Browse

Efficient Anomalous Behavior Detection on ARM using the Debug Interface : ARM 프로세서의 디버그 인터페이스를 활용한 효율적인 이상 행위 탐지 방법

Cited 0 time in Web of Science Cited 0 time in Scopus
Authors
이용제
Advisor
백윤흥
Major
공과대학 전기·컴퓨터공학부
Issue Date
2018-02
Publisher
서울대학교 대학원
Keywords
Information SecurityHardware-based Anomalous Behavior DetectionDebug InterfaceARMCoreSight
Description
학위논문 (박사)-- 서울대학교 대학원 : 공과대학 전기·컴퓨터공학부, 2018. 2. 백윤흥.
Abstract
In recent years, the security and privacy of smart embedded devices become increasingly
important problems. Attackers attempt to acquire privileges to control system
behaviors at their disposal mostly by exploiting exposed vulnerabilities of a program
running on the victim device. As a result, the victim exhibits an abnormal behavior
such as control flow diversion. A typical method to detect the anomalous behavior
of the currently running program is to monitor the runtime execution flow and check if
the monitored flow is legitimate based on a set of pre-defined rules. Therefore in order
to detect attacks instantly at the moment when they manipulate the victim device to behave
deviantly, a massive amount of CPU execution information representing program
behaviors is required. For this reason, we must somehow provide a special mechanism
to gather at runtime the CPU execution information and to quickly deliver the gathered
information to detection algorithms as the inputs for detection of attacks on the running
programs. A lot of researchers have endeavored to address this issue by proposing
security solutions that can attain high level of security while minimizing performance
overhead introduced to the system. However, we have witnessed that these mechanisms
have rarely been accepted to the market. If the mechanism is implemented in
software, it obviously will impose too much performance burden on the CPU to be
deployed in practice. Even the hardware solutions incur non-negligible modifications
to the host architecture internals and thus would substantially increase the design time
and manufacturing cost.
This thesis proposes the efficient anomalous behavior detection schemes on smart
devices. We choose an ARM processor as our host CPU since ARM has been a dominant
player in the mobile CPU market for years. To collect the CPU execution information,
we exploit the ARM CoreSight debug interface that has been widely deployed
in recent processors for real-time debugging and tracing of software. Using the debug
i
interface, a hardware-assisted SoC-level mechanisms that are designed to perform the
detection task with acceptably low overhead even in performance-constrained devices.
In order to show the validity of our approach and explore the implication of using
the ARM debug interface for anomalous behavior detection, we first present security
monitoring systems that addresses the well-known security issues :data leakage and
core-reuse attacks. Then, we present a mixed HW/SW approach that gives users the
flexibility to design their own defenses utilizing the ARM debug interface. The experiments
also reveal that the area overhead of the hardware is acceptably small when
compared to the normal sizes of todays mobile processors.
Language
English
URI
https://hdl.handle.net/10371/140675
Files in This Item:
Appears in Collections:
College of Engineering/Engineering Practice School (공과대학/대학원)Dept. of Electrical and Computer Engineering (전기·정보공학부)Theses (Ph.D. / Sc.D._전기·정보공학부)
  • mendeley

Items in S-Space are protected by copyright, with all rights reserved, unless otherwise indicated.

Browse