DOI: 10.1145/3339252.3340511
research-article

IO-Trust: An out-of-band trusted memory acquisition for intrusion detection and Forensics investigations in cloud IOMMU based systems

Published: 26 August 2019

Abstract

Modern malware is complex, stealthy, and employs anti-forensics techniques to evade detection. To detect malware, data must be collected that allows further analysis of the malware's behaviour. However, when both the malware and the detection system run in the same domain (the CPU), it is questionable whether the data produced by the acquisition method has not been tampered with. Hardware-based techniques, such as acquiring data out-of-band through a PCIe device, allow for data acquisition that is deemed trusted when the acquisition method does not rely on any data present in host memory. Unfortunately, in Input-Output Memory Management Unit (IOMMU) based systems, every peripheral access to host memory goes through a stage of translation by the IOMMU. The translation tables, which reside in the host's memory, are subject to malware control and hence are not trustworthy. In this paper we present a method that acquires the data reliably without depending on data residing in host memory, even when the IOMMU is used to restrict devices. We show how access to host physical memory is achieved and discuss why this is not a vulnerability on some platforms, but rather a powerful tool for securing data acquisition when the host is not trusted to perform the acquisition.
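The trust problem the abstract describes, as an added toy model (this is not the paper's code, and it does not reproduce the paper's mechanism for reaching host physical memory): a DMA-capable acquisition device reads host memory only through IOVAs, the IOMMU resolves those IOVAs by walking a table that itself lives in host memory, and kernel-level malware that can write host memory can therefore point the acquisition device at a pristine decoy page. The memory layout (KERNEL_PA, DECOY_PA, TABLE_PA), the single-level table format, and the "kernel text" bytes are all constructed for the example.

```python
"""Constructed model of out-of-band memory acquisition through an IOMMU.

Everything here is a simplification: one flat physical memory, a single-level
IOMMU table (one 64-bit entry per IOVA page), and a device that only ever
issues reads by IOVA. The point is that the translation table is host memory,
so whoever controls host memory controls what the device sees.
"""
import struct

PAGE_SIZE = 0x1000
ENTRY_SIZE = 8          # one 64-bit entry per IOVA page
PTE_PRESENT = 1 << 0    # low bit marks the entry valid; bits 12+ hold the page

# Constructed layout (assumption of this example, not real addresses).
KERNEL_PA = 0x10000     # page holding the kernel text being monitored
DECOY_PA = 0x20000      # spare page the rootkit turns into a pristine decoy
TABLE_PA = 0x30000      # the IOMMU translation table, also in host memory
ACQ_IOVA = 0x0          # the only IOVA the acquisition device is allowed to read

# Constructed "kernel text": a marker followed by 16 bytes of NOP padding.
CLEAN_TEXT = b"KERNEL_TEXT:sys_call_table:" + b"\x90" * 16
# Same length, but the first 5 padding bytes replaced by a jump-style hook.
HOOKED_TEXT = b"KERNEL_TEXT:sys_call_table:" + b"\xe9HOOK" + b"\x90" * 11
assert len(CLEAN_TEXT) == len(HOOKED_TEXT)


class HostMemory:
    """Flat physical memory. Kernel-level code (and so a rootkit) can write
    any of it, including the IOMMU table."""

    def __init__(self, size):
        self.buf = bytearray(size)

    def read(self, pa, n):
        if pa < 0 or pa + n > len(self.buf):
            raise ValueError("physical read out of range: %#x" % pa)
        return bytes(self.buf[pa:pa + n])

    def write(self, pa, data):
        if pa < 0 or pa + len(data) > len(self.buf):
            raise ValueError("physical write out of range: %#x" % pa)
        self.buf[pa:pa + len(data)] = data


def make_pte(pa_page):
    """Encode a present entry pointing at a page-aligned physical page."""
    if pa_page % PAGE_SIZE:
        raise ValueError("page not aligned: %#x" % pa_page)
    return pa_page | PTE_PRESENT


class IOMMU:
    """Resolves device IOVAs by reading the table at root_pa from host memory.
    The walk itself is a host-memory read, which is the trust problem."""

    def __init__(self, mem, root_pa):
        self.mem = mem
        self.root_pa = root_pa

    def translate(self, iova):
        idx = iova // PAGE_SIZE
        raw = self.mem.read(self.root_pa + idx * ENTRY_SIZE, ENTRY_SIZE)
        (entry,) = struct.unpack("<Q", raw)
        if not entry & PTE_PRESENT:
            raise PermissionError("IOMMU fault: IOVA %#x not mapped" % iova)
        return (entry & ~(PAGE_SIZE - 1)) | (iova % PAGE_SIZE)


def device_dma_read(iommu, iova, n):
    """What a PCIe acquisition device does: read n bytes starting at an IOVA.
    The device never sees physical addresses; the IOMMU picks them."""
    out = bytearray()
    while n:
        pa = iommu.translate(iova)
        chunk = min(n, PAGE_SIZE - pa % PAGE_SIZE)
        out += iommu.mem.read(pa, chunk)
        iova += chunk
        n -= chunk
    return bytes(out)


def build_system():
    """Clean host: kernel page populated, IOVA page 0 mapped to it."""
    mem = HostMemory(0x40000)
    mem.write(KERNEL_PA, CLEAN_TEXT)
    mem.write(TABLE_PA, struct.pack("<Q", make_pte(KERNEL_PA)))
    return mem, IOMMU(mem, TABLE_PA)


def rootkit_hide(mem):
    """Kernel-level malware: save a clean copy, patch the real kernel page,
    then rewrite the IOMMU entry so the device's IOVA resolves to the copy."""
    mem.write(DECOY_PA, mem.read(KERNEL_PA, len(CLEAN_TEXT)))
    mem.write(KERNEL_PA, HOOKED_TEXT)
    mem.write(TABLE_PA, struct.pack("<Q", make_pte(DECOY_PA)))


def acquire_via_iommu(iommu):
    """Out-of-band acquisition whose addressing depends on host memory."""
    return device_dma_read(iommu, ACQ_IOVA, len(CLEAN_TEXT))


def acquire_by_physical_address(mem):
    """What a trustworthy acquisition must achieve: a read by host physical
    address that consults nothing the host can rewrite. In this toy it is a
    direct read; how a device gets such access on real platforms is the
    paper's subject and is not modelled here."""
    return mem.read(KERNEL_PA, len(CLEAN_TEXT))


def demo():
    mem, iommu = build_system()
    before = acquire_via_iommu(iommu)
    rootkit_hide(mem)
    return {
        "before_infection": before,
        "iommu_path_after": acquire_via_iommu(iommu),
        "physical_after": acquire_by_physical_address(mem),
    }


if __name__ == "__main__":
    for name, data in demo().items():
        print("%-18s hook present: %s" % (name, b"HOOK" in data))
```

The IOMMU path returns byte-identical "clean" kernel text after the infection, so an analyst comparing it against a known-good image would see nothing; only the read that bypasses the host-resident table shows the hook. That is the gap between "out-of-band" and "trusted" that the abstract draws.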


Cited By

  • (2022) BiSHM: Evidence detection and preservation model for cloud forensics. Open Computer Science 12(1), 154-170. doi:10.1515/comp-2022-0241. Online publication date: 16 May 2022
  • (2020) Cyber security threats, challenges and defence mechanisms in cloud computing. IET Communications 14(7), 1185-1191. doi:10.1049/iet-com.2019.0040. Online publication date: April 2020


      Published In

      ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security
      August 2019
      979 pages
      ISBN: 9781450371643
      DOI: 10.1145/3339252

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. Cloud Forensics
      2. IOMMU
      3. Out-of-band hardware
      4. data acquisition
      5. memory acquisition

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      ARES '19

      Acceptance Rates

      Overall Acceptance Rate 228 of 451 submissions, 51%
