Security-first architecture: deploying physically isolated active security processors for safeguarding the future of computing

Cybersecurity - Volume 1 - Pages 1-11 - 2018
Dan Meng1, Rui Hou1, Gang Shi1, Bibo Tu1, Aimin Yu, Ziyuan Zhu1, Xiaoqi Jia1, Peng Liu2
1Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
2Pennsylvania State University, Old Main, State College, USA

Abstract

It is fundamentally challenging to build a secure system atop the current computer architecture. The complexity of software, hardware and ASIC manufacturing has grown beyond the capability of existing verification methodologies. Without whole-system verification, current systems have no proven security. It is observed that current systems are exposed to a variety of attacks because of the large number of exploitable security vulnerabilities they contain. Some vulnerabilities are difficult to remove without significant performance impact, because performance and security can conflict with each other. Even worse, attacks are constantly evolving, and sophisticated attacks are now capable of systematically exploiting multiple vulnerabilities while remaining hidden from detection. Eager to harden the current computer architecture, existing defenses are mostly ad hoc and passive in nature: they are normally developed in response to specific attacks, after specific vulnerabilities have been discovered. As a result, they are not yet systematic in protecting systems from existing attacks and are likely defenseless against zero-day attacks. To confront these challenges, this paper proposes Security-first Architecture, a concept which enforces systematic and active defenses using Active Security Processors. In systems built on this concept, traditional processors (i.e., Computation Processors) are monitored and protected by Active Security Processors. The two types of processors execute on their own physically isolated resources, including memory, disks, network and I/O devices. The Active Security Processors are provided with dedicated channels to access all the resources of the Computation Processors, but not vice versa. This allows the Active Security Processors to actively detect and tackle malicious activities in the Computation Processors with minimal performance degradation, while the resource isolation protects them from attacks launched from the Computation Processors.
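The asymmetric access relationship the abstract describes (the Active Security Processor reads the Computation Processor's resources over a dedicated channel, while the Computation Processor has no path into the security processor's resources) can be modelled in a few lines. The following is an added illustrative model, not code from the paper or its authors: the `Domain`, `ActiveSecurityProcessor` and `run_scenario` names, the SHA-256 code-region measurement used as the detection check, and the byte blob standing in for CP code are all assumptions made for this example.

```python
"""Toy model of the Security-first Architecture's one-way access channel.

Two domains, CP (Computation Processor) and ASP (Active Security Processor),
each own a private memory. Only ASP holds a channel into CP memory, so ASP can
measure CP's code region and detect modification, while CP cannot reach ASP
memory at all. This is an illustrative model, not the paper's implementation.
"""
import hashlib


class AccessViolation(Exception):
    """Raised when a domain reads memory it holds no channel into."""


class Domain:
    def __init__(self, name: str, mem_size: int) -> None:
        self.name = name
        self.memory = bytearray(mem_size)   # physically separate per domain
        self.channels: set[str] = set()     # names of domains this one may read

    def read(self, target: "Domain", offset: int, length: int) -> bytes:
        # Local reads are always allowed; cross-domain reads need a channel.
        if target is not self and target.name not in self.channels:
            raise AccessViolation(f"{self.name} has no channel into {target.name}")
        return bytes(target.memory[offset:offset + length])

    def write_local(self, offset: int, blob: bytes) -> None:
        self.memory[offset:offset + len(blob)] = blob


class ActiveSecurityProcessor(Domain):
    """ASP with a dedicated read channel into one CP and a private baseline."""

    def __init__(self, cp: Domain, code_region: tuple[int, int]) -> None:
        super().__init__("ASP", mem_size=1024)
        self.channels.add(cp.name)          # one-way: ASP -> CP only
        self.cp = cp
        self.code_region = code_region      # (start, length) of CP code to watch
        self.reference: str | None = None   # kept in ASP memory, unreachable by CP

    def measure(self) -> str:
        start, length = self.code_region
        return hashlib.sha256(self.read(self.cp, start, length)).hexdigest()

    def enroll(self) -> None:
        # Record the known-good measurement of the CP code region.
        self.reference = self.measure()

    def scan(self) -> bool:
        # Active monitoring: re-measure CP memory and compare with the baseline.
        return self.measure() == self.reference


# Constructed stand-in for the CP's code image (not real machine code).
CP_CODE = bytes(range(64))


def run_scenario() -> dict:
    """Enroll, detect a simulated code modification, and show CP cannot reach ASP."""
    cp = Domain("CP", mem_size=4096)
    cp.write_local(0, CP_CODE)
    asp = ActiveSecurityProcessor(cp, code_region=(0, len(CP_CODE)))
    asp.enroll()
    clean = asp.scan()                      # baseline matches: True

    cp.write_local(16, b"\xcc")             # simulated tampering inside CP memory
    tamper_detected = not asp.scan()        # measurement now differs: True

    try:
        cp.read(asp, 0, 32)                 # CP has no channel into ASP memory
        cp_reached_asp = True
    except AccessViolation:
        cp_reached_asp = False

    return {
        "clean": clean,
        "tamper_detected": tamper_detected,
        "cp_reached_asp": cp_reached_asp,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of the model is the direction of the channel: the reference measurement and the scan logic live in ASP memory, so a compromised CP can alter its own code but can neither read nor rewrite the baseline it is being compared against. In a real system the measurement would be a periodic or event-driven scan over a hardware channel rather than a Python method call, which is where the abstract's "minimal performance degradation" claim comes from.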
