
Design and implementation of an attestation protocol for measured dynamic behavior

The Journal of Supercomputing

Abstract

Security of applications running on remote devices has become an essential need of enterprises. For this purpose, several software-based solutions have been proposed. However, it has been observed that software solutions are vulnerable to several kinds of attacks. Moreover, they cannot protect and monitor all parts of the system. To overcome this problem, researchers have proposed monitoring a target system from isolated hardware and storing the system's sensitive information in its tamper-proof memory locations. To realize such a solution, the Trusted Computing Group (TCG) has proposed the specifications of a co-processor called the Trusted Platform Module (TPM), which is widely available in commodity hardware. Integrity Measurement Architecture (IMA) is one of the well-known static techniques that brings TCG's attestation from the kernel to the application level. However, this method cannot measure the runtime behavior of applications, which is necessary to detect runtime attacks such as buffer overflow and return-oriented programming. In this paper, we have extended the base work, which aims to detect runtime vulnerabilities. The current high-level-based attestation protocol has been extended for dynamic behavior collection and verification, and the dynamic behavior is verified via several machine learning algorithms. Our results justify the use of this approach and show that a high detection rate was achieved for datasets of real-world vulnerabilities in the popular Firefox browser.

Author information

Corresponding author

Correspondence to Toqeer Ali.

Cite this article

Ali, T., Ismail, R., Musa, S. et al. Design and implementation of an attestation protocol for measured dynamic behavior. J Supercomput 74, 5746–5773 (2018). https://doi.org/10.1007/s11227-017-2054-2

  • DOI: https://doi.org/10.1007/s11227-017-2054-2
