co processor based behavior monitoring
play

Co-processor-based Behavior Monitoring Application to the Detection - PowerPoint PPT Presentation

Sep 08, 2023 •405 likes •875 views

Co-processor-based Behavior Monitoring Application to the Detection of Attacks Against the System Management Mode ACSAC, December 7, 2017 Ronny Chevalier 1,2 Maugan Villatel 1 David Plaquin 1 Guillaume Hiet 2 1 HP Labs, United Kingdom (

  1. Co-processor-based Behavior Monitoring Application to the Detection of Attacks Against the System Management Mode ACSAC, December 7, 2017 Ronny Chevalier 1,2 Maugan Villatel 1 David Plaquin 1 Guillaume Hiet 2 1 HP Labs, United Kingdom ( firstname.lastname@hp.com ) 2 Team CIDRE, CentraleSupélec/Inria/CNRS/IRISA, France ( firstname.lastname@centralesupelec.fr )

  2. Introduction SMM Behavior Monitoring Approach overview How to define a correct behavior? How to monitor? Evaluation Related Work Conclusion

  3. Computers rely on firmware UEFI Less More Privileges Applications System Operating Firmware Hardware Where can we find firmware? • Stored in a flash • Highly privileged runtime software • Early execution • Tightly linked to hardware • Low-level software What is it? Here, we focus on BIOS/UEFI-compliant firmware Mother boards (e.g., BIOS), hard disks, network cards,... 1

  4. What is the problem? BIOS is often written in unsafe languages (i.e., C & assembly) Memory safety errors (e.g., use after free or buffer overflow) BIOS is not exempt from vulnerabilities [Kallenberg et al. 2013; Bazhaniuk et al. 2015] Why compromise BIOS? • Malware can be hard to detect (stealth) • Malware can be persistent (survives even if the HDD/SSD is changed) and costly to remove What do we want? • Boot time integrity • Runtime integrity 2

  5. What are the currently used solutions? Operating our focus is with the System Management Mode (SMM) Isolation of critical services available while the OS is running Runtime Report Measure & Verify Updates Signed System Bootloader Boot time Firmware UEFI Root of Trust Immutable • Immutable hardware root of trust Module (TPM) chip • Measurements and reporting to a Trusted Platform • Signature verification before executing • Signed updates 3

  6. What are the currently used solutions? Operating Isolation of critical services available while the OS is running Runtime Report Measure & Verify Updates Signed System Bootloader Boot time Firmware UEFI Root of Trust Immutable • Immutable hardware root of trust Module (TPM) chip • Measurements and reporting to a Trusted Platform • Signature verification before executing • Signed updates 3 → our focus is with the System Management Mode (SMM)

  7. Introducing the System Management Mode (SMM) Highly privileged execution mode for x86 processors Runtime services BIOS update, power management, UEFI variables handling, etc. How to enter the SMM? • Trigger a System Management Interrupt (SMI) • SMIs code & data are stored in a protected memory region: System Management RAM (SMRAM) BIOS code is not exempt from vulnerabilities affecting SMM [Bazhaniuk et al. 2015; Bulygin, Bazhaniuk, et al. 2017; Pujos 2016] Why is it interesting for an attacker? • Only mode that can write to the flash containing the BIOS • Arbitrary code execution in SMM gives full control of the platform 4

  8. Our objective Response • How to monitor? • How to define a correct behavior? • How to ensure the integrity of the monitor? Such goal raises the following questions: Monitoring Behavior ... Stop execution or Raise alert or Firmware Runtime Monitor behavior at runtime . 5 Our goal is to detect attacks that modify the expected behavior of the SMM by monitoring its

  9. Introduction SMM Behavior Monitoring Approach overview How to define a correct behavior? How to monitor? Evaluation Related Work Conclusion

  10. Approach overview integrity of the monitor? How to define a correct behavior? BIOS source code code SMM source Compilation bridging the semantic gap How to monitor? Semantic gap? How to ensure the Co-processor RAM SMM code target behavior Expected Processor Co-processor Monitor Target Processor RAM 6

  11. Approach overview integrity of the monitor? How to define a correct behavior? BIOS source code code SMM source Compilation bridging the semantic gap How to monitor? Semantic gap? How to ensure the Co-processor RAM SMM code target behavior Expected Processor Co-processor Monitor Target Processor RAM 6

  12. Approach overview integrity of the monitor? How to define a correct behavior? BIOS source code code SMM source Compilation bridging the semantic gap How to monitor? Semantic gap? How to ensure the Co-processor RAM SMM code target behavior Expected Processor Co-processor Monitor Target Processor RAM 6

  13. Approach overview Semantic gap? channel Communication How to define a correct behavior? BIOS source code code SMM source Compilation bridging the semantic gap How to monitor? integrity of the monitor? Co-processor RAM How to ensure the SMM code Instrumented target behavior Expected Processor Co-processor Monitor Target Processor RAM 6

  14. Approach overview Semantic gap? channel Communication How to define a correct behavior? BIOS source code code SMM source Compilation bridging the semantic gap How to monitor? integrity of the monitor? Co-processor RAM How to ensure the SMM code Instrumented target behavior Expected Processor Co-processor Monitor Target Processor RAM 6

  15. Introduction SMM Behavior Monitoring Approach overview How to define a correct behavior? How to monitor? Evaluation Related Work Conclusion

  16. How to define a correct behavior? Our use case: SMM code • Written in unsafe languages (i.e., C & assembly) • Tightly coupled to hardware Control Flow Graph (CFG) Define the control flow that the software is expected to follow Invariants on CPU registers Define rules that registers are expected to satisfy 7 → Such languages are often targeted by attacks hijacking the control flow → Such software modifies hardware configuration registers → Control Flow Integrity (CFI) → CPU registers integrity

  17. How to define a correct behavior? Control Flow Integrity (CFI): principle Authenticated authenticated Non verification auth Simplified graph 8 Example void auth( int a, int b) { char buffer[512]; [...vuln...] verification(buffer); } void verification( char *input) { if (strcmp(input, "secret") == 0) authenticated(); else non_authenticated(); }

  18. How to define a correct behavior? Control Flow Integrity (CFI): principle Authenticated authenticated Non verification auth Simplified graph 8 Example void auth( int a, int b) { char buffer[512]; [...vuln...] verification(buffer); } void verification( char *input) { if (strcmp(input, "secret") == 0) authenticated(); else non_authenticated(); }

  19. How to define a correct behavior? Control Flow Integrity (CFI): principle Goal: constrain the execution path to follow a control-flow graph (CFG) Authenticated authenticated Non verification auth Simplified graph 8 Example void auth( int a, int b) { char buffer[512]; [...vuln...] verification(buffer); } void verification( char *input) { if (strcmp(input, "secret") == 0) authenticated(); else non_authenticated(); }

  20. How to define a correct behavior? Control Flow Integrity (CFI): type-based verification We focus on indirect branches integrity Type-based verification Ensures the integrity of indirect calls 9 typedef struct SomeStruct { [...] char (*foo)( int ); } SomeStruct; int bar(SomeStruct *s) { char c; [...] c = s->foo(31); [...] }

  21. How to define a correct behavior? Control Flow Integrity (CFI): type-based verification We focus on indirect branches integrity Type-based verification Ensures the integrity of indirect calls 9 typedef struct SomeStruct { [...] char (*foo)( int ); } SomeStruct; int bar(SomeStruct *s) { char c; [...] c = s->foo(31); [...] }

  22. How to define a correct behavior? Control Flow Integrity (CFI): type-based verification We focus on indirect branches integrity Type-based verification Ensures the integrity of indirect calls 9 typedef struct SomeStruct { [...] char (*foo)(int); } SomeStruct; int bar(SomeStruct *s) { char c; [...] c = s->foo(31); [...] }

  23. How to define a correct behavior? i32(i8) Message Call Site ID 1561 Target Address Message Call Site ID Type 1561 i8(i32) 4852 ... Instrumented ... Function Address Type i8(i32) i32() ... ... Compilation SMM source code valid? Control Flow Integrity (CFI): type-based verification SMM code Message Monitor We focus on indirect branches integrity Type-based verification Ensures the integrity of indirect calls Target Runtime Compile time 9 Runtime Target Address Message 1561 Call Site ID Compile time 0x0fffb804 typedef struct SomeStruct { [...] char (*foo)( int ); } SomeStruct; int bar(SomeStruct *s) { char c; 0x0fffb804 [...] 0x0fffb804 c = s->foo(31); 0x0befca04 [...] }

  24. How to define a correct behavior? i32(i8) Message Call Site ID 1561 Target Address Message Call Site ID Type 1561 i8(i32) 4852 ... Control Flow Integrity (CFI): type-based verification ... Function Address Type i8(i32) i32() ... ... Compilation SMM source code valid? SMM code Instrumented Message Monitor We focus on indirect branches integrity Type-based verification Ensures the integrity of indirect calls Target Runtime Compile time 9 Runtime Compile time Message Target Address 1561 Call Site ID 0x0fffb804 typedef struct SomeStruct { [...] char (*foo)(int); } SomeStruct; int bar(SomeStruct *s) { char c; 0x0fffb804 [...] 0x0fffb804 c = s->foo(31); /* Call Site ID = 1561 */ 0x0befca04 [...] }

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Behavior Based Saf ety Behavior Based Saf ety PCL INDUSTRIAL CONSTRUCTORS INC. Objectives Upon

Behavior Based Saf ety Behavior Based Saf ety PCL INDUSTRIAL CONSTRUCTORS INC. Objectives Upon

Behavior Based Saf ety Behavior Based Saf ety PCL INDUSTRIAL CONSTRUCTORS INC. Objectives Upon completion of this presentation the participants will: Define activator, behavior, and consequence. Classify consequences to determine their

738 views • 71 slides
USING DIRECT BEHAVIOR RATING IN SELF-MONITORING TO IMPROVE MIDDLE SCHOOL BEHAVIOR Rose Jaffery,

USING DIRECT BEHAVIOR RATING IN SELF-MONITORING TO IMPROVE MIDDLE SCHOOL BEHAVIOR Rose Jaffery,

USING DIRECT BEHAVIOR RATING IN SELF-MONITORING TO IMPROVE MIDDLE SCHOOL BEHAVIOR Rose Jaffery, Lindsay M. Fallon, Lisa M. Sanetti, and Sandra M. Chafouleas University of Connecticut NASP 2011 Convention ~ Feb. 24, 2011 Advance Organizer !

566 views • 42 slides
Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM:

Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM:

Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM: Advanced RISC Machine First developed in 1983 by Acorn Computers ARM Ltd was formed in 1988 to continue development Advantages of the ARM

391 views • 14 slides
ndd P rint MPS Complete Stock Events Billing Cycle Monitoring Control Monitoring Validation

ndd P rint MPS Complete Stock Events Billing Cycle Monitoring Control Monitoring Validation

ndd P rint MPS Complete Stock Events Billing Cycle Monitoring Control Monitoring Validation Many nddPrint MPS define supplies replenishment, based on the printers behavior instead of its supply levels Specialists in network and USB

728 views • 25 slides
2 3 Intel 48-core SCC processor Tilera 100-core processor Introduction Parallel program

2 3 Intel 48-core SCC processor Tilera 100-core processor Introduction Parallel program

2 3 Intel 48-core SCC processor Tilera 100-core processor Introduction Parallel program structure and behavior Case study of fluidanimate Thread criticality problem Communication impact on thread criticality

527 views • 23 slides
Behavior Based Safety CAP Safety Meeting June V.A.0.0 1 1 PPT-CAP-BBS Safety is more

Behavior Based Safety CAP Safety Meeting June V.A.0.0 1 1 PPT-CAP-BBS Safety is more

Behavior Based Safety CAP Safety Meeting June V.A.0.0 1 1 PPT-CAP-BBS Safety is more important than getting the job done. V.A.0.0 2 2 PPT-CAP-BBS Behavior Based Safety Behavior Based Safety (BBS) helps you identify and choose a safe

327 views • 21 slides
FPGA co-processor Patrick Dunne for the co-processor group Introduction Co-processor will

FPGA co-processor Patrick Dunne for the co-processor group Introduction Co-processor will

FPGA co-processor Patrick Dunne for the co-processor group Introduction Co-processor will take care of data compression and trigger primitive generation Co-processor will also perform data buffering for supernova trigger Sits on FELIX

522 views • 13 slides
Acoustic emission monitoring of the fracture behavior of mortar specimens fabricated using

Acoustic emission monitoring of the fracture behavior of mortar specimens fabricated using

Acoustic emission monitoring of the fracture behavior of mortar specimens fabricated using recycled concrete aggregates Anastasios Mpalaskas 1 , Dimitrios G. Aggelis 2 , Theodore E. Matikas 1 1 Department of Materials Science and Engineering,

361 views • 17 slides
A Fault Tolerant Superscalar Processor 1 [Based on Coverage of a Microarchitecture-level

A Fault Tolerant Superscalar Processor 1 [Based on Coverage of a Microarchitecture-level

A Fault Tolerant Superscalar Processor 1 [Based on Coverage of a Microarchitecture-level Fault Check Regimen in a Superscalar Processor by V. Reddy and E. Rotenberg (2008)] P R E S E N T E D B Y N A N Z H E N G [Part of slides borrowed

398 views • 21 slides
Behavior Based Saf ety Workshop Behavior Based Saf ety Workshop BEST PRACTI CES BEST PRACTI CES

Behavior Based Saf ety Workshop Behavior Based Saf ety Workshop BEST PRACTI CES BEST PRACTI CES

Behavior Based Saf ety Workshop Behavior Based Saf ety Workshop BEST PRACTI CES BEST PRACTI CES Sponsored by PCL INDUSTRIAL CONSTRUCTORS INC. And FLUOR CONSTRUCTORS CANADA, LTD. (in conjunction with Fluor Daniel Canada Inc.) ABC Model of

492 views • 26 slides
Monitoring the Initial DNS Behavior of Malicious Domains Shuang Hao (Gatech) , Nick Feamster

Monitoring the Initial DNS Behavior of Malicious Domains Shuang Hao (Gatech) , Nick Feamster

Monitoring the Initial DNS Behavior of Malicious Domains Shuang Hao (Gatech) , Nick Feamster (Gatech) , Ramakant Pandrangi (Verisign, Inc.) Motivation DNS: A Critical Internet Service A distributed database mapping host names to IPs Most

377 views • 16 slides
Why are you here? Hopes, and goals for our 4: Improving Mental Health Services students

Why are you here? Hopes, and goals for our 4: Improving Mental Health Services students

9/25/2013 Screening for Behavior Difficulties and Monitoring Social-Emotional Three-quarters of mental illnesses appear by the age Interventions with the Behavior of 24, yet less than half of children with diagnosable Intervention

457 views • 24 slides
An Adaptive Technique to Model Virtual Machine Behavior for Scalable Cloud Monitoring C. Canali

An Adaptive Technique to Model Virtual Machine Behavior for Scalable Cloud Monitoring C. Canali

An Adaptive Technique to Model Virtual Machine Behavior for Scalable Cloud Monitoring C. Canali R. Lancellotti University of Modena and Reggio Emilia Department of Engineering Enzo Ferrari ISCC'14, 24-26 Jun. 2014, Madeira 1

714 views • 17 slides
Monitoring Behavior at Scale Upneet Singh Water and Sanitation Program India The World Bank

Monitoring Behavior at Scale Upneet Singh Water and Sanitation Program India The World Bank

Nirmal Bharat Abhiyan Monitoring Behavior at Scale Upneet Singh Water and Sanitation Program India The World Bank Overview Monitoring Nirmal Bharat Abhiyan Monitoring Behavior at Scale Upneet Singh, Water and Sanitation

447 views • 17 slides
Processor Design Pipelined Processor Hung-Wei Tseng Drawbacks of a single-cycle processor

Processor Design Pipelined Processor Hung-Wei Tseng Drawbacks of a single-cycle processor

Processor Design Pipelined Processor Hung-Wei Tseng Drawbacks of a single-cycle processor The cycle time is determined by the longest instruction Could be very long, thinking about fetch data from DRAM Hardware is mostly idle 3

866 views • 47 slides
Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and

Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and

Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and SEU Emulation for FPGAs Emulation for FPGAs Bradley Dutton, Mustafa Ali, John Bradley Dutton, Mustafa Ali, John Sunwoo, and Charles Stroud Sunwoo,

305 views • 26 slides
A Recognizer Influenced Handler Based Outer Interpreter Structure T H E D I C T I O N A R Y 1 5

A Recognizer Influenced Handler Based Outer Interpreter Structure T H E D I C T I O N A R Y 1 5

many pictures taken from leo brodies famous book "starting forth" (c) forth, inc A Recognizer Influenced Handler Based Outer Interpreter Structure T H E D I C T I O N A R Y 1 5 Ulrich Hoffmann What happens when you try to execute a

575 views • 30 slides
SQL SQL SQL = Structured Query Language Standard query language for relational

SQL SQL SQL = Structured Query Language Standard query language for relational

SQL SQL SQL = Structured Query Language Standard query language for relational DBMSs History: Developed at IBM in late 70s 1 st standard: SQL-86 2 nd standard: SQL-92 3 rd standard: SQL-99 or SQL3, well over 1000 pages

643 views • 22 slides
Objectives become familiar with Java primitive types Primitive Types, Strings, (numbers,

Objectives become familiar with Java primitive types Primitive Types, Strings, (numbers,

Objectives become familiar with Java primitive types Primitive Types, Strings, (numbers, characters, etc.) learn about assignment statements and and Console I/O expressions learn about strings Chapter 2 become familiar with

528 views • 22 slides
Unix API 2 shells / fjle descriptors 1 last time context switch in xv6 (fjnish) POSIX

Unix API 2 shells / fjle descriptors 1 last time context switch in xv6 (fjnish) POSIX

Unix API 2 shells / fjle descriptors 1 last time context switch in xv6 (fjnish) POSIX standard source compatibility fork copy current process return value in copy (child) is 0 return value in original (parent) is

1.4k views • 100 slides
Chapter 4 Mathematical Functions, Characters, and Strings 1 Outline 1. Java Class Library 2.

Chapter 4 Mathematical Functions, Characters, and Strings 1 Outline 1. Java Class Library 2.

Chapter 4 Mathematical Functions, Characters, and Strings 1 Outline 1. Java Class Library 2. Class Math Character Data Type 3. 4. Class String printf Statement 5. 2 1. Java Class Library A class library is a collection of classes

739 views • 47 slides
Chapter 7 Attaway MATLAB 4E Strings: Terminology A string in MATLAB consists of any number of

Chapter 7 Attaway MATLAB 4E Strings: Terminology A string in MATLAB consists of any number of

String Manipulation Chapter 7 Attaway MATLAB 4E Strings: Terminology A string in MATLAB consists of any number of characters and is contained in single quotes strings are vectors in which every element is a single character A substring

573 views • 19 slides
Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern

Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern

Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern University Smashing the Stack for Fun and Profit Review: Process memory organization The problem: Buffer overflows How to exploit the problem

660 views • 46 slides
Inter-Process Communication Lecture 5 Disclaimer: some slides are adopted from the book authors

Inter-Process Communication Lecture 5 Disclaimer: some slides are adopted from the book authors

Inter-Process Communication Lecture 5 Disclaimer: some slides are adopted from the book authors slides with permission 1 Recap What are the three components of a process? Address space CPU context OS resources What are the

421 views • 26 slides

More recommend