Application-Specific Hardware Modules for Efficient and Practical Security Monitoring on a System-on-Chip

Abstract

Doctoral thesis -- Seoul National University Graduate School, Department of Electrical and Computer Engineering, February 2016. Advisor: Yunheung Paek (백윤흥).

Many researchers have proposed the concept of security monitoring, which watches the execution behavior of a program (e.g., its control flow or data flow) running on the machine in order to detect malicious attacks. Among the approaches proposed in the literature, software-based ones are known to be relatively easy to adopt in commercial products, but they may incur tremendous runtime overhead. Many hardware-based solutions provide high performance, but their inherent problem is that they usually mandate drastic changes to the internal processor architecture. More recent work, aiming to minimize such changes, has proposed external devices for security monitoring. However, these approaches intrinsically suffer from the high overhead of communicating with their external devices. Consequently, they either lose significant performance or inevitably make invasive modifications to the processor internals. In this thesis, I propose several approaches to efficient security monitoring in which external hardware engines carry out the monitoring task. The main priority in designing the engines is that they must not require any modification to the internals of the host processor core. Thus, the engines introduced in this thesis are designed as external hardware modules and are integrated with the host processor through the interfaces that already exist in the system. Within this constraint, I explored the architectural design space for such engines, and this thesis presents three types of approaches. Starting from a hardware engine that uses only the system bus, I proceed to the final solution, which exploits the debug interface of a commercial processor.
Through this design exploration, the thesis shows various design decisions that can be applied to current commercial platforms.

Table of Contents

Chapter 1 Introduction 1
Chapter 2 Implementing an Application Specific Instruction-set Processor for System Level Dynamic Program Analysis Engines 6
  2.1 Introduction 6
  2.2 Background 11
    2.2.1 Understanding Tag-based DPA Techniques 11
    2.2.2 DPA Execution on a System-Level Hardware Engine 12
  2.3 System-Level Programmable DPA Engine for Extendibility 14
    2.3.1 Overall System Design with PAU 14
    2.3.2 Execution Trace Communication 17
    2.3.3 Synchronization and Multi-threading Support 18
  2.4 Tag Processing Core 20
    2.4.1 TPC Instruction-Set Architecture 20
    2.4.2 TPC Microarchitecture 25
  2.5 Case Studies 27
    2.5.1 Case Study 1: DIFT for Data Leak Prevention 27
    2.5.2 Case Study 2: Uninitialized Memory Checking 33
    2.5.3 Case Study 3: Bound Checking 36
  2.6 Implementing Optimizations for DIFT with TPC 38
    2.6.1 Function Level Tag Propagation Optimization 40
    2.6.2 Block Level Tag Propagation Optimization 42
  2.7 Experiment 45
    2.7.1 Prototype System 45
    2.7.2 Synthesis Results 46
    2.7.3 Performance Evaluation 47
  2.8 Related Work 53
  2.9 Chapter Summary 58
Chapter 3 A Practical Solution to Detect Code Reuse Attacks on ARM Mobile Devices using an On-chip Debug Module 60
  3.1 Introduction 60
  3.2 Related Work and Assumptions 65
    3.2.1 Related Work 65
    3.2.2 Threat Model and Assumptions 67
  3.3 Architecture for ROP Detection 68
    3.3.1 Branch Trace Analyzer 70
    3.3.2 Shadow Call Stack 72
  3.4 Meta-data Construction 74
    3.4.1 Meta-data Structure 75
    3.4.2 Using Meta-data for ROP Monitoring 78
  3.5 Experimental Result 79
  3.6 Chapter Summary 82
Chapter 4 Efficient Security Monitoring with Core Debug Interface in an Embedded Processor 84
  4.1 Introduction 84
  4.2 Background 86
    4.2.1 Control Flow Integrity Checking for Detecting Code Reuse Attacks 86
    4.2.2 Core Debug Interface 87
  4.3 Our Framework 88
    4.3.1 Overall Architecture 89
    4.3.2 CDI Filter and Trace FIFO 90
    4.3.3 Monitor Engine 91
  4.4 Building a DIFT Engine for CDI 91
    4.4.1 DIFT on Our Framework 92
    4.4.2 Design of our DIFT Engine 94
  4.5 Implementing a CRA Detection with CDI 98
    4.5.1 Branch Regulation on Our Framework 98
    4.5.2 Design of our CRA Detection Engine 100
  4.6 Experiment 105
    4.6.1 Prototype and Synthesis Result 105
    4.6.2 Experimental Results for DIFT 106
    4.6.3 Experimental Results for Branch Regulation 110
  4.7 Related Work 111
  4.8 Chapter Summary 114
Chapter 5 Conclusion 116
Bibliography 118
Abstract (in Korean) 132
