
Enforcing Executing-Implies-Verified with the Integrity-Aware Processor Michael LeMay Carl A. Gunter...

Date post: 08-Jan-2018
Transcript
Page 1: Enforcing Executing-Implies-Verified with the Integrity-Aware Processor Michael LeMay Carl A. Gunter University of Illinois at Urbana-Champaign Modified.

Enforcing Executing-Implies-Verified with the Integrity-Aware Processor

Michael LeMay, Carl A. Gunter

University of Illinois at Urbana-Champaign

Modified version of presentation for TRUST 2011

Page 2

Outline

• Motivation
• Contributions
• Design
• Conclusions and future work

Page 3

Stuxnet

• Injected malicious code into Programmable Logic Controller.

– Can be blocked using code whitelisting.

[Symantec Stuxnet Dossier 2011]

(figure: Clean OB1 vs. Infected OB1)

Page 4

Other Potential Applications

• Corporate desktop PCs
• Chrome OS devices
• Advanced electric meters
• Power substation Intelligent Electronic Devices
• …

Page 5

Motivation for Integrity-Aware Hardware

• Existing approaches to malware detection and prevention exhibit limitations in the areas of:
– Isolation
– Visibility
– Performance
– Compatibility

Page 6

Outline

• Motivation
• Contributions
• Design
• Conclusions and future work

Page 7

Contributions

• Integrity-Aware Processor: Only processor architecture with hardware support for directly detecting the execution of unverified code.

• XIVE kernel for IAP: Most compact integrity kernel that is capable of enforcing executing-implies-verified.

Page 8

Outline

• Motivation
• Contributions
• Design
• Conclusions and future work

Page 9

Hypervisors

(figure: layered stack of Operating System, Hypervisor and Hardware, with the Hypervisor layer labelled as the Integrity Kernel)

[SeshadriLQP2007-SOSP]

Page 10

Large Hypervisors

Xen: ~230 thousand lines of code

Big attack surface!

[LittyLL2008-Oakland]

(figure label: Integrity Kernel)

Page 11

Hypervisor Vulnerabilities

(See chart on page 50 of the report cited below)

[IBM X-Force 2010]

Page 12

Example: Xen security advisory CVE-2011-1583 (May 9, 2011)

• Integer overflow in the decompression loop memory allocator might result in overrunning the buffer used for the decompressed image.

• Integer overflows and lack of checking of certain length fields can result in the loader reading its own address space beyond the size of the supplied kernel image file.

• An attacker who can supply a kernel image to be booted as a paravirtualised guest might be able to:
– Escalate privilege, taking control of the management domain and hence the entire machine.
– Gain knowledge of the contents of memory in the management tools. Depending on the toolstack in use this might contain sensitive information such as domain management or VNC passwords.
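As an added illustration of the two defect classes the advisory describes (this is constructed example code, not Xen's loader or the CVE-2011-1583 code; the image format and all names are assumptions): an overflow-prone size computation beside a checked one that also bounds the length fields by the size of the supplied image.

```c
/* Added example (constructed; not Xen's loader or the CVE-2011-1583 code):
 * the two defect classes the advisory names, in a toy image loader whose
 * format (little-endian count and chunk_len, then payload) is invented. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint32_t count; uint32_t chunk_len; } img_hdr_t;

/* Unsafe size computation: count * chunk_len wraps in 32 bits, so a hostile
 * header yields a tiny allocation that the copy of the real data then overruns. */
uint32_t unsafe_size(const img_hdr_t *h) {
    return h->count * h->chunk_len;
}

/* Checked version: returns the payload size, or 0 if the product would have
 * wrapped or the length fields reach past the end of the supplied image. */
size_t checked_size(const img_hdr_t *h, size_t image_len) {
    if (image_len < sizeof(img_hdr_t)) return 0;             /* truncated header */
    uint64_t need = (uint64_t)h->count * h->chunk_len;        /* cannot wrap in 64 bits */
    if (need == 0 || need > UINT32_MAX) return 0;             /* 32-bit wrap detected */
    if (need > image_len - sizeof(img_hdr_t)) return 0;       /* would read beyond file */
    return (size_t)need;
}

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse and copy the payload with the validated size. Returns the payload
 * length, or 0 if rejected. With out == NULL it only validates. */
size_t load_image(const uint8_t *image, size_t image_len, uint8_t **out) {
    if (out) *out = NULL;
    if (image_len < sizeof(img_hdr_t)) return 0;
    img_hdr_t h = { rd_le32(image), rd_le32(image + 4) };
    size_t need = checked_size(&h, image_len);
    if (need == 0 || out == NULL) return need;
    *out = malloc(need);
    if (!*out) return 0;
    memcpy(*out, image + sizeof(img_hdr_t), need);           /* bounded by the checked size */
    return need;
}

int main(void) {
    img_hdr_t bad = { 0x10000u, 0x10000u };                  /* constructed: product is 2^32 */
    printf("unsafe size: %u, checked size: %zu\n", unsafe_size(&bad), checked_size(&bad, 1024));
    return 0;
}
```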

Page 13

System Management Mode

Two orders of magnitude slowdown observed compared to protected mode.

[AzabNWJZS2010-CCS] [WangSG2010-RAID]

(figure: System Management Mode, APM Control Register, Hardware Electrical Connection, Integrity Kernel; sleeping dog picture by Eduardo Habkost via Flickr, CC BY 2.0)

Page 14

Outline

• Motivation
• Contributions
• Related work
• Design
• Conclusions and future work

Page 15

Integrity-Aware Processor

Based on LEON3 SPARCv8

(figure from paper)

Page 16

IAP Complexities

(figure from paper)

Page 17

IAP vs. MMU Hardware TCB

• Isolation:
– IAP includes specific hardware support for isolating the integrity kernel, which is less complex than the MMU’s general protection mechanisms.

• Visibility:
– IAP verification tracking mechanisms operate at TLB and cache level, removing page table walk mechanisms from TCB.
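To make the rule concrete, here is an added software model of executing-implies-verified (it is not IAP hardware or XIVE code; the page size, whitelist structure, function names and the FNV-1a hash are constructed stand-ins): a per-page verified bit is cleared by any store and set only when the integrity kernel finds the page's hash on the whitelist, and an instruction fetch succeeds only while the bit is set.

```c
/* Added example (a software model, not IAP hardware or XIVE code): each page
 * carries a verified bit, like the per-entry state IAP tracks at TLB/cache
 * level. A store clears it; a fetch is allowed only while it is set; the
 * integrity kernel sets it only on a whitelist hash match. FNV-1a is a
 * constructed stand-in for a real cryptographic hash. */
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 64      /* constructed: tiny pages to keep the model small */
#define NUM_PAGES 4
#define WL_MAX 8

typedef struct { uint8_t data[PAGE_SIZE]; int verified; } page_t;

static page_t mem[NUM_PAGES];          /* all pages start zeroed and unverified */
static uint64_t whitelist[WL_MAX];
static int wl_len;

static uint64_t hash_page(const uint8_t *d) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < PAGE_SIZE; i++) { h ^= d[i]; h *= 1099511628211ULL; }
    return h;
}

/* Register a code image (zero-padded to one page) as approved code. */
int whitelist_add(const uint8_t *code, size_t len) {
    uint8_t tmp[PAGE_SIZE] = {0};
    if (len > PAGE_SIZE || wl_len >= WL_MAX) return 0;
    memcpy(tmp, code, len);
    whitelist[wl_len++] = hash_page(tmp);
    return 1;
}

/* Integrity kernel: set the verified bit only if the page's current bytes are whitelisted. */
int verify_page(int pg) {
    uint64_t h = hash_page(mem[pg].data);
    for (int i = 0; i < wl_len; i++)
        if (whitelist[i] == h) return mem[pg].verified = 1;
    return mem[pg].verified = 0;
}

/* Any store clears the bit, as the hardware tracker does; modified code must be re-verified. */
void mem_write(int pg, size_t off, uint8_t byte) {
    mem[pg].data[off] = byte;
    mem[pg].verified = 0;
}

/* Instruction fetch: 1 = allowed. Otherwise trap to the integrity kernel, which
 * verifies first and allows execution only on a whitelist match. */
int mem_execute(int pg) {
    return mem[pg].verified ? 1 : verify_page(pg);
}
```

Typical use is whitelist_add for each approved image, then mem_write to load a page and mem_execute to fetch from it; a tampered page returns 0 from mem_execute until its contents match the whitelist again.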

Page 18

TCB Comparison

XIVE contains 859 instructions

Page 19

Hardware Prototype

Page 20

Performance

(figure from paper)

Page 21

Plentiful Dark Silicon

Same area + same total heat dissipation + more transistors = lower % of simultaneously active transistors

37% slice overhead, 21% BlockRAM overhead

[SwansonT2011-IEEEComm]

Page 22

Outline

• Motivation
• Contributions
• Design
• Conclusions and future work

Page 23

Contributions

• Integrity-Aware Processor: Only processor architecture with hardware support for directly detecting the execution of unverified code.

• XIVE kernel for IAP: Most compact integrity kernel that is capable of enforcing executing-implies-verified.

Page 24

Future Work

• Adapt IAP to other architectures.
• Explore integrity kernels for health information technology.
• Implement different types of policies within XIVE.

Page 25

Hash vs. Network Overhead

(figure from paper)