ABSTRACT
Cyber attacks such as kernel rootkits increasingly target the inner rings of a computer system, and they seriously undermine the integrity of the entire system. Eliminating these threats calls for solutions that run below the attack surface. This paper presents MGuard, a new innermost-ring solution for inspecting system integrity that is integrated directly with DRAM DIMM devices. More specifically, we design a programmable guard integrated with the advanced memory buffer (AMB) of an FB-DIMM that continuously monitors all memory traffic and detects system integrity violations. Unlike existing approaches, which are either snapshot-based or lack compatibility and flexibility, MGuard continuously monitors the integrity of all outer rings of interest, including both the OS kernel and the hypervisor, and its programmable interface makes it easier to extend. It is a hardware drop-in solution transparent to the host CPU and memory controller. Moreover, MGuard is isolated from host software and hardware, which gives it strong security against remote attackers. Our simulation-based experimental results show that MGuard introduces no speed overhead and detects nearly all the OS-kernel and hypervisor control-data rootkits we tested.
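The mechanism the abstract describes, a guard in the memory path that checks every transaction rather than periodically scanning memory, can be modelled in software to see why the abstract contrasts continuous monitoring with snapshot-based checking. The C model below is an added example written for this page, not code from the MGuard paper or its FB-DIMM prototype; the region layout, the kernel text range, the syscall-table and IDT addresses, the ORIG_EXECVE and HOOK_ADDR values, and the transaction trace are all assumptions constructed for illustration. It runs one constructed trace, in which a rootkit installs a transient syscall-table hook and later restores it, through a continuous per-transaction guard and through a snapshot checker that only diffs the final image.

```c
/* Added example: a software model of a bus-snooping integrity guard, not code
 * from the MGuard paper. All addresses, region names and the transaction trace
 * are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

typedef enum { MEM_READ, MEM_WRITE } mem_op;
typedef struct { mem_op op; uint64_t addr, data; } mem_txn;
/* Per-region policy: no writes at all, or writes whose new value must point into kernel text. */
typedef enum { POLICY_IMMUTABLE, POLICY_CODE_POINTER } region_policy;
typedef struct { const char *name; uint64_t base, len; region_policy policy; } region;

#define KTEXT_BASE    0xffffffff81000000ULL   /* assumed kernel text range */
#define KTEXT_END     0xffffffff81800000ULL
#define SYSCALL_TABLE 0xffffffff81a00000ULL   /* assumed table locations */
#define IDT_BASE      0xffffffff81b00000ULL

static const region regions[] = {
    { "kernel_text",   KTEXT_BASE,    KTEXT_END - KTEXT_BASE, POLICY_IMMUTABLE },
    { "syscall_table", SYSCALL_TABLE, 0x1000,                 POLICY_CODE_POINTER },
    { "idt",           IDT_BASE,      0x1000,                 POLICY_IMMUTABLE },
};
static const region *region_of(uint64_t addr) {
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++)
        if (addr >= regions[i].base && addr - regions[i].base < regions[i].len)
            return &regions[i];
    return NULL;
}

/* One decision per transaction as it crosses the guard: 1 = violation, 0 = allowed. */
int guard_check(const mem_txn *t) {
    const region *r;
    if (t->op != MEM_WRITE || !(r = region_of(t->addr))) return 0;
    if (r->policy == POLICY_IMMUTABLE) return 1;
    return !(t->data >= KTEXT_BASE && t->data < KTEXT_END);   /* code pointer must target text */
}

/* Tiny sparse memory image so a snapshot checker can be modelled alongside. */
#define MEM_SLOTS 16
typedef struct { uint64_t addr[MEM_SLOTS], val[MEM_SLOTS]; size_t n; } sparse_mem;
static void mem_write(sparse_mem *m, uint64_t addr, uint64_t val) {
    for (size_t i = 0; i < m->n; i++)
        if (m->addr[i] == addr) { m->val[i] = val; return; }
    if (m->n < MEM_SLOTS) { m->addr[m->n] = addr; m->val[m->n] = val; m->n++; }
}
static uint64_t mem_read(const sparse_mem *m, uint64_t addr) {
    for (size_t i = 0; i < m->n; i++) if (m->addr[i] == addr) return m->val[i];
    return 0;
}

/* Continuous monitor: every transaction is checked as it passes, then applied. */
size_t monitor_continuous(const mem_txn *tr, size_t n, sparse_mem *cur) {
    size_t violations = 0;
    for (size_t i = 0; i < n; i++) {
        if (guard_check(&tr[i])) violations++;
        if (tr[i].op == MEM_WRITE) mem_write(cur, tr[i].addr, tr[i].data);
    }
    return violations;
}

/* Snapshot monitor: lets the trace run unobserved, then diffs protected regions against a known-good image. */
size_t monitor_snapshot(const mem_txn *tr, size_t n, const sparse_mem *good, sparse_mem *cur) {
    for (size_t i = 0; i < n; i++)
        if (tr[i].op == MEM_WRITE) mem_write(cur, tr[i].addr, tr[i].data);
    size_t violations = 0;
    for (size_t i = 0; i < cur->n; i++)
        if (region_of(cur->addr[i]) && cur->val[i] != mem_read(good, cur->addr[i]))
            violations++;
    return violations;
}

/* Constructed trace: a rootkit hooks the execve slot, uses it, restores the original
 * pointer, and separately patches one IDT entry for good. */
#define EXECVE_SLOT (SYSCALL_TABLE + 59 * 8)
#define ORIG_EXECVE 0xffffffff81234560ULL   /* assumed sys_execve address */
#define HOOK_ADDR   0xffffffffa0001000ULL   /* assumed module address, outside kernel text */
static const mem_txn trace[] = {
    { MEM_WRITE, EXECVE_SLOT, HOOK_ADDR },          /* hook installed: violation */
    { MEM_READ,  EXECVE_SLOT, 0 },                  /* syscall dispatched via hook */
    { MEM_WRITE, 0xffff880012345000ULL, 0x2a },     /* unprotected heap write: fine */
    { MEM_WRITE, EXECVE_SLOT, ORIG_EXECVE },        /* hook removed: fine */
    { MEM_WRITE, IDT_BASE + 0x10, 0xdeadbeefULL },  /* IDT patch: violation */
};
#define TRACE_LEN (sizeof trace / sizeof trace[0])

static void initial_image(sparse_mem *m) {
    m->n = 0;
    mem_write(m, EXECVE_SLOT, ORIG_EXECVE);
    mem_write(m, IDT_BASE + 0x10, 0x8e000010ULL);   /* assumed gate descriptor word */
}
size_t demo_continuous(void) {      /* 2: hook install and IDT patch */
    sparse_mem cur; initial_image(&cur);
    return monitor_continuous(trace, TRACE_LEN, &cur);
}
size_t demo_snapshot(void) {        /* 1: the restored hook is invisible to a snapshot */
    sparse_mem good, cur; initial_image(&good); initial_image(&cur);
    return monitor_snapshot(trace, TRACE_LEN, &good, &cur);
}

int main(void) {
    printf("continuous: %zu violation(s), snapshot: %zu violation(s)\n",
           demo_continuous(), demo_snapshot());
    return 0;
}
```

The continuous guard reports two violations (the hook install and the IDT patch); the snapshot checker reports one, because the syscall-table hook was restored before the snapshot was taken. That transient window is the class of attack a snapshot-based monitor structurally misses and the reason a per-transaction policy is worth the hardware cost. The policy here is deliberately simple, immutable regions plus a kernel-text range check for code pointers; a real guard also has to learn where those regions are in the first place, which is a semantic-gap problem this model sidesteps by hard-coding the addresses.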
Published in ISCA '13: CPU transparent protection of OS kernel and hypervisor integrity with programmable DRAM.