Trustworthy Prevention of Code Injection in Linux on Embedded Devices

We present MProsper, a trustworthy system to prevent code injection in Linux on embedded devices. MProsper is a formally verified run-time monitor that forces an untrusted Linux to obey the executable space protection policy: a memory area can be either executable or writable, but not both. Executable space protection allows MProsper's monitor to intercept every change to executable code performed by a user application or by the Linux kernel. On top of this infrastructure, we use standard code signing to prevent code injection. MProsper is deployed on top of the Prosper hypervisor and is implemented as an isolated guest. MProsper therefore inherits the security properties verified for the hypervisor: (i) its code and data cannot be tampered with by the untrusted Linux guest, and (ii) all changes to the memory layout are intercepted, enabling MProsper to completely mediate every operation that could violate the desired security property. The verification of the monitor has been performed using the HOL4 theorem prover, by extending the existing formal model of the hypervisor with the formal specification of the high-level model of the monitor.
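As an added illustration, not MProsper's code (which is not reproduced on this page), the following Python model shows the two checks the abstract describes: a W^X rule applied to every mapping change, and a code-integrity check against a manifest before a page may become executable. The class and function names, the page size, the constructed sample pages, and the use of a plain SHA-256 allow-list in place of a verified signature over the manifest are assumptions of this toy model.

```python
import hashlib
from dataclasses import dataclass

PAGE_SIZE = 4096  # assumed page granularity for the toy model


@dataclass(frozen=True)
class Mapping:
    """A guest-requested mapping of one virtual page onto one physical page."""
    vpage: int
    ppage: int
    writable: bool
    executable: bool


class PolicyViolation(Exception):
    """Raised when the monitor refuses a mapping change or a write."""


class Monitor:
    """Hypothetical reference monitor: W^X on every mapping plus a hash check.

    `trusted_hashes` stands in for the signed code manifest. A real deployment
    would verify a signature over the manifest; here the list is assumed to be
    trusted input, so SHA-256 membership is the only check performed.
    """

    def __init__(self, memory, trusted_hashes):
        self.memory = memory          # physical page number -> bytearray
        self.trusted = set(trusted_hashes)
        self.mappings = {}            # vpage -> Mapping

    def _mapped_with(self, ppage, *, executable=None, writable=None):
        for m in self.mappings.values():
            if m.ppage != ppage:
                continue
            if executable is not None and m.executable == executable:
                return True
            if writable is not None and m.writable == writable:
                return True
        return False

    def map_page(self, m):
        # Rule 1: no single mapping is both writable and executable.
        if m.writable and m.executable:
            raise PolicyViolation(f"W+X requested for vpage {m.vpage:#x}")
        # Rule 1 across aliases: a physical page already mapped executable may
        # not gain a writable alias, and vice versa.
        if m.writable and self._mapped_with(m.ppage, executable=True):
            raise PolicyViolation(f"writable alias of executable ppage {m.ppage}")
        if m.executable and self._mapped_with(m.ppage, writable=True):
            raise PolicyViolation(f"executable alias of writable ppage {m.ppage}")
        # Rule 2: content becoming executable must match the manifest.
        if m.executable:
            digest = hashlib.sha256(bytes(self.memory[m.ppage])).hexdigest()
            if digest not in self.trusted:
                raise PolicyViolation(f"ppage {m.ppage} is not signed code")
        self.mappings[m.vpage] = m

    def unmap_page(self, vpage):
        self.mappings.pop(vpage, None)

    def write(self, vpage, offset, data):
        """Model a guest store: the MMU only lets it through a writable mapping."""
        m = self.mappings.get(vpage)
        if m is None or not m.writable:
            raise PolicyViolation(f"store to non-writable vpage {vpage:#x}")
        page = self.memory[m.ppage]
        page[offset:offset + len(data)] = data


def run_scenario():
    """Drive the monitor through a legitimate load and an injection attempt."""
    # Constructed sample pages: one page of `mov r0, r0` (0xE1A00000, little
    # endian) standing in for signed code, and one zeroed scratch page.
    code = bytearray(b"\x00\x00\xa0\xe1" * (PAGE_SIZE // 4))
    scratch = bytearray(PAGE_SIZE)
    memory = {0: code, 1: scratch}
    manifest = [hashlib.sha256(bytes(code)).hexdigest()]
    mon = Monitor(memory, manifest)
    results = {}

    def attempt(name, action):
        try:
            action()
            results[name] = "allowed"
        except PolicyViolation:
            results[name] = "denied"

    attempt("map signed code rx", lambda: mon.map_page(Mapping(0x10, 0, False, True)))
    attempt("map rwx", lambda: mon.map_page(Mapping(0x11, 1, True, True)))
    attempt("writable alias of code", lambda: mon.map_page(Mapping(0x12, 0, True, False)))
    attempt("map scratch rw", lambda: mon.map_page(Mapping(0x13, 1, True, False)))
    attempt("write scratch", lambda: mon.write(0x13, 0, b"\xef\xbe\xad\xde"))

    def remap_exec():
        # Flipping the modified page to executable re-runs the hash check.
        mon.unmap_page(0x13)
        mon.map_page(Mapping(0x13, 1, False, True))

    attempt("remap modified page rx", remap_exec)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:28s} {outcome}")
```

The point the scenario makes is the one the abstract relies on: because every mapping change passes through the monitor, the guest cannot alter code without first dropping the executable bit, and cannot restore it without the page's content matching the manifest again.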
