Enforcing Executing-Implies-Verified with the Integrity-Aware Processor

  • Michael LeMay
  • Carl A. Gunter
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6740)


Malware often injects and executes new code to infect hypervisors, OSs and applications. Such malware infections can be prevented by checking all code against a whitelist before permitting it to execute. The eXecuting Implies Verified Enforcer (XIVE) is a distributed system in which a kernel on each target system consults a server called the approver to verify code on-demand. We propose a new hardware mechanism to isolate the XIVE kernel from the target host. The Integrity-Aware Processor (IAP) that embodies this mechanism is based on a SPARC soft-core for an FPGA and provides high performance, high compatibility with target systems and flexible invocation options to ensure visibility into the target system. This facilitates the development of a very small trusted computing base.


Target System, Address Space, Direct Memory Access, Page Table, Kernel Code
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Michael LeMay (University of Illinois, Urbana, USA)
  • Carl A. Gunter (University of Illinois, Urbana, USA)
