Extraction of Host Internal Information for External Hardware Security Monitors

Abstract

Defending electrical devices against a variety of attacks is a daunting task. A lot of researchers have endeavored to address this issue by proposing security solutions that can attain high level of security while minimizing performance overhead introduced to the system. Among them, hardware-based security solutions have been noted for high performance compared to their software-based counterparts. However, we have witnessed that these mechanisms have rarely been accepted to the market. This phenomenon may be attributed to the fact that most solutions incur non-negligible modifications to the host architecture internals and thus would substantially increase the design time and manufacturing cost. In order to answer this problem, a hardware-based external monitoring has recently been proposed. The crux of this solution is that, being located outside the host core and connected to the host via a standard bus interface, the external monitor can efficiently conduct time-consuming monitoring tasks on behalf of the host while requiring no alteration to the host internals. However, these approaches either suffer from the incapability of handling various security problems or experience unsubtle performance overhead because, being externally placed and having no dedicated communication channels, the hardware monitor has a limited access to the information produced by the host core, and consequently, the system may be forced to use memory regions or other shared hardware resources to explicitly transfer the information from the host to the monitor hardware. In this thesis, we propose a security solution that can carry out more complicated security tasks with low performance overhead while keeping the host internal architecture intact. This can be archived by using an existing standard debug interface, readily available in numerous modern processors, to connect our security monitor to the host processor. In order to show the validity of our approach and explore the implication of using the debug interface for security monitoring, we present three security monitoring systems each of which addresses one of three well-known security issues: defending against kernel rootkits, tracking information-flow, and defense of code-reuse attacks. The experiment results show that, when implemented on a FPGA prototyping board, our monitoring solutions successfully detect the attack samples (i.e., data leakage attacks and CRAs). More importantly, our systems can attain significantly low performance overhead compared to previously proposed security monitoring solutions. The experiments also reveal that the area overhead of the hardware is acceptably small when compared to the normal sizes of today's mobile processors.