Abstract
Memory introspection can be a powerful tool for analyzing the contents of a system’s memory for malicious code. Current approaches based on memory introspection have focused on virtual machines and on using a privileged software entity, such as a hypervisor, to perform the introspection. Such software-based introspection, however, is susceptible to a variety of attacks that may compromise the hypervisor and the introspection code. Furthermore, a hypervisor setup is not always wanted. In this work, we present a hardware-based approach to memory introspection. Dedicated hardware is introduced to read and analyze the memory of the target system, independent of any hypervisor or OS running on the system. We apply this hardware approach to memory introspection to build an architecture that uses DMA and fine-grained memory introspection techniques to match network connections to the application layer while remaining isolated from, and undetected by, the operating system or the hypervisor. We call the proposed architecture SystemWall, since it can be a standalone physical device added as an expansion card to the motherboard or as a dedicated external box. The architecture is transparent and cannot be manipulated or deactivated by potential malware on the target system. We use SystemWall in the evaluation to analyze the target system for malicious code and to prevent unknown (malicious) applications from establishing network connections, which could otherwise be used to spread viruses, spam or malware and to leak sensitive information.
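The abstract describes the core loop of such a device: read the target's memory over DMA, recover the process and socket tables, attribute each network connection to the application that owns it, and let only known applications through. The following is an added illustration of that loop, not code from the paper or from the SystemWall implementation. It assumes a constructed, simplified physical-memory layout (a small header with two counts, a process table of `(pid, name)` records and a socket table of `(owner pid, local port, remote IPv4, remote port)` records); real kernels use very different structures, and `dma_read` is a stand-in for a DMA transfer from the target, not a driver call. The connection whose owner is absent from the process table (a hidden or exited process) is attributed to `<unknown>` and blocked, which is the failure mode a firewall of this kind must handle.

```python
import struct
import ipaddress

# Constructed memory layout (an assumption for this illustration, not the paper's):
#   header        : "<II"    number of process records, number of socket records
#   process record: "<I16s"  pid, process name (NUL-padded to 16 bytes)
#   socket record : "<IHIH"  owner pid, local port, remote IPv4 as u32, remote port
HDR_FMT = "<II"
PROC_FMT = "<I16s"
SOCK_FMT = "<IHIH"


def build_memory_image(processes, sockets):
    """Serialise the constructed tables into one bytes blob that plays the role of target RAM."""
    buf = struct.pack(HDR_FMT, len(processes), len(sockets))
    for pid, name in processes:
        buf += struct.pack(PROC_FMT, pid, name.encode().ljust(16, b"\0"))
    for pid, lport, rip, rport in sockets:
        buf += struct.pack(SOCK_FMT, pid, lport, int(ipaddress.IPv4Address(rip)), rport)
    return buf


def dma_read(image, offset, length):
    """Stand-in for a DMA read of physical memory (hypothetical; a real device would issue a bus transfer)."""
    return image[offset:offset + length]


def introspect(image):
    """Walk the process and socket tables and attribute every connection to an application name."""
    nproc, nsock = struct.unpack(HDR_FMT, dma_read(image, 0, struct.calcsize(HDR_FMT)))
    off = struct.calcsize(HDR_FMT)

    procs = {}
    psize = struct.calcsize(PROC_FMT)
    for _ in range(nproc):
        pid, raw_name = struct.unpack(PROC_FMT, dma_read(image, off, psize))
        procs[pid] = raw_name.rstrip(b"\0").decode()
        off += psize

    conns = []
    ssize = struct.calcsize(SOCK_FMT)
    for _ in range(nsock):
        pid, lport, rip, rport = struct.unpack(SOCK_FMT, dma_read(image, off, ssize))
        conns.append({
            "pid": pid,
            # A socket whose owner is not in the process table cannot be attributed:
            # treat it as unknown rather than trusting it.
            "app": procs.get(pid, "<unknown>"),
            "lport": lport,
            "remote": f"{ipaddress.IPv4Address(rip)}:{rport}",
        })
        off += ssize
    return conns


def decide(conns, allowlist):
    """Default-deny policy: only connections owned by an allow-listed application pass."""
    return [(c, "ALLOW" if c["app"] in allowlist else "BLOCK") for c in conns]


def demo():
    # Constructed sample data; addresses are from documentation ranges.
    processes = [(1234, "browser"), (4321, "unlisted_app")]
    sockets = [
        (1234, 51000, "203.0.113.10", 443),   # known browser, HTTPS
        (4321, 51001, "198.51.100.7", 8080),  # application not on the allow list
        (9999, 51002, "192.0.2.5", 25),       # owner pid missing from the process table
    ]
    image = build_memory_image(processes, sockets)
    return decide(introspect(image), allowlist={"browser"})


if __name__ == "__main__":
    for conn, verdict in demo():
        print(f"{verdict:5} pid={conn['pid']:<5} app={conn['app']:<12} :{conn['lport']} -> {conn['remote']}")
```

Because the parser is driven purely by the bytes it reads, it neither runs on the target nor relies on any hypervisor, which mirrors the isolation property the abstract claims; what it does depend on is an accurate model of the target kernel's data structures, and keeping that model current is the practical maintenance cost of any introspection-based firewall.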
© 2014 Springer International Publishing Switzerland
Cite this paper
Biedermann, S., Szefer, J. (2014). SystemWall: An Isolated Firewall Using Hardware-Based Memory Introspection. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds) Information Security. ISC 2014. Lecture Notes in Computer Science, vol 8783. Springer, Cham. https://doi.org/10.1007/978-3-319-13257-0_16
DOI: https://doi.org/10.1007/978-3-319-13257-0_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-13256-3
Online ISBN: 978-3-319-13257-0