Trusted Monitor: TEE-Based System Monitoring

As trusted computing becomes increasingly important, Trusted Execution Environments (TEEs) see more widespread use. A particularly high demand for security arises in the context of embedded systems in critical infrastructures. We present a novel intrusion detection system called the Trusted Monitor (TM) that protects its integrity even in the presence of a system-level attacker by running inside the ARM TrustZone TEE. The TM constantly monitors the system using hardware performance counters and detects intrusions based on the classification by an application-specific machine learning model. Our evaluation shows that the TM correctly classifies 86% of 183 evaluated workloads, while the performance overhead stays below 2%. In particular, we show that a real-world kernel-level rootkit observably influences the hardware performance counters and, thus, can be detected.
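To make concrete what classifying hardware performance counter samples per workload involves, the following Python illustration is added here; it is not the Trusted Monitor's code, and the abstract does not describe the paper's model. Everything in it is an assumption for the example: the four counter events, the per-instruction normalisation, the nearest-centroid model with a per-workload radius, and all counter values are constructed.

```python
"""Classifying hardware-performance-counter (HPC) samples per workload.

Added illustration, not the Trusted Monitor's own code. Everything here is
an assumption for the example: the counter events, the per-instruction
normalisation, the nearest-centroid model with a per-workload radius, and
all numeric samples are constructed rather than measured.
"""
from __future__ import annotations

import math
from typing import Dict, List, Tuple

Raw = Dict[str, int]   # raw counter deltas over one sampling interval
Vec = Tuple[float, ...]

# Constructed training intervals, labelled with the benign workload that
# produced them (values are made up, not measurements).
TRAINING: List[Tuple[str, Raw]] = [
    ("sensor_loop", {"instructions": 1_000_000, "cycles": 1_200_000,
                     "cache_misses": 2_000, "branch_misses": 5_000}),
    ("sensor_loop", {"instructions": 1_050_000, "cycles": 1_250_000,
                     "cache_misses": 2_200, "branch_misses": 5_300}),
    ("sensor_loop", {"instructions": 980_000, "cycles": 1_180_000,
                     "cache_misses": 1_900, "branch_misses": 4_800}),
    ("net_service", {"instructions": 800_000, "cycles": 1_600_000,
                     "cache_misses": 24_000, "branch_misses": 20_000}),
    ("net_service", {"instructions": 820_000, "cycles": 1_640_000,
                     "cache_misses": 25_000, "branch_misses": 21_000}),
    ("net_service", {"instructions": 790_000, "cycles": 1_560_000,
                     "cache_misses": 23_500, "branch_misses": 19_500}),
]


def features(raw: Raw) -> Vec:
    """Turn raw deltas into rates: cycles per instruction plus misses per
    1000 retired instructions. Normalising by instructions makes the vector
    describe how the code behaves rather than how much of it ran."""
    instr = raw["instructions"]
    if instr <= 0:
        raise ValueError("interval without retired instructions")
    return (
        raw["cycles"] / instr,
        1000.0 * raw["cache_misses"] / instr,
        1000.0 * raw["branch_misses"] / instr,
    )


def _centroid(vecs: List[Vec]) -> Vec:
    return tuple(sum(col) / len(col) for col in zip(*vecs))


def _scaled_distance(a: Vec, b: Vec, scale: Vec) -> float:
    return math.sqrt(sum(((x - y) / s) ** 2 for x, y, s in zip(a, b, scale)))


def train(samples: List[Tuple[str, Raw]], margin: float = 3.0) -> dict:
    """Build one centroid per workload in feature space, with each feature
    scaled by its standard deviation so a large-valued counter does not
    dominate the distance. Each workload also gets a radius: `margin` times
    the farthest training member from its centroid (heuristic assumed here)."""
    vecs = [(label, features(raw)) for label, raw in samples]
    all_vecs = [v for _, v in vecs]
    means = _centroid(all_vecs)
    scale = tuple(
        max(math.sqrt(sum((v[i] - means[i]) ** 2 for v in all_vecs) / len(all_vecs)), 1e-9)
        for i in range(len(means))
    )
    classes = {}
    for label in sorted({lab for lab, _ in vecs}):
        members = [v for lab, v in vecs if lab == label]
        centroid = _centroid(members)
        radius = margin * max(_scaled_distance(v, centroid, scale) for v in members)
        classes[label] = (centroid, radius)
    return {"scale": scale, "classes": classes}


def classify(model: dict, raw: Raw) -> Tuple[str, float]:
    """Return the nearest workload and the scaled distance to it, or
    "anomaly" when the sample lies outside that workload's radius."""
    vec = features(raw)
    label, (centroid, radius) = min(
        model["classes"].items(),
        key=lambda item: _scaled_distance(vec, item[1][0], model["scale"]),
    )
    dist = _scaled_distance(vec, centroid, model["scale"])
    return (label if dist <= radius else "anomaly", dist)


MODEL = train(TRAINING)

# Constructed test intervals: an ordinary sensor_loop interval, and the same
# workload with extra cache and branch misses, the kind of shift a kernel
# hook could introduce (pattern assumed for illustration, not measured).
BENIGN_SAMPLE: Raw = {"instructions": 1_020_000, "cycles": 1_224_000,
                      "cache_misses": 2_050, "branch_misses": 5_100}
SUSPICIOUS_SAMPLE: Raw = {"instructions": 1_000_000, "cycles": 1_300_000,
                          "cache_misses": 6_000, "branch_misses": 9_000}

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        label, dist = classify(MODEL, raw)
        print(f"{name}: {label} (scaled distance {dist:.3f})")
```

The radius here is derived from only three training intervals per workload, so it is tight; in practice the benign profile needs many intervals spanning the workload's phases, and the margin is tuned on held-out benign data so that normal variation (cache state after a context switch, interrupt load) does not raise alerts. The per-instruction normalisation also matters: comparing raw deltas would flag any change in how busy the system is, not a change in how the code behaves.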
