4,994 research outputs found
Securing Arm Platform: From Software-Based To Hardware-Based Approaches
With the rapid proliferation of the ARM architecture on smart mobile phones and Internet of Things (IoT) devices, the security of ARM platform becomes an emerging problem. In recent years, the number of malware identified on ARM platforms, especially on Android, shows explosive growth. Evasion techniques are also used in these malware to escape from being detected by existing analysis systems.
In our research, we first present a software-based mechanism to increase the accuracy of existing static analysis tools by reassembleable bytecode extraction. Our solution collects bytecode and data at runtime, and then reassemble them offline to help static analysis tools to reveal the hidden behavior in an application.
Further, we implement a hardware-based transparent malware analysis framework for general ARM platforms to defend against the traditional evasion techniques. Our framework leverages hardware debugging features and Trusted Execution Environment (TEE) to achieve transparent tracing and debugging with reasonable overhead.
To learn the security of the involved hardware debugging features, we perform a comprehensive study on the ARM debugging features and summarize the security implications. Based on the implications, we design a novel attack scenario that achieves privilege escalation via misusing the debugging features in inter-processor debugging model.
The attack has raised our concern on the security of TEEs and Cyber-physical System (CPS). For a better understanding of the security of TEEs, we investigate the security of various TEEs on different architectures and platforms, and state the security challenges. A study of the deploying the TEEs on edge platform is also presented. For the security of the CPS, we conduct an analysis on the real-world traffic signal infrastructure and summarize the security problems
Open-TEE - An Open Virtual Trusted Execution Environment
Hardware-based Trusted Execution Environments (TEEs) are widely deployed in
mobile devices. Yet their use has been limited primarily to applications
developed by the device vendors. Recent standardization of TEE interfaces by
GlobalPlatform (GP) promises to partially address this problem by enabling
GP-compliant trusted applications to run on TEEs from different vendors.
Nevertheless ordinary developers wishing to develop trusted applications face
significant challenges. Access to hardware TEE interfaces are difficult to
obtain without support from vendors. Tools and software needed to develop and
debug trusted applications may be expensive or non-existent.
In this paper, we describe Open-TEE, a virtual, hardware-independent TEE
implemented in software. Open-TEE conforms to GP specifications. It allows
developers to develop and debug trusted applications with the same tools they
use for developing software in general. Once a trusted application is fully
debugged, it can be compiled for any actual hardware TEE. Through performance
measurements and a user study we demonstrate that Open-TEE is efficient and
easy to use. We have made Open- TEE freely available as open source.Comment: Author's version of article to appear in 14th IEEE International
Conference on Trust, Security and Privacy in Computing and Communications,
TrustCom 2015, Helsinki, Finland, August 20-22, 201
PerfWeb: How to Violate Web Privacy with Hardware Performance Events
The browser history reveals highly sensitive information about users, such as
financial status, health conditions, or political views. Private browsing modes
and anonymity networks are consequently important tools to preserve the privacy
not only of regular users but in particular of whistleblowers and dissidents.
Yet, in this work we show how a malicious application can infer opened websites
from Google Chrome in Incognito mode and from Tor Browser by exploiting
hardware performance events (HPEs). In particular, we analyze the browsers'
microarchitectural footprint with the help of advanced Machine Learning
techniques: k-th Nearest Neighbors, Decision Trees, Support Vector Machines,
and in contrast to previous literature also Convolutional Neural Networks. We
profile 40 different websites, 30 of the top Alexa sites and 10 whistleblowing
portals, on two machines featuring an Intel and an ARM processor. By monitoring
retired instructions, cache accesses, and bus cycles for at most 5 seconds, we
manage to classify the selected websites with a success rate of up to 86.3%.
The results show that hardware performance events can clearly undermine the
privacy of web users. We therefore propose mitigation strategies that impede
our attacks and still allow legitimate use of HPEs
Resilient self-debugging software protection
Debuggers are a popular reverse engineering and tampering tool. Self-debugging is an effective technique for applications to defend themselves against hostile debuggers. In penetration tests on state-of-the-art self-debugging, we observed several opportunities through which it could be attacked, however. We therefore improved upon the existing technique, making it more resilient by introducing reciprocal debugging and making the transfers of control between protected application and self-debugger more stealthy. This paper presents the improved self-debugging design, and details our research efforts into realizing reciprocal debugging. In our evaluation we show that the improved design is significantly harder for attackers to defeat
HyperDbg: Reinventing Hardware-Assisted Debugging (Extended Version)
Software analysis, debugging, and reverse engineering have a crucial impact
in today's software industry. Efficient and stealthy debuggers are especially
relevant for malware analysis. However, existing debugging platforms fail to
address a transparent, effective, and high-performance low-level debugger due
to their detectable fingerprints, complexity, and implementation restrictions.
In this paper, we present HyperDbg, a new hypervisor-assisted debugger for
high-performance and stealthy debugging of user and kernel applications. To
accomplish this, HyperDbg relies on state-of-the-art hardware features
available in today's CPUs, such as VT-x and extended page tables. In contrast
to other widely used existing debuggers, we design HyperDbg using a custom
hypervisor, making it independent of OS functionality or API. We propose
hardware-based instruction-level emulation and OS-level API hooking via
extended page tables to increase the stealthiness. Our results of the dynamic
analysis of 10,853 malware samples show that HyperDbg's stealthiness allows
debugging on average 22% and 26% more samples than WinDbg and x64dbg,
respectively. Moreover, in contrast to existing debuggers, HyperDbg is not
detected by any of the 13 tested packers and protectors. We improve the
performance over other debuggers by deploying a VMX-compatible script engine,
eliminating unnecessary context switches. Our experiment on three concrete
debugging scenarios shows that compared to WinDbg as the only kernel debugger,
HyperDbg performs step-in, conditional breaks, and syscall recording, 2.98x,
1319x, and 2018x faster, respectively. We finally show real-world applications,
such as a 0-day analysis, structure reconstruction for reverse engineering,
software performance analysis, and code-coverage analysis
Glider: A GPU Library Driver for Improved System Security
Legacy device drivers implement both device resource management and
isolation. This results in a large code base with a wide high-level interface
making the driver vulnerable to security attacks. This is particularly
problematic for increasingly popular accelerators like GPUs that have large,
complex drivers. We solve this problem with library drivers, a new driver
architecture. A library driver implements resource management as an untrusted
library in the application process address space, and implements isolation as a
kernel module that is smaller and has a narrower lower-level interface (i.e.,
closer to hardware) than a legacy driver. We articulate a set of device and
platform hardware properties that are required to retrofit a legacy driver into
a library driver. To demonstrate the feasibility and superiority of library
drivers, we present Glider, a library driver implementation for two GPUs of
popular brands, Radeon and Intel. Glider reduces the TCB size and attack
surface by about 35% and 84% respectively for a Radeon HD 6450 GPU and by about
38% and 90% respectively for an Intel Ivy Bridge GPU. Moreover, it incurs no
performance cost. Indeed, Glider outperforms a legacy driver for applications
requiring intensive interactions with the device driver, such as applications
using the OpenGL immediate mode API
- …