ABSTRACT
Hardware debugging facilities, such as watchpoints, have been used for software development and analysis. In this paper, we expanded the use of watchpoints as a hardware security primitive for enhancing the runtime security of mobile devices. By analyzing the watchpoints in detail, we derived useful watchpoint properties that can be exploited to build security applications. Based on our analysis, we designed example applications for hardening the OS kernel by exploiting watchpoints. The proposed applications were implemented on a Juno development board with 64-bit ARM architecture (ARMv8). Hardening the kernel by fully enabling the proposed schemes was found to impose reasonable overhead, i.e., 3% with SPEC CPU2006.
- 2018. ARM Architecture Reference Manual ARMv8, for ARMv8-A architecture profile. (May 2018). https://developer.arm.com/docs/ddi0487/latest/arm-architecture-reference-manual-armv8-for-armv8-a-architecture-profileGoogle Scholar
- 2018. ARM Cortex -A Series: Programmer's Guide for ARMv8-A. (May 2018). http://infocenter.arm.com/help/topic/com.arm.doc.den0024a/DEN0024A_v8_architecture_PG.pdfGoogle Scholar
- 2018. Efficient Application Processors for Every Level of Performance. (May 2018). https://www.arm.com/products/processors/cortex-aGoogle Scholar
- 2018. Exploit Methods/Userspace data usage. (May 2018). https://kernsec.org/wiki/index.php/Exploit_Methods/Userspace_data_usageGoogle Scholar
- 2018. Introduction to Intel Memory Protection Extensions. (May 2018). https://software.intel.com/en-us/articles/introduction-to-intel-memory-protection-extensionsGoogle Scholar
- 2018. Juno ARM Development Platform SoC. (May 2018). https://www.arm.com/files/pdf/DDI0515D1a_juno_arm_development_platform_soc_trm.pdfGoogle Scholar
- 2018. Lifting the (Hyper) Visor: Bypassing Samsungąŕs Real-Time Kernel Protection. (May 2018). https://googleprojectzero.blogspot.com/2017/02/lifting-hyper-visor-bypassing-samsungs.htmlGoogle Scholar
- 2018. Literal pools. (May 2018). http://www.keil.com/support/man/docs/armasm/armasm_dom1359731147760.htmGoogle Scholar
- 2018. Racehound. (May 2018). https://github.com/kmrov/racehoundGoogle Scholar
- 2018. Real-time Kernel Protection (RKP). (May 2018). https://www.samsungknox.com/pt-br/blog/real-time-kernel-protection-rkpGoogle Scholar
- Ahmed M Azab, Peng Ning, Jitesh Shah, Quan Chen, Rohan Bhutkar, Guruprasad Ganesh, Jia Ma, and Wenbo Shen. 2014. Hypervision across worlds: real-time kernel protection from the ARM trustzone secure world. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM, 90--102. Google ScholarDigital Library
- Michael Backes, Thorsten Holz, Benjamin Kollenda, Philipp Koppe, Stefan Nürnberger, and Jannik Pewny. 2014. You can run but you can't read: Preventing disclosure exploits in executable code. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM, 1342--1353. Google ScholarDigital Library
- Kjell Braden, Lucas Davi, Christopher Liebchen, Ahmad-Reza Sadeghi, Stephen Crane, Michael Franz, and Per Larsen. 2016. Leakage-Resilient Layout Randomization for Mobile Devices.. In NDSS.Google Scholar
- Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, and Long Lu. 2016. Shreds: Fine-grained Execution Units with Private Memory. In Security and Privacy, 2016. SP 2016. IEEE Symposium on. IEEE.Google ScholarCross Ref
- Yaohui Chen, Dongli Zhang, Ruowen Wang, Rui Qiao, Ahmed M Azab, Long Lu, Hayawardh Vijayakumar, and Wenbo Shen. 2017. NORAX: Enabling execute-only memory for COTS binaries on AArch64. In Security and Privacy (SP), 2017 IEEE Symposium on. IEEE, 304--319.Google ScholarCross Ref
- Lee Chew and David Lie. 2010. Kivati: fast detection and prevention of atomicity violations. In Proceedings of the 5th European conference on Computer systems. ACM, 307--320. Google ScholarDigital Library
- Patrick Colp, Jiawen Zhang, James Gleeson, Sahil Suneja, Eyal de Lara, Himanshu Raj, Stefan Saroiu, and Alec Wolman. 2015. Protecting Data on Smartphones and Tablets from Memory Attacks. In Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS '15). ACM, 177--189. Google ScholarDigital Library
- Stephen Crane, Christopher Liebchen, Andrei Homescu, Lucas Davi, Per Larsen, Ahmad-Reza Sadeghi, Stefan Brunthaler, and Michael Franz. 2015. Readactor: Practical code randomization resilient to memory disclosure. In Security and Privacy (SP), 2015 IEEE Symposium on. IEEE, 763--780. Google ScholarDigital Library
- Cristiano Giuffrida, Anton Kuijsten, and Andrew S Tanenbaum. 2012. Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization.. In USENIX Security Symposium. 475--490. Google ScholarDigital Library
- Jinsoo Jang and Brent Byunghoon Kang. 2018. Retrofitting the Partially Privileged Mode for TEE Communication Channel Protection. IEEE Transactions on Dependable and Secure Computing (05 2018).Google ScholarCross Ref
- Jinsoo Jang, Sunjune Kong, Minsu Kim, Daegyeong Kim, and Brent Byunghoon Kang. {n. d.}. SeCReT: Secure Channel between Rich Execution Environment and Trusted Execution Environment. In Proceedings of the 22nd Annual Network and Distributed System Security Symposium (NDSS'15), San Diego, CA.Google Scholar
- Kari Kostiainen, Jan-Erik Ekberg, N Asokan, and Aarne Rantala. 2009. Onboard credentials with open provisioning. In Proceedings of the 4th International Symposium on Information, Computer, and Communications Security. ACM, 104--115. Google ScholarDigital Library
- Aravind Machiry, Eric Gustafson, Chad Spensky, Christopher Salls, Nick Stephens, Ruoyu Wang, Antonio Bianchi, Yung Ryn Choe, Christopher Kruegel, and Giovanni Vigna. {n. d.}. BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments. In Proceedings of the 24th Annual Network and Distributed System Security Symposium (NDSS'17), San Diego, CA.Google Scholar
- Zhenyu Ning and Fengwei Zhang. 2017. Ninja: Towards transparent tracing and debugging on arm. In 26th USENIX Security Symposium (USENIX Security 17). Google ScholarDigital Library
- Marios Pomonis, Theofilos Petsios, Angelos D Keromytis, Michalis Polychronakis, and Vasileios P Kemerlis. 2017. kR^ X: Comprehensive Kernel Protection against Just-In-Time Code Reuse. In Proceedings of the Twelfth European Conference on Computer Systems. ACM, 420--436. Google ScholarDigital Library
- Masoud Rostami, Farinaz Koushanfar, and Ramesh Karri. 2014. A primer on hardware security: Models, methods, and metrics. Proc. IEEE 102, 8 (2014), 1283--1295.Google ScholarCross Ref
- Kevin Z Snow, Fabian Monrose, Lucas Davi, Alexandra Dmitrienko, Christopher Liebchen, and Ahmad-Reza Sadeghi. 2013. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In Security and Privacy (SP), 2013 IEEE Symposium on. IEEE, 574--588. Google ScholarDigital Library
- Jan Werner, George Baltas, Rob Dallara, Nathan Otterness, Kevin Z Snow, Fabian Monrose, and Michalis Polychronakis. 2016. No-execute-after-read: Preventing code disclosure in commodity software. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. ACM, 35--46. Google ScholarDigital Library
- Yajin Zhou, Xiaoguang Wang, Yue Chen, and Zhi Wang. 2014. Armlock: Hardware-based fault isolation for arm. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM, 558--569. Google ScholarDigital Library
- Revisiting the ARM Debug Facility for OS Kernel Security
Recommendations
VAX DEBUG: an interactive, symbolic, multilingual debugger
Proceedings of the ACM SIGSOFT/SIGPLAN software engineering symposium on high-level debuggingDigital Equipment Corporation's VAX-11 Debugger, usually called VAX DEBUG or simply DEBUG, is an interactive, symbolic, and multilingual debugger which runs on the VAX-11 series of computers under the VMS operating system. The following gives an ...
Comments