Iso-X: A Flexible Architecture for Hardware-Managed Isolated Execution

Evtyushkin, Dmitry; Elwell, Jesse; Özsoy, Meltem; Ponomarev, Dmitry; Abu-Ghazaleh, Nael; Riley, Ryan

doi:10.1109/micro.2014.25

Cited by 60 publications

(51 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…CRAs, including both return-oriented [57] and jump-oriented [11] variations remain open vulnerabilities and active research topics, despite some promising solutions [48,70,36,37]. An orthogonal line of research pursues protection of application secrets even in the presence of compromised system software layers and malware [23,25,42].…”

Section: Related Workmentioning

confidence: 99%

Malware-aware processors: A framework for efficient online malware detection

Özsoy

Donovick

Gorelik

et al. 2015

2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA)

Self Cite

117

View full text Add to dashboard Cite

Security exploits and ensuant malware pose an increasing challenge to computing systems as the variety and complexity of attacks continue to increase. In response, software-based malware detection tools have grown in complexity, thus making it computationally difficult to use them to protect systems in real-time. Therefore, software detectors are applied selectively and at a low frequency, creating opportunities for malware to remain undetected. In this paper, we propose Malware-Aware Processors (MAP) -processors augmented with an online hardware-based detector to serve as the first line of defense to differentiate malware from legitimate programs. The output of this detector helps the system prioritize how to apply more expensive software-based solutions. The always-on nature of MAP detector helps protect against intermittently operating malware. Our work improves on the state of the art in the following ways: (1) We define and explore the use of sub-semantic features for online detection of malware. (2) We explore hardware implementations and show that simple classifiers appropriate for such implementations can effectively classify malware. We also study different classifiers, develop implementation optimizations, and explore complexity to performance trade-offs. (3) We propose a two-level detection framework where the hardware classifier prioritizes the work of a more accurate but more expensive software defense mechanism. (4) We integrate the MAP implementation with an open-source x86-compatible core, synthesizing the resulting design to run on an FPGA.

show abstract

Section: Related Workmentioning

confidence: 99%

Malware-aware processors: A framework for efficient online malware detection

Özsoy

Donovick

Gorelik

et al. 2015

2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA)

Self Cite

117

View full text Add to dashboard Cite

show abstract

“…Another approach is to employ some existing hardware-assisted isolated execution solutions such as Iso-X [27] or Bastion [33]. This approach has two advantages.…”

Section: Smc Allocationmentioning

confidence: 99%

“…However, it is strongly prohibited due to the protection of the securely launched kernel module or the hardware assisted memory compartment setup (see Section 6.7.1). The detailed security analysis of these two approaches can be found in [25,27]. Alternatively, one can also modify the address value in set_sr instruction even though the SMC is securely set up.…”

Section: Security Analysismentioning

confidence: 99%

“…Another tamper-resistant approach is to restrict the memory page access with the techniques proposed in Iso-X [27] or Bastion [33]. These approaches share the same technique that makes use of TLB to restrict the access to a particular running application process.…”

Section: Code Injection Attack Protectionmentioning

confidence: 99%

“…Such an approach requires an extra processing system which usually has low computational power and is expensive. Lastly, the computer architecture community has proposed a secure processor approach [24][25][26][27][28] which stores the decryption key in the main processor and provides a mechanism to protect the data in o -chip memory. Nevertheless, these approaches initially target Digital Right Management (DRM) and portable devices which protect the application program and data as a whole.…”

mentioning

confidence: 99%

See 2 more Smart Citations

A novel architecture for secure database processing in cloud computing

Chen¹

View full text Add to dashboard Cite

Security, particularly data privacy, is one of the biggest barriers to the adoption of Database-as-a-Service (DBaaS) in Cloud Computing. Recent security breaches demonstrate that a more powerful protection mechanism is needed to protect data confidentiality from any honest-but-curious administrator. Typical prior e ort on addressing this security problem is either prohibitively slow or highly restrictive in operation.In this thesis, a novel cloud system architecture CypherDB, which makes use of a secure processor, is proposed to protect the confidentiality of outsourced database processing. To achieve this, a framework is developed to use these secure processors in the cloud for secure database processing. This framework allows distributed and parallel processing of the encrypted data and exhibits virtualization features in Cloud Computing. The CypherDB architecture also relies on two major components to protect the privacy of an outsourced database against any honest-but-curious administrator of high performance.Firstly, a novel database encryption scheme is developed to protect the outsourced database which can be executed under a CypherDB secure processor with high performance. Our proposed scheme makes use of custom instructions to hide the encryption latency from the program execution. This scheme is extensively validated through an integration with SQLite, a practical database application program.Secondly, a novel secure processor architecture is also developed to provide architectural support to our proposed database encryption scheme and e cient protection mechanism to secure all intermediate data generated onthe-fly during query execution. The e ciency, robustness and the cost of our novel processor architecture are validated and evaluated through extensive simulations and implementation on a FPGA platform.

show abstract

Off-Limits: Abusing Legacy x86 Memory Segmentation to Spy on Enclaved Execution

Gyselinck

Bulck

Piessens

et al. 2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Enclaved execution environments, such as Intel SGX, enable secure, hardware-enforced isolated execution of critical application components without having to trust the underlying operating system or hypervisor. A recent line of research, however, explores innovative controlled-channel attacks mounted by untrusted system software to partially compromise the confidentiality of enclave programs. Apart from exploiting relatively well-known side-channels like the CPU cache and branch predictor, these attacks have so far focused on tracking sideeffects from enclaved address translations via the paging unit. This paper shows, however, that for 32-bit SGX enclaves the unacclaimed x86 segmentation unit can be abused as a novel controlled-channel to reveal enclaved memory accesses at a page-level granularity, and in restricted circumstances even at a very precise byte-level granularity. While the x86 paging unit has been extensively studied from both an attack as well as a defense perspective, we are the first to show that address translation side-channels are not limited to paging. Our findings furthermore confirm that largely abandoned legacy x86 processor features, included for backwards compatibility, suggest new and unexpected side-channels.

show abstract

Iso-X: A Flexible Architecture for Hardware-Managed Isolated Execution

Cited by 60 publications

References 32 publications

Malware-aware processors: A framework for efficient online malware detection

Malware-aware processors: A framework for efficient online malware detection

A novel architecture for secure database processing in cloud computing

Off-Limits: Abusing Legacy x86 Memory Segmentation to Spy on Enclaved Execution

Contact Info

Product

Resources

About