sok a study of using hardware assisted isolated execu on
play

SoK: A Study of Using Hardware- assisted Isolated Execu<on - PowerPoint PPT Presentation

Apr 04, 2023 •505 likes •795 views

SoK: A Study of Using Hardware- assisted Isolated Execu<on Environments for Security Fengwei Zhang Wayne State University Detroit, Michigan, USA Wayne State University CSC 6991 Topics in Computer Security 1 Overview Of The Talk

  1. SoK: A Study of Using Hardware- assisted Isolated Execu<on Environments for Security Fengwei Zhang Wayne State University Detroit, Michigan, USA Wayne State University CSC 6991 Topics in Computer Security 1

  2. Overview Of The Talk • Introduc<on • Hardware-assisted Isolated Execu<on Environments (HIEEs) • Use Cases of HIEEs • APacks against HIEEs • Discussions and Conclusions Wayne State University CSC 6991 Topics in Computer Security 2

  3. Overview Of The Talk • Introduc<on • Hardware-assisted Isolated Execu<on Environments (HIEEs) • Use Cases of HIEEs • APacks against HIEEs • Discussions and Conclusions Wayne State University CSC 6991 Topics in Computer Security 3

  4. Introduc<on • Isola<ng code execu<on is one of the fundamental approaches for achieving security • Isolated execu<on environments – SoSware-based: Virtual machines • A large trusted compu<ng base (e.g., Xen has 532K SLOC) • Failure to deal with hypervisor or firmware rootkits • Suffering from system overhead • Hardware-assisted isolated execu<on environments (HIEEs) – Isolated execu<on concept: Trusted execu<on environment (TEE) – Hardware-assisted technologies • Excluding the hypervisors from TCB • Achieving a high level of privilege (i.e., hardware-level privilege) • Reducing performance overhead (e.g., context switches) Wayne State University CSC 6991 Topics in Computer Security 4

  5. Overview Of The Talk • Introduc<on • Hardware-assisted Isolated Execu<on Environments (HIEEs) • Use Cases of HIEEs • APacks against HIEEs • Discussions and Conclusions Wayne State University CSC 6991 Topics in Computer Security 5

  6. HIEEs • A list of hardware-assisted isolated execu<on environments (HIEEs) that have been used for building security tools – System management mode (SMM) [24] – Intel management engine (ME) [36] – AMD plaaorm security processor (PSP) [4] – Dynamic root of trust for measurements (DRTM) [52] – Intel soSware guard extension (SGX) [5, 23, 34] – ARM TrustZone technology [6] Wayne State University CSC 6991 Topics in Computer Security 6

  7. HIEE: System Management Mode A CPU mode similar to Real and Protected modes available on x86 • architecture Ini<alized by the Basic Input/Output System (BIOS) • Entering SMM by asser<ng the system management interrupt (SMI) pin • System management RAM (SMRAM) that is inaccessible from the normal • OS Protected Mode System Management Mode Highest privilege Trigger SMI SMM entry Software SMI or Isolated SMRAM SMM exit Handler Hardware RSM Interrupts disabled Normal OS Isolated Execution Environment Wayne State University CSC 6991 Topics in Computer Security 7

  8. HIEE: Intel Management Engine Management Engine (ME) is a micro-computer Internal Bus embedded inside of all recent Intel processors; it is ME Introduced as an embedded processor, and Intel AMT Processor ROM is the first applica<on running in ME [36] Internal SRAM Crypto Engine Interrupt Controller DMA Engine Timer HECI Engine CLink I/O Management Engine Wayne State University CSC 6991 Topics in Computer Security 8

  9. HIEE: AMD Embedded Processors • AMD secure processor [4] – Also called plaaorm security processor (PSP) – Embedded inside of the main AMD CPU to enable running third-party applica<ons – Partnership with ARM TrustZone • System management unit (SMU) [30] – An embedded processor at Northbridge – Northbridge has been integrated into CPU – Responsible for a variety of system and power management tasks during boot and run<me Wayne State University CSC 6991 Topics in Computer Security 9

  10. HIEE: Dynamic Root of Trust for Measurement • TCG introduced DRTM, also called “late launch”, in the TPM v1.2 specifica<on in 2005 [51, 52] • SRTM v.s. DRTM – Sta<c root of trust for measurement (SRTM) operates at boot <me, DRTM allows the root of trust for measurement to be ini<alized at any points • Intel and AMD implementa<ons – Intel trusted execu<on technology (TXT) [25] – AMD secure virtual machine (SVM) [2] – Overhead for late launch: SENTER v.s. SKINIT Wayne State University CSC 6991 Topics in Computer Security 10

  11. HIEE: Intel SoSware Guard Extension • Three introduc<on papers [5, 34, 23] about SGX presented at HASP 2013 • SGX is a set of instruc<ons and mechanisms for memory accesses added to Intel architecture processors • Allowing an user-level applica<on to instan<ate a protected container, called enclave • Providing confiden<ality and integrity even without trus<ng the BIOS, firmware, hypervisors, and OS • OpenSGX [27]: An open-source plaaorm that emulates Intel SGX at the instruc<on level by modifying QEMU Wayne State University CSC 6991 Topics in Computer Security 11

  12. HIEE: ARM TrustZone • ARM TrustZone technology is a hardware extension that creates a secure execu<on environment since ARMv6 [12] • Two modes: Secure world and normal world • Iden<fied by the NS bit in the secure configura<on register (SCR) Normal World Secure World Normal world Secure world user mode user mode Normal world Secure world priviledge modes priviledge modes Monitor mode Rich OS in REE Secure OS in TEE Wayne State University CSC 6991 Topics in Computer Security 12

  13. HIEEs Wayne State University CSC 6991 Topics in Computer Security 13

  14. Overview Of The Talk • Introduc<on • Hardware-assisted Isolated Execu<on Environments (HIEEs) • Use Cases of HIEEs • APacks against HIEEs • Discussions and Conclusions Wayne State University CSC 6991 Topics in Computer Security 14

  15. Use Cases of HIEEs • System introspec<on • Memory forensics • Transparent malware analysis • Execu<on sensi<ve workloads • Rootkits and keyloggers Wayne State University CSC 6991 Topics in Computer Security 15

  16. Use Case: System Introspec<on • Running system introspec<on tools inside of HIEEs – Hypervisor/OS integrity checking – OS rootkits detec<on – APacks detec<on (e.g., heap spray and heap overflows) • SMM-based – Hypercheck [65], HyperGuard [41], HyperSentry [8], IOCheck [64], and Spectre [62] • TrustZone-based – SPROBES [22] and TZ-RKP [7] • DRTM-based – Flicker [31] Wayne State University CSC 6991 Topics in Computer Security 16

  17. Use Case: Memory Forensics • Using HIEEs to perform acquisi<on of vola<le memory of a target system, and then transmit the memory contents to a remote machine for analysis • Examples of exis<ng systems – SMMDump [35] implemented by using SMM – TrustDump [48] used ARM TrustZone Wayne State University CSC 6991 Topics in Computer Security 17

  18. Use Case: Transparent Malware Analysis • Malware uses an<-debugging, an<-virtualiza<on, an<-emula<on techniques to evade tradi<onal analysis suing virtualiza<on or emula<on technology • Analyzing malware using HIEEs so that advanced malware can be debugged on bare metal • Exposing the real behavior of malware with an<-debugging, an<- vm, and an<-emula<on techniques • Examples of exi<ng systems – MalT [61] using SMM – Other HIEEs like TrustZone and ME can be used for the same purpose Wayne State University CSC 6991 Topics in Computer Security 18

  19. Use Case: Execu<ng Sensi<ve Workloads • Using HIEEs to run security sensi<ve opera<ons • DRTM-based – Flicker [31], TrustVisor [32], and Bumpy [33] • TrustZone-based – TrustICE [49] and TrustOTP [47] • SMM-based – SICE [9] and TrustLogin [63] • SGX-based – Haven [10] and VC3 [43] Wayne State University CSC 6991 Topics in Computer Security 19

  20. Use Case: Rootkits and Keyloggers Though researchers have used HIEEs for implemen<ng defensive tools, aPackers • can also use them for malicious purposes due to their high privilege and stealthiness SMM rootkits • PS/2 [20] and USB [42] keyloggers – NSA: DEITYBOUNCE for Dell and IRONCHEF for HP Proliant servers [1] – ME rootkits • Ring -3 rootkits [46, 50] – DRTM, SGX, and TrustZone rootkits • We haven’t seen any publicly available examples but aPackers have the mo<va<on to – implement them due to their stealthiness HIEEs create ideal environments or infrastructures that aPract aPackers to • implement super-powerful rootkits. Wayne State University CSC 6991 Topics in Computer Security 20

  21. Overview Of The Talk • Introduc<on • Hardware-assisted Isolated Execu<on Environments (HIEEs) • Use Cases of HIEEs • APacks against HIEEs • Discussions and Conclusions Wayne State University CSC 6991 Topics in Computer Security 21

  22. HIEE APacks • HIEE aPacks: Bypassing the hardware protec<on mechanisms of HIEE isola<on; not using HIEEs for malicious purposes • SMM aPacks Wayne State University CSC 6991 Topics in Computer Security 22

  23. HIEE APacks (cont’d) • ME aPacks – In 2009, Tereshkin and Wojtczuk [50] demonstrated that they can implement ring -3 rootkits in ME by injec<ng the malicious code into the Intel AMT – DAGGER [46] bypasses the ME isola<on using a similar technique in [50] • DRTM aPacks – Wojtczuk and Rutkowska from Invisible Things Lab demonstrate several aPacks [57, 56, 59] against Intel TXT • TrustZone aPacks – Di [44] found vulnerabili<es that are able to execute arbitrarily code in secure world using a user-level applica<on in normal world on Huawei HiSilicon devices Wayne State University CSC 6991 Topics in Computer Security 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CSC 6991: Using Hardware Isolated Execu;on Environments for

CSC 6991: Using Hardware Isolated Execu;on Environments for

CSC 6991: Using Hardware Isolated Execu;on Environments for Securing Systems Fengwei Zhang Wayne State University CSC 6991 Advanced Computer Security 1

302 views • 19 slides
Dynamic Scheduling Hardware rearranges instruc/on execu/on to

Dynamic Scheduling Hardware rearranges instruc/on execu/on to

Dynamic Scheduling Hardware rearranges instruc/on execu/on to reduce stalls of dependent instruc/on (increases ILP) - permit out-of-order execu/on.

435 views • 25 slides
Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted Cryptographic Protocols Estonian Winter School in Computer Science 2016 Motivation 2 Two Areas Cryptographic Protocols Secure Hardware strong security

759 views • 52 slides
Hardware Implementation of Droop Control for Isolated AC Microgrid By: Cristina Guzman Alben

Hardware Implementation of Droop Control for Isolated AC Microgrid By: Cristina Guzman Alben

Hardware Implementation of Droop Control for Isolated AC Microgrid By: Cristina Guzman Alben Cardenas Kodjo Agbossou Universit du Qubec Trois-Rivires Qubec-Canada Outline Introduction Droops

227 views • 21 slides
Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

The 19th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2016) Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory Marius Muench, Fabio Pagani, Yan Shoshitaishvili,

559 views • 25 slides
The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko

The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko

The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko Julius-Maximilians-Universitt Wrzburg alexandra.dmitrienko@uni-wuerzburg.de SEPTEMBER 9 13, 2019 CROSSING Summer School on Sustainable Security &amp; Privacy

2.37k views • 187 slides
Efficient Hardware-assisted Logging with Asynchronous and Direct Update for Persistent Memory

Efficient Hardware-assisted Logging with Asynchronous and Direct Update for Persistent Memory

Efficient Hardware-assisted Logging with Asynchronous and Direct Update for Persistent Memory Jungi Jeong , Chang Hyun Park, Jaehyuk Huh, and Seungryoul Maeng International Symposium on Microarchitecture (MICRO) 2018 Storage-Class Memory

1.95k views • 155 slides
Position Paper: Challenges Towards Securing Hardware-assisted Execution Environments Zhenyu Ning 1

Position Paper: Challenges Towards Securing Hardware-assisted Execution Environments Zhenyu Ning 1

Position Paper: Challenges Towards Securing Hardware-assisted Execution Environments Zhenyu Ning 1 Fengwei Zhang 1 Weisong Shi 1 Larry Shi 2 1 Wayne State University 2 University of Houston November 21, 2019 1 Overview of The Talk Motivation

575 views • 24 slides
CTA Design Study CTA Design Study - Swiss Hardware Contributions - Swiss Hardware Contributions

CTA Design Study CTA Design Study - Swiss Hardware Contributions - Swiss Hardware Contributions

CTA Design Study CTA Design Study - Swiss Hardware Contributions - Swiss Hardware Contributions Isabel Braun Insttut for Partcle Physics, ETH Zrich CHIPP Plenary Meeting 2009, Appenberg Participating Institutes Participating Institutes

442 views • 16 slides
HOOP: Efficient Hardware-Assisted Out-of-Place Update for Non-Volatile Memory Miao Cai Chance

HOOP: Efficient Hardware-Assisted Out-of-Place Update for Non-Volatile Memory Miao Cai Chance

HOOP: Efficient Hardware-Assisted Out-of-Place Update for Non-Volatile Memory Miao Cai Chance Coats Jian Huang Systems Platform Research Group Non-Volatile Memory is a Revolutionary Technology Close-to-DRAM Performance Data

367 views • 21 slides
HDFI: Hardware-Assisted Data-flow Isolation Chengyu Song 1 , Hyungon Moon 2 , Monjur Alam 1 ,

HDFI: Hardware-Assisted Data-flow Isolation Chengyu Song 1 , Hyungon Moon 2 , Monjur Alam 1 ,

HDFI: Hardware-Assisted Data-flow Isolation Chengyu Song 1 , Hyungon Moon 2 , Monjur Alam 1 , Insu Yun 1 , Byoungyoung Lee 1 , Taesoo Kim 1 , Wenke Lee 1 , Yunheung Paek 2 1 Georgia Institute of Technology 2 Seoul National University Memory

311 views • 29 slides
The Policemans Dilemma House of Lords National Mental Capacity Forum An isolated highway

The Policemans Dilemma House of Lords National Mental Capacity Forum An isolated highway

11/23/17 The Policemans Dilemma House of Lords National Mental Capacity Forum An isolated highway Portraying assisted suicide and Fuel tanker overturns euthanasia Driver trapped in the cab A policeman patrol car arrives at the scene

458 views • 4 slides
Hardware Assisted Tracing on ARM with CoreSight and OpenCSD Mathieu Poirier In this Presentation

Hardware Assisted Tracing on ARM with CoreSight and OpenCSD Mathieu Poirier In this Presentation

Hardware Assisted Tracing on ARM with CoreSight and OpenCSD Mathieu Poirier In this Presentation End-to-end overview of the technology Not an in-depth presentation on CoreSight Emphasis on how to use rather than what it is

470 views • 35 slides
Filling line &amp; Lyo Interface (one Isolated system) Case Study By Ben Riepe

Filling line &amp; Lyo Interface (one Isolated system) Case Study By Ben Riepe

Filling line &amp; Lyo Interface (one Isolated system) Case Study By Ben Riepe 608-562-7735 briepe@walkerbarrier.com www.walkerbarrier.com Discussion Points Key design steps of a custom capital Isolator equipment project

620 views • 37 slides
Shared Variable Proof Methods, Hardware-Assisted Critical Sections Dr. Liam OConnor University

Shared Variable Proof Methods, Hardware-Assisted Critical Sections Dr. Liam OConnor University

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Shared Variable Proof Methods, Hardware-Assisted Critical Sections Dr. Liam OConnor University of Edinburgh LFCS (and UNSW) Term 2 2020 1 Transition Diagrams

162 views • 12 slides
Shared Variable Proof Methods, Hardware-Assisted Critical Sections Dr. Liam OConnor University

Shared Variable Proof Methods, Hardware-Assisted Critical Sections Dr. Liam OConnor University

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Shared Variable Proof Methods, Hardware-Assisted Critical Sections Dr. Liam OConnor University of Edinburgh LFCS (and UNSW) Term 2 2020 1 Transition Diagrams

954 views • 49 slides
The Barrelfish operating system for CMPs: research issues Tim Harris Based on slides by Andrew

The Barrelfish operating system for CMPs: research issues Tim Harris Based on slides by Andrew

The Barrelfish operating system for CMPs: research issues Tim Harris Based on slides by Andrew Baumann and Rebecca Isaacs. Joint work with colleagues at MSR Cambridge and ETH Zurich. The Barrelfish project Collaboration between ETH Zurich

725 views • 51 slides
Vi Visual S Studio Cod o Code e Shipping One of the Largest Microso3 JavaScript Applica8ons

Vi Visual S Studio Cod o Code e Shipping One of the Largest Microso3 JavaScript Applica8ons

Vi Visual S Studio Cod o Code e Shipping One of the Largest Microso3 JavaScript Applica8ons Alexandru Dima Microso7 What do we ship? Visual Studio Code Monaco Editor Electron node.js Chromium Modern browsers Growing the code Growing

471 views • 46 slides
Whats new in HPC? Gregory Bauer To keep up-to-date on HPC HPC Guru -

Whats new in HPC? Gregory Bauer To keep up-to-date on HPC HPC Guru -

Whats new in HPC? Gregory Bauer To keep up-to-date on HPC HPC Guru - https://twitter.com/HPC_Guru Glenn Lockwood - http://www.glennklockwood.com/ http://www.nextplatform.com 2 Whats old is new again? All aspects of HPC are

426 views • 17 slides
Johnathan Alsop *, Matthew D. Sinclair* , Sarita V. Adve* *Illinois, AMD, Wisconsin

Johnathan Alsop *, Matthew D. Sinclair* , Sarita V. Adve* *Illinois, AMD, Wisconsin

Johnathan Alsop *, Matthew D. Sinclair* , Sarita V. Adve* *Illinois, AMD, Wisconsin Sponsors: NSF, C-FAR, ADA (JUMP center by SRC, DARPA) Specialized architectures are increasingly important in all compute domains 2

572 views • 25 slides
&quot;On the Efficacy of a Fused CPU + GPU Processor (or APU) for Parallel Computing&quot;

&quot;On the Efficacy of a Fused CPU + GPU Processor (or APU) for Parallel Computing&quot;

&quot;On the Efficacy of a Fused CPU + GPU Processor (or APU) for Parallel Computing&quot; Paper: Mayank Daga, et. al Presentation: Liesl Wigand General: an APU is Accelerated Processing Unit Combines CPU and GPU onto a single die Best

410 views • 10 slides
Industrial Hardware and Software Verification with ACL2 Warren A. Hunt, Jr. 1 , Matt Kaufmann 1 ,

Industrial Hardware and Software Verification with ACL2 Warren A. Hunt, Jr. 1 , Matt Kaufmann 1 ,

Industrial Hardware and Software Verification with ACL2 Warren A. Hunt, Jr. 1 , Matt Kaufmann 1 , J Strother Moore 1 , and Anna Slobodova 2 1 Department of Computer Science University of Texas at Austin and 2 Centaur Technology, Inc. Austin, TX.

483 views • 29 slides
Scheduling for Virtualized Accelerator-based Systems Vishakha Gupta , Karsten Schwan @ Georgia Tech

Scheduling for Virtualized Accelerator-based Systems Vishakha Gupta , Karsten Schwan @ Georgia Tech

Pegasus: Coordinated Scheduling for Virtualized Accelerator-based Systems Vishakha Gupta , Karsten Schwan @ Georgia Tech Niraj Tolia @ Maginatics Vanish Talwar, Parthasarathy Ranganathan @ HP Labs USENIX ATC 2011 Portland, OR, USA Increasing

1.44k views • 88 slides
WEYERHAEUSER Earnings Release 3rd Quarter 2011 10/28/2011 1 FORWARD-LOOKING STATEMENT

WEYERHAEUSER Earnings Release 3rd Quarter 2011 10/28/2011 1 FORWARD-LOOKING STATEMENT

WEYERHAEUSER Earnings Release 3rd Quarter 2011 10/28/2011 1 FORWARD-LOOKING STATEMENT This presentation contains statements concerning the companys future results and performance that are forward -looking statements within the meaning

388 views • 18 slides

More recommend