ScaRR

  1. ScaRR: Scalable Runtime Remote Attestation for Complex Systems
     Flavio Toffalini - Singapore University of Technology and Design
     Eleonora Losiouk, Andrea Biondo - University of Padua
     Jianying Zhou - Singapore University of Technology and Design
     Mauro Conti - University of Padua
     RAID - September 23-25, 2019 - Beijing, China
  2. Problem: Remote Attestation
     [Diagram labels: Verifier (trust), Prover (not-so-trust), Challenge, Report, Application, "Is this ok?"]
     Toffalini et al., (2019) ScaRR: Scalable Runtime Remote Attestation for Complex Systems
  3. Static Remote Attestation
     What we can verify: Static properties
     - Software loaded
     - Hardware integrity
     What we can't verify: Dynamic properties
     - Execution path
     - Data correctness
     ScaRR
  4. Runtime Remote Attestation
     [Diagram labels: Verifier, Prover, Application, Challenge (nonce, input), Report (hash_ep, output), Offline Analysis, analyze(Application), Valid Execution Paths, Online Analysis]
  5. Previous Runtime Remote Attestation
     Limitations
     1. Offline analysis does not scale for big applications
     2. Based on heuristics
     3. Symbolic execution too slow for the verification
  6. Scenario: Virtual Machines in a Cloud
     - More complex applications
     - More advanced systems
     - No-physical attacks
     [Diagram labels: V, P, V, intra-cloud communication, ext-cloud communication]
  7. Basic Example
         x = input()
         if x == 'auth':
             y = get_privileged_info()
         else:
             y = get_unprivileged_info()
         output(y)
         terminate
     [Graph labels: a, N1, N2, N3, N4, N5, N6; legend: = return address corruption]
  8. Assumptions and Attacker Model
     Attacks:
     - Standard code-reuse attack (e.g., ROP, JOP)
     - Code injection (e.g., shellcode)
     - Function hooks
     - Attacker takes control of user-space Prover
     Assumptions:
     - Prover is equipped with a trusted anchor
     - Standard defences like W⊕X
     - CFI
     != The attack could come anywhere from within the machine
  9. Idea of ScaRR
     N1−N4 => [ (N2, N4) ]
     N1−N3 => [ (N2, N3) ]
     N3−N6 => [ ]
     N4−N6 => [ ]
     NOTE: ScaRR does not consider (N4, N5) and (N3, N5)
     [Graph labels: N1, N2, N3, N5, N4, N6; legend: Checkpoint (e.g., beginning thread, syscall, API call), List of Actions, Edge]
  10. Model Challenges
      - Loop
      - Recursion
      - Signal
      - Exception
  11. Loop
      SA−N1 => [ ]
      N1−N1 => [ (N1, N2) ]
      N1−SB => [ (N1, N3) ]
      [Graph labels: SA, N1, SB, N2, N3, virtual-checkpoint]
  12. Recursion
      PB−N2 => [ (PB, N1), (N1, N2) ]
      N2−N2 => [ (N2, N1), (N1, N2) ]
      N2−N2 => [ (N2, N1), (N1, N3), (N3, N2) ]
      N2−PE => [ (N2, N1), (N1, N3), (N3, PE) ]
      PB−PE => [ (PB, N1), (N1, N3), (N3, PE) ]
      [Graph labels: PB, a(), N3, N1, N2, PE, call, ret, virtual-checkpoint]
  13. Signal and Exception
      1. Pause thread LoA
      2. Trace new LoA for catch block signal handler
      3. Resume thread LoA
      [Diagram labels: Thread, SA, EA, EB, N1, SB, N2, Catch Block or Signal Handler]
  14. ScaRR Design
      [Diagram labels: Verifier, Prover, Application, Challenge (nonce, input), Offline Measurements**, analyze(Application), Offline Analysis, Online Analysis, (output), List of Reports* (Cb, Cr, H(LoA))]
      *list of reports and output go in parallel
      **LoA + extra info
  15. Measurements
      Offline Measurements (Verifier side): (Cb, Ce, H(LoA)) => [ (M1, A1) ... ]
      Partial Report (Online Measurements) (Prover side): (Cb, Ce, H(LoA))
      - Cb: Beginning checkpoint
      - Ce: End checkpoint
      - H(LoA): Hash of LoA
      - [ (M1, A1) ... ]: List of Action
  16. Verification
      Partial Report: (Cb, Ce, H(LoA))
      - Cb: Beginning checkpoint
      - Ce: End checkpoint
      - H(LoA): Hash of LoA
      (Check1) H(LoA) is in DB?            n -> abort(), y -> (Check2)
      (Check2) Ce(t-1) == Cb(t)            n -> abort(), y -> (Check3)
      (Check3) ss(H(LoA)) /* shadow stack */  n -> abort(), y -> OK!
  17. Remote Shadow Stack
          #include <stdio.h>

          void a(int x);  /* declared before its first use in main() */

          int main(int argc, char ** argv) {
              a(10);
              /* irrelevant code */
              a(6);
              return 0;
          }

          void a(int x) {
              /* irrelevant code */
              printf("%d\n", x);
              return;
          }
      (S, C, H1) => [ (M1, A1) ]
      (C, C, H2) => [ (A2, M2), (M3, A1) ]
      (C, E, H3) => [ (A2, M4) ]
      Offline measurement, a map between valid Partial Report and LoA
      [Graph labels: S, M1, M2, M3, M4, E, A1, C, A2]
  18. Remote Shadow Stack
      Offline measurement:
      (S, C, H1) => [ (M1, A1) ]
      (C, C, H2) => [ (A2, M2), (M3, A1) ]
      (C, E, H3) => [ (A2, M4) ]
      Attack: (S, C, H1) → (C, C, H2) → (C, C, H2) →
      (Check1) and (Check2) hold!
      valid! (A2, M2) ret_to (M1, A1)
      not valid! (A2, M2) ret_to (M3, A1)
      [Diagram, actions over Time: (M1, A1) (M1, A1) (A2, M2) (M3, A1) (M3, A1) (A2, M2)]
  19. Implementation
      - Offline Analysis
      - Prover
  20. Offline Analysis
      [Diagram labels: C/C++ program, LLVM/Clang, Instrumented Application, CRAB // abstract interpretation, Offline Measurement]
  21. Prover
      [Diagram labels, in slide order:]
      - User-Space
      - Application Process // instrumented
      - Kernel-Space
      - ScaRR Libraries // to communicate with the kernel
      - ScaRR sys_measure
      - ScaRR Module
      - ScaRR sys_addaction
      // custom kernel // as trusted anchor // 2 new syscalls
  22. Evaluation
      Based on SPEC-CPU 2017
      - Attestation Speed
      - Verification Speed
      - Network Impact
      - Security Properties
  23. Attestation Speed
      Previous works 20K/30K cf-events
  24. Verification Speed
      From 1.4 M/s to 2.7 M/s
      Previous work from 110 to 30k cf-events/s
      (Check1) => constant hashmap fetching
      (Check2) => constant operation
      (Check3) => O(#actions for LoA)
      [Chart label: Average LoA size]
  25. Network Impact
      Problem: Too many reports -> network overload
      Solution: Compress groups of reports
  26. Security Properties
      ✓ Code Injection: jumping to shellcode produces wrong LoA
      ✓ Code-reuse Attacks: produces wrong LoA
      ✓ Overwrite Nodes: invalid static attestation
  27. Technical Limitation
      - Context switch still too slow (considered PT too)
      - Be kernel-agnostic by using other trusted anchor (e.g., SGX, TrustZone)
      - Require source code
      - CFG generation affects precisions of attack detections
  28. Thank you for attention…
      Flavio Toffalini - flavio_toffalini@mymail.sutd.edu.sg
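
Added example (not from the slides or from the ScaRR code base): a minimal verifier that runs Check1, Check2 and Check3 from slides 16-18 over the slide-17 offline measurement, and shows the replayed (C, C, H2) report passing the first two checks and failing the shadow-stack check. SHA-256 as H, the call/ret action kinds, the `RET_SITE` map and all function names are assumptions made for illustration.

```python
import hashlib

# Expected return site per call site in the slide-17 program (assumption:
# this is the kind of "extra info" kept with the offline measurement).
RET_SITE = {"M1": "M2", "M3": "M4"}

def h(loa):
    """H(LoA) over the list of actions; SHA-256 is an assumption."""
    return hashlib.sha256(repr(loa).encode()).hexdigest()

# Offline measurement from slide 17, with each edge tagged call/ret (assumed).
LOAS = {
    ("S", "C"): [("call", "M1", "A1")],
    ("C", "C"): [("ret", "A2", "M2"), ("call", "M3", "A1")],
    ("C", "E"): [("ret", "A2", "M4")],
}
# Verifier DB: valid partial report (Cb, Ce, H(LoA)) => LoA
DB = {(cb, ce, h(loa)): loa for (cb, ce), loa in LOAS.items()}

def verify(reports, start="S"):
    """Return (True, 'ok') or (False, reason) for a stream of partial reports."""
    stack, prev_end = [], start
    for t, rep in enumerate(reports):
        loa = DB.get(rep)
        if loa is None:                      # Check1: H(LoA) is in DB?
            return False, f"check1 failed at report {t}"
        if rep[0] != prev_end:               # Check2: Ce(t-1) == Cb(t)
            return False, f"check2 failed at report {t}"
        for kind, src, dst in loa:           # Check3: remote shadow stack
            if kind == "call":
                stack.append(RET_SITE[src])  # remember where this call returns
            elif not stack or stack.pop() != dst:
                return False, f"check3 failed at report {t}"
        prev_end = rep[1]
    return True, "ok"

def make_report(cb, ce):
    """Partial report a Prover would send for one LoA (constructed sample)."""
    return (cb, ce, h(LOAS[(cb, ce)]))

# Constructed report streams: the benign run and the slide-18 attack.
VALID = [make_report("S", "C"), make_report("C", "C"), make_report("C", "E")]
ATTACK = [make_report("S", "C"), make_report("C", "C"), make_report("C", "C")]

if __name__ == "__main__":
    print(verify(VALID))
    print(verify(ATTACK))
```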