spectre a dependable introspec3on framework via system
play

Spectre: A Dependable Introspec3on Framework via System Management - PowerPoint PPT Presentation

Mar 23, 2023 •381 likes •675 views

Spectre: A Dependable Introspec3on Framework via System Management Mode Fengwei Zhang, Kevin Leach, Kun Sun, and Angelos Stavrou. In DSN'13. Presented by Fengwei Zhang Wayne State University CSC 6991 Topics in Computer Security 1 Agenda

  1. Spectre: A Dependable Introspec3on Framework via System Management Mode Fengwei Zhang, Kevin Leach, Kun Sun, and Angelos Stavrou. In DSN'13. Presented by Fengwei Zhang Wayne State University CSC 6991 Topics in Computer Security 1

  2. Agenda • Introduc3on • Background • System Framework • Experimental Results • Conclusion Wayne State University CSC 6991 Topics in Computer Security 2

  3. Agenda • Introduc3on • Background • System Framework • Experimental Results • Conclusion Wayne State University CSC 6991 Topics in Computer Security 3

  4. Introduc3on • Malware detec3on and analysis remain an open research problem • ︎ Tradi3onally, malware detec3on is provided by installing an3-malware tools (e.g., an3-virus) within the OS • ︎ However, these detec3on tools are vulnerable to malware running at the same level (e.g., rootkits) • ︎ ’Out-of-box’ introspec3on mechanism proposed for malware detec3on and analysis (e.g., Virtual machine introspec3on) Wayne State University CSC 6991 Topics in Computer Security 4

  5. Introduc3on • Virtual Machine Intropsec3on (VMI) systems run malware within a VM and use analysis tool to introspect the malware from outside • ︎ VMI systems have been widely adopted for malware detec3on and analysis. They isolate the malware detec3on so]ware from a vulnerable guest [4, 5, 6] • Limita3ons of VMI systems: – Large Trusted Compu3ng Base (TCB) (e.g., Xen 4.2 has 208K lines of code) – Armored malware can detect the presence of a VM and alter its own execu3on (e.g., an3-VM techniques) – High performance overhead • We present Spectre, a dependable introspec3on framework via system management mode Wayne State University CSC 6991 Topics in Computer Security 5

  6. Agenda • Introduc3on • Background • System Framework • Experimental Results • Conclusion Wayne State University CSC 6991 Topics in Computer Security 6

  7. Background System Management Mode (SMM) • A CPU mode on the x86 Architecture. • A]er entering into SMM, it executes the System Management Interrupt (SMI) handler • SMI handler stores at a sealed storage called System Management RAM (SMRAM) • BIOS locks the SMRAM, and the SMRAM is inaccessible from any other CPU modes • SMM-based systems – Integrity checking: HyperGuard [7], HyperCheck [8], – HyperSentry [1] – SMM rootkits [3, 2] – Agacks against SMM [9] Wayne State University CSC 6991 Topics in Computer Security 7

  8. Background Basic Input and Output System (BIOS) and Coreboot • BIOS code is stored on-vola3le ROM, and it is responsible for hardware ini3aliza3on before OS starts. • Coreboot is an open source project aimed to replace the BIOS in current computer • Spectre uses a custom SMI handler in Coreboot Wayne State University CSC 6991 Topics in Computer Security 8

  9. Agenda • Introduc3on • Background • System Framework • Experimental Results • Conclusion Wayne State University CSC 6991 Topics in Computer Security 9

  10. System Framework Target Machine Monitor S PECTRE system regularly introspects native memory on target machine Machine Check kernel data Rebuild Check kernel code Enter Report alerts semantic SMM Check program data ‘heartbeat’ data attack occured? optional custom module ... select module Wayne State University CSC 6991 Topics in Computer Security 10

  11. System Framework • Step 1: Periodic triggering of SMM Target Machine Monitor S PECTRE system regularly introspects native memory on target machine Machine Enter SMM Wayne State University CSC 6991 Topics in Computer Security 11

  12. System Framework • Step 1: Periodic triggering of SMM • Step 2: Rebuilding seman3c informa3on Target Machine Monitor S PECTRE system regularly introspects native memory on target machine Machine Rebuild Enter semantic SMM data Wayne State University CSC 6991 Topics in Computer Security 12

  13. System Framework • Step 1: Periodic triggering of SMM • Step 2: Rebuilding seman3c informa3on • Step 3: Running a detec3on module Target Machine Monitor S PECTRE system regularly introspects native memory on target machine Machine Check kernel data Rebuild Check kernel code Enter semantic SMM Check program data data optional custom module ... select module Wayne State University CSC 6991 Topics in Computer Security 13

  14. System Framework • Step 1: Periodic triggering of SMM • Step 2: Rebuilding seman3c informa3on • Step 3: Running a detec3on module • Step 4: Communica3on with monitor server Target Machine Monitor S PECTRE system regularly introspects native memory on target machine Machine Check kernel data Rebuild Check kernel code Enter Report alerts semantic SMM Check program data ‘heartbeat’ data attack occured? optional custom module ... select module Wayne State University CSC 6991 Topics in Computer Security 14

  15. Step 1: Periodic Triggering of SMM • Two ways to trigger an SMI – So]ware-based: write to an ACPI port specified by chipsets – Hardware-based: NIC card, keyboard, mouse, and hardware 3mer • Hardware-based method is more reliable than so]ware-based method, so we use a hardware 3mer at southbridge to periodically assert an SMI Wayne State University CSC 6991 Topics in Computer Security 15

  16. Step 2: Rebuilding Seman3c Informa3on SMM only sees the raw memory, and does not know the seman3cs of the • memory (e.g. OS data structures) Similar to the seman3c gap problem in VMI systems • We manually bridge the seman3c gap in our prototype, automa3cally • bridging (e.g., Virtuoso [6], VMST [4]) Heap List Segment Executive Process PsActiveProcessHead Static VA of KPCR Segment S 0 Heap H 0 prev Metadata... +78h Heap H 1 0xffdff000 KPCR KdVersionBlock FirstEntry next +34h Heap H 2 LastEntry Heap H 3 PEB Entry E 1 Heap H 4 Executive Process Executive Process Executive Process e.g., “lsass.exe” e.g., “explorer.exe” e.g., “System” Data... ... Heap H n Entry E 2 Other prev prev prev Executive Data... next next next Processes Heap H 0 Metadata Entry E 3 ... Segment S 0 Entry ... Heap List Segment S 1 Data... Segment S 2 Other heap ... ... Entry E n Handle Table 3 Handle Table 2 Handle Table 1 Segment S n tables Heap Process Environment Block Wayne State University CSC 6991 Topics in Computer Security 16

  17. Seman3c Gap Problem in VMI • SoK: Introspec3ons on Trust and the Seman3c Gap. Bhushan Jain, Mirza Basim Baig, Dongli Zhang, Donald E. Porter, and Radu Sion. In S&P'14. • SMM-based Systems, TrustZone-based Systems, SGX, other hardware isolated execu3on environments (HIEEs) Wayne State University CSC 6991 Topics in Computer Security 17

  18. Step 3: Running a Detec3on Module • We demonstrate the capability of our framework with three memory-based agacks: – Detec3ng heap spray agacks – Detec3ng heap overflow agacks – Detec3ng rootkits • Other checking modules can be extended into Spectre with corresponding detec3on algorithm Wayne State University CSC 6991 Topics in Computer Security 18

  19. Step 4: Communica3on with Monitor Machine • The SMI handler alerts the monitor machine over a serial or Ethernet cable • We port the NIC driver into SMI handler because we do want to trust any code in the OS • ‘Heartbeat’ message can be used to detect denial of service agack • Exit from SMM and resume OS states Wayne State University CSC 6991 Topics in Computer Security 19

  20. Agenda • Introduc3on • Background • System Framework • Experimental Results • Conclusion Wayne State University CSC 6991 Topics in Computer Security 20

  21. Prototype Specifica3on • ︎ Hardware – Motherboard: ASUS-M2V MX SE – CPU: 2.2GHz AMD Sempron LE-1250 – RAM: 2GB Kingston DDR2 – NICs: Integrated NIC and Intel e1000 Gigabit with PCI • ︎ So]ware – BIOS: Coreboot+SeaBIOS – OSes: Linux (Cent OS 5.5) and Windows XP SP3 Wayne State University CSC 6991 Topics in Computer Security 21

  22. Memory Agacks Detec3on • Run various memory agacks, and measure the detec3on 3me in the SMM • Detec3on 3me = Time at SMM exit - Time at SMM enter Wayne State University CSC 6991 Topics in Computer Security 22

  23. System Overhead • Spectre is OS-agnos3c, and can detect memory agacks on both Windows and Linux plaqorms. • Benchmark: PassMark on Windows and UnixBench on Linux • First, we run different detec3on modules, and record their benchmark scores – Without detec3on module – Heap spray detec3on module – Heap Overflow detec3on module – Rootkits detec3on module • Second, we change the SMI triggering rate, and it ranges from 1/16 s to 5s Wayne State University CSC 6991 Topics in Computer Security 23

  24. System Overhead • X-coordinate: Sampling interval ︎ • Y-coordinate: Percent overhead Windows Linux 20% Without detection module Without detection module Heap spray module Heap spray detection module Percent overhead Percent overhead 20% 15% Heap overflow module Rootkit detection module Rootkit module 10% 10% 5% 0% 0% 5 s 2 s 1 s 1 1 5 s 2 s 1 s 1 1 2 s 16 s 2 s 16 s Sampling interval / s Sampling interval / s Wayne State University CSC 6991 Topics in Computer Security 24

  25. Comparison with VMI Systems • Smaller code base–Spectre only trust the BIOS, but VMI systems need to trust hypervisor • More transparent–armored malware with an3-VM techniques cannot detect it • Beger Performance Wayne State University CSC 6991 Topics in Computer Security 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Spectre: A Dependable Introspec3on Framework via System Management

Spectre: A Dependable Introspec3on Framework via System Management

Spectre: A Dependable Introspec3on Framework via System Management Mode Fengwei Zhang, Kevin Leach, Kun Sun, and Angelos Stavrou. In DSN'13. Presented

485 views • 31 slides
Spectre and Meltdown Clifford Wolf q/Talk 2018-01-30 Spectre and Meltdown Spectre

Spectre and Meltdown Clifford Wolf q/Talk 2018-01-30 Spectre and Meltdown Spectre

Spectre and Meltdown Clifford Wolf q/Talk 2018-01-30 Spectre and Meltdown Spectre (CVE-2017-5753 and CVE-2017-5715) Is an architectural security bug that effects most modern processors with speculative execution It allows a program

441 views • 16 slides
SpECTRE CCE tutorial ICERM, September 2020 Jordan Moxon, on behalf of the SpECTRE team and SXS

SpECTRE CCE tutorial ICERM, September 2020 Jordan Moxon, on behalf of the SpECTRE team and SXS

SpECTRE CCE tutorial ICERM, September 2020 Jordan Moxon, on behalf of the SpECTRE team and SXS moxon@black-holes.org I. INTRODUCTION This is a quick description on how to get up and running with the stand-alone version of the SpECTRE CCE

546 views • 6 slides
SpECTRE: Towards improved simulations of relativistic astrophysical systems Nils Deppe May 1,

SpECTRE: Towards improved simulations of relativistic astrophysical systems Nils Deppe May 1,

SpECTRE: Towards improved simulations of relativistic astrophysical systems Nils Deppe May 1, 2019 github.com/sxs-collaboration/spectre 1 Table of Contents 1 Background and motivation 2 Numerical methods 3 SpECTRE implementation

880 views • 38 slides
A SpECTRE With a New face Nils Deppe Simulating eXtreme Spacetimes Collaboration Charm ++

A SpECTRE With a New face Nils Deppe Simulating eXtreme Spacetimes Collaboration Charm ++

A SpECTRE With a New face Nils Deppe Simulating eXtreme Spacetimes Collaboration Charm ++ Workshop April 11, 2018 github.com/sxs-collaboration/spectre A SpECTRE With a New Face 1 / 21 Table of Contents 1 SpECTRE 2 The New face

623 views • 29 slides
Mutable Protection Domains: Towards a Component-based System for Dependable and Predictable

Mutable Protection Domains: Towards a Component-based System for Dependable and Predictable

Mutable Protection Domains: Towards a Component-based System for Dependable and Predictable Computing Gabriel Parmer and Richard West Computer Science Deparment Boston University Boston, MA 02215 { gabep1, richwest } @cs.bu.edu December 6,

831 views • 33 slides
Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel Meltdown attack Spectre attack Microsoft Interview Question Stealing A Secret Secret: 7 Guard with Memory Eraser Restricted Room CPU

732 views • 30 slides
What is the THRIVE Framework for system change? The THRIVE Framework for system change (Wolpert et

What is the THRIVE Framework for system change? The THRIVE Framework for system change (Wolpert et

What is the THRIVE Framework for system change? The THRIVE Framework for system change (Wolpert et al., 2019) is a conceptual framework for children and young peoples mental health and wellbeing developed by a collaboration of authors from the

633 views • 4 slides
Spectre/Meltdown at eCG: Rebooting 80k cores Bruno Bompastor Adrian Joian Cloud Reliability Team

Spectre/Meltdown at eCG: Rebooting 80k cores Bruno Bompastor Adrian Joian Cloud Reliability Team

Spectre/Meltdown at eCG: Rebooting 80k cores Bruno Bompastor Adrian Joian Cloud Reliability Team 2018 10 Brands In Multiple Countries NL/DE Datacenters Spectre/Meltdown - Meltdown: melts security boundaries which are normally enforced by

305 views • 26 slides
Computer System Virendra Singh Associate Professor Computer Architecture and Dependable Systems

Computer System Virendra Singh Associate Professor Computer Architecture and Dependable Systems

Computer System Virendra Singh Associate Professor Computer Architecture and Dependable Systems Lab Department of Electrical Engineering Indian Institute of Technology Bombay http://www.ee.iitb.ac.in/~viren/ E-mail: viren@ee.iitb.ac.in

714 views • 37 slides
Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer Architect, Red Hat, Inc. jcm@redhat.com | @jonmasters 2 Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Overview

1.58k views • 140 slides
Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer Architect, Red Hat, Inc. jcm@redhat.com | @jonmasters 2 Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Overview

2.11k views • 184 slides
10 Dependable Architectures The material of this course has been initially created by Prof. Dr. H.

10 Dependable Architectures The material of this course has been initially created by Prof. Dr. H.

EPFL, Spring 2017 10 Dependable Architectures The material of this course has been initially created by Prof. Dr. H. Kirrmann and adapted by Dr. Y-A. Pignolet & J-C. Tournier Fault Error - Failure Fault: Defect in system (bug) Error:

1.07k views • 65 slides
Behavioral Contracts and Service Substitutability: A Contribution to Dependable SOA Haldor

Behavioral Contracts and Service Substitutability: A Contribution to Dependable SOA Haldor

1 Behavioral Contracts and Service Substitutability: A Contribution to Dependable SOA Haldor Samset and Rolv Brk, Norwegian University of Science and Technology NTNU, Department of Telematics NTNU, June 2008 Dependable SOA 2 What is

555 views • 13 slides
Transient Execution Attacks: Lessons from Spectre, Meltdown, and Foreshadow Jo Van Bulck

Transient Execution Attacks: Lessons from Spectre, Meltdown, and Foreshadow Jo Van Bulck

Transient Execution Attacks: Lessons from Spectre, Meltdown, and Foreshadow Jo Van Bulck imec-DistriNet, KU Leuven jo.vanbulck@cs.kuleuven.be jovanbulck ISSE Brussels, November 6, 2018 A primer on software security Secure

897 views • 58 slides
RAIC: Architecting Dependable Systems Through Redundancy and Just-In-Time Testing For The ICSE

RAIC: Architecting Dependable Systems Through Redundancy and Just-In-Time Testing For The ICSE

RAIC: Architecting Dependable Systems Through Redundancy and Just-In-Time Testing For The ICSE 2002 Workshop on Architecting Dependable Systems Orlando, Florida, USA Chang Liu, Debra J. Richardson Information And Computer Science University

840 views • 24 slides
RECURSION, DICTIONARIES (download slides and .py files and follow along!) 6.0001 LECTURE 6 1

RECURSION, DICTIONARIES (download slides and .py files and follow along!) 6.0001 LECTURE 6 1

RECURSION, DICTIONARIES (download slides and .py files and follow along!) 6.0001 LECTURE 6 1 6.0001 LECTURE 6 QUIZ PREP a paper and an online component open book/notes not open Internet, not open computer start prinSng out whatever

804 views • 58 slides
Political support for reforms of the pension system - two experiments Ana Fontoura Gouveia Banco

Political support for reforms of the pension system - two experiments Ana Fontoura Gouveia Banco

Information Priming Design Conclusions Political support for reforms of the pension system - two experiments Ana Fontoura Gouveia Banco de Portugal and NOVA SBE SPARC seminar - ICS Lisboa - 12 July 2018 Ana Fontoura Gouveia Political

174 views • 15 slides
Interprocedural Analysis The Problem: match entries with exits proc fib(val z, u; res v) The

Interprocedural Analysis The Problem: match entries with exits proc fib(val z, u; res v) The

Interprocedural Analysis The Problem: match entries with exits proc fib(val z, u; res v) The problem is 1 MVP: Meet over Valid Paths no [ z<3 ] 2 Making context explicit yes [ call

341 views • 7 slides
STELLAR SHELLS IN THE ILLUSTRIS SIMULATION Ana-Roxana Pop in collabora*on with Lars Hernquist,

STELLAR SHELLS IN THE ILLUSTRIS SIMULATION Ana-Roxana Pop in collabora*on with Lars Hernquist,

STELLAR SHELLS IN THE ILLUSTRIS SIMULATION Ana-Roxana Pop in collabora*on with Lars Hernquist, Annalisa Pillepich, Nicola Amorisco En*re group Satellite forming shells radial velocity x y radial distance Ana-Roxana Pop Stellar Shells in

737 views • 26 slides
News on Rho PANDA Collaboration Meeting , Bochum 11. 9. 2013 K. Gtzen, GSI 1 Major Changes

News on Rho PANDA Collaboration Meeting , Bochum 11. 9. 2013 K. Gtzen, GSI 1 Major Changes

News on Rho PANDA Collaboration Meeting , Bochum 11. 9. 2013 K. Gtzen, GSI 1 Major Changes (by Ralf Kliemt) Rename all Rho classes to Rho* RhoCandidate handled fully with pointers Unclutter Rho classes delete

710 views • 30 slides
The Wild Side of the Santa Ana River OCWD Department of Natural Resources Outline

The Wild Side of the Santa Ana River OCWD Department of Natural Resources Outline

The Wild Side of the Santa Ana River OCWD Department of Natural Resources Outline Introduction: OCWD Natural Resources Department The Connection Between Water Management and the Environment Santa Ana Watershed Prado Basin and

607 views • 47 slides
Highlights from Five Years of UW STARTALK Heritage Language Symposia Dr. Michele Anciaux Aoki,

Highlights from Five Years of UW STARTALK Heritage Language Symposia Dr. Michele Anciaux Aoki,

Highlights from Five Years of UW STARTALK Heritage Language Symposia Dr. Michele Anciaux Aoki, Consultant to UW STARTALK Programs 2011-2020 michele@anciauxinternational.com UW STARTALK Heritage Language Symposia

748 views • 18 slides
Coalgebra Love and Beauty in Science Ana Sokolova Logic Mentoring Workshop 2019 Do you know any

Coalgebra Love and Beauty in Science Ana Sokolova Logic Mentoring Workshop 2019 Do you know any

Coalgebra Love and Beauty in Science Ana Sokolova Logic Mentoring Workshop 2019 Do you know any coalgebra? Ana Sokolova LMW 2019 22-6-19 Do you know any coalgebra? Yes, you know many coalgebras ! Ana Sokolova LMW 2019 22-6-19 Some

931 views • 82 slides

More recommend