Co-processor-based Behavior Monitoring

Chevalier, Ronny; Villatel, Maugan; Plaquin, David; Hiet, Guillaume

doi:10.1145/3134600.3134622

“…Hence, we assume their integrity. Such assumptions are reasonable in recent firmware using a hardware-protected root of trust [34,68] at boot time and protection of firmware runtime services [14,88,89]. For the OS kernel, one can use UEFI Secure Boot [81] at boot time, and rely on, e.g., security invariants [76] or a hardware-based integrity monitor [7] at runtime.…”

Section: Threat Model and Assumptionsmentioning

confidence: 99%

Intrusion Survivability for Commodity Operating Systems

Chevalier

¹

,

Plaquin

²

,

Dalton

³

et al. 2020

Digital Threats

Self Cite

0

View full text Add to dashboard Cite

Despite the deployment of preventive security mechanisms to protect the assets and computing platforms of users, intrusions eventually occur. We propose a novel intrusion survivability approach to withstand ongoing intrusions. Our approach relies on an orchestration of fine-grained recovery and per-service responses (e.g., privileges removal). Such an approach may put the system into a degraded mode. This degraded mode prevents attackers to reinfect the system or to achieve their goals if they managed to reinfect it. It maintains the availability of core functions while waiting for patches to be deployed. We devised a cost-sensitive response selection process to ensure that while the service is in a degraded mode, its core functions are still operating. We built a Linux-based prototype and evaluated the effectiveness of our approach against different types of intrusions. The results show that our solution removes the effects of the intrusions, that it can select appropriate responses, and that it allows services to survive when reinfected. In terms of performance overhead, in most cases, we observed a small overhead, except in the rare case of services that write many small files asynchronously in a burst, where we observed a higher but acceptable overhead.

show abstract

“…Hence, we assume their integrity. Such assumptions are reasonable in recent firmware using a hardware-protected root of trust [26,58] at boot time and protection of firmware runtime services [9,75,76]. For the OS kernel, one can use UEFI Secure Boot [69] at boot time, and rely on e.g., security invariants [64] or a hardware-based integrity monitor [4] at runtime.…”

Section: Threat Model and Assumptionsmentioning

confidence: 99%

“…8 When executed, it encrypts all the git repositories and the database used by Gitea. Hence, we previously configured the policy to set the cost of such a malicious behavior to high, 9 since it would render the site almost unusable: mbcost("gitea", "compromise-data-availability") = "high".…”

Section: Cost-sensitive Response Selectionmentioning

confidence: 99%

See 1 more Smart Citation

Survivor

Chevalier

¹

,

Plaquin

²

,

Dalton

³

et al. 2019

Proceedings of the 35th Annual Computer Security Applications Conference

Self Cite

1

0

View full text Add to dashboard Cite

Despite the deployment of preventive security mechanisms to protect the assets and computing platforms of users, intrusions eventually occur. We propose a novel intrusion survivability approach to withstand ongoing intrusions. Our approach relies on an orchestration of fine-grained recovery and per-service responses (e.g., privileges removal). Such an approach may put the system into a degraded mode. This degraded mode prevents attackers to reinfect the system or to achieve their goals if they managed to reinfect it. It maintains the availability of core functions while waiting for patches to be deployed. We devised a cost-sensitive response selection process to ensure that while the service is in a degraded mode, its core functions are still operating. We built a Linux-based prototype and evaluated the effectiveness of our approach against different types of intrusions. The results show that our solution removes the effects of the intrusions, that it can select appropriate responses, and that it allows services to survive when reinfected. In terms of performance overhead, in most cases, we observed a small overhead, except in the rare case of services that write many small files asynchronously in a burst, where we observed a higher but acceptable overhead. CCS CONCEPTS• Security and privacy → Operating systems security; Malware and its mitigation.

show abstract