Results

Hardware and software developments
Some developments have been pushed to public repositories:

Hardware developments
We designed and implemented a dedicated multi-core DIFT co-processor on FPGA. This work has mainly been done in the context of the PhD of Muhammad Abdul Wahab. The architecture of this co-processor is illustrated below.

The first core (Dispatcher) is a generic fully-pipelined MIPS processor. It executes a firmware that parses the trace coming from the PTM, identifies the current basic block and retrieves the corresponding annotations from the annotations memory. These annotations are sent to the internal program memory of the second core, the Tag Management Core (TMC). The TMC executes the annotations to propagate tags and checks the security policy. Arnab Kumar Biswas developed a Tag Management Unit (TMU) during his postdoc; the TMC uses the TMU to retrieve the tag associated with a given virtual address. In such a multi-core design, several TMCs can be instantiated, which is useful for the following use cases:

  • Different tag propagation and check policies can be enforced in parallel (one policy per TMC). This is useful to detect different types of attacks.
  • Different applications can be monitored in parallel (one application per TMC). This approach is useful to compensate for the frequency difference between the main CPU and the DIFT monitor.
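The following is an added software model of the Dispatcher/TMC/TMU pipeline described above; it is example code written for this page, not the project's firmware or hardware, and the opcode names, tag bits, register count and addresses are assumptions chosen for illustration. It shows the split the page relies on: per-basic-block annotations are fixed statically, the basic-block sequence comes from the trace, the memory addresses come from the instrumentation messages, and the TMC combines them to propagate tags and check a policy at a sink.

```c
/* Added example: software model of a HardBlare-style DIFT co-processor.
 * Encoding, tag bits and the scenario below are illustrative assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_CONFIDENTIAL 0x01u   /* assumed tag: data read from a protected file */
#define TAG_UNTRUSTED    0x02u   /* assumed tag: data received from the network */

/* Annotation opcodes the TMC executes (assumed encoding; ANN_END is 0 so a
 * zero-initialised annotation slot terminates the block). */
enum ann_op {
    ANN_END = 0,
    ANN_LOAD,   /* rd <- tag(mem[addr]); addr taken from the instrumentation stream */
    ANN_STORE,  /* mem[addr] <- tag(rs1) */
    ANN_ALU,    /* rd <- tag(rs1) | tag(rs2) */
    ANN_CHECK   /* policy check at a sink: tag(rs1) & forbidden must be 0 */
};

struct annotation { enum ann_op op; uint8_t rd, rs1, rs2, forbidden; };

#define NUM_REGS 32
#define TMU_SLOTS 64   /* tiny fully-associative shadow memory */
#define MAX_BB 8
#define MAX_ANN 8

struct tmu_entry { uint32_t addr; uint8_t tag; uint8_t valid; };

struct dift {
    uint8_t reg_tag[NUM_REGS];                 /* one tag per architectural register */
    struct tmu_entry tmu[TMU_SLOTS];           /* TMU: virtual address -> tag */
    struct annotation bb[MAX_BB][MAX_ANN];     /* annotations memory, indexed by basic block */
    int violations;
};

/* TMU lookup: memory that was never tagged is untainted. */
uint8_t tmu_get(const struct dift *d, uint32_t addr) {
    for (int i = 0; i < TMU_SLOTS; i++)
        if (d->tmu[i].valid && d->tmu[i].addr == addr) return d->tmu[i].tag;
    return 0;
}

/* TMU update; returns -1 when the table is full. */
int tmu_set(struct dift *d, uint32_t addr, uint8_t tag) {
    int free_slot = -1;
    for (int i = 0; i < TMU_SLOTS; i++) {
        if (d->tmu[i].valid && d->tmu[i].addr == addr) { d->tmu[i].tag = tag; return 0; }
        if (!d->tmu[i].valid && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return -1;
    d->tmu[free_slot] = (struct tmu_entry){ addr, tag, 1 };
    return 0;
}

/* Dispatcher + TMC loop: walk the basic-block trace, execute each block's
 * annotations, consuming one instrumentation address per load/store.
 * Returns the number of policy violations, or -1 if the trace and the
 * address stream desynchronise (a block needs an address that never arrived). */
int dift_run(struct dift *d, const uint8_t *trace, size_t trace_len,
             const uint32_t *addrs, size_t naddrs) {
    size_t ai = 0;
    for (size_t t = 0; t < trace_len; t++) {
        if (trace[t] >= MAX_BB) return -1;
        const struct annotation *a = d->bb[trace[t]];
        for (int k = 0; k < MAX_ANN && a[k].op != ANN_END; k++) {
            switch (a[k].op) {
            case ANN_LOAD:
                if (ai >= naddrs) return -1;
                d->reg_tag[a[k].rd] = tmu_get(d, addrs[ai++]);
                break;
            case ANN_STORE:
                if (ai >= naddrs) return -1;
                if (tmu_set(d, addrs[ai++], d->reg_tag[a[k].rs1]) < 0) return -1;
                break;
            case ANN_ALU:
                d->reg_tag[a[k].rd] = d->reg_tag[a[k].rs1] | d->reg_tag[a[k].rs2];
                break;
            case ANN_CHECK:
                if (d->reg_tag[a[k].rs1] & a[k].forbidden) d->violations++;
                break;
            default: break;
            }
        }
    }
    return d->violations;
}

/* Constructed program: bb0 loads a secret into r1, bb1 mixes it into r2 and
 * spills it to a stack slot, bb2 reloads the slot into r4 and sends it. */
static int run_scenario(const uint8_t *trace, size_t n, const uint32_t *addrs, size_t na) {
    struct dift d;
    memset(&d, 0, sizeof d);
    tmu_set(&d, 0x1000, TAG_CONFIDENTIAL);   /* file tag applied by the kernel (assumed address) */
    d.bb[0][0] = (struct annotation){ .op = ANN_LOAD,  .rd = 1 };
    d.bb[1][0] = (struct annotation){ .op = ANN_ALU,   .rd = 2, .rs1 = 1, .rs2 = 3 };
    d.bb[1][1] = (struct annotation){ .op = ANN_STORE, .rs1 = 2 };
    d.bb[2][0] = (struct annotation){ .op = ANN_LOAD,  .rd = 4 };
    d.bb[2][1] = (struct annotation){ .op = ANN_CHECK, .rs1 = 4, .forbidden = TAG_CONFIDENTIAL };
    return dift_run(&d, trace, n, addrs, na);
}

int demo_leak(void) {      /* secret reaches the sink: 1 violation */
    const uint8_t trace[] = { 0, 1, 2 };
    const uint32_t addrs[] = { 0x1000, 0x7ffc, 0x7ffc };
    return run_scenario(trace, 3, addrs, 3);
}
int demo_no_flow(void) {   /* bb1 never runs, sink reads untainted memory: 0 */
    const uint8_t trace[] = { 0, 2 };
    const uint32_t addrs[] = { 0x1000, 0x7ffc };
    return run_scenario(trace, 2, addrs, 2);
}
int demo_desync(void) {    /* one address message lost: -1 */
    const uint8_t trace[] = { 0, 1, 2 };
    const uint32_t addrs[] = { 0x1000, 0x7ffc };
    return run_scenario(trace, 3, addrs, 2);
}

int main(void) {
    printf("leak=%d no_flow=%d desync=%d\n", demo_leak(), demo_no_flow(), demo_desync());
    return 0;
}
```

The desynchronisation case is the one a practitioner should watch for: because every load and store address is carried by a separate message from the instrumented code, a dropped or reordered message silently misaligns tags with addresses, which is why the model refuses to continue rather than guessing.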

Software developments
The software part of our approach is implemented in the following software components:

  • We modified the Linux kernel to handle file tags and to support communication between the instrumented code and the co-processor;
  • We patched the Linux PTM driver, which did not support all the features of the PTM; this patch has been merged into the vanilla Linux kernel;
  • We modified the Linux loader (ld.so) to load annotations into the co-processor;
  • We developed an LLVM backend pass to compute the annotations and instrument applications.

This work has mainly been done in the context of the PhD of Mounir Nasr Allah.

Experimental results
Our experimental results are illustrated below.

Compared to approaches from related work, HardBlare does not modify any part of the monitored CPU and can be used to monitor hard cores, i.e. ASIC CPUs, which are far more powerful than soft cores synthesized on FPGA. The area overhead of the DIFT co-processor is limited, which allows several TMCs to be used to follow different applications in parallel. We are also able to monitor the code of the libraries used by the application, and we support applications running on a rich OS (most existing approaches only support applications executed directly on the CPU, without an OS). However, our runtime overhead is still significant and is mainly due to the communication overhead of the instrumentation: for the moment, the instrumented code sends the address of every memory access, which generates a lot of messages. This traffic could be reduced by improving the static analysis so that more address values are predicted statically.

These evaluations have been done using simulations in a simplified environment. We are currently working on the final integration of the latest version of the hardware design with the full software stack. Once this integration is complete, we will conduct security evaluations. We have prepared an experimental setup and plan to evaluate detection on two use cases:

  • a scenario where the attacker performs a directory traversal attack against the NGINX web server to access confidential data (e.g. the system password file);
  • a scenario where the attacker exploits different vulnerabilities in simple code examples illustrating common weaknesses of C programs, as listed in the Common Weakness Enumeration (CWE).

We plan to conduct such experiments within six months.

Perspectives

We have identified five main perspectives:

  • Reducing the TCB by isolating parts of the kernel using TrustZone;
  • Reducing instrumentation overhead (by optimizing the static analysis);
  • Implementing multicore and multi-thread DIFT (by using multiple TMC);
  • Porting the approach to other platforms (e.g. Intel PT);
  • Taking benefit of dynamic partial reconfiguration of FPGA to increase the flexibility of the co-processor.

Documentation

Final report: HardBlare_report.pdf

PhD manuscript of Muhammad Abdul Wahab: Hardware support for the security analysis of embedded software: applications on information flow control and malware analysis


Dissemination

 
