Análise de malware com suporte de hardware

Orientadores: Paulo Lício de Geus, André Ricardo Abed GrégioDissertação (mestrado) - Universidade Estadual de Campinas, Instituto de ComputaçãoResumo: O mundo atual é impulsionado pelo uso de sistemas computacionais, estando estes pre- sentes em todos aspectos da vida cotidiana. Portanto, o correto funcionamento destes é essencial para se assegurar a manutenção das possibilidades trazidas pelos desenvolvi- mentos tecnológicos. Contudo, garantir o correto funcionamento destes não é uma tarefa fácil, dado que indivíduos mal-intencionados tentam constantemente subvertê-los visando benefíciar a si próprios ou a terceiros. Os tipos mais comuns de subversão são os ataques por códigos maliciosos (malware), capazes de dar a um atacante controle total sobre uma máquina. O combate à ameaça trazida por malware baseia-se na análise dos artefatos coletados de forma a permitir resposta aos incidentes ocorridos e o desenvolvimento de contramedidas futuras. No entanto, atacantes têm se especializado em burlar sistemas de análise e assim manter suas operações ativas. Para este propósito, faz-se uso de uma série de técnicas denominadas de "anti-análise", capazes de impedir a inspeção direta dos códigos maliciosos. Dentre essas técnicas, destaca-se a evasão do processo de análise, na qual são empregadas exemplares capazes de detectar a presença de um sistema de análise para então esconder seu comportamento malicioso. Exemplares evasivos têm sido cada vez mais utilizados em ataques e seu impacto sobre a segurança de sistemas é considerá- vel, dado que análises antes feitas de forma automática passaram a exigir a supervisão de analistas humanos em busca de sinais de evasão, aumentando assim o custo de se manter um sistema protegido. As formas mais comuns de detecção de um ambiente de análise se dão através da detecção de: (i) código injetado, usado pelo analista para inspecionar a aplicação; (ii) máquinas virtuais, usadas em ambientes de análise por questões de escala; (iii) efeitos colaterais de execução, geralmente causados por emuladores, também usados por analistas. Para lidar com malware evasivo, analistas tem se valido de técnicas ditas transparentes, isto é, que não requerem injeção de código nem causam efeitos colaterais de execução. Um modo de se obter transparência em um processo de análise é contar com suporte do hardware. Desta forma, este trabalho versa sobre a aplicação do suporte de hardware para fins de análise de ameaças evasivas. No decorrer deste texto, apresenta-se uma avaliação das tecnologias existentes de suporte de hardware, dentre as quais máqui- nas virtuais de hardware, suporte de BIOS e monitores de performance. A avaliação crítica de tais tecnologias oferece uma base de comparação entre diferentes casos de uso. Além disso, são enumeradas lacunas de desenvolvimento existentes atualmente. Mais que isso, uma destas lacunas é preenchida neste trabalho pela proposição da expansão do uso dos monitores de performance para fins de monitoração de malware. Mais especificamente, é proposto o uso do monitor BTS para fins de construção de um tracer e um debugger. O framework proposto e desenvolvido neste trabalho é capaz, ainda, de lidar com ataques do tipo ROP, um dos mais utilizados atualmente para exploração de vulnerabilidades. A avaliação da solução demonstra que não há a introdução de efeitos colaterais, o que per- mite análises de forma transparente. Beneficiando-se desta característica, demonstramos a análise de aplicações protegidas e a identificação de técnicas de evasãoAbstract: Today¿s world is driven by the usage of computer systems, which are present in all aspects of everyday life. Therefore, the correct working of these systems is essential to ensure the maintenance of the possibilities brought about by technological developments. However, ensuring the correct working of such systems is not an easy task, as many people attempt to subvert systems working for their own benefit. The most common kind of subversion against computer systems are malware attacks, which can make an attacker to gain com- plete machine control. The fight against this kind of threat is based on analysis procedures of the collected malicious artifacts, allowing the incident response and the development of future countermeasures. However, attackers have specialized in circumventing analysis systems and thus keeping their operations active. For this purpose, they employ a series of techniques called anti-analysis, able to prevent the inspection of their malicious codes. Among these techniques, I highlight the analysis procedure evasion, that is, the usage of samples able to detect the presence of an analysis solution and then hide their malicious behavior. Evasive examples have become popular, and their impact on systems security is considerable, since automatic analysis now requires human supervision in order to find evasion signs, which significantly raises the cost of maintaining a protected system. The most common ways for detecting an analysis environment are: i) Injected code detec- tion, since injection is used by analysts to inspect applications on their way; ii) Virtual machine detection, since they are used in analysis environments due to scalability issues; iii) Execution side effects detection, usually caused by emulators, also used by analysts. To handle evasive malware, analysts have relied on the so-called transparent techniques, that is, those which do not require code injection nor cause execution side effects. A way to achieve transparency in an analysis process is to rely on hardware support. In this way, this work covers the application of the hardware support for the evasive threats analysis purpose. In the course of this text, I present an assessment of existing hardware support technologies, including hardware virtual machines, BIOS support, performance monitors and PCI cards. My critical evaluation of such technologies provides basis for comparing different usage cases. In addition, I pinpoint development gaps that currently exists. More than that, I fill one of these gaps by proposing to expand the usage of performance monitors for malware monitoring purposes. More specifically, I propose the usage of the BTS monitor for the purpose of developing a tracer and a debugger. The proposed framework is also able of dealing with ROP attacks, one of the most common used technique for remote vulnerability exploitation. The framework evaluation shows no side-effect is introduced, thus allowing transparent analysis. Making use of this capability, I demonstrate how protected applications can be inspected and how evasion techniques can be identifiedMestradoCiência da ComputaçãoMestre em Ciência da ComputaçãoCAPE

Development of a multi-core and multi-accelerator platform for approximate computing

Proyecto de graduación (Licenciatura en Ingeniería en Electrónica) Instituto Tecnológico de Costa Rica, Escuela de Ingeniería Electrónica, 2017.Changing environment in the current technologies have introduce a gap between the ever growing needs of users and the state of present designs. As high data and hard computation applications moved forward in the near future, the current trend reaches for a greater performance. Approximate computing enters this scheme to boost a system overall attributes, while working with intrinsic and error tolerable characteristics both in software and hardware. This work proposes a multicore and multi-accelerator platform design that uses both exact and approximate versions, also providing interaction with a software counterpart to ensure usage of both layouts. A set of five di↵erent approximate accelerator versions and one exact, are present for three di↵erent image processing filters, Laplace, Sobel and Gauss, along with their respective characterization in terms of Power, Area and Delay time. This will show better results for design versions 2 and 3. Later it will be seen three di↵erent interfaces designs for accelerators along with a softcore processor, Altera’s NIOS II. Results gathered demonstrate a definitively improvement while using approximate accelerators in comparison with software and exact accelerator implementations. Memory accessing and filter operations times, for two di↵erent matrices sizes, present a gain of 500, 2000 and 1500 cycles measure for Laplace, Gauss and Sobel filters respectively, while contrasting software times, and a range of 28-84, 20-40 and 68-100 ticks decrease against the use of an exact accelerator

Wireless System on Virtual Platform Evaluation

The most common way to develop System-on-Chip's (SoC) today is to utilize hardware design on a Field programmable gate array (FPGA). By utilizing the hardware on an FPGA, the opportunity to verify the hardware and start software design before implementing the final solution on silicon is possible. However, using an FPGA as a reference model for a final design gives a slightly imprecise estimation regarding required hardware such as memory and bus sizes. Trying to counteract this weakness, specific Electronic System-Level (ESL) Design tools has been developed in order to simplify production and increase capabilities to analyze and optimize during the developing phase. ARM SoC Designer is such a tool which provides a virtual environment for simulation of integrated SoC’s to simulate whole systems at a cycle accurate level. This Master's Thesis intend to evaluate ARM SoC Designer aspects and validity as an alternative to an FPGA when implementing and verifying a larger SoC system. To provide a thorough assessment of ARM SoC Designer, a cycle accurate model of the digital signal processing system of a general NB-IoT system was to be built and verified. Results shown, reveal that an implementation in ARM SoC Designer can be a valid representation of a preexisting wireless NB-IoT system currently developed on an FPGA board. Also that SoC Designer adds some very useful functionalities to traditional SoC development techniques but not without some significant flaws.With rising complexity and highly competitive market of integrated circuits, new techniques to develop embedded systems are always needed in order to secure the quality and to streamline the production of circuits. The tool ARM SoC Designer tries to accomplish this through adjusting traditional System-on-Chip development by adding debugging and troubleshooting capabilities not present in current design techniques. The question is, will the use of SoC Designer help? A System-on-Chip (SoC) is an especially designed chip that combines required electronic circuits of different components onto a single integrated chip, usually not bigger than a thumbnail. By directly building a chip containing all desired components instead of assemble multiple chips together makes it possible to manufacture the chips as small as possible and at the same time make them faster and more energy efficient than before. But the tininess of a SoC and the numerous amount components it is going to contain makes it also to a very complex system with a long and expensive developing process, where faults and errors are very hard to find and eliminate. The procedure of designing and developing SoC have been almost the same for a very long time. But with the rising demands on chips with more capacity in less area puts a lot of pressure on the manufacturers in the industry. Therefore manufacturers and developers have been starting to look for better design tools to increase the possibility to analyze and optimize during development. One of these tools are ARM SoC Designer which provides a virtual environment for simulation of integrated SoC's with the promise of great debugging and verifying capabilities. ARM SoC Designer are able to do this by allowing the user to simulate the process step by step and to easily modify system parameters. In order to evaluate ARM SoC Designer, a virtual model of an existing wireless system was built, tested and verified in the virtual environment. Different tests to analyze performance, accuracy, and debug- and troubleshooting capabilities were constructed and performed. With results showing great promise in categories accuracy and debugging, but left some things to be desired with performance and usability. This thesis can confirm that ARM SoC Designer does deliver an accurate representation of a SoC and that the verification capabilities are extremely helpful during implementation and testing. But, at the current performance in combination with a less good user experience, a steep learning curve and scarce documentation makes it difficult to recommend during a daily development basis. However, ARM SoC Designer shows a lot of promise if the usability can be enhanced slightly and performance be improved upon to such an extent that downtime of simulations won't be the majority of time consumed during usage

Design of an Embedded Readout System for the ALOFT Gamma-Ray Detector Instrument

Birkeland Center for Space Science has proposed a campaign known as the Airborne Lightning Observatory for FEGS & TGFs (ALOFT) to study Terrestrial Gamma-Ray Flashes (TGFs). TGFs are the most energetic natural phenomena occurring in the Earth’s atmosphere, and are important to our knowledge about the relationship between the Earth and space. The ALOFT campaign will use a gamma-ray detector instrument built by the University of Bergen which will be mounted to the NASA ER-2 High-Altitude Airborne Science Aircraft. This work covers the design and development of the embedded software used to offload and operate the detector readout system of said instrument. A similar instrument was built and flown in 2017. The new instrument differs from this by being implemented on a System on a Chip (SoC) embedded platform, reusing relevant modules from the old instrument. The software has been implemented with the FreeRTOS Realtime Operating System (RTOS). Design considerations to limit complexity, and the impact of the radiation environment the instrument is to be operated in, has been performed trough implementation of a checksum algorithm, cyclic rewriting of registers, and modular design strategies. A verification system has been realized with a prototype hardware setup, in which test systems has been added to process synthetic TGF-events in the software and hardware. Test with emulated data and a Telnet control interface has been successfully implemented. The current implementation focuses on modularity, and thus offers a very good framework for further development of the instrument when campaign specifications are decided.Masteroppgåve i fysikkMAMN-PHYSPHYS39

Enhanced performance simulation of diesel engines

SIGLEAvailable from British Library Document Supply Centre- DSC:DX90577 / BLDSC - British Library Document Supply CentreGBUnited Kingdo

Towards Intelligent Data Acquisition Systems with Embedded Deep Learning on MPSoC

Large-scale scientific experiments rely on dedicated high-performance data-acquisition systems to sample, readout, analyse, and store experimental data. However, with the rapid development in detector technology in various fields, the number of channels and the data rate are increasing. For trigger and control tasks data acquisition systems needs to satisfy real-time constraints, enable short-time latency and provide the possibility to integrate intelligent data processing. During recent years machine learning approaches have been used successfully in many applications. This dissertation will study how machine learning techniques can be integrated already in the data acquisition of large-scale experiments. A universal data acquisition platform for multiple data channels has been developed. Different machine learning implementation methods and application have been realized using this system. On the hardware side, recent FPGAs do not only provide high-performance parallel logic but more and more additional features, like ultra-fast transceivers and embedded ARM processors. TSMC\u27s 16nm FinFET Plus (16FF+) 3D transistor technology enables Xilinx in the Zynq UltraScale+ FPGA devices to increase the performance/watt ratio by 2 to 5 times compared to their previous generation. The selected main processor ZU11EG owns 32 GTH transceivers where each one could operate up to $16.3$ Gb/s and 16 GTY transceivers where each of them could operate up to $32.75$ Gb/s. These transceivers are routed to x16 lanes Gen $3$/$4$ PCIe, $12$ lanes full-duplex FireFly electrical/optical data link and VITA 57.4 FMC+ connector. The new Zynq UltraScale+ device provides at least three major advantages for advanced data acquisition systems: First, the 16nm FinFET+ programmable logic (PL) provides high-speed readout capabilities by high-speed transceivers; second, built-in quad-core 64-bit ARM Cortex-A53 processor enable host embedded Linux system. Thus, webservers, slow control and monitoring application could be realized in a embedded processor environment; third, the Zynq Multiprocessor System-on-Chip technology connects programmable logic and microprocessors. In this thesis, the benefits of such architectures for the integration of machine learning algorithms in data acquisition systems and control application are demonstrated. On the algorithm side, there have been many achievements in the field of machine learning over the last decades. Existing machine learning algorithms split into several categories depending on how the learning phase is organized: Supervised Learning, Unsupervised Learning, Semi-Supervised Learning and Reinforcement Learning. Most commonly used in scientific applications are supervised learning and reinforcement learning. Supervised learning learns from the labelled input and output, and generates a function that could predict the future different input to the appropriate output. A common application instance is a classification. They have a wide difference in basic math theory, training, inference, and their implementation. One of the natural solutions is Application Specific Integrated Circuit (ASIC) Artificial Intelligence (AI) chips. A typical example is the Google Tensor Processing Unit (TPU), it could cover the training and inference for both supervised learning and reinforcement learning. One of the major issues is that such chip could not provide high data transferring bandwidth other than high compute power. As a comparison, the Xilinx UltraScale+ FPGA could also provide raw compute power and efficiency for all different data types down to a single bit. From a deployment point of view, the training part of supervised learning is typically performed by CPU/GPU/TPU on a fixed dataset. For reinforcement learning, the training phase is more complex. The algorithm needs to periodically interact with the controlled system and execute a Markov Decision Process (MDP). There is no static training dataset, but it is obtained in real-time. The time slot between each step depends on the dynamics of the controlled system. The inference is also bound to this sampling time because the algorithm needs to interact with the environment and decide the appropriate action for a response, then a higher demand on time is proposed. This thesis gives solutions for both training and inference of reinforcement learning. At first, the requirements are analyzed, then the algorithm is deduced from scratch, and training on the PS part of Zynq device is implemented, meanwhile the inference at FPGA side is proposed which is similar solution compared with supervised learning. The results for Policy Gradient show a lot of improvement over a CPU/GPU-based machine learning framework. The Deep Deterministic Policy Gradient also has improvement regarding both training latency and stability. This implementation method provides a low-latency approach for reinforcement learning on-field training process

Multi-Client Embedded Telemetry System (MCETS)

The Multi-Client Embedded Telemetry System (MCETS) is an ultra-low-power prototype data acquisition system developed in collaboration with MIT Lincoln Laboratory for testing components of the Ballistic Missile Defense System. Capable of collecting both atmospheric and kinematic data, the MCETS incorporates a network of small modular clients that stream data to a server in real-time. This project is concerned with all aspects of the system, including defining the system\u27s functionality, designing the client hardware, developing firmware, and writing server-control software

Firmware and gateway for the ACE1 reconfigurable accelerator card

This thesis describes the continued work on the in-house designed FPGA based co-processor daughtercard referred to as ACE1. The aim: to create an ecosystem incorporating firmware, bootstrapping code, drivers and a development environment to create a seamless environment. Challenges in setting up and debugging the interface that connects the coprocessor daughtercard to the host server include: problems with the power network, the edge connectors and timing problems with the primary protocol which prevented host-based communications. The options include allowing the daughtercard to function in a stand-alone fashion and we present a gateware solution that allows users to select from a number of alternatives for each of the layers in the Open Systems Interconnect networking model