
1 Enforcing Executing-Implies-Verified with the Integrity-Aware Processor. Michael LeMay, Carl A. Gunter, University of Illinois at Urbana-Champaign. Modified version of the presentation for TRUST 2011.

2 Outline: Motivation; Contributions; Design; Conclusions and future work.

3 Stuxnet [Symantec Stuxnet Dossier 2011]: injected malicious code into a Programmable Logic Controller. – Can be blocked using code whitelisting. (Figure: clean OB1 vs. infected OB1.)

4 Other Potential Applications: corporate desktop PCs; Chrome OS devices; advanced electric meters; power substation Intelligent Electronic Devices; …

5 Motivation for Integrity-Aware Hardware: existing approaches to malware detection and prevention exhibit limitations in the areas of: – Isolation – Visibility – Performance – Compatibility.

6 Outline: Motivation; Contributions; Design; Conclusions and future work.

7 Contributions. Integrity-Aware Processor (IAP): the only processor architecture with hardware support for directly detecting the execution of unverified code. XIVE kernel for IAP: the most compact integrity kernel that is capable of enforcing executing-implies-verified.

8 Outline: Motivation; Contributions; Design; Conclusions and future work.

9 Hypervisors [SeshadriLQP2007-SOSP]. (Figure: the integrity kernel hosted by a hypervisor layered between the Operating System and the Hardware.)

10 Large Hypervisors: Xen is ~230 thousand lines of code. Big attack surface! [LittyLL2008-Oakland] (Figure: the integrity kernel inside a large hypervisor.)

11 Hypervisor Vulnerabilities [IBM X-Force 2010]. (See the chart on page 50 of the cited report.)

12 Example: Xen security advisory CVE-2011-1583 (May 9, 2011). An integer overflow in the decompression loop memory allocator might result in overrunning the buffer used for the decompressed image. Integer overflows and lack of checking of certain length fields can result in the loader reading its own address space beyond the size of the supplied kernel image file. An attacker who can supply a kernel image to be booted as a paravirtualised guest might be able to: – Escalate privilege, taking control of the management domain and hence the entire machine. – Gain knowledge of the contents of memory in the management tools. Depending on the toolstack in use, this might contain sensitive information such as domain management or VNC passwords.

13 System Management Mode: entered via the APM Control Register; two orders of magnitude slowdown observed compared to protected mode. [AzabNWJZS2010-CCS] [WangSG2010-RAID] (Figure: integrity kernel with an electrical connection to the hardware; sleeping dog picture by Eduardo Habkost via Flickr, CC BY 2.0.)

14 Outline: Motivation; Contributions; Related work; Design; Conclusions and future work.

15 Integrity-Aware Processor: based on the LEON3 SPARCv8 core. (Figure from paper.)

16 IAP Complexities. (Figure from paper.)

17 IAP vs. MMU Hardware TCB. Isolation: – IAP includes specific hardware support for isolating the integrity kernel, which is less complex than the MMU's general protection mechanisms. Visibility: – IAP verification tracking mechanisms operate at the TLB and cache level, removing page table walk mechanisms from the TCB.
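The policy these slides enforce, executing-implies-verified, is easier to reason about with a concrete model. The following is an added example written for this page; it is not code from the paper, from the IAP hardware or from the XIVE kernel. It models the policy at page granularity: a page can be fetched for execution only if its current contents hash to an entry in a code whitelist (the Stuxnet slide's "code whitelisting"), a verified bit is cached per page so hot code is not re-hashed on every fetch, and any write to a page clears that bit so the next fetch forces re-verification. The 16-byte page size, the SHA-256 whitelist, the lazy verify-on-first-fetch behaviour and the trap log are assumptions of this model, not details of the IAP design.

```python
"""Toy model of an executing-implies-verified policy.

Added example, not code from the paper or the IAP/XIVE prototype.
Page size, the SHA-256 whitelist and the trap behaviour are assumptions.
"""
import hashlib

PAGE_SIZE = 16  # bytes per page in this toy model (assumption)


class UnverifiedExecution(Exception):
    """Raised when a fetch targets a page whose contents are not whitelisted."""


class IntegrityKernel:
    """Stands in for the integrity kernel: holds the whitelist and verifies pages."""

    def __init__(self, whitelisted_pages):
        # The whitelist stores hashes of approved page images, never the code itself.
        self.whitelist = {hashlib.sha256(p).hexdigest() for p in whitelisted_pages}
        self.verify_calls = 0  # how often the (slow) hashing path was taken

    def verify(self, page_bytes):
        self.verify_calls += 1
        return hashlib.sha256(page_bytes).hexdigest() in self.whitelist


class Machine:
    """Memory plus one verified bit per page (the state tracked per TLB/cache entry in hardware)."""

    def __init__(self, memory, kernel):
        if len(memory) % PAGE_SIZE:
            raise ValueError("memory must be a whole number of pages")
        self.mem = bytearray(memory)
        self.kernel = kernel
        self.verified = [False] * (len(memory) // PAGE_SIZE)
        self.traps = []  # (reason, address) for every blocked fetch

    def write(self, addr, data):
        """Data write: store the bytes and clear the verified bit of every page touched."""
        self.mem[addr:addr + len(data)] = data
        first, last = addr // PAGE_SIZE, (addr + len(data) - 1) // PAGE_SIZE
        for page in range(first, last + 1):
            self.verified[page] = False

    def fetch(self, addr):
        """Instruction fetch: verify lazily on the first fetch after a write, else use the cached bit."""
        page = addr // PAGE_SIZE
        if not self.verified[page]:
            start = page * PAGE_SIZE
            if not self.kernel.verify(bytes(self.mem[start:start + PAGE_SIZE])):
                self.traps.append(("unverified-exec", addr))
                raise UnverifiedExecution(f"fetch from unverified page {page} at {addr:#x}")
            self.verified[page] = True
        return self.mem[addr]


def run_demo():
    """Replay the Stuxnet-style scenario: clean code block, injected block, restored block."""
    clean_block = bytes(range(0x10, 0x20))   # constructed stand-in for a clean OB1 image
    scratch_page = bytes(PAGE_SIZE)           # data page, deliberately not whitelisted
    machine = Machine(clean_block + scratch_page, IntegrityKernel([clean_block]))
    result = {}

    result["first_fetch"] = machine.fetch(0x0)   # hashed and verified on first fetch
    machine.fetch(0x5)                           # cached verified bit, no re-hash
    result["verify_calls_after_two_fetches"] = machine.kernel.verify_calls

    machine.write(0x3, b"\xcc")                  # attacker patches one byte of the code page
    try:
        machine.fetch(0x0)
        result["injected_trapped"] = False
    except UnverifiedExecution:
        result["injected_trapped"] = True

    try:
        machine.fetch(PAGE_SIZE)                 # control flow diverted into the data page
        result["data_page_trapped"] = False
    except UnverifiedExecution:
        result["data_page_trapped"] = True

    machine.write(0x3, bytes([0x13]))            # restore the whitelisted image
    result["restored_fetch"] = machine.fetch(0x3)  # re-verification succeeds
    result["total_verify_calls"] = machine.kernel.verify_calls
    result["trap_count"] = len(machine.traps)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point to take from the model is the invariant, not the mechanism: between a write and the next successful verification, no byte of that page can be fetched, so an injected block like the infected OB1 never runs. The per-page verified bit is what keeps the hash cost off the hot path, which is the performance trade-off the later slides measure.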

18 TCB Comparison: XIVE contains 859 instructions.

19 Hardware Prototype.

20 Performance. (Figure from paper.)

21 Plentiful Dark Silicon [SwansonT2011-IEEEComm]: same area + same total heat dissipation + more transistors = lower percentage of simultaneously active transistors. IAP prototype cost: 37% slice overhead, 21% BlockRAM overhead.

22 Outline: Motivation; Contributions; Design; Conclusions and future work.

23 Contributions (recap). Integrity-Aware Processor: the only processor architecture with hardware support for directly detecting the execution of unverified code. XIVE kernel for IAP: the most compact integrity kernel that is capable of enforcing executing-implies-verified.

24 Future Work: adapt IAP to other architectures; explore integrity kernels for health information technology; implement different types of policies within XIVE.

25 Hash vs. Network Overhead. (Figure from paper.)

