ABSTRACT
In this paper, we present iCore, a novel continuous and proactive extrospection system with high visibility for IoT devices built on multi-core ARM platforms. Dedicated cores, named Isolated Cores, are configured to stay in the TrustZone secure world upon system boot and perform monitoring functions that extrospect the static kernel memory area of the normal world proactively, continuously, and stealthily. Unlike the existing TrustZone paradigm, in which the secure world serves as the slave of the normal world, iCore makes the secure world play the master role. Therefore, iCore remains stealthy and proactive in performing its monitoring functions. The evaluation results show that iCore is effective and imposes negligible performance degradation, as measured with the SPEC CPU2017 benchmark.
Index Terms
- iCore: continuous and proactive extrospection on multi-core IoT devices