Remote attestation, as a challenge-response protocol, enables a trusted entity, called verifier, to ask for an untrusted device, called prover, to provide assurance about its internal integrity. With its strong guarantees not suffering from false positives, remote attestation is becoming increasingly popular for critical embedded systems which can be used for medical, military or industrial control purposes. Previous proposals, which used checksums on static code regions to assure the load-time integrity, miss the runtime attacks that affect only dynamic memory regions. To address these attacks, this paper proposes a new scheme that attests the runtime integrity according to the control and data features of the program. The runtime check is performed in real time with the help of a novel hardware security module (HSM) which is connected to the prover's system bus. Proposed HSM detects runtime issues by checking compliance of the bits seen on the address and data bus with the static model loaded into its memory. Our attestation scheme can detect sophisticated runtime attacks such as code-reuse and non-control data attacks.
This paper distinguishes malware families from a specific category (i.e., ransomware) via dynamic analysis. We collect samples from four ransomware families and use Cuckoo sandbox environment, to observe their runtime behaviour. This study aims to provide new insight into malware family classification by comparing possible runtime features, and application of different extraction and selection techniques on them. As we try many extraction models on call traces such as bag-ofwords, ngram sequences and wildcard patterns, we also look for other behavioural features such as files, registry and mutex artefacts. While wildcard patterns on call traces are designed to overcome advanced evasion strategies such as the insertion of junk API calls (causing ngram searches to fail), for the models generating too many features, we adapt new feature selection techniques with a classwise fashion to avoid unfair representation of families in the feature set which leads to poor detection performance. To our knowledge, no research paper has applied a classwise approach to the multi-class malware family identification. With a 96.05% correct classification ratio for four families, this study outperforms most studies applying similar techniques.
Remote attestation, as a challenge-response protocol, enables a trusted entity, called verifier, to ask a potentially infected device, called prover, to provide integrity assurance about its internal state. Remote attestation is becoming increasingly vital for embedded systems that serve in many critical domains, as part of health, military, transportation and industry services, but still lack the most security features available to high-end systems. In most attestation techniques, the prover provides a cryptographic checksum of its static memory contents, that is, code segments, to the verifier when requested to demonstrate that the device is loaded with the right software. However, those measurements are subject to two limitations. First, they cannot guarantee that the prover has always had legitimate software in the memory prior to attestation. This is because occasional measurements, triggered by the verifier, still leave the device vulnerable to the compromise between two attestation windows as a time-of-check-to-time-of-use (TOCTOU) problem. Second, including dynamic memory regions in the checksum calculation is not helpful in practice, since the verifier typically does not know what those regions should contain or which checksums should be accepted as valid. Hence, many attack scenarios residing in those dynamic regions (e.g. stack) would also go unnoticed. To reveal attack scenarios exploiting the memory regions and time windows left unattested, we propose an attestation scheme that can continuously monitor both static and dynamic memory regions with better spatial and temporal attestation coverage. Our monitoring mechanism is designed to be performed in real time using a novel hardware security module (HSM) connected to the prover's system bus. The proposed HSM monitors not only the integrity of the code on the prover but also its execution by checking the compliance of the bits seen on the bus according to a runtime integrity model (RIM) of the prover's software. Therefore, our attestation scheme is capable of reporting scenarios that violate both the (static) code and (dynamic) runtime integrity since the deployment time. K E Y W O R D S embedded systems, protocols, security | INTRODUCTIONRemote attestation aims to address these risks by providing reports on the integrity of a device to a remote entity. A remote attestation scheme generally consists of two parties. Prover, as a potentially infected device, has to assure a remote party called verifier that the device is in a benign state. In a typical attestation scheme, the verifier makes a request to the prover with a challenge. Then, the prover performs some measurements on its memory and returns it as a signed response. Upon receiving the response, if satisfied with its freshness, integrity and authenticity, the verifier can then decide whether the prover is in a legitimate state using the measurement returned.This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction ...
Data-oriented attacks, where the adversary corrupts critical program data in memory, remain one of the most challenging security threats to address. Because the attacker does not touch any code or code pointers, dataoriented attacks are able to circumvent common defence strategies such as data execution prevention or control-flow protection. Data-flow integrity (DFI) techniques can address these attacks by detecting corruption of any program data. However, due to high performance penalties, these techniques are not widely adopted in practice. This paper presents TRUVIN, a lightweight scheme that mitigates data-oriented attacks by focusing on only those variables which are crucial to the integrity assurance. Instead of instrumenting every memory operation, TRUVIN selectively defends program data that originate from only trusted agents (e.g. the programmer), as they are considered critical to the runtime integrity. Our analysis is performed at compile-time and generates instrumentation only for the necessary operations. TRUVIN reduces the performance cost by a factor of 4.3 on average with 28% overhead compared to full instrumentation (121%), while retaining the security guarantees.
CPU registers are small discrete storage units, used to hold temporary data and instructions within the CPU. Registers are not addressable in the same way memory is, which makes them immune from memory attacks and manipulation by other means. In this paper, we take advantage of this to provide a protection mechanism for critical program data; both active local variables and control objects on the stack. This protection effectively eliminates the threat of control-and data-oriented attacks, even by adversaries with full knowledge of the active stack.Our solution RegGuard, is a compiler register allocation strategy that utilises the available CPU registers to hold critical variables during execution. Unlike conventional allocations schemes, RegGuard prioritises the security significance of a program variable over its expected performance gain. Our scheme can deal effectively with saved registers to the stack, i.e., when the compiler needs to free up registers to make room for the variables of a new function call. With RegGuard, critical data objects anywhere on the entire stack are effectively protected from corruption, even by adversaries with arbitrary read and write access.While our primary design focus is on security, performance is very important for a scheme to be adopted in practice. Reg-Guard is still benefiting from the performance gain normally associated with register allocations, and the overhead is within a few percent of other unsecured register allocation schemes for most cases. We present detailed experiments that showcase the performance of RegGuard using different benchmark programs and the C library on ARM64 platform.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.