Abstract
Security monitoring has long been considered a fundamental mechanism for mitigating the damage of a security attack. Recently, intra-level security systems have been proposed that can efficiently and securely monitor system software without any involvement of a more privileged entity. Unfortunately, no complete intra-level security system exists that can universally operate at any privilege level on ARM. However, as malware and attacks increase against virtually every level of privileged software, including the OS, the hypervisor, and even the highest-privileged software armored by TrustZone, we have been motivated to develop an intra-level security system, named Hilps. Hilps realizes a true intra-level scheme at all of these levels of privileged software on ARM by elaborately exploiting a new hardware feature of ARM's latest 64-bit architecture, called TxSZ, that enables elastic adjustment of the accessible virtual address range. Furthermore, Hilps additionally supports a sandbox mechanism that provides security tools with individually isolated execution environments, thereby minimizing security threats from untrusted security tools. We have implemented a prototype of Hilps on a real machine. The experimental results demonstrate that Hilps is quite promising for practical use in real deployments.
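The abstract's key mechanism is the TxSZ field of the ARMv8 translation control register: for the kernel's upper (TTBR1) region, TCR_EL1.T1SZ fixes the region to the top 2^(64-T1SZ) bytes of the address space, and any virtual address whose upper bits are not all ones raises a translation fault. The simulation below is an added illustration written for this page, not code from the Hilps paper or its prototype, of how raising and lowering T1SZ can hide and expose a monitor region without involving a more privileged level. The T1SZ values, the page addresses, the layout (monitor placed in the slice of the upper region that disappears when T1SZ grows by one) and the function names are all constructed assumptions; the T1SZ limits 16..39 are the ARMv8.0 values for a 4 KB granule without the large-VA extension, and the model covers the EL1 upper region only, not EL2 or EL3.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* TCR_EL1.T1SZ limits for a 4 KB granule on ARMv8.0 (no LVA extension):
 * T1SZ = 16 gives a 48-bit upper region, T1SZ = 39 a 25-bit one. */
#define T1SZ_MIN 16u
#define T1SZ_MAX 39u

/* Constructed layout (assumption, not Hilps' real configuration): the
 * kernel normally runs with a 38-bit upper region (T1SZ = 26); the monitor
 * lives in the 2^38-byte slice just below that region, which only becomes
 * reachable when the gate lowers T1SZ to 25 (39-bit region). */
#define T1SZ_NORMAL  26u
#define T1SZ_MONITOR 25u

static const uint64_t MONITOR_PAGE = 0xFFFFFF8000001000ull; /* constructed */
static const uint64_t KERNEL_PAGE  = 0xFFFFFFC000100000ull; /* constructed */

bool t1sz_is_valid(unsigned t1sz)
{
    return t1sz >= T1SZ_MIN && t1sz <= T1SZ_MAX;
}

/* Lowest VA that TTBR1 translates for a given T1SZ: the top 2^(64-T1SZ)
 * bytes of the address space. Returns 0 for an out-of-range T1SZ. */
uint64_t ttbr1_region_base(unsigned t1sz)
{
    if (!t1sz_is_valid(t1sz))
        return 0;
    return (uint64_t)0 - ((uint64_t)1 << (64 - t1sz));
}

/* The MMU translates a VA through TTBR1 only if every bit above
 * bit (63 - T1SZ) is 1; otherwise it raises a translation fault. */
bool ttbr1_translates(unsigned t1sz, uint64_t va)
{
    if (!t1sz_is_valid(t1sz))
        return false;
    unsigned va_bits = 64 - t1sz;
    return (va >> va_bits) == (UINT64_MAX >> va_bits);
}

/* Simulated per-CPU translation configuration. */
struct cpu_ctx {
    unsigned t1sz;     /* current TCR_EL1.T1SZ */
    bool in_monitor;
};

/* Entry gate: widen the range so the monitor becomes addressable.
 * On hardware this is a write to TCR_EL1 followed by an ISB, and the
 * gate itself must be the only code allowed to perform it. */
bool enter_monitor(struct cpu_ctx *c)
{
    if (!t1sz_is_valid(T1SZ_MONITOR))
        return false;
    c->t1sz = T1SZ_MONITOR;
    c->in_monitor = true;
    return true;
}

/* Exit gate: shrink the range again before returning to the kernel. */
void leave_monitor(struct cpu_ctx *c)
{
    c->t1sz = T1SZ_NORMAL;
    c->in_monitor = false;
}

/* 0 = access translates, 1 = translation fault. */
int simulate_access(const struct cpu_ctx *c, uint64_t va)
{
    return ttbr1_translates(c->t1sz, va) ? 0 : 1;
}

int main(void)
{
    struct cpu_ctx cpu = { T1SZ_NORMAL, false };
    printf("kernel  -> monitor page: %s\n",
           simulate_access(&cpu, MONITOR_PAGE) ? "fault" : "ok");
    enter_monitor(&cpu);
    printf("monitor -> monitor page: %s\n",
           simulate_access(&cpu, MONITOR_PAGE) ? "fault" : "ok");
    leave_monitor(&cpu);
    printf("kernel  -> kernel page:  %s\n",
           simulate_access(&cpu, KERNEL_PAGE) ? "fault" : "ok");
    return 0;
}
```

The point the simulation makes is that the protection boundary is a single register field, so the integrity of the scheme rests entirely on the kernel being unable to write TCR_EL1 except through the gate; that is exactly the property an intra-level design has to enforce in software (for example by removing every other MSR TCR_EL1 from the kernel image) because no higher privilege level is watching.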
Safe and Efficient Implementation of a Security System on ARM using Intra-level Privilege Separation