Efficient Security Monitoring with the Core Debug Interface in an Embedded Processor

For decades, various concepts in security monitoring have been proposed. In principle, they all in common in regard to the monitoring of the execution behavior of a program (e.g., control-flow or dataflow) running on the machine to find symptoms of attacks. Among the proposed monitoring schemes, software-based ones are known for their adaptability on the commercial products, but there have been concerns that they may suffer from nonnegligible runtime overhead. On the other hand, hardware-based solutions are recognized for their high performance. However, most of them have an inherent problem in that they usually mandate drastic changes to the internal processor architecture. More recent ones have strived to minimize such modifications by employing external hardware security monitors in the system. However, these approaches intrinsically suffer from the overhead caused by communication between the host and the external monitor. Our solution also relies on external hardware for security monitoring, but unlike the others, ours tackles the communication overhead by using the core debug interface (CDI), which is readily available in most commercial processors for debugging. We build our system simply by plugging our monitoring hardware into the processor via CDI, precluding the need for altering the processor internals. To validate the effectiveness of our approach, we implement two well-known monitoring techniques on our proposed framework: dynamic information flow tracking and branch regulation. The experimental results on our FPGA prototype show that our external hardware monitors efficiently perform monitoring tasks with negligible performance overhead, mainly with thanks to the support of CDI, which helps us reduce communication costs substantially.

[1]  Bei Yu,et al.  TaintTrace: Efficient Flow Tracing with Dynamic Binary Rewriting , 2006, 11th IEEE Symposium on Computers and Communications (ISCC'06).

[2]  Wei Liu,et al.  iWatcher: efficient architectural support for software debugging , 2004, Proceedings. 31st Annual International Symposium on Computer Architecture, 2004..

[3]  Kyungmin Kim,et al.  Towards a practical solution to detect code reuse attacks on ARM mobile devices , 2015, HASP@ISCA.

[4]  Per Larsen,et al.  Readactor: Practical Code Randomization Resilient to Memory Disclosure , 2015, 2015 IEEE Symposium on Security and Privacy.

[5]  David Zhang,et al.  Secure program execution via dynamic information flow tracking , 2004, ASPLOS XI.

[6]  Christoforos E. Kozyrakis,et al.  Raksha: a flexible information flow architecture for software security , 2007, ISCA '07.

[7]  Hovav Shacham,et al.  Return-oriented programming without returns , 2010, CCS '10.

[8]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[9]  G. Edward Suh,et al.  Flexible and Efficient Instruction-Grained Run-Time Monitoring Using On-Chip Reconfigurable Fabric , 2010, 2010 43rd Annual IEEE/ACM International Symposium on Microarchitecture.

[10]  Ian G. Harris,et al.  Control-flow checking for intrusion detection via a real-time debug interface , 2014, 2014 International Conference on Smart Computing Workshops.

[11]  Nicholas Nethercote,et al.  Using Valgrind to Detect Undefined Value Errors with Bit-Precision , 2005, USENIX Annual Technical Conference, General Track.

[12]  Mehmet Kayaalp,et al.  SCRAP: Architecture for signature-based protection from Code Reuse Attacks , 2013, 2013 IEEE 19th International Symposium on High Performance Computer Architecture (HPCA).

[13]  Hai Zhou,et al.  Parallel CAD: Algorithm Design and Programming Special Section Call for Papers TODAES: ACM Transactions on Design Automation of Electronic Systems , 2010 .

[14]  Onur Mutlu,et al.  Flexible reference-counting-based hardware acceleration for garbage collection , 2009, ISCA '09.

[15]  Cheng Wang,et al.  LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks , 2006, 2006 39th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'06).

[16]  Angelos D. Keromytis,et al.  Transparent ROP Exploit Mitigation Using Indirect Branch Tracing , 2013, USENIX Security Symposium.

[17]  Rajiv Gupta,et al.  Dynamic Information Flow Tracking on Multicores , 2008 .

[18]  Christoforos E. Kozyrakis,et al.  Decoupling Dynamic Information Flow Tracking with a dedicated coprocessor , 2009, 2009 IEEE/IFIP International Conference on Dependable Systems & Networks.

[19]  Trevor Mudge,et al.  MiBench: A free, commercially representative embedded benchmark suite , 2001 .

[20]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[21]  Gustavo Ribeiro Alves,et al.  Real-time fault injection using enhanced on-chip debug infrastructures , 2011, Microprocess. Microsystems.

[22]  Yunheung Paek,et al.  Implementing an Application-Specific Instruction-Set Processor for System-Level Dynamic Program Analysis Engines , 2015, ACM Trans. Design Autom. Electr. Syst..

[23]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[24]  Ahmad-Reza Sadeghi,et al.  Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications , 2015, 2015 IEEE Symposium on Security and Privacy.

[25]  Ben Niu,et al.  Modular control-flow integrity , 2014, PLDI.

[26]  Babak Falsafi,et al.  Flexible Hardware Acceleration for Instruction-Grain Program Monitoring , 2008, 2008 International Symposium on Computer Architecture.

[27]  Frank Piessens,et al.  Code Pointer Masking: Hardening Applications against Code Injection Attacks , 2011, DIMVA.

[28]  Milo M. K. Martin,et al.  Hardbound: architectural support for spatial safety of the C programming language , 2008, ASPLOS.

[29]  Michael Burrows,et al.  Eraser: a dynamic data race detector for multithreaded programs , 1997, TOCS.

[30]  Hovav Shacham,et al.  When good instructions go bad: generalizing return-oriented programming to RISC , 2008, CCS.

[31]  David A. Wagner,et al.  Control-Flow Bending: On the Effectiveness of Control-Flow Integrity , 2015, USENIX Security Symposium.

[32]  G. Edward Suh,et al.  High-performance parallel accelerator for flexible and efficient run-time monitoring , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012).

[33]  Guru Venkataramani,et al.  FlexiTaint: A programmable accelerator for dynamic taint propagation , 2008, 2008 IEEE 14th International Symposium on High Performance Computer Architecture.

[34]  Ahmad-Reza Sadeghi,et al.  MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones , 2012, NDSS.

[35]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[36]  Goutam Paul,et al.  CoARX: A coprocessor for ARX-based cryptographic algorithms , 2013, 2013 50th ACM/EDAC/IEEE Design Automation Conference (DAC).

[37]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[38]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[39]  Heng Yin,et al.  Panorama: capturing system-wide information flow for malware detection and analysis , 2007, CCS '07.

[40]  Lucas Davi,et al.  ROPdefender: a detection tool to defend against return-oriented programming attacks , 2011, ASIACCS '11.

[41]  Bing Mao,et al.  DROP: Detecting Return-Oriented Programming Malicious Code , 2009, ICISS.

[42]  Krste Asanovic,et al.  Mondrian memory protection , 2002, ASPLOS X.

[43]  Mehmet Kayaalp,et al.  Branch regulation: Low-overhead protection from code reuse attacks , 2012, 2012 39th Annual International Symposium on Computer Architecture (ISCA).

[44]  Stefan Savage,et al.  802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions , 2003, USENIX Security Symposium.

[45]  William A. Orme Debug and Trace for Multicore SoCs How to build an efficient and effective debug and trace system for complex , multicore SoCs , 2008 .

[46]  Alessandro Orso,et al.  Effective memory protection using dynamic tainting , 2007, ASE '07.

[47]  Ben Niu,et al.  Per-Input Control-Flow Integrity , 2015, CCS.

[48]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.

[49]  Roman L. Lysecky,et al.  Non-intrusive dynamic application profiling for multitasked applications , 2009, 2009 46th ACM/IEEE Design Automation Conference.

[50]  Ahmad-Reza Sadeghi,et al.  TyTAN: Tiny trust anchor for tiny devices , 2015, 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC).

[51]  Matteo Sonza Reorda,et al.  On the use of embedded debug features for permanent and transient fault resilience in microprocessors , 2012, Microprocess. Microsystems.

[52]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.

[53]  Per Larsen,et al.  Opaque Control-Flow Integrity , 2015, NDSS.

[54]  Calton Pu,et al.  Soft-Timer Driven Transient Kernel Control Flow Attacks and Defense , 2008, 2008 Annual Computer Security Applications Conference (ACSAC).

[55]  Yutao Liu,et al.  CFIMon: Detecting violation of control flow integrity using performance counters , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012).

[56]  Dawn Song,et al.  Privacy Scope: A Precise Information Flow Tracking System For Finding Application Leaks , 2009 .

[57]  Albert Meixner,et al.  Argus: Low-Cost, Comprehensive Error Detection in Simple Cores , 2007, 40th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO 2007).