
A Machine Learning-Assisted Compartmentalization Scheme for Bare-Metal Systems

  • Conference paper
Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12282)

Abstract

A primary concern in creating compartments (i.e., protection domains) for bare-metal systems is adopting an applicable compartmentalization policy. Existing studies have proposed several typical policies. However, none of these policies considers the influence of unsafe functions on compartment security: a vulnerable function exposes unpredictable attack surfaces, which could be exploited to manipulate any contents stored in the same compartment. In this paper, we design a machine learning-assisted compartmentalization scheme, which adopts a new policy that takes every function’s security into full account, to create compartments for bare-metal systems. First, the scheme uses a machine learning method to predict how likely a function is to hold an exploitable security bug. Second, the prediction results are used to create a new instrumented firmware that isolates vulnerable and normal functions into different compartments. Further, the scheme provides optional optimization plans to the developer to improve performance. The PoC of the scheme is incorporated into an LLVM-based compiler and evaluated on a Cortex-M based IoT device. Compared with firmware adopting other typical policies, the firmware with the new policy not only shows better security but also keeps the overhead basically unchanged.

Acknowledgments

The authors would like to thank the anonymous reviewers for their critical suggestions that greatly improved the paper quality. This work is supported by the National Key R&D Program of China (No. 2019YFB1706002).

Correspondence to Yazhe Wang.

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Huo, D. et al. (2020). A Machine Learning-Assisted Compartmentalization Scheme for Bare-Metal Systems. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds) Information and Communications Security. ICICS 2020. Lecture Notes in Computer Science, vol 12282. Springer, Cham. https://doi.org/10.1007/978-3-030-61078-4_2

  • DOI: https://doi.org/10.1007/978-3-030-61078-4_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-61077-7

  • Online ISBN: 978-3-030-61078-4

  • eBook Packages: Computer Science (R0)
