Publications
Detailed Information
Efficient Anomalous Behavior Detection on ARM using the Debug Interface : ARM 프로세서의 디버그 인터페이스를 활용한 효율적인 이상 행위 탐지 방법
Cited 0 time in
Web of Science
Cited 0 time in Scopus
- Authors
- Advisor
- 백윤흥
- Major
- 공과대학 전기·컴퓨터공학부
- Issue Date
- 2018-02
- Publisher
- 서울대학교 대학원
- Keywords
- Information Security ; Hardware-based Anomalous Behavior Detection ; Debug Interface ; ARM ; CoreSight
- Description
- 학위논문 (박사)-- 서울대학교 대학원 : 공과대학 전기·컴퓨터공학부, 2018. 2. 백윤흥.
- Abstract
- In recent years, the security and privacy of smart embedded devices become increasingly
important problems. Attackers attempt to acquire privileges to control system
behaviors at their disposal mostly by exploiting exposed vulnerabilities of a program
running on the victim device. As a result, the victim exhibits an abnormal behavior
such as control flow diversion. A typical method to detect the anomalous behavior
of the currently running program is to monitor the runtime execution flow and check if
the monitored flow is legitimate based on a set of pre-defined rules. Therefore in order
to detect attacks instantly at the moment when they manipulate the victim device to behave
deviantly, a massive amount of CPU execution information representing program
behaviors is required. For this reason, we must somehow provide a special mechanism
to gather at runtime the CPU execution information and to quickly deliver the gathered
information to detection algorithms as the inputs for detection of attacks on the running
programs. A lot of researchers have endeavored to address this issue by proposing
security solutions that can attain high level of security while minimizing performance
overhead introduced to the system. However, we have witnessed that these mechanisms
have rarely been accepted to the market. If the mechanism is implemented in
software, it obviously will impose too much performance burden on the CPU to be
deployed in practice. Even the hardware solutions incur non-negligible modifications
to the host architecture internals and thus would substantially increase the design time
and manufacturing cost.
This thesis proposes the efficient anomalous behavior detection schemes on smart
devices. We choose an ARM processor as our host CPU since ARM has been a dominant
player in the mobile CPU market for years. To collect the CPU execution information,
we exploit the ARM CoreSight debug interface that has been widely deployed
in recent processors for real-time debugging and tracing of software. Using the debug
i
interface, a hardware-assisted SoC-level mechanisms that are designed to perform the
detection task with acceptably low overhead even in performance-constrained devices.
In order to show the validity of our approach and explore the implication of using
the ARM debug interface for anomalous behavior detection, we first present security
monitoring systems that addresses the well-known security issues :data leakage and
core-reuse attacks. Then, we present a mixed HW/SW approach that gives users the
flexibility to design their own defenses utilizing the ARM debug interface. The experiments
also reveal that the area overhead of the hardware is acceptably small when
compared to the normal sizes of todays mobile processors.
- Language
- English
- Files in This Item:
Item View & Download Count
Items in S-Space are protected by copyright, with all rights reserved, unless otherwise indicated.