a security kernel for protected
play

A Security Kernel for Protected Module Architectures Alexandru - PowerPoint PPT Presentation

Jan 10, 2023 •230 likes •513 views

1 A Security Kernel for Protected Module Architectures Alexandru Madalin Ghenea Master of Engineering: Computer Science Promotor: Prof. Frank Piessens Advisors: Jan Tobias Mhlberg Jo Van Bulck 2 Introduction Growing trend towards

  1. 1 A Security Kernel for Protected Module Architectures Alexandru – Madalin Ghenea Master of Engineering: Computer Science Promotor: Prof. Frank Piessens Advisors: Jan Tobias Mühlberg Jo Van Bulck

  2. 2 Introduction • Growing trend towards Internet of Things • Large variety of application domains: ▫ Automotive ▫ Medical applications ▫ Home automation ▫ Industrial control systems ▫ Electronic payment • Need for security solutions for networked, resource-constrained embedded systems

  3. 3 Protected Module Architectures (PMAs) • Reduced Trusted Computing Base (TCB) • Small TCB, isolation, key derivation => PMA • Large spectrum of PMA solutions ▫ Both for high end and low end devices ▫ Software and hardware solutions

  4. 4 Sancus • Security architecture for resource-constrained networked embedded devices • Strong security guarantees with only hardware TCB • Dedicated C compiler • FPGA prototype based on MSP430 processor Noorman, Job, et al. "Sancus 2.0: A Low-Cost Security Architecture for IoT Devices." (2017).

  5. 5 Sancus security guarantees • Software Module (SM) isolation ▫ Program-Counter Based Memory Access Control (PCBMAC) ▫ Single entry point per module ▫ Isolated stacks ▫ protect layout, SP ▫ unprotect Noorman, Job, et al. "Sancus 2.0: A Low-Cost Security Architecture for IoT Devices." (2017).

  6. 6 Sancus security guarantees • Remote attestation ▫ encrypt plaintext, associated data, ciphertext (output), tag (output) [,key] ▫ decrypt ciphertext, associated data, tag, plaintext (output),[,key] Noorman, Job, et al. "Sancus 2.0: A Low-Cost Security Architecture for IoT Devices." (2017).

  7. 7 Sancus security guarantees • Local attestation ▫ attest address, expected hash ▫ get-id address ▫ attest-caller ▫ get_caller_id Noorman, Job, et al. "Sancus 2.0: A Low-Cost Security Architecture for IoT Devices." (2017).

  8. 8 Sancus potential disadvantages • Susceptible to call-stack shortcutting attacks • Increased hardware costs • Cryptographic instructions not interruptible • Security primitives cannot be modified without hardware changes

  9. 9 Sancus Security kernel - Hypothesis • Study the feasibility of creating a security kernel that protects against call-stack shortcutting attacks • Study properties obtained from transferring the cryptographic component from hardware to software while trying to maintain the same security guarantees

  10. 10 Call-stack shortcutting attack Control Module requests Smoke sensor logs sensor data sensor data from Smoke sensor 1 2 Sensor Control Smoke data 4 3 Module sensor logger Smoke sensor sends Sensor data logger 3 sensor data to Control confirms that it has Module logged sensor data Sensor logger sends wrong sensor data

  11. 11 Call-stack shortcutting attack 2 3 1 A B C 4 5 6 2 3 1 A B C 4

  12. 12 Implementation • Inter-SM communication component (ISMC) that protects against call-stack shortcutting attacks. • Shadow call stack implementation • For each Inter-SM call: ▫ The Caller ID and return address of the module pushed in the shadow stack of the ISMC ▫ After the callee returns to ISMC, the return address is popped and control is returned to the caller • All Inter-SM communication is done via the kernel. • Builds upon existing primitives: ▫ get-id address ▫ get_caller_id

  13. 13 Call-stack shortcutting - solution Sensor Control Smoke data Module sensor logger 1 8 7 2 3 6 4 5 Inter-SM Communication module

  14. 14 Evaluation of ISMC • Sancus platform with MSP430 running at 20 MHz with 64 bit SPONGENT • Benchmarking using 3 scenarios: ▫ A simple call between 2 SMs ▫ Cascade call with 3 SMs ▫ Scenario 2 • Compared ISMC against the original version of Sancus • Measured ISMC with and without Secure Boot

  15. 15 Evaluation of ISMC Benchmark Init. First run Additional run Overhead overhead overhead Call between two SMs via 50,871 3,174 705 ISMC with Secure Boot (156%) (26%) (288%) Call between two SMs via 53,847 80,792 729 ISMC without Secure Boot (165%) (680%) (388%) Cascade call with 3 SMs via 67,053 20,748 1,676 ISMC with Secure Boot (138%) (76%) (346%) Cascade call with 3 via ISMC 67,983 132,495 1,696 without Secure Boot (140%) (489%) (350%) Scenario 2 via ISMC with 77,655 47,929 3,698 Secure Boot (142%) (95%) (352%) Scenario 2 via ISMC without 78,213 195,317 3,738 Secure Boot (143%) (387%) (356%)

  16. 16 Evaluation of ISMC Benchmark Init. First run Additional run Overhead overhead overhead Call between two SMs via 2.55 ms 0.16 ms 0.03 ms ISMC with Secure Boot Call between two SMs via 2.70 ms 4.04 ms 0.03 ms ISMC without Secure Boot Cascade call with 3 SMs via 0.08 ms 3.35 ms 1.04 ms ISMC with Secure Boot Cascade call with 3 via 3.4 ms 6.62 ms 0.08 ms ISMC without Secure Boot Scenario 2 via ISMC with 3.89 ms 2.39 ms 0.18 ms Secure Boot Scenario 2 via ISMC 3.92 ms 9.76 ms 0.18 ms without Secure Boot

  17. 17 Evaluation of ISMC Mühlberg , Jan Tobias, et al. "An implementation of a high assurance smart meter using protected module architectures." IFIP International Conference on Information Security Theory and Practice . Springer International Publishing, 2016.

  18. 18 Software local Attestation • Does not use any hardware cryptographic primitives • Registration based mechanism ▫ register_sm ▫ is_registered ▫ is_registered_with_layout • SM protection enabled by the security kernel • Expected hashes stored in the security kernel • Measurement computed only once per SM

  19. 19 Software local Attestation • Possibility to change measurement implementation • Step towards interruptibility • Sufficient for remote attestation if secure communication is provided

  20. 20 Evaluation • Baseline: Sancus platform with MSP430 running at 20 MHz with 64 bit SPONGENT implementation • Software attestation using: ▫ SPONGENT 128 bit security ▫ SHA-2 256 bit

  21. 21 Hashing micro-benchmarks

  22. 22 Software Attestation macro-benchmarks … Client 1 SM Client 2 SM Client n SM Server SM

  23. 23 Software Attestation benchmark SPONGENT hw. vs SHA-2 sw.

  24. 24 Conclusions - ISMC • ISMC protects against call-stack shortcutting attacks • ISMC adds significant overhead, but could be used for many applications

  25. 25 Conclusions – Software Local Attestation • Software local attestation overhead depends on the measurement implementation • Software attestation can be more efficient when using large number of callers • Reduced hardware costs • Step towards interruptibility • Possibility to change measurement implementation after deployment

  26. 26 Future work • Evaluate the software local attestation mechanism with more measurement implementations • Extend kernel with a remote attestation mechanism • Extend kernel to provide compatibility with real- time applications

  27. 27 Thank you for your attention!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security While protection has been discussed throughout the class kernel vs. user mode,

Security While protection has been discussed throughout the class kernel vs. user mode,

Security While protection has been discussed throughout the class kernel vs. user mode, protected memory, file permissions these mechanisms have generally been focused on protection from accidental misuse (software bugs, novice

463 views • 13 slides
1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research Thats unavoidable, but the linux kernel developers dont do very much to make the situation any better. -- Basically, the

625 views • 36 slides
Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris

Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris

Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris james.l.morris@oracle.com Introduction Who am I? Kernel security subsystem maintainer Started kernel development w/ FreeS/WAN in 1999 which led to Netfilter,

798 views • 48 slides
Improving Kernel Security Kernel Summit 2015, Seoul Kees (Case) Cook keescook@chromium.org

Improving Kernel Security Kernel Summit 2015, Seoul Kees (Case) Cook keescook@chromium.org

Improving Kernel Security Kernel Summit 2015, Seoul Kees (Case) Cook keescook@chromium.org James Morris james.l.morris@oracle.com https://outflux.net/slides/2015/ks/security.pdf What I mean by Security More than access control

735 views • 27 slides
Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee, Kangjie Lu, William Harris, Taesoo Kim, Wenke Lee Institute for Information Security & Privacy Georgia Tech Kernel Memory Corruption Vulnerability

493 views • 24 slides
Section 8 2/22/12 Agenda Malloc/Free Process Memory Image memory protected kernel virtual

Section 8 2/22/12 Agenda Malloc/Free Process Memory Image memory protected kernel virtual

CSE 351 Section 8 2/22/12 Agenda Malloc/Free Process Memory Image memory protected kernel virtual memory from user code stack %rsp What is the heap for? How do we use it? run-time heap uninitialized data (. bss ) initialized data (.

714 views • 26 slides
Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016

Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016

Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016 Vaishali Thakkar (vaishali.thakkar@oracle.com) 1 Self Introduction Linux Kernel developer at Oracle Working in kernel security engineering group

659 views • 46 slides
Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis Introduction Limited to Windows, and aimed at IA32: Outline of protected mode and the kernel Attack vectors Useful tools Examples

672 views • 36 slides
P Protected biometrics for Identity Trust Protected biometrics for Identity Trust P t t t d

P Protected biometrics for Identity Trust Protected biometrics for Identity Trust P t t t d

P Protected biometrics for Identity Trust Protected biometrics for Identity Trust P t t t d bi t d bi t i t i f f Id Id tit T tit T t t RISE - Awareness of Biometrics and Security Ethics y By Nicolas DELVAUX

625 views • 20 slides
Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014

Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014

Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014 tm@azimuthsecurity.com @kernelpool About Me Senior Security Researcher at Azimuth Security Masters degree in Information Security

1.24k views • 76 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Linux Kernel Security & Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security & Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security & Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux Kernel Widespread Deployed on: powerful (high performance compute clusters) sensitive (bank, gov. systems, ..) safety critical

995 views • 29 slides
The DragonBeam Framework: Hardware-Protected Security Modules for In-Place Intrusion Detection

The DragonBeam Framework: Hardware-Protected Security Modules for In-Place Intrusion Detection

The DragonBeam Framework: Hardware-Protected Security Modules for In-Place Intrusion Detection Man-Ki Yoon, Mihai Christodorescu, Lui Sha, Sibin Mohan University of Illinois at Urbana-Champaign Qualcomm Research Silicon Valley June 6, 2016

928 views • 46 slides
Lecture 2: Introduction to Computer Security RK Shyamasundar Dangers Being Protected Against

Lecture 2: Introduction to Computer Security RK Shyamasundar Dangers Being Protected Against

Lecture 2: Introduction to Computer Security RK Shyamasundar Dangers Being Protected Against Damage to information Integrity Disruption of service Availability Theft of physical Integrity resources like money Theft of

588 views • 41 slides
The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada

The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada

The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada Kees (Case) Cook keescook@chromium.org @kees_cook https://outflux.net/slides/2018/lss/kspp.pdf Kernel Self Protection Project

431 views • 15 slides
General Introduction to Protected Areas and IUCNs Role in Protected Areas Sub-Regional

General Introduction to Protected Areas and IUCNs Role in Protected Areas Sub-Regional

General Introduction to Protected Areas and IUCNs Role in Protected Areas Sub-Regional Workshop for West Asia and North Africa on Capacity Building for the Implementation of the CBD Programme of Work on Protected Areas Dubai, 16-20 April 2012

692 views • 31 slides
ECE 7970 Machine Learning in Cyber Security Chapter 0: Important information Dr. Mohamed

ECE 7970 Machine Learning in Cyber Security Chapter 0: Important information Dr. Mohamed

ECE 7970 Machine Learning in Cyber Security Chapter 0: Important information Dr. Mohamed Mahmoud Dr. Mostafa Fouda 1 - Course I nform ation I nstructors : Dr. Mohamed M. E. A. Mahmoud Office: Brown Hall - 332 E-mail:

2.98k views • 11 slides
Presentations Evaluating the Effectiveness of Security Mechanisms at Scale David Nicol

Presentations Evaluating the Effectiveness of Security Mechanisms at Scale David Nicol

Trustworthy Cyber Infrastructure for the Power Grid Presentations Evaluating the Effectiveness of Security Mechanisms at Scale David Nicol University of Illinois Dartmouth College Cornell University Washington State

335 views • 7 slides
A Security Evaluation of Industrial Radio Remote Controllers Federico Maggi, Marco Balduzzi

A Security Evaluation of Industrial Radio Remote Controllers Federico Maggi, Marco Balduzzi

A Security Evaluation of Industrial Radio Remote Controllers Federico Maggi, Marco Balduzzi Jonathan Andersson, Philippe Lin, Stephen Hilt, Akira Urano, and Rainer Vosseler TL;DR SECURITY ANALYSIS FINDINGS TL;DR SECURITY ANALYSIS FIN

908 views • 68 slides
1 Who am I / ? 2 IMA History and Goals 3 IMA Internals and Roadmap 4

1 Who am I / ? 2 IMA History and Goals 3 IMA Internals and Roadmap 4

Petko Manolov Konsulko Group petko.manolov@konsulko.com 1 Who am I / ? 2 IMA History and Goals 3 IMA Internals and Roadmap 4 Conclusion q Software engineer and long time Linux kernel hacker since 1995 q

210 views • 18 slides
Jack Chen Some content taken from a previous year's walkthrough by Prof. Adam Bates CS 423:

Jack Chen Some content taken from a previous year's walkthrough by Prof. Adam Bates CS 423:

CS 423Operating System Design: Introduction to Linux Kernel Programming (MP4 Walkthrough) Jack Chen Some content taken from a previous year's walkthrough by Prof. Adam Bates CS 423: Operating Systems Design Preliminaries Take stable snapshots

492 views • 33 slides
Operating System Security It is also important to understand the operations and the

Operating System Security It is also important to understand the operations and the

Security risks exist for all operating systems and are not new. It is important to know the existing threats. Operating System Security It is also important to understand the operations and the vulnerabilities of your OS. Try to

214 views • 8 slides
I n t r o t o P o s t g r e S Q L S e c u r i t y NordicPGDay 2014 Stockholm, Sweden Stephen

I n t r o t o P o s t g r e S Q L S e c u r i t y NordicPGDay 2014 Stockholm, Sweden Stephen

I n t r o t o P o s t g r e S Q L S e c u r i t y NordicPGDay 2014 Stockholm, Sweden Stephen Frost sfrost@snowman.net Resonate, Inc. Digital Media PostgreSQL Hadoop techjobs@resonateinsights.com

954 views • 54 slides
Information Flow ( Chapter 5 of the lecture notes) Erik Poll Digital Security group Radboud

Information Flow ( Chapter 5 of the lecture notes) Erik Poll Digital Security group Radboud

Software Security Information Flow ( Chapter 5 of the lecture notes) Erik Poll Digital Security group Radboud University Nijmegen Motivating example Imagine using a mobile phone app to 1. locate nearest hotel using google 2. book a room

589 views • 45 slides

More recommend