Toshiki Kobayashi
Adrian Perrig
ABSTRACT
Monitoring software of low-end devices is a key part of defense in depth for IoT systems. These devices are particularly susceptible to memory corruption vulnerabilities because the limited computational resources restrict the types of countermeasures that can be implemented. Run-time monitoring therefore is fundamental for the security of these devices. We propose a monitoring architecture for untrusted software at the I/O event granularity for TrustZone-enabled devices. The architecture enables us to measure the integrity of the code immediately before its execution is triggered by any input. To verify the integrity in a lightweight manner, we statically determine the minimal code region that needs to be measured based on the I/O operation. We develop a prototype of the architecture using TrustZone-M and demonstrate that our prototype has a low processing overhead and small ROM memory footprint.
- Tigist Abera, N. Asokan, Lucas Davi, Jan-Erik Ekberg, Thomas Nyman, Andrew Paverd, Ahmad-Reza Sadeghi, and Gene Tsudik. 2016. C-FLAT: Control-Flow Attestation for Embedded Systems Software. In ACM CCS. Google Scholar
Digital Library
- Sergey Bratus, Nihal D'Cunha, Evan Sparks, and Sean W Smith. 2008. TOCTOU, traps, and trusted computing. In International Conference on Trusted Computing and Trust in Information Technologies. Google ScholarDigital Library
- Xavier Carpent, Norrathep Rattanavipanon, and Gene Tsudik. 2017. ERASMUS: Efficient Remote Attestation via Self-Measurement for Unattended Settings. IEEE/ACM Design, Automation, and Test in Europe (DATE).Google Scholar
- Shuo Chen, Jun Xu, Emre Can Sezer, Prachi Gauriar, and Ravishankar K Iyer. 2005. Non-Control-Data Attacks Are Realistic Threats. In USENIX Security Symposium. Google ScholarDigital Library
- Thurston H.Y. Dang, Petros Maniatis, and David Wagner. 2015. The performance cost of shadow stacks and stack canaries. In ASIA CCS. Google ScholarDigital Library
- Karim El Defrawy, Aurelién Francillon, Daniele Perito, and Gene Tsudik. 2012. SMART: Secure and Minimal Architecture for (Establishing a Dynamic) Root of Trust. In NDSS.Google Scholar
- Ghada Dessouky, Shaza Zeitouni, Thomas Nyman, Andrew Paverd, Lucas Davi, Patrick Koeberl, N. Asokan, and Ahmad-Reza Sadeghi. 2017. LO-FAT: Low-Overhead Control Flow ATtestation in Hardware. In DAC. Google ScholarDigital Library
- Trusted Computing Group. 2011. TPM Main Specification Level 2 Version 1.2, Revision 116. https://trustedcomputinggroup.org/resource/tpm-main-specification, Last accessed: 21 August 2018.Google Scholar
- Hong Hu, Shweta Shinde, Sendroiu Adrian, Zheng Leong Chua, Prateek Saxena, and Zhenkai Liang. 2016. Data-oriented programming: On the expressiveness of non-control data attacks. In IEEE Symposium on Security and Privacy.Google ScholarCross Ref
- Intel. 2014. Intel Software Guard Extensions Programming Reference. https://software.intel.com/sites/default/files/managed/48/88/329298-002.pdf, Last accessed: 21 August 2018.Google Scholar
- Per Larsen, Andrei Homescu, Stefan Brunthaler, and Michael Franz. 2014. SoK: Automated software diversity. In IEEE Symposium on Security and Privacy. Google ScholarDigital Library
- Amit Levy, Bradford Campbell, Branden Ghena, Daniel B Giffin, Pat Pannuto, Prabal Dutta, and Philip Levis. 2017. Multiprogramming a 64kB Computer Safely and Efficiently. In ACM SOSP. Google ScholarDigital Library
- ARM Ltd. 2016. ARMv8-M Architecture Reference Manual. http://infocenter.arm.com/help/topic/com.arm.doc.ddi0553a.b, Last accessed: 21 August 2018.Google Scholar
- Thomas Nyman, Jan-Erik Ekberg, Lucas Davi, and N Asokan. 2017. CFI CaRE: Hardware-Supported Call and Return Enforcement for Commercial Microcontrollers. In RAID.Google Scholar
- Arvind Seshadri, Mark Luk, Adrian Perrig, Leendert van Doorn, and Pradeep Khosla. 2006. SCUBA: Secure code update by attestation in sensor networks. In ACM workshop on Wireless security. Google ScholarDigital Library
- Hovav Shacham. 2007. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In ACM CCS. Google ScholarDigital Library
- Rodrigo Vieira Steiner and Emil Lupu. 2016. Attestation in wireless sensor networks: A survey. ACM Computing Surveys (CSUR), Vol. 49, 3 (2016), 51. Google ScholarDigital Library
- Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. 2013. SoK: Eternal War in Memory. In IEEE Symposium on Security and Privacy. Google ScholarDigital Library
- John Viega and Hugh Thompson. 2012. The state of embedded-device security (spoiler alert: It's bad). IEEE Security & Privacy, Vol. 10, 5 (2012), 68--70. Google ScholarDigital Library
- Paul Williamson. 2017. It's Here: A Common Industry Framework for Protecting a Trillion Connected Devices. https://www.arm.com/company/news/2017/10/a-common-industry-framework.Google Scholar
Recommendations
Light-SPD: a platform to prototype secure mobile applications
PAMCO '16: Proceedings of the 1st ACM Workshop on Privacy-Aware Mobile ComputingSecurely storing sensitive personal data is critical for protecting privacy. Currently, many persons use smartphones to store their private data. However, smartphones suffer from many security issues. To overcome this situation, the PCAS project is ...
Using ARM trustzone to build a trusted language runtime for mobile applications
ASPLOS '14This paper presents the design, implementation, and evaluation of the Trusted Language Runtime (TLR), a system that protects the confidentiality and integrity of .NET mobile applications from OS security breaches. TLR enables separating an application's ...
Securing a communication channel for the trusted execution environment
AbstractAs a security extension to processor, ARM TrustZone has been widely adopted for various mobile and IoT devices. The protection is conducted by separating the system into two domains: the rich execution environment (REE) and the trusted ...
Comments