Efficient Anomalous Behavior Detection on ARM using the Debug Interface : An Efficient Anomalous Behavior Detection Method Using the Debug Interface of ARM Processors
DC Field | Value | Language |
---|---|---|
dc.contributor.advisor | 백윤흥 | - |
dc.contributor.author | 이용제 | - |
dc.date.accessioned | 2018-05-28T16:21:37Z | - |
dc.date.available | 2018-05-28T16:21:37Z | - |
dc.date.issued | 2018-02 | - |
dc.identifier.other | 000000149479 | - |
dc.identifier.uri | https://hdl.handle.net/10371/140675 | - |
dc.description | Thesis (Ph.D.) -- Seoul National University Graduate School : College of Engineering, Department of Electrical and Computer Engineering, 2018. 2. 백윤흥. | - |
dc.description.abstract | In recent years, the security and privacy of smart embedded devices have become increasingly important problems. Attackers attempt to acquire privileges to control system behaviors at their disposal, mostly by exploiting exposed vulnerabilities of a program running on the victim device. As a result, the victim exhibits an abnormal behavior such as control flow diversion. A typical method to detect the anomalous behavior of the currently running program is to monitor the runtime execution flow and check whether the monitored flow is legitimate based on a set of pre-defined rules. Therefore, in order to detect attacks instantly at the moment when they manipulate the victim device to behave deviantly, a massive amount of CPU execution information representing program behaviors is required. For this reason, we must provide a special mechanism to gather the CPU execution information at runtime and to quickly deliver the gathered information to detection algorithms as the inputs for detection of attacks on the running programs. Many researchers have endeavored to address this issue by proposing security solutions that can attain a high level of security while minimizing the performance overhead introduced to the system. However, we have witnessed that these mechanisms have rarely been accepted by the market. If the mechanism is implemented in software, it will impose too much performance burden on the CPU to be deployed in practice. Even the hardware solutions incur non-negligible modifications to the host architecture internals and thus would substantially increase the design time and manufacturing cost. This thesis proposes efficient anomalous behavior detection schemes on smart devices. We choose an ARM processor as our host CPU since ARM has been a dominant player in the mobile CPU market for years. To collect the CPU execution information, we exploit the ARM CoreSight debug interface that has been widely deployed in recent processors for real-time debugging and tracing of software. Using the debug interface, we propose hardware-assisted SoC-level mechanisms that are designed to perform the detection task with acceptably low overhead even in performance-constrained devices. In order to show the validity of our approach and explore the implication of using the ARM debug interface for anomalous behavior detection, we first present security monitoring systems that address the well-known security issues: data leakage and code-reuse attacks. Then, we present a mixed HW/SW approach that gives users the flexibility to design their own defenses utilizing the ARM debug interface. The experiments also reveal that the area overhead of the hardware is acceptably small when compared to the normal sizes of today's mobile processors. | - |
dc.description.tableofcontents | 1 INTRODUCTION; 2 Monitoring Dynamic Information Flow using Control-Flow/Data-Flow Information; 2.1 Introduction; 2.2 Related Work; 2.3 DIFT Process with an External Hardware Engine; 2.4 Building a DIFT Engine for CDI; 2.4.1 Components of the DIFT Engine; 2.4.2 Tag Propagation Unit; 2.5 Experiment; 2.5.1 Security Evaluation; 2.5.2 Performance Evaluation; 2.6 Conclusion; 3 Monitoring Return-Oriented Programming with Control-Flow Information; 3.1 Introduction; 3.2 Related Work and Assumptions; 3.2.1 Related Work; 3.2.2 Threat Model and Assumptions; 3.3 Architecture for ROP Detection; 3.3.1 Branch Trace Analyzer; 3.3.2 Shadow Call Stack; 3.4 Meta-data Construction; 3.4.1 Meta-data Structure; 3.4.2 Using Meta-data for ROP Monitoring; 3.5 Experimental Result; 3.6 Conclusion and Future Extension; 4 Implementing Host-based Control-Flow Monitoring Framework using the ARM PTM Interface; 4.1 INTRODUCTION; 4.2 ASSUMPTIONS; 4.3 OVERALL SYSTEM ARCHITECTURE; 4.3.1 SoC Prototype Overview; 4.3.2 CRA Detection Process; 4.4 FULL HARDWARE IMPLEMENTATION; 4.4.1 Binary Instrumentation; 4.4.2 Hardware Architectures; 4.5 LIGHTWEIGHT MIXED CRA DETECTION SOLUTION; 4.5.1 Hardware Architectures; 4.5.2 Implementing CRA Inspection Software on Our Framework; 4.6 EXPERIMENTAL RESULTS; 4.6.1 Experimental Setup and Synthesis Results; 4.6.2 Analysis of Full Hardware Implementation; 4.6.3 Analysis of Mixed Hardware/Software Implementation; 4.7 RELATED WORK AND DISCUSSION; 4.7.1 RELATED WORK; 4.7.2 DISCUSSION; 4.8 CONCLUSION; 5 Conclusion; Bibliography; Abstract (In Korean) | - |
dc.format | application/pdf | - |
dc.format.extent | 3337850 bytes | - |
dc.format.medium | application/pdf | - |
dc.language.iso | en | - |
dc.publisher | Seoul National University Graduate School | - |
dc.subject | Information Security | - |
dc.subject | Hardware-based Anomalous Behavior Detection | - |
dc.subject | Debug Interface | - |
dc.subject | ARM | - |
dc.subject | CoreSight | - |
dc.subject.ddc | 621.3 | - |
dc.title | Efficient Anomalous Behavior Detection on ARM using the Debug Interface | - |
dc.title.alternative | An Efficient Anomalous Behavior Detection Method Using the Debug Interface of ARM Processors | - |
dc.type | Thesis | - |
dc.contributor.AlternativeAuthor | Yongje Lee | - |
dc.description.degree | Doctor | - |
dc.contributor.affiliation | College of Engineering, Department of Electrical and Computer Engineering | - |
dc.date.awarded | 2018-02 | - |
Items in S-Space are protected by copyright, with all rights reserved, unless otherwise indicated.