
Safe and Efficient Implementation of a Security System on ARM using Intra-level Privilege Separation

Published: 26 February 2019

Abstract

Security monitoring has long been considered a fundamental mechanism for mitigating the damage of a security attack. Recently, intra-level security systems have been proposed that can efficiently and securely monitor system software without any involvement of a more privileged entity. Unfortunately, no full intra-level security system exists that can universally operate at any privilege level on ARM. However, as malware and attacks increase against virtually every level of privileged software, including an OS, a hypervisor, and even the highest privileged software armored by TrustZone, we have been motivated to develop an intra-level security system, named Hilps. Hilps realizes a true intra-level scheme at all these levels of privileged software on ARM by elaborately exploiting a new hardware feature of ARM’s latest 64-bit architecture, called TxSZ, that enables elastic adjustment of the accessible virtual address range. Furthermore, Hilps newly supports a sandbox mechanism that provides security tools with individually isolated execution environments, thereby minimizing security threats from untrusted security tools. We have implemented a prototype of Hilps on a real machine. The experimental results demonstrate that Hilps is quite promising for practical use in real deployments.

Published in

ACM Transactions on Privacy and Security, Volume 22, Issue 2
May 2019
214 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3316298

Copyright © 2019 ACM

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

• Published: 26 February 2019
• Revised: 1 January 2019
• Accepted: 1 January 2019
• Received: 1 December 2017

Qualifiers

• research-article
• Research
• Refereed
