Proceedings of the 33rd Annual Computer Security Applications Conference 2017
DOI: 10.1145/3134600.3134622

Co-processor-based Behavior Monitoring

Abstract: Highly privileged software, such as firmware, is an attractive target for attackers. Thus, BIOS vendors use cryptographic signatures to ensure firmware integrity at boot time. Nevertheless, such protection does not prevent an attacker from exploiting vulnerabilities at runtime. To detect such attacks, we propose an event-based behavior monitoring approach that relies on an isolated co-processor. We instrument the code executed on the main CPU to send information about its behavior to the monitor. This informat…

Cited by 7 publications (4 citation statements)
References 35 publications
“…Hence, we assume their integrity. Such assumptions are reasonable in recent firmware using a hardware-protected root of trust [34,68] at boot time and protection of firmware runtime services [14,88,89]. For the OS kernel, one can use UEFI Secure Boot [81] at boot time, and rely on, e.g., security invariants [76] or a hardware-based integrity monitor [7] at runtime.…”
Section: Threat Model and Assumptions (mentioning)
confidence: 99%
“…Hence, we assume their integrity. Such assumptions are reasonable in recent firmware using a hardware-protected root of trust [26,58] at boot time and protection of firmware runtime services [9,75,76]. For the OS kernel, one can use UEFI Secure Boot [69] at boot time, and rely on e.g., security invariants [64] or a hardware-based integrity monitor [4] at runtime.…”
Section: Threat Model and Assumptions (mentioning)
confidence: 99%
“…When executed, it encrypts all the git repositories and the database used by Gitea. Hence, we previously configured the policy to set the cost of such a malicious behavior to high, since it would render the site almost unusable: mbcost("gitea", "compromise-data-availability") = "high".…”
Section: Cost-sensitive Response Selection (mentioning)
confidence: 99%