CPU transparent protection of OS kernel and hypervisor integrity with programmable DRAM

Published: 23 June 2013

ABSTRACT

Increasingly, cyber attacks (e.g., kernel rootkits) target the inner rings of a computer system, seriously undermining the integrity of the entire system. To eliminate these threats, it is imperative to develop innovative solutions that run below the attack surface. This paper presents MGuard, a new innermost-ring solution for inspecting system integrity that is directly integrated with the DRAM DIMM devices. More specifically, we design a programmable guard integrated with the advanced memory buffer (AMB) of an FB-DIMM to continuously monitor all memory traffic and detect system integrity violations. Unlike existing approaches, which are either snapshot-based or lack compatibility and flexibility, MGuard continuously monitors the integrity of all the outer rings of interest, including both the OS kernel and the hypervisor, with greater extensibility enabled by a programmable interface. It is a hardware drop-in solution, transparent to the host CPU and memory controller. Moreover, MGuard is isolated from the host software and hardware, giving it strong security against remote attackers. Our simulation-based experimental results show that MGuard introduces no speed overhead and detects nearly all of the OS-kernel and hypervisor control-data rootkits we tested.
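The abstract describes the guard only as "monitor all memory traffic and detect system integrity violations". The C model below is added here as an illustration of that idea and is not code from the paper or its simulator: a programmable rule table of protected physical ranges (control data that must never change, such as a system-call table, or a slot that may only hold one of a few known handler addresses) and a check applied to every write transaction the buffer forwards to DRAM. The rule names, physical addresses and the transaction trace are constructed for the demo; MGuard's real interface, rule language and address layout are not on this page.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* One memory transaction as seen by a buffer sitting between the
 * memory controller and the DRAM devices (constructed model). */
typedef enum { OP_READ = 0, OP_WRITE = 1 } mem_op_t;

typedef struct {
    mem_op_t op;
    uint64_t addr;   /* physical address of the 8-byte word */
    uint64_t data;   /* payload of a write; ignored for reads */
} mem_txn_t;

/* Two rule kinds suffice for control data: a range that must never be
 * written after boot, or a slot whose value must stay in an allow-list. */
typedef enum { RULE_IMMUTABLE, RULE_ALLOWLIST } rule_kind_t;

typedef struct {
    const char *name;
    uint64_t start, end;       /* protected physical range [start, end) */
    rule_kind_t kind;
    const uint64_t *allowed;   /* RULE_ALLOWLIST: permitted values */
    size_t n_allowed;
} guard_rule_t;

#define MAX_RULES 8
typedef struct {
    guard_rule_t rules[MAX_RULES];
    size_t n_rules;
    unsigned violations;
    const char *last_violation;   /* name of the rule hit most recently */
} guard_t;

static void guard_init(guard_t *g) { memset(g, 0, sizeof *g); }

/* Programming interface: the host-independent side loads rules here. */
static bool guard_add_rule(guard_t *g, guard_rule_t r) {
    if (g->n_rules >= MAX_RULES || r.start >= r.end) return false;
    g->rules[g->n_rules++] = r;
    return true;
}

/* Called on every transaction. Reads never change state, so only writes
 * are matched against the rule table. Returns true on a violation. */
bool guard_check(guard_t *g, const mem_txn_t *t) {
    if (t->op != OP_WRITE) return false;
    for (size_t i = 0; i < g->n_rules; i++) {
        const guard_rule_t *r = &g->rules[i];
        if (t->addr < r->start || t->addr >= r->end) continue;
        bool ok = false;
        if (r->kind == RULE_ALLOWLIST)
            for (size_t j = 0; j < r->n_allowed && !ok; j++)
                ok = (r->allowed[j] == t->data);
        if (ok) continue;
        g->violations++;
        g->last_violation = r->name;
        return true;
    }
    return false;
}

/* Constructed demo: a syscall-table hook and a page-fault handler hijack
 * hidden among ordinary traffic. Addresses are made up for the example. */
static const uint64_t legit_pf_handler[] = { 0xffffffff81040000ULL };

static unsigned run_demo(guard_t *g) {
    guard_init(g);
    guard_add_rule(g, (guard_rule_t){ "sys_call_table", 0x1800000ULL, 0x1801000ULL,
                                      RULE_IMMUTABLE, NULL, 0 });
    guard_add_rule(g, (guard_rule_t){ "idt_pf_entry", 0x1900000ULL, 0x1900010ULL,
                                      RULE_ALLOWLIST, legit_pf_handler, 1 });
    const mem_txn_t trace[] = {
        { OP_READ,  0x1800010ULL, 0 },                       /* reading the table: fine */
        { OP_WRITE, 0x2000000ULL, 0x1234ULL },               /* unrelated data: fine */
        { OP_WRITE, 0x1800040ULL, 0xffffffff8181beefULL },   /* syscall slot hooked: violation */
        { OP_WRITE, 0x1900000ULL, 0xffffffff81040000ULL },   /* known handler: fine */
        { OP_WRITE, 0x1900000ULL, 0xffffffff8181dea0ULL },   /* handler hijacked: violation */
    };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        guard_check(g, &trace[i]);
    return g->violations;
}

/* Number of violations flagged on the constructed trace. */
unsigned demo_guard(void) { guard_t g; return run_demo(&g); }

/* Name of the rule the last violation on that trace matched. */
const char *demo_last_violation(void) {
    static guard_t g;
    run_demo(&g);
    return g.last_violation;
}
```

Two properties of the real design follow directly from this shape. First, the guard works on physical addresses, so whoever programs it must resolve the kernel's and hypervisor's control-data symbols to physical ranges and reload the table if they move. Second, a monitor that sits on the DIMM side only sees traffic that actually reaches DRAM: a modification that stays in a write-back cache is invisible to it until the line is evicted, and what it provides is detection of the write, not prevention. Both points are general to DIMM-side monitoring and are not claims about how MGuard handles them.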

Published in

ISCA '13: Proceedings of the 40th Annual International Symposium on Computer Architecture, June 2013, 686 pages. ISBN 9781450320795, DOI 10.1145/2485922.

Also in ACM SIGARCH Computer Architecture News, Volume 41, Issue 3 (ISCA '13), June 2013, 666 pages. ISSN 0163-5964, DOI 10.1145/2508148.

        Copyright © 2013 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance rates: ISCA '13 accepted 56 of 288 submissions (19%); overall 543 of 3,203 submissions (17%).