
SystemWall: An Isolated Firewall Using Hardware-Based Memory Introspection

  • Conference paper
Information Security (ISC 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8783)


Abstract

Memory introspection can be a powerful tool for analyzing the contents of a system's memory for malicious code. Current approaches based on memory introspection have focused on virtual machines and on using a privileged software entity, such as a hypervisor, to perform the introspection. Such software-based introspection, however, is susceptible to a variety of attacks that may compromise the hypervisor and the introspection code. Furthermore, a hypervisor setup is not always wanted. In this work, we present a hardware-based approach to memory introspection. Dedicated hardware is introduced to read and analyze the memory of the target system, independent of any hypervisor or OSes running on the system. We apply this new hardware approach to memory introspection to build an architecture that uses DMA and fine-grained memory introspection techniques in order to match network connections to the application layer, while remaining isolated from, and undetectable by, the operating system or the hypervisor. We call the proposed architecture SystemWall, since it can be a standalone physical device that is added as an expansion card to the motherboard or as a dedicated external box. The architecture is transparent and cannot be manipulated or deactivated by potential malware on the target system. In the evaluation, we use SystemWall to analyze the target system for malicious code and to prevent unknown (malicious) applications from establishing network connections, which could otherwise be used to spread viruses, spam or malware and to leak sensitive information.
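The abstract describes the core mechanism only at a high level: the device reads the target's physical memory over DMA, recovers which process owns each socket, and enforces a policy without any help from the target OS. The following Python model is an added illustration written for this page; it is not code from the paper or the SystemWall prototype. It assumes a constructed, hypothetical memory layout (two fixed-size tables at fixed addresses, ended by an all-zero record) standing in for real kernel structures, and the function names, table format, sample processes and allowlist are all invented here. The interesting case it carries through is a socket whose owning process has no process record at all, which a default-deny policy refuses.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Constructed, hypothetical layout of the target's physical memory.
# Real kernels keep process and socket state in linked structures whose
# offsets depend on the OS build; the fixed tables here stand in for that.
PROC_TABLE_ADDR = 0x1000   # records of (pid: u32, name: 16 bytes)
SOCK_TABLE_ADDR = 0x2000   # records of (pid: u32, local_port: u16, remote_ip: 4 bytes, remote_port: u16)
IMAGE_SIZE = 0x3000
PROC_REC = struct.Struct("<I16s")
SOCK_REC = struct.Struct("<IH4sH")
MAX_RECORDS = 64           # upper bound on a table walk, so a corrupted table cannot loop forever
UNKNOWN = "<unknown>"


@dataclass(frozen=True)
class Connection:
    pid: int
    process: str      # UNKNOWN when no process record claims the pid
    local_port: int
    remote: str       # "ip:port"


def build_image(procs, socks) -> bytes:
    """Build a constructed memory image; each table ends with an all-zero record."""
    buf = bytearray(IMAGE_SIZE)
    off = PROC_TABLE_ADDR
    for pid, name in procs:
        buf[off:off + PROC_REC.size] = PROC_REC.pack(pid, name.encode())  # '16s' pads with NULs
        off += PROC_REC.size
    off = SOCK_TABLE_ADDR
    for pid, lport, rip, rport in socks:
        ip_bytes = bytes(int(o) for o in rip.split("."))
        buf[off:off + SOCK_REC.size] = SOCK_REC.pack(pid, lport, ip_bytes, rport)
        off += SOCK_REC.size
    return bytes(buf)


def dma_read(image: bytes, addr: int, size: int) -> bytes:
    """Stand-in for a DMA read by the introspection device: a raw slice of
    physical memory, obtained without asking the target OS for anything."""
    if addr < 0 or addr + size > len(image):
        raise ValueError("DMA read outside of physical memory")
    return image[addr:addr + size]


def read_table(image: bytes, addr: int, rec: struct.Struct) -> list[tuple]:
    """Walk fixed-size records until an all-zero terminator or MAX_RECORDS."""
    records = []
    for i in range(MAX_RECORDS):
        raw = dma_read(image, addr + i * rec.size, rec.size)
        if not any(raw):
            break
        records.append(rec.unpack(raw))
    return records


def introspect(image: bytes) -> list[Connection]:
    """Match every socket to its owning process using memory contents only."""
    procs = {pid: name.rstrip(b"\0").decode("ascii", "replace")
             for pid, name in read_table(image, PROC_TABLE_ADDR, PROC_REC)}
    conns = []
    for pid, lport, rip, rport in read_table(image, SOCK_TABLE_ADDR, SOCK_REC):
        remote = f"{'.'.join(str(b) for b in rip)}:{rport}"
        conns.append(Connection(pid, procs.get(pid, UNKNOWN), lport, remote))
    return conns


def decide(conns: list[Connection], allowlist: set[str]) -> dict[tuple[int, str], str]:
    """Default-deny: only connections owned by an allowlisted process pass.
    A socket with no owning process record is denied as well; a process that
    hides from the OS's own bookkeeping is exactly what an in-OS firewall misses."""
    verdicts = {}
    for c in conns:
        ok = c.process != UNKNOWN and c.process in allowlist
        verdicts[(c.local_port, c.remote)] = "allow" if ok else "deny"
    return verdicts


# Constructed sample target state (all values invented for this example)
SAMPLE_IMAGE = build_image(
    procs=[(101, "firefox"), (102, "updater.exe")],
    socks=[(101, 50000, "93.184.216.34", 443),
           (102, 50001, "203.0.113.7", 8080),
           (999, 50002, "198.51.100.9", 6667)],   # pid 999 has no process record
)
ALLOWLIST = {"firefox", "sshd"}


def evaluate_sample() -> dict[tuple[int, str], str]:
    return decide(introspect(SAMPLE_IMAGE), ALLOWLIST)


if __name__ == "__main__":
    for key, verdict in evaluate_sample().items():
        print(key, verdict)
```

Running it yields one allow (the firefox socket) and two denies: the unlisted updater.exe and the orphaned socket with no process record. The point the model makes about the design is that the decision depends only on bytes read from memory, so nothing the target OS reports (or fails to report) changes the verdict; what a real device must additionally solve, and what this toy layout skips, is locating and parsing the genuine kernel structures for the OS actually running on the target.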




Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Biedermann, S., Szefer, J. (2014). SystemWall: An Isolated Firewall Using Hardware-Based Memory Introspection. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds) Information Security. ISC 2014. Lecture Notes in Computer Science, vol 8783. Springer, Cham. https://doi.org/10.1007/978-3-319-13257-0_16

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-13257-0_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-13256-3

  • Online ISBN: 978-3-319-13257-0

  • eBook Packages: Computer Science (R0)
