A Primitive for Revealing Stealthy Peripheral-Based Attacks on the Computing Platform’s Main Memory

Stewin, Patrick

doi:10.1007/978-3-642-41284-4_1

Cited by 14 publications

(15 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Although the main goal of this attack is to circumvent Intel TXT, we can learn that VT-d is easy to misconfigure and then an attacker can launch a DMA attack. Moreover, Stewin [10] explains several reasons that we cannot trust IOMMU as a countermeasure against DMA attacks. However, IOCheck is a generic framework that can check IOMMU configurations and provide further protection for I/O devices.…”

Section: Related Workmentioning

confidence: 99%

“…BARM [10] aims to detect and prevent DMA-based attacks. It is based on modeling the expected memory bus activity and comparing it to the actual activity.…”

Section: Related Workmentioning

confidence: 99%

“…AMD also has its own I/O virtualization technology called AMD-Vi. However, IOMMU cannot always be trusted as a countermeasure against DMA attacks, as it relies on a flawless configuration to operate correctly [10]. In particular, researchers have demonstrated several attacks against IOMMU [11][12][13].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Framework to Secure Peripherals at Runtime

Zhang

Wang

Leach

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Secure hardware forms the foundation of a secure system. However, securing hardware devices remains an open research problem. In this paper, we present IOCheck, a framework to enhance the security of I/O devices at runtime. It leverages System Management Mode (SMM) to quickly check the integrity of I/O configurations and firmware. IOCheck is agnostic to the operating system. We use random-polling and event-driven approaches to switch into SMM. We implement a prototype of IOCheck and conduct extensive experiments on physical machines. Our experimental results show that IOCheck takes 10 milliseconds to check the integrity of a network card and a video card. Also, IOCheck introduces a low overhead on Windows and Linux platforms. We show that IOCheck achieves a faster switching time than the Dynamic Root of Trust Measurement approach.

show abstract

Section: Related Workmentioning

confidence: 99%

“…BARM [10] aims to detect and prevent DMA-based attacks. It is based on modeling the expected memory bus activity and comparing it to the actual activity.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

A Framework to Secure Peripherals at Runtime

Zhang

Wang

Leach

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…The core entity used for facilitating virtualization in cloud computing infrastructures is the hypervisor (also referred to as the VMM, Virtual Machine Monitor) as in [2,4,6,7,27,22,3,16,17,18,19,21]. Being a basic part in the virtualization infrastructure, the hypervisor is the most attractive target for attackers.…”

Section: Introductionmentioning

confidence: 99%

Self-Stabilizing Virtual Machine Hypervisor Architecture for Resilient Cloud

Binun

Bloch

Kahil

et al. 2014

2014 IEEE World Congress on Services

View full text Add to dashboard Cite

This paper presents the architecture for a selfstabilizing hypervisor able to recover itself in the presence of Byzantine faults regardless of the state it is currently in. Our architecture is applicable to wide variety of underlying hardware and software and does not require augmenting computers with special hardware. The actions representing defense and recovery strategies can be specified by a user. We describe our architecture in OS-independent terms, thus making it applicable to various virtualization infrastructures. We also provide a prototype extending the Linux-based hypervisor KVM with the self-stabilizing functionality. These features allow augmenting KVM with robustness functionality in the coming stages and moving to cloud management system architectures such as OpenStack to support more industrial scenarios.

show abstract

“…al. [209] demonstrated that all of these DMA-based approaches will reveal some artifacts that are exposed in the CPU performance counters. Similar techniques could be employed by malware authors in both physical and virtual environments to detect the presence of a polling-based memory acquisition system such as ours.…”

Section: Addressing Memory Bandwidth Artifactsmentioning

confidence: 99%

Transparent System Introspection in Support of Analyzing Stealthy Malware

Leach

View full text Add to dashboard Cite

The proliferation of malware has increased dramatically and seriously degraded the privacy of users and the integrity of hosts. Millions of unique malware samples appear every year, which has driven the development of a vast array of analysis tools. Malware analysis is often performed with the assistance of virtualization or emulation for rapid deployment.Malware samples are run in an instrumented virtual machine or analysis tool, and existing introspection techniques help an analyst determine its behavior. Unfortunately, a growing body of malware samples has begun employing anti-debugging, anti-virtualization, and antiemulation techniques to escape or otherwise subvert these analysis mechanisms.These anti-analysis techniques often require measuring differences between the analysis environment and the native environment (e.g., executing more slowly in a debugger). We call these measurable differences artifacts. Malware samples that use artifacts to exhibit stealthy behavior have increased the effort required to analyze and understand each stealthy sample. Additionally, traditional automated techniques fail against such samples because they produce measurable artifacts. We desire a transparent approach that produces no artifacts, thereby admitting the analysis of stealthy malware. We refer to this challenge as the debugging transparency problem. Solving this problem is thus concerned with reducing artifacts or permitting reliable analysis in the presence of artifacts.We present a system consisting of two approaches to address the debugging transparency problem and then demonstrate how these components can apply to currently available computer systems. We present two techniques capable of transparently acquiring snapshots of memory and disk activity that can be used to analyze stealthy malware. First, we discuss a novel use of a custom Field-Programmable Gate Array that provides snapshots of memory and disk activity with no measurable timing artifacts. Second, we present a novel use of System Management Mode on x86 platforms that produces no functional artifacts at the expense of producing timing artifacts. Finally, we present an approach to evaluating the i tradeoff space that exists between analysis transparency and the fidelity of introspection data provided by such an analysis system. Together, these approaches form a cohesive solution to the debugging transparency problem that admits analyzing stealthy malware.ii DedicationThe graduate school experience has been a long endurance test. There are several people to whom I owe a tremendous amount of gratitude.

show abstract

A Primitive for Revealing Stealthy Peripheral-Based Attacks on the Computing Platform’s Main Memory

Cited by 14 publications

References 16 publications

A Framework to Secure Peripherals at Runtime

A Framework to Secure Peripherals at Runtime

Self-Stabilizing Virtual Machine Hypervisor Architecture for Resilient Cloud

Transparent System Introspection in Support of Analyzing Stealthy Malware

Contact Info

Product

Resources

About