6 research outputs found

    Application-Specific Hardware Modules for Efficient and Practical Security Monitoring on a System-on-Chip

    Thesis (Ph.D.) -- Seoul National University Graduate School: Department of Electrical and Computer Engineering, February 2016. 백윤흥 (Yunheung Paek).

    Many researchers have proposed the concept of security monitoring, which watches the execution behavior of a program (e.g., its control flow or data flow) running on the machine in order to detect malicious attacks. Among the approaches proposed in the literature, software-based ones are known to be relatively easy to adopt in commercial products, but they may incur tremendous runtime overhead. Although many hardware-based solutions provide high performance, their inherent problem is that they usually mandate drastic changes to the internal processor architecture. More recent proposals that try to minimize such changes use external devices for security monitoring. However, these approaches intrinsically suffer from the high overhead of communicating with the external devices. Consequently, they either lose significant performance or inevitably make invasive modifications inside the processor. In this thesis, I propose several approaches to efficient security monitoring in which external hardware engines carry out the monitoring task. The main priority in designing the engines is not to require any modification to the internals of the host processor core. Thus, the engines introduced in this thesis are designed as external hardware modules and are integrated with the host processor through interfaces that already exist in the system. Following this rule, I explored the architectural design space for the engine, and three types of such approaches are presented in this thesis. Starting from a hardware engine that utilizes only the system bus, I move on to the final solution, which exploits the debug interface of a commercial processor. From this design exploration, the thesis shows various design decisions that can be applied in current commercial platforms.

    Table of Contents
    Chapter 1 Introduction 1
    Chapter 2 Implementing an Application Specific Instruction-set Processor for System Level Dynamic Program Analysis Engines 6
    2.1 Introduction 6
    2.2 Backgrounds 11
    2.2.1 Understanding Tag-based DPA Techniques 11
    2.2.2 DPA Execution on a System-Level Hardware Engine 12
    2.3 System-Level Programmable DPA Engine for Extendibility 14
    2.3.1 Overall System Design with PAU 14
    2.3.2 Execution Trace Communication 17
    2.3.3 Synchronization and Multi-threading Support 18
    2.4 Tag Processing Core 20
    2.4.1 TPC Instruction-Set Architecture 20
    2.4.2 TPC Microarchitecture 25
    2.5 Case Studies 27
    2.5.1 Case Study 1: DIFT for Data Leak Prevention 27
    2.5.2 Case Study 2: Uninitialized Memory Checking 33
    2.5.3 Case Study 3: Bound Checking 36
    2.6 Implementing Optimizations for DIFT with TPC 38
    2.6.1 Function Level Tag Propagation Optimization 40
    2.6.2 Block Level Tag Propagation Optimization 42
    2.7 Experiment 45
    2.7.1 Prototype System 45
    2.7.2 Synthesis Results 46
    2.7.3 Performance Evaluation 47
    2.8 Related Works 53
    2.9 Chapter Summary 58
    Chapter 3 A Practical Solution to Detect Code Reuse Attacks on ARM Mobile Devices using an On-chip Debug Module 60
    3.1 Introduction 60
    3.2 Related Work and Assumptions 65
    3.2.1 Related Work 65
    3.2.2 Threat Model and Assumptions 67
    3.3 Architecture for ROP Detection 68
    3.3.1 Branch Trace Analyzer 70
    3.3.2 Shadow Call Stack 72
    3.4 Meta-data Construction 74
    3.4.1 Meta-data Structure 75
    3.4.2 Using Meta-data for ROP Monitoring 78
    3.5 Experimental Result 79
    3.6 Chapter Summary 82
    Chapter 4 Efficient Security Monitoring with Core Debug Interface in an Embedded Processor 84
    4.1 Introduction 84
    4.2 Background 86
    4.2.1 Control Flow Integrity Checking for Detecting Code Reuse Attacks 86
    4.2.2 Core Debug Interface 87
    4.3 Our Framework 88
    4.3.1 Overall Architecture 89
    4.3.2 CDI Filter and Trace FIFO 90
    4.3.3 Monitor Engine 91
    4.4 Building a DIFT Engine for CDI 91
    4.4.1 DIFT on Our Framework 92
    4.4.2 Design of our DIFT Engine 94
    4.5 Implementing a CRA Detection with CDI 98
    4.5.1 Branch Regulation on Our Framework 98
    4.5.2 Design of our CRA Detection Engine 100
    4.6 Experiment 105
    4.6.1 Prototype and Synthesis Result 105
    4.6.2 Experimental Results for DIFT 106
    4.6.3 Experimental Results for Branch Regulation 110
    4.7 Related Work 111
    4.8 Chapter Summary 114
    Chapter 5 Conclusion 116
    Bibliography 118
    Abstract (in Korean) 132
    Docto

    Detecting and Preventing Kernel Rootkit Attacks with Bus Snooping

    To protect the integrity of operating system kernels, we present the Vigilare system, a kernel integrity monitor architected to snoop the bus traffic of the host system from separate, independent hardware. This snoop-based monitoring, enabled by the Vigilare system, overcomes the limitations of the snapshot-based monitoring employed in previous kernel integrity monitoring solutions. Because they inspect snapshots collected at a fixed interval, the previous hardware-based monitoring solutions cannot detect transient attacks that occur between snapshots, and they cannot protect the kernel against permanent damage. We implemented three prototypes of the Vigilare system by adding a Snooper hardware connection module to the host system for bus snooping, together with a snapshot-based monitor for comparison, in order to evaluate the benefit of snoop-based monitoring. The Vigilare prototypes detected all of the transient attacks, and the second prototype protected the kernel with negligible performance degradation, whereas the snapshot-based monitor could not detect all of the attacks and induced considerable performance degradation of as much as 10 percent in our tuned STREAM benchmark test.

    Exploiting Both Pipelining and Data Parallelism with SIMD Reconfigurable

    Reconfigurable Architecture (RA), which provides extremely high energy efficiency for certain domains of applications, has one problem: current mapping algorithms for it do not scale well with the number of cores. One approach to this problem is the SIMD (Single Instruction Multiple Data) paradigm. However, SIMD can complicate the mapping problem by adding an additional dimension, i.e., iteration mapping, to the already interdependent problems of data mapping and operation mapping, and it can significantly affect performance through memory bank conflicts. In this paper we introduce the SIMD reconfigurable architecture, which allows SIMD mapping at multiple levels of granularity, and we investigate ways to minimize bank conflicts in a SIMD reconfigurable architecture with the related sub-problems taken into consideration. We further present data tiling and evaluate a conflict-free scheduling algorithm as a way to eliminate bank conflicts for a certain class of iteration and data mappings.

    Efficient Kernel Integrity Monitor Design for Commodity Mobile Application Processors

    In recent years, rootkits that undermine the integrity of a system by manipulating the OS kernel have become an increasing threat. To cope with rootkits, Vigilare proposed snoop-based monitoring, which snoops the memory traffic of the host system. Although that previous work demonstrated its detection capability and negligible performance loss, the problem is that its design is not acceptable in recent commodity mobile application processors (APs), which have become the de facto standard computing platform of smart devices. To mend this problem and adopt the idea of snoop-based monitoring in commercial products, in this paper we propose a snoop-based monitor design called S-Mon, which is designed for AP platforms. In designing S-Mon, we especially consider two design constraints of APs that were not addressed in Vigilare: the unified memory model and the crossbar switch interconnect. Taking those into account, we derive a more realistic architecture for snoop-based monitoring, and we also propose a new hardware module called the region controller. In our experiments on a simulation framework modeling a production-quality device, we show that S-Mon can detect the rootkit attacks while its runtime overhead remains negligible.

    KI-Mon ARM: A Hardware-assisted Event-triggered Monitoring Platform for Mutable Kernel Object

    External hardware-based kernel integrity monitors have been proposed to mitigate kernel-level malware. However, the existing external approaches have been limited to monitoring the static regions of the kernel, while the latest rootkits manipulate dynamic kernel objects. To address this issue, we present KI-Mon, a hardware-based platform that introduces event-triggered monitoring techniques for dynamic kernel objects. KI-Mon advances the bus traffic snooping technique so that it not only detects memory write traffic on the host bus but also filters out all but the meaningful traffic in order to generate events. We show how kernel invariant verification software can be developed around these events, and we also provide a set of APIs for developing additional invariant verification. We also report our findings and considerations on the unique challenges for external monitors, such as cache coherency and dynamic object tracing. We introduce host-side kernel changes that alleviate these issues, involving changes to the kernel's object allocation and cache policy control. We have built a prototype of KI-Mon on the ARM architecture to demonstrate the efficacy of KI-Mon's event-triggered mechanism in terms of the performance overhead for the monitored host system and the processor usage of the KI-Mon processor.