Efficient Anomalous Behavior Detection on ARM using the Debug Interface

Abstract

In recent years, the security and privacy of smart embedded devices become increasingly important problems. Attackers attempt to acquire privileges to control system behaviors at their disposal mostly by exploiting exposed vulnerabilities of a program running on the victim device. As a result, the victim exhibits an abnormal behavior such as control flow diversion. A typical method to detect the anomalous behavior of the currently running program is to monitor the runtime execution flow and check if the monitored flow is legitimate based on a set of pre-defined rules. Therefore in order to detect attacks instantly at the moment when they manipulate the victim device to behave deviantly, a massive amount of CPU execution information representing program behaviors is required. For this reason, we must somehow provide a special mechanism to gather at runtime the CPU execution information and to quickly deliver the gathered information to detection algorithms as the inputs for detection of attacks on the running programs. A lot of researchers have endeavored to address this issue by proposing security solutions that can attain high level of security while minimizing performance overhead introduced to the system. However, we have witnessed that these mechanisms have rarely been accepted to the market. If the mechanism is implemented in software, it obviously will impose too much performance burden on the CPU to be deployed in practice. Even the hardware solutions incur non-negligible modifications to the host architecture internals and thus would substantially increase the design time and manufacturing cost. This thesis proposes the efficient anomalous behavior detection schemes on smart devices. We choose an ARM processor as our host CPU since ARM has been a dominant player in the mobile CPU market for years. To collect the CPU execution information, we exploit the ARM CoreSight debug interface that has been widely deployed in recent processors for real-time debugging and tracing of software. Using the debug i interface, a hardware-assisted SoC-level mechanisms that are designed to perform the detection task with acceptably low overhead even in performance-constrained devices. In order to show the validity of our approach and explore the implication of using the ARM debug interface for anomalous behavior detection, we first present security monitoring systems that addresses the well-known security issues :data leakage and core-reuse attacks. Then, we present a mixed HW/SW approach that gives users the flexibility to design their own defenses utilizing the ARM debug interface. The experiments also reveal that the area overhead of the hardware is acceptably small when compared to the normal sizes of todays mobile processors.