Visible to the public I/O Systems Security, 2014

SoS Newsletter- Advanced Book Block


SoS Logo

I/O Systems Security


Management of I/O devices is a critical part of the operating system. Entire I/O subsystems are devoted to its operation. These subsystems contend both with the movement towards standard interfaces for a wide range of devices to makes it easier to add newly developed devices to existing systems, and the development of entirely new types of devices for which existing standard interfaces can be difficult to apply. Typically, when accessing files, a security check is performed when the file is created or opened. The security check is typically not done again unless the file is closed and reopened. If an opened file is passed to an untrusted caller, the security system can, but is not required to prevent the caller from accessing the file. Research into I/O security addresses the need to provide adequate security economically and to scale. Research works cited here were published or presented in 2014. 

Yeongjin Jang, Chengyu Song, Simon P. Chung, Tielei Wang, Wenke Lee; “A11y Attacks: Exploiting Accessibility in Operating Systems,” CCS ’14, Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 103-115. doi:10.1145/2660267.2660295
Abstract: Driven in part by federal law, accessibility (a11y) support for disabled users is becoming ubiquitous in commodity OSs. Some assistive technologies such as natural language user interfaces in mobile devices are welcomed by the general user population. Unfortunately, adding new features in modern, complex OSs usually introduces new security vulnerabilities. Accessibility support is no exception. Assistive technologies can be defined as computing subsystems that either transform user input into interaction requests for other applications and the underlying OS, or transform application and OS output for display on alternative devices. Inadequate security checks on these new I/O paths make it possible to launch attacks from accessibility interfaces. In this paper, we present the first security evaluation of accessibility support for four of the most popular computing platforms: Microsoft Windows, Ubuntu Linux, iOS, and Android. We identify twelve attacks that can bypass state-of-the-art defense mechanisms deployed on these OSs, including UAC, the Yama security module, the iOS sandbox, and the Android sandbox. Further analysis of the identified vulnerabilities shows that their root cause is that the design and implementation of accessibility support involves inevitable trade-offs among compatibility, usability, security, and (economic) cost. These trade-offs make it difficult to secure a system against misuse of accessibility support. Based on our findings, we propose a number of recommendations to either make the implementation of all necessary security checks easier and more intuitive, or to alleviate the impact of missing/incorrect checks. We also point out open problems and challenges in automatically analyzing accessibility support and identifying security vulnerabilities.
Keywords: accessibility, assistive technology, attacks (ID#: 15- 6633)

Lisa J. K. Durbeck, Peter M. Athanas, Nicholas J. Macias; “Secure-by-Construction Composable Componentry for Network Processing,” HotSoS ’14, Proceedings of the 2014 Symposium and Bootcamp on the Science of Security, April 2014, Article No. 27. doi:10.1145/2600176.2600203
Abstract: Techniques commonly used for analyzing streaming video, audio, SIGINT, and network transmissions, at less-than-streaming rates, such as data decimation and ad-hoc sampling, can miss underlying structure, trends and specific events held in the data. This work presents a secure-by-construction approach  for the upper-end data streams with rates from 10- to 100 Gigabits per second. The secure-by-construction approach strives to produce system security through the composition of individually secure hardware and software components. The proposed network processor can be used not only at data centers but also within networks and onboard embedded systems at the network periphery for a wide range of tasks, including preprocessing and data cleansing, signal encoding and compression, complex event processing, flow analysis, and other tasks related to collecting and analyzing streaming data. Our design employs a four-layer scalable hardware/software stack that can lead to inherently secure, easily constructed specialized high-speed stream processing.  This work addresses the following contemporary problems: (1) There is a lack of hardware/software systems providing stream processing and data stream analysis operating at the target data rates; for high-rate streams the implementation options are limited: all-software solutions can't attain the target rates[1]. GPUs and GPGPUs are also infeasible: they were not designed for I/O at 10-100Gbps; they also have asymmetric resources for input and output and thus cannot be pipelined[4, 2], whereas custom chip-based solutions are costly and inflexible to changes, and FPGA-based solutions are historically hard to program[6]; (2) There is a distinct advantage to utilizing high-bandwidth or line-speed analytics to reduce time-to-discovery of information, particularly ones that can be pipelined together to conduct a series of processing tasks or data tests without impeding data rates; (3) There is potentially significant network infrastructure cost savings possible from compact and power-efficient analytic support deployed at the network periphery on the data source or one hop away; (4) There is a need for agile deployment in response to changing objectives; (5) There is an opportunity to constrain designs to use only secure components to achieve their specific objectives.  We address these five problems in our stream processor design to provide secure, easily specified processing for low-latency, low-power 10-100Gbps in-line processing on top of a commodity high-end FPGA-based hardware accelerator network processor. With a standard interface a user can snap together various filter blocks, like Legos™, to form a custom processing chain. The overall design is a four-layer solution in which the structurally lowest layer provides the vast computational power to process line-speed streaming packets, and the uppermost layer provides the agility to easily shape the system to the properties of a given application. Current work has focused on design of the two lowest layers, highlighted in the design detail in Figure 1. The two layers shown in Figure 1 are the embeddable portion of the design; these layers, operating at up to 100Gbps, capture both the low- and high frequency components of a signal or stream, analyze them directly, and pass the lower frequency components, residues to the all-software upper layers, Layers 3 and 4; they also optionally supply the data-reduced output up to Layers 3 and 4 for additional processing. Layer 1 is analogous to a systolic array of processors on which simple low-level functions or actions are chained in series[5]. Examples of tasks accomplished at the lowest layer are: (a) check to see if Field 3 of the packet is greater than 5, or (b) count the number of X.75 packets, or (c) select individual fields from data packets. Layer 1 provides the lowest latency, highest throughput processing, analysis and data reduction, formulating raw facts from the stream; Layer 2, also accelerated in hardware and running at full network line rate, combines selected facts from Layer 1, forming a first level of information kernels. Layer 2 is comprised of a number of combiners intended to integrate facts extracted from Layer 1 for presentation to Layer 3. Still resident in FPGA hardware and hardware-accelerated, a Layer 2 combiner is comprised of state logic and soft-core microprocessors. Layer 3 runs in software on a host machine, and is essentially the bridge to the embeddable hardware; this layer exposes an API for the consumption of information kernels to create events and manage state. The generated events and state are also made available to an additional software Layer 4, supplying an interface to traditional software-based systems. As shown in the design detail, network data transitions systolically through Layer 1, through a series of light-weight processing filters that extract and/or modify packet contents. All filters have a similar interface: streams enter from the left, exit the right, and relevant facts are passed upward to Layer 2. The output of the end of the chain in Layer 1 shown in the Figure 1 can be (a) left unconnected (for purely monitoring activities), (b) redirected into the network (for bent pipe operations), or (c) passed to another identical processor, for extended processing on a given stream (scalability).
Keywords: 100 Gbps, embedded hardware, hardware-software co-design, line-speed processor, network processor, secure-by-construction, stream processing (ID#: 15-6634)

S. T. Choden Konigsmark, Leslie K. Hwang, Deming Chen, Martin D. F. Wong; “System-of-PUFs: Multilevel Security for Embedded Systems,” CODES ’14, Proceedings of the 2014 International Conference on Hardware/Software Codesign and System Synthesis, October 2014, Article No. 27. doi:10.1145/2656075.2656099
Abstract: Embedded systems continue to provide the core for a wide range of applications, from smart-cards for mobile payment to smart-meters for power-grids. The resource and power dependency of embedded systems continues to be a challenge for state-of-the-art security practices. Moreover, even theoretically secure algorithms are often vulnerable in their implementation. With decreasing cost and complexity, physical attacks are an increasingly important threat. This threat led to the development of Physically Unclonable Functions (PUFs) which are disordered physical systems with various applications in hardware security. However, consistent security oriented design of embedded systems remains a challenge, as most formalizations and security models are concerned with isolated physical components or high-level concept. We provide four unique contributions: (i) We propose a system-level security model to overcome the chasm between secure components and requirements of high-level protocols; this enables synergy between component-oriented security formalizations and theoretically proven protocols. (ii) An analysis of current practices in PUF protocols using the proposed system-level security model; we identify significant issues and expose assumptions that require costly security techniques. (iii) A System-of-PUF (SoP) that utilizes the large PUF design-space to achieve security requirements with minimal resource utilization; SoP requires 64% less gate-equivalent units than recently published schemes. (iv) A multilevel authentication protocol based on SoP which is validated using our system-level security model and which overcomes current vulnerabilities. Furthermore, this protocol offers breach recognition and recovery.
Keywords: hardware authentication, physically unclonable functions (ID#: 15-6635)

Ahmed M. Azab, Peng Ning, Jitesh Shah, Quan Chen, Rohan Bhutkar, Guruprasad Ganesh, Jia Ma, Wenbo Shen; “Hypervision Across Worlds: Real-time Kernel Protection from the ARM TrustZone Secure World,” CCS ’14, Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 90-102. doi:10.1145/2660267.2660350
Abstract: TrustZone-based Real-time Kernel Protection (TZ-RKP) is a novel system that provides real-time protection of the OS kernel using the ARM TrustZone secure world. TZ-RKP is more secure than current approaches that use hypervisors to host kernel protection tools. Although hypervisors provide privilege and isolation, they face fundamental security challenges due to their growing complexity and code size. TZ-RKP puts its security monitor, which represents its entire Trusted Computing Base (TCB), in the TrustZone secure world; a safe isolated environment that is dedicated to security services. Hence, the security monitor is safe from attacks that can potentially compromise the kernel, which runs in the normal world. Using the secure world for kernel protection has been crippled by the lack of control over targets that run in the normal world. TZ-RKP solves this prominent challenge using novel techniques that deprive the normal world from the ability to control certain privileged system functions. These functions are forced to route through the secure world for inspection and approval before being executed. TZ-RKP's control of the normal world is non-bypassable. It can effectively stop attacks that aim at modifying or injecting kernel binaries. It can also stop attacks that involve modifying the system memory layout, e.g., through memory double mapping. This paper presents the implementation and evaluation of TZ-RKP, which has gone through rigorous and thorough evaluation of effectiveness and performance. It is currently deployed on the latest models of the Samsung Galaxy series smart phones and tablets, which clearly demonstrates that it is a practical real-world system.
Keywords: arm trustzone, integrity monitoring, kernel protection (ID#: 15-6636)

Tongxin Li, Xiaoyong Zhou, Luyi Xing, Yeonjoon Lee, Muhammad Naveed, XiaoFeng Wang, Xinhui Han; “Mayhem in the Push Clouds: Understanding and Mitigating Security Hazards in Mobile Push-Messaging Services,” CCS ’14, Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 978-989. doi:10.1145/2660267.2660302
Abstract: Push messaging is among the most important mobile-cloud services, offering critical supports to a wide spectrum of mobile apps. This service needs to coordinate complicated interactions between developer servers and their apps in a large scale, making it error prone. With its importance, little has been done, however, to understand the security risks of the service. In this paper, we report the first security analysis on those push-messaging services, which reveals the pervasiveness of subtle yet significant security flaws in them, affecting billions of mobile users. Through even the most reputable services like Google Cloud Messaging (GCM) and Amazon Device Messaging (ADM), the adversary running carefully-crafted exploits can steal sensitive messages from a target device, stealthily install or uninstall any apps on it, remotely lock out its legitimate user or even completely wipe out her data. This is made possible by the vulnerabilities in those services' protection of device-to-cloud interactions and the communication between their clients and subscriber apps on the same devices. Our study further brings to light questionable practices in those services, including weak cloud-side access control and extensive use of PendingIntent, as well as the impacts of the problems, which cause popular apps or system services like Android Device Manager, Facebook, Google+, Skype, PayPal etc. to leak out sensitive user data or unwittingly act on the adversary's command. To mitigate this threat, we developed a technique that helps the app developers establish end-to-end protection of the communication with their apps, over the vulnerable messaging services they use.
Keywords: android security, end-to-end protection, mobile cloud security, mobile push-messaging services, security analysis (ID#: 15-6637)

Musard Balliu, Mads Dam, Roberto Guanciale; “Automating Information Flow Analysis of Low Level Code,” CCS ’14, Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 1080-1091. doi:10.1145/2660267.2660322
Abstract: Low level code is challenging: It lacks structure, it uses jumps and symbolic addresses, the control flow is often highly optimized, and registers and memory locations may be reused in ways that make typing extremely challenging. Information flow properties create additional complications: They are hyperproperties relating multiple executions, and the possibility of interrupts and concurrency, and use of devices and features like memory-mapped I/O requires a departure from the usual initial-state final-state account of noninterference. In this work we propose a novel approach to relational verification for machine code. Verification goals are expressed as equivalence of traces decorated with observation points. Relational verification conditions are propagated between observation points using symbolic execution, and discharged using first-order reasoning. We have implemented an automated tool that integrates with SMT solvers to automate the verification task. The tool transforms ARMv7 binaries into an intermediate, architecture-independent format using the BAP toolset by means of a verified translator. We demonstrate the capabilities of the tool on a separation kernel system call handler, which mixes hand-written assembly with gcc-optimized output, a UART device driver and a crypto service modular exponentiation routine.
Keywords: formal verification, information flow security, machine code, symbolic execution (ID#: 15-6638)

Frederico Araujo, Kevin W. Hamlen, Sebastian Biedermann, Stefan Katzenbeisser; “From Patches to Honey-Patches: Lightweight Attacker Misdirection, Deception, and Disinformation,” CCS ’14, Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 942-953. doi:10.1145/2660267.2660329
Abstract: Traditional software security patches often have the unfortunate side-effect of quickly alerting attackers that their attempts to exploit patched vulnerabilities have failed. Attackers greatly benefit from this information; it expedites their search for unpatched vulnerabilities, it allows them to reserve their ultimate attack payloads for successful attacks, and it increases attacker confidence in stolen secrets or expected sabotage resulting from attacks. To overcome this disadvantage, a methodology is proposed for reformulating a broad class of security patches into honey-patches — patches that offer equivalent security but that frustrate attackers' ability to determine whether their attacks have succeeded or failed. When an exploit attempt is detected, the honey-patch transparently and efficiently redirects the attacker to an unpatched decoy, where the attack is allowed to succeed. The decoy may host aggressive software monitors that collect important attack information, and deceptive files that disinform attackers. An implementation for three production-level web servers, including Apache HTTP, demonstrates that honey-patching can be realized for large-scale, performance-critical software applications with minimal overheads.
Keywords: honeypots, intrusion detection and prevention (ID#: 15-6639)

Shijun Zhao, Qianying Zhang, Guangyao Hu, Yu Qin, Dengguo Feng; “Providing Root of Trust for ARM TrustZone using On-Chip SRAM,” TrustED ’14, Proceedings of the 4th International Workshop on Trustworthy Embedded Devices, November 2014, Pages 25-36. doi:10.1145/2666141.2666145
Abstract: We present the design, implementation and evaluation of the root of trust for the Trusted Execution Environment (TEE) provided by ARM TrustZone based on the on-chip SRAM Physical Unclonable Functions (PUFs). We first implement a building block which provides the foundations for the root of trust: secure key storage and truly random source. The building block doesn't require on or off-chip secure non-volatile memory to store secrets, but provides a high-level security: resistance to physical attackers capable of controlling all external interfaces of the system on chip (SoC). Based on the building block, we build the root of trust consisting of seal/unseal primitives for secure services running in the TEE, and a software-only TPM service running in the TEE which provides rich TPM functionalities for the rich OS running in the normal world of TrustZone. The root of trust resists software attackers capable of compromising the entire rich OS. Besides, both the building block and the root of trust run on the powerful ARM processor. In one word, we leverage the on-chip SRAM, commonly available on mobile devices, to achieve a low-cost, secure, and efficient design of the root of trust.
Keywords: on-chip sram, root of trust, tpm service, trusted execution environment, trustzone (ID#: 15-6640)

Richard Joiner, Thomas Reps, Somesh Jha, Mohan Dhawan, Vinod Ganapathy; “Efficient Runtime-Enforcement Techniques for Policy Weaving,” FSE 2014, Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, November 2014, Pages 224-234. doi: 10.1145/2635868.2635907
Abstract: Policy weaving is a program-transformation technique that rewrites a program so that it is guaranteed to be safe with respect to a stateful security policy. It utilizes (i) static analysis to identify points in the program at which policy violations might occur, and (ii) runtime checks inserted at such points to monitor policy state and prevent violations from occurring. The promise of policy weaving stems from the possibility of blending the best aspects of static and dynamic analysis components. Therefore, a successful instantiation of policy weaving requires a careful balance and coordination between the two. In this paper, we examine the strategy of using a combination of transactional introspection and statement indirection to implement runtime enforcement in a policy-weaving system. Transactional introspection allows the state resulting from the execution of a statement to be examined and, if the policy would be violated, suppressed. Statement indirection serves as a light-weight runtime analysis that can recognize and instrument dynamically generated code that is not available to the static analysis. These techniques can be implemented via static rewriting so that all possible program executions are protected against policy violations. We describe our implementation of transactional introspection and statement indirection for policy weaving, and report experimental results that show the viability of the approach in the context of real-world JavaScript programs executing in a browser.
Keywords: Security policy enforcement, dynamic runtime verification, speculative execution, statement indirection, transactional introspection (ID#: 15-6641)

Hai Van Pham, Philip Moore, Khang Dinh Tran; “Context Matching with Reasoning and Decision Support using Hedge Algebra with Kansei Evaluation,” SoICT ’14, Proceedings of the Fifth Symposium on Information and Communication Technology, December 2014, Pages 202-210. doi:10.1145/2676585.2676598
Abstract: There have been far reaching Societal and Geo-Political developments in healthcare domains locally, nationally, and globally. Healthcare systems are essentially patient centric and decision driven with the clinician focus being on the identification of the best treatment options for patients in uncertain environments. Decision-support systems must focus on knowledge-based decisions using both tacit and explicit knowledge. Decisions are generally made using a qualitative approach in which linguistic (semantic) terms are used to express parameters and preferences to determine the optimal decision from a range of alternative decisions. The study presented in this paper proposes an approach which implements context-matching using hedge algebra integrated with Kansei evaluation. The proposed approach is designed to enable quantification of qualitative factors for linguistic variables while accommodating decision-makers preferences and sensibilities (constraint satisfaction) in decision-making. Experimental results demonstrate that our proposed approach achieves a significant improvement in the performance accuracy. In this paper our proposed approach uses the healthcare domain as a use-case however we argue that the posited approach will potentially generalize to other domains and systems where knowledge-based decision support is a principal requirement.
Keywords: kansei engineering, context, context-matching, decision-support, hedge algebra, personalization, uncertainty (ID#: 15-6642)

Yossi Azar, Seny Kamara, Ishai Menache, Mariana Raykova, Bruce Shepard; “Co-Location-Resistant Clouds,” CCSW ’14, Proceedings of the 6th edition of the ACM Workshop on Cloud Computing Security, November 2014, Pages 9-20. doi:10.1145/2664168.2664179
Abstract: We consider the problem of designing multi-tenant public infrastructure clouds resistant to cross-VM attacks without relying on single-tenancy or on assumptions about the cloud's servers. In a cross-VM attack (which have been demonstrated recently in Amazon EC2) an adversary launches malicious virtual machines (VM) that perform side-channel attacks against co-located VMs in order to recover their contents. We propose a formal model in which to design and analyze secure VM placement algorithms, which are online vector bin packing algorithms that simultaneously satisfy certain optimization constraints and notions of security. We introduce and formalize several notions of security, establishing formal connections between them. We also introduce a new notion of efficiency for online bin packing algorithms that better captures their cost in the setting of cloud computing. Finally, we propose a secure placement algorithm that achieves our strong notions of security when used with a new cryptographic mechanism we refer to as a shared deployment scheme.
Keywords: bin packing, cloud computing, co-location attacks, co-location resistance, cross-vm attacks, cryptography, isolation (ID#: 15-6643)

Kim Ramchen, Brent Waters; “Fully Secure and Fast Signing from Obfuscation,” CCS ’14, Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 659-673. doi:10.1145/2660267.2660306
Abstract: In this work we explore new techniques for building short signatures from obfuscation. Our goals are twofold. First, we would like to achieve short signatures with adaptive security proofs. Second, we would like to build signatures with fast signing, ideally significantly faster than comparable signatures that are not based on obfuscation. The goal here is to create an “imbalanced” scheme where signing is fast at the expense of slower verification. We develop new methods for achieving short and fully secure obfuscation-derived signatures. Our base signature scheme is built from punctured programming and makes a novel use of the “prefix technique” to guess a signature. We find that our initial scheme has slower performance than comparable algorithms (e.g. EC-DSA). We find that the underlying reason is that the underlying PRG is called ~l2 times for security parameter l. To address this issue we construct a more efficient scheme by adapting the Goldreich-Goldwasser-Micali [16] construction to form the basis for a new puncturable PRF. This puncturable PRF accepts variable-length inputs and has the property that evaluations on all prefixes of a message can be efficiently pipelined. Calls to the puncturable PRF by the signing algorithm therefore make fewer invocations of the underlying PRG, resulting in reduced signing costs. We evaluate our puncturable PRF based signature schemes using a variety of cryptographic candidates for the underlying PRG. We show that the resulting performance on message signing is competitive with that of widely deployed signature schemes.
Keywords: adaptive security, digital signature scheme, obfuscation, punctured programming (ID#: 15-6644)

Florian Hahn, Florian Kerschbaum; “Searchable Encryption with Secure and Efficient Updates,” CCS ’14, Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 310-320. doi:10.1145/2660267.2660297
Abstract: Searchable (symmetric) encryption allows encryption while still enabling search for keywords. Its immediate application is cloud storage where a client outsources its files while the (cloud) service provider should search and selectively retrieve those. Searchable encryption is an active area of research and a number of schemes with different efficiency and security characteristics have been proposed in the literature. Any scheme for practical adoption should be efficient — i.e. have sub-linear search time —, dynamic — i.e. allow updates — and semantically secure to the most possible extent. Unfortunately, efficient, dynamic searchable encryption schemes suffer from various drawbacks. Either they deteriorate from semantic security to the security of deterministic encryption under updates, they require to store information on the client and for deleted files and keywords or they have very large index sizes. All of this is a problem, since we can expect the majority of data to be later added or changed. Since these schemes are also less efficient than deterministic encryption, they are currently an unfavorable choice for encryption in the cloud. In this paper we present the first searchable encryption scheme whose updates leak no more information than the access pattern, that still has asymptotically optimal search time, linear, very small and asymptotically optimal index size and can be implemented without storage on the client (except the key). Our construction is based on the novel idea of learning the index for efficient access from the access pattern itself. Furthermore, we implement our system and show that it is highly efficient for cloud storage.
Keywords: dynamic searchable encryption, searchable encryption, secure index, update (ID#: 15-6645)

Chongxi Bao, Ankur Srivastava; “A Secure Algorithm for Task Scheduling against Side-channel Attacks,” TrustED ’14, Proceedings of the 4th International Workshop on Trustworthy Embedded Devices, November 2014, Pages 3-12. doi:10.1145/2666141.2666142
Abstract: The problem of ordering task executions has been well studied under power, performance, and thermal constraints. However, it has been pursued less under security concerns. We have observed that different orders of task executions have different side-channel information leakage, thus having different security levels. In this paper, we first model the behavior of the attacker and then propose a secure algorithm for ordering a periodic tasks that have soft deadlines. Our algorithm can keep a good balance between side-channel information leakage and total lateness. Experimental results show that the attacker could make 38.65% more error inferring the state of chip through side-channel analysis if tasks are scheduled using our algorithm as compared to using algorithms without security consideration (like EDF algorithm).
Keywords: embedded systems, hardware security, side-channel attacks, task scheduling (ID#: 15-6646)

Joshua Cazalas, J. Todd McDonald, Todd R. Andel, Natalia Stakhanova; “Probing the Limits of Virtualized Software Protection,” PPREW-4, Proceedings of the 4th Program Protection and Reverse Engineering Workshop, December 2014, Article No. 5. doi:10.1145/2689702.2689707
Abstract: Virtualization is becoming a prominent field of research not only in distributed systems, but also in software protection and obfuscation. Software virtualization has given rise to advanced techniques that may provide intellectual property protection and anti-cloning resilience. We present results of an empirical study that answers whether integrity of execution can be preserved for process-level virtualization protection schemes in the face of adversarial analysis. Our particular approach considers exploits that target the virtual execution environment itself and how it interacts with the underlying host operating system and hardware. We give initial results that indicate such protection mechanisms may be vulnerable at the level where the virtualized code interacts with the underlying operating system. The resolution of whether such attacks can undermine security will help create better detection and analysis methods for malware that also employ software virtualization. Our findings help frame research for additional mitigation techniques using hardware-based integration or hybrid virtualization techniques that can better defend legitimate uses of virtualized software protection.
Keywords: Software protection, obfuscation,  process-level virtualization, tamper resistance, virtualized code (ID#: 15-6647)

Anil Kurmus, Robby Zippel; “A Tale of Two Kernels: Towards Ending Kernel Hardening Wars with Split Kernel,” CCS ’14, Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 1366-1377. doi:10.1145/2660267.2660331
Abstract: Software security practitioners are often torn between choosing performance or security. In particular, OS kernels are sensitive to the smallest performance regressions. This makes it difficult to develop innovative kernel hardening mechanisms: they may inevitably incur some run-time performance overhead. Here, we propose building each kernel function with and without hardening, within a single split kernel. In particular, this allows trusted processes to be run under unmodified kernel code, while system calls of untrusted processes are directed to the hardened kernel code. We show such trusted processes run with no overhead when compared to an unmodified kernel. This allows deferring the decision of making use of hardening to the run-time. This means kernel distributors, system administrators and users can selectively enable hardening according to their needs: we give examples of such cases. Although this approach cannot be directly applied to arbitrary kernel hardening mechanisms, we show cases where it can. Finally, our implementation in the Linux kernel requires few changes to the kernel sources and no application source changes. Thus, it is both maintainable and easy to use.
Keywords: build system, kernel hardening, os security, performance (ID#: 15-6648)

Tamas K. Lengyel, Steve Maresca, Bryan D. Payne, George D. Webster, Sebastian Vogl, Aggelos Kiayias; “Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System,” ACSAC ’14, Proceedings of the 30th Annual Computer Security Applications Conference. December, 2014, Pages 386-395. doi:10.1145/2664243.2664252
Abstract: Malware is one of the biggest security threats on the Internet today and deploying effective defensive solutions requires the rapid analysis of a continuously increasing number of malware samples. With the proliferation of metamorphic malware the analysis is further complicated as the efficacy of signature-based static analysis systems is greatly reduced. While dynamic malware analysis is an effective alternative, the approach faces significant challenges as the ever increasing number of samples requiring analysis places a burden on hardware resources. At the same time modern malware can both detect the monitoring environment and hide in unmonitored corners of the system.  In this paper we present DRAKVUF, a novel dynamic malware analysis system designed to address these challenges by building on the latest hardware virtualization extensions and the Xen hypervisor. We present a technique for improving stealth by initiating the execution of malware samples without leaving any trace in the analysis machine. We also present novel techniques to eliminate blind-spots created by kernel-mode rootkits by extending the scope of monitoring to include kernel internal functions, and to monitor file-system accesses through the kernel's heap allocations. With extensive tests performed on recent malware samples we show that DRAKVUF achieves significant improvements in conserving hardware resources while providing a stealthy, in-depth view into the behavior of modern malware.
Keywords: dynamic malware analysis, virtual machine introspection (ID#: 15-6649)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.