicious” when not – False negative: fail to detect a real attack PredictedReal 1/1024 (0.10%) 7/1015 (0.69%) 1 loop3 loops5 loops 827/1022 (81%)574/1046 (55%)130/1098 (12%) 578/1050 (55%)117/1011 (12%) 0/1024 (0%) False positive rates False negative rates Detect well More false alarms Miss oftenFewer false alarms

25 Limitations and Future Work Limitations – Low detection accuracy for short malicious code → More deterministic execution – Still high false positive → Long-term monitoring Other future work – Monitoring multiple applications on multiple cores – Monitoring of other behavioral aspects (e.g., Memory, I/O) – Multi-dimensional monitoring SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 25

26 Thank you SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 26

Download ppt "SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems Man-Ki Yoon, Sibin Mohan, Jaesik Choi, Jung-Eun Kim, Lui."

Similar presentations

The System-Level Simplex Architecture Stanley Bak Olugbemiga Adekunle Deepti Kumar Chivukula Mu Sun Marco Caccamo Lui Sha.

The System-Level Simplex Architecture Stanley Bak Olugbemiga Adekunle Deepti Kumar Chivukula Mu Sun Marco Caccamo Lui Sha.
Using Instruction Block Signatures to Counter Code Injection Attacks Milena Milenković, Aleksandar Milenković, Emil Jovanov The University of Alabama in.

Using Instruction Block Signatures to Counter Code Injection Attacks Milena Milenković, Aleksandar Milenković, Emil Jovanov The University of Alabama in.
Combining Statistical and Symbolic Simulation Mark Oskin Fred Chong and Matthew Farrens Dept. of Computer Science University of California at Davis.

Combining Statistical and Symbolic Simulation Mark Oskin Fred Chong and Matthew Farrens Dept. of Computer Science University of California at Davis.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Chapter 12 CPU Structure and Function. CPU Sequence Fetch instructions Interpret instructions Fetch data Process data Write data.

Chapter 12 CPU Structure and Function. CPU Sequence Fetch instructions Interpret instructions Fetch data Process data Write data.
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
Computer Science HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang North Carolina.

Computer Science HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang North Carolina.
Multiple Processor Systems

Multiple Processor Systems
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
IDS/IPS Definition and Classification

IDS/IPS Definition and Classification
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Computational Astrophysics: Methodology 1.Identify astrophysical problem 2.Write down corresponding equations 3.Identify numerical algorithm 4.Find a computer.

Computational Astrophysics: Methodology 1.Identify astrophysical problem 2.Write down corresponding equations 3.Identify numerical algorithm 4.Find a computer.
1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.

1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.
Reverse Hashing for Sketch Based Change Detection in High Speed Networks Ashish Gupta Elliot Parsons with Robert Schweller, Theory Group Advisor: Yan Chen.

Reverse Hashing for Sketch Based Change Detection in High Speed Networks Ashish Gupta Elliot Parsons with Robert Schweller, Theory Group Advisor: Yan Chen.
Real-Time Kernels and Operating Systems. Operating System: Software that coordinates multiple tasks in processor, including peripheral interfacing Types.

Real-Time Kernels and Operating Systems. Operating System: Software that coordinates multiple tasks in processor, including peripheral interfacing Types.
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS 395-0 Professor Yan Chen.

Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS Professor Yan Chen.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Intrusion Detection System Marmagna Desai [ 520 Presentation]

Intrusion Detection System Marmagna Desai [ 520 Presentation]

Similar presentations

Ads by Google