CaSE: Cache-Assisted Secure Execution on ARM Processors

SLIDE 1

CaSE: Cache-Assisted Secure Execution on ARM Processors

NING ZHANG, KUN SUN, WENJING LOU, TOM HOU

SLIDE 2

Who am I ?

  • 10 years, working on different security products – data forensic, multi-level security systems
  • did my undergrad @ Umass – middle of nowhere
  • did my Ph.D @ VT in DC. – nice area, but I never got to go out !
  • back to industry doing interesting things – or not
  • lastly, I am also an adjunct assistant professor at the complex network and security research laboratory (CNSR) at Virginia Tech

SLIDE 3

Talk Outline

  ✓ Motivation and Background – Why this work ?
  ✓ Threat Model – What are we defending against ?
  ✓ CaSE: Cache-Assisted Secure Execution – How does it work?
  ✓ CaSE highlight – Challenges ?
  ✓ Evaluation – How did we do ?
  ✓ Conclusion and future Work

SLIDE 4

Cyber Attacks

SLIDE 5

Threat to Mobile devices

SLIDE 6

But how does it really work ?

SLIDE 7

Buffer overflow - What is a software stack

SLIDE 8

Software Exploits – Can you spot the bug ?

SLIDE 9

What happened ?

Tests array

SLIDE 10

Before and After :)

SLIDE 11

So are we doomed ? The best you can do ?

SLIDE 12

ARM TrustZone – Trusted Execution Environment (TEE)

System Wide Protection

  ✓ Divides system resources into two worlds
  ✓ Normal World runs the content rich OS
  ✓ Secure World runs security critical services
  ✓ The protection of resources includes
      • processor, memory and IO devices

[Diagram labels: Normal World, Secure World]

SLIDE 13

Many Products use ARM TrustZone

SLIDE 14

Smart Devices Going Mobile

SLIDE 15

Physical Level Attack

SLIDE 16

Hardware Attacks - Cold Boot Attack

SLIDE 17

What can you recover ?

SLIDE 18

And whatever else that are in memory

SLIDE 19

Previous Works on Coldboot Defense

  • TRESOR Sec 2011 – Register-based RAM-less AES encryption
  • Copker NDSS 2014 – Cache-based RAM-less RSA encryption
  • PixelVault CCS 2014 – GPU based RAM-less encryption
  • Sentry ASPLOS 2015 – Cache-based RAM-less encryption
  • Mimosa S&P 2015 – Transactional-based RAM-less encryption

SLIDE 20

Multi-vector Adversary

SLIDE 21

Introducing CaSE - Goals

  ✓ Defense against Multi-Vector adversary
      ✓ Physical memory disclosure attack – Cold boot
      ✓ Compromised rich OS
  ✓ Provide confidentiality and integrity to both the code and data of the binaries in TEE
      ✓ Confidentiality – Protects IP, secret code, sensitive data
      ✓ Integrity – Program behavior

SLIDE 22

Threat Model

[Diagram labels: System On Chip (SoC), Processor, Cache, Secure Cache, NonSecure Cache, Secure OS, NonSecure Rich OS, DRAM, Secure Memory, NonSecure Normal World Memory]

SLIDE 23

Case-Assisted Execution in Secure World

[Diagram labels: System On Chip (SoC), Processor, Cache, Secure OS, NonSecure Rich OS, DRAM, Secure Memory, NonSecure Normal World Memory, Secure storage, Packer, Context]

SLIDE 24

Case-Assisted Execution in Normal World

[Diagram labels: System On Chip (SoC), Processor, Cache, Secure OS, NonSecure Rich OS, DRAM, Secure Memory, NonSecure Normal World Memory, Secure storage, Packer, Context, CaSE Manager]

SLIDE 25

Cache Architecture Details

SLIDE 26

Controlling the Cache

  ✓ Cache Locking is available through L2 cache lockdown CP15 coprocessor
  ✓ The granularity of locking is per cache way
  ✓ On Cortex-A8, which has 8 way total 256KB L2 unified cache
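
A software model of per-way lockdown on the 8-way, 256KB L2 described above, added here as an illustration and not taken from the talk or the CaSE code. It shows that a 32KB region filled into one way and then locked stays resident under 4MB of other traffic, while the same region in an unlocked cache is evicted. The 64-byte line size, round-robin replacement, the addresses and the `lock_mask` field are assumptions of the model; it does not touch the real CP15 register.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define WAYS      8
#define LINE      64u                         /* assumed line size (bytes) */
#define L2_BYTES  (256u * 1024u)
#define SETS      (L2_BYTES / (WAYS * LINE))  /* 512 sets */
#define WAY_BYTES (L2_BYTES / WAYS)           /* 32 KB per lockable way */

typedef struct {
    uint32_t tag[SETS][WAYS];
    uint8_t  valid[SETS][WAYS];
    uint8_t  next[SETS];    /* round-robin victim pointer (assumed policy) */
    uint8_t  lock_mask;     /* model: bit w set = way w takes no new fills */
} l2_t;

static int l2_hit(const l2_t *c, uint32_t addr) {
    uint32_t set = (addr / LINE) % SETS, tag = addr / (LINE * SETS);
    for (int w = 0; w < WAYS; w++)
        if (c->valid[set][w] && c->tag[set][w] == tag) return 1;
    return 0;
}

static void l2_access(l2_t *c, uint32_t addr) {
    uint32_t set = (addr / LINE) % SETS;
    if (l2_hit(c, addr)) return;
    for (int i = 0; i < WAYS; i++) {          /* miss: pick an unlocked victim */
        int w = (c->next[set] + i) % WAYS;
        if (c->lock_mask & (1u << w)) continue;
        c->tag[set][w] = addr / (LINE * SETS); c->valid[set][w] = 1;
        c->next[set] = (uint8_t)((w + 1) % WAYS);
        return;
    }
}

/* Lines of a 32 KB region still cached after 4 MB of unrelated traffic. */
unsigned survive(int use_lock) {
    l2_t c; memset(&c, 0, sizeof c);
    const uint32_t secret = 0x80000000u, noise = 0x90000000u; /* constructed */
    unsigned n = 0;
    c.lock_mask = use_lock ? 0xFE : 0x00;   /* fills can only land in way 0 */
    for (uint32_t a = 0; a < WAY_BYTES; a += LINE) l2_access(&c, secret + a);
    c.lock_mask = use_lock ? 0x01 : 0x00;   /* freeze way 0, release ways 1-7 */
    for (uint32_t a = 0; a < (4u << 20); a += LINE) l2_access(&c, noise + a);
    for (uint32_t a = 0; a < WAY_BYTES; a += LINE) n += (unsigned)l2_hit(&c, secret + a);
    return n;
}
int main(void) { printf("%u %u\n", survive(1), survive(0)); return 0; }
```
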

SLIDE 27

SoC-Bound Execution – Cache Locking

SLIDE 28

Self Modifying Program

[Diagram labels: System On Chip (SoC), L1 Instruction Cache, L1 Data Cache, L2 Unified Cache]

SLIDE 29

Self Modifying Program

[Diagram labels: System On Chip (SoC), L1 Instruction Cache, L1 Data Cache, L2 Unified Cache]

SLIDE 30

Evaluation: Feasibility of using Cache as Memory

SLIDE 31

Evaluation: Performance Impact to the Application

SLIDE 32

Performance Impact to the System

SLIDE 33

Conclusion

  ✓ A secure cache-assisted SoC-bound execution framework
      ✓ Provide confidentiality and integrity to sensitive code and data of applications
      ✓ Protect against both software attacks and cold boot attack.
  ✓ In the future, we would like to further study efficient method to provide OS support to the TEE.

SLIDE 34

What other things did I do ?

  • Differential privacy in data mining - ICC 11
  • Reverse engineer ASUS BIOS - Trusted Cloud Computing – CNS 14
  • Anti-memory forensic framework – HIVES – ASIACCS 15
  • Cache-based rootkits – EUROSP 16
  • Case – Cached-assisted security execution – SP16
  • Augmented reality authentication – TRUSTED – CCS16

Feel free to contact me at Ningzhang.info / ningzh@vt.edu