A Framework to Secure Peripherals at Runtime

  • Fengwei Zhang
  • Haining Wang
  • Kevin Leach
  • Angelos Stavrou
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8712)

Abstract

Secure hardware forms the foundation of a secure system. However, securing hardware devices remains an open research problem. In this paper, we present IOCheck, a framework to enhance the security of I/O devices at runtime. It leverages System Management Mode (SMM) to quickly check the integrity of I/O configurations and firmware. IOCheck is agnostic to the operating system. We use random-polling and event-driven approaches to switch into SMM. We implement a prototype of IOCheck and conduct extensive experiments on physical machines. Our experimental results show that IOCheck takes 10 milliseconds to check the integrity of a network card and a video card. Also, IOCheck introduces a low overhead on Windows and Linux platforms. We show that IOCheck achieves a faster switching time than the Dynamic Root of Trust Measurement approach.

Keywords

Integrity Firmware I/O Configurations SMM 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    National Institute of Standards, NIST: National Vulnerability Database, http://nvd.nist.gov (access time March 4, 2014)
  2. 2.
    Mitre: Vulnerability list, http://cve.mitre.org/cve/cve.html
  3. 3.
    Bonkoski, A.J., Bielawski, R., Halderman, J.A.: Illuminating the Security Issues Surrounding Lights-out Server Management. In: Proceedings of the 7th USENIX Conference on Offensive Technologies (WOOT 2013) (2013)Google Scholar
  4. 4.
    Duflot, L., Perez, Y.A.: Can You Still Trust Your Network Card? In: Proceedings of the 13th CanSecWest Conference (CanSecWest 2010) (2010)Google Scholar
  5. 5.
    Chen, K.: Reversing and Exploiting an Apple Firmware Update. Black Hat (2009)Google Scholar
  6. 6.
    Stewin, P., Bystrov, I.: Understanding DMA Malware. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 21–41. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  7. 7.
    Aumaitre, D., Devine, C.: Subverting Windows 7 x64 Kernel With DMA Attacks. In: HITBSecConf Amsterdam (2010)Google Scholar
  8. 8.
    Triulzi, A.: Project Maux Mk.II. In: CanSecWest (2008)Google Scholar
  9. 9.
    Sang, F., Nicomette, V., Deswarte, Y.: I/O Attacks in Intel PC-based Architectures and Countermeasures. In: SysSec Workshop (SysSec 2011) (2011)Google Scholar
  10. 10.
    Stewin, P.: A Primitive for Revealing Stealthy Peripheral-Based Attacks on the Computing Platform’s Main Memory. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds.) RAID 2013. LNCS, vol. 8145, pp. 1–20. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  11. 11.
    Sang, F., Lacombe, E., Nicomette, V., Deswarte, Y.: Exploiting an I/OMMU vulnerability. In: 5th International Conference on Malicious and Unwanted Software (MALWARE 2010), pp. 7–14 (2010)Google Scholar
  12. 12.
    Wojtczuk, R., Rutkowska, J.: Another Way to Circumvent Intel® Trusted Execution Technology (2009), http://invisiblethingslab.com/resources/misc09/Another
  13. 13.
    Wojtczuk, R., Rutkowska, J.: Following the White Rabbit: Software Attacks against Intel® VT-d (2011)Google Scholar
  14. 14.
    Trusted Computing Group: TCG PC Client Specific Implementation Specification for Conventional BIOS (February 2012), http://www.trustedcomputinggroup.org/files/resource_files/CB0B2BFA-1A4B-B294-D0C3B9075B5AFF17/TCG_PCClientImplementation_1-21_1_00.pdf
  15. 15.
    Trusted Computing Group: TPM Main Specification Level 2 Version 1.2, Revision 116 (2011), http://www.trustedcomputinggroup.org/resources/tpm_main_specification
  16. 16.
    Trusted Computing Group: TCG D-RTM Architecture Document Version 1.0.0 (June 2013), http://www.trustedcomputinggroup.org/resources/drtm_architecture_specification
  17. 17.
  18. 18.
    McCune, J., Parno, B., Perrig, A., Reiter, M., Isozaki, H.: Flicker: An Execution Infrastructure for TCB Minimization. In: Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems (2008)Google Scholar
  19. 19.
    Duflot, L., Perez, Y.-A., Morin, B.: What If You Can’t Trust Your Network Card? In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 378–397. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  20. 20.
    Li, Y., McCune, J., Perrig, A.: VIPER: Verifying the Integrity of PERipherals’ Firmware. In: Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS 2011) (2011)Google Scholar
  21. 21.
    Moon, H., Lee, H., Lee, J., Kim, K., Paek, Y., Kang, B.: Vigilare: Toward Snoop-based Kernel Integrity Monitor. In: Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012) (2012)Google Scholar
  22. 22.
    Wang, J., Sun, K., Stavrou, A.: A Dependability Analysis of Hardware-Assisted Polling Integrity Checking Systems. In: Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012) (2012)Google Scholar
  23. 23.
    Zaddach, J., Kurmus, A., Balzarotti, D., Blass, E.O., Francillon, A., Goodspeed, T., Gupta, M., Koltsidas, I.: Implementation and Implications of a Stealth Hard-Drive Backdoor. In: Proceedings of the 29th Annual Computer Security Applications Conference (ACSAC 2013) (2013)Google Scholar
  24. 24.
    Triulzi, A.: The Jedi Packet Trick Takes Over the Deathstar: Taking NIC Backdoors to the Next Level. In: The 12th Annual CanSecWest Conference (2010)Google Scholar
  25. 25.
    Butterworth, J., Kallenberg, C., Kovah, X.: BIOS Chronomancy: Fixing the Core Root of Trust for Measurement. In: Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS 2013) (2013)Google Scholar
  26. 26.
    Coreboot: Open-Source BIOS, http://www.coreboot.org/
  27. 27.
    VIA: VT8237R Southbridge, http://www.via.com.tw/
  28. 28.
    Broadcom Corporation: Broadcom NetXtreme Gigabit Ethernet Controller, http://www.broadcom.com/products/BCM5751
  29. 29.
  30. 30.
    Salihun, D.: Malicious Code Execution in PCI Expansion ROM (June 2012), http://resources.infosecinstitute.com/pci-expansion-rom/
  31. 31.
    Flashrom: Firmware flash utility, http://www.flashrom.org/
  32. 32.
    Advanced Micro Devices, Inc.: BIOS and Kernel Developer’s Guide for AMD Athlon 64 and AMD Opteron ProcessorsGoogle Scholar
  33. 33.
    William, H., Teukolsky, S.A., Vetterling, W.T., Flannery, B.P.: Numerical Recipes: The Art of Scientific Computing. Cambridge University Press, New York (2007)Google Scholar
  34. 34.
  35. 35.
  36. 36.
    Jeff: RWEverything Tool, http://rweverything.com/
  37. 37.
  38. 38.
    Advanced Micro Devices, Inc.: AMD K8 Architecture, http://commons.wikimedia.org/wiki/File:AMD_K8.PNG
  39. 39.
    Wojtczuk, R., Rutkowska, J.: Attacking Intel Trust Execution Technologies (2009), http://invisiblethingslab.com/resources/bh09dc/Attacking
  40. 40.
    Wojtczuk, R., Rutkowska, J.: Attacking Intel TXT via SINIT Code Execution Hijacking (November 2011), http://www.invisiblethingslab.com/resources/2011/Attacking_Intel_TXT_via_SINIT_hijacking.pdf
  41. 41.
    Azab, A.M., Ning, P., Zhang, X.: SICE: A Hardware-level Strongly Isolated Computing Environment for x86 Multi-core Platforms. In: Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS 2011) (2011)Google Scholar
  42. 42.
    Wojtczuk, R., Rutkowska, J.: Attacking SMM Memory via Intel CPU Cache Poisoning (2009)Google Scholar
  43. 43.
    Duflot, L., Levillain, O., Morin, B., Grumelard, O.: Getting into the SMRAM: SMM Reloaded. In: Proceedings of the 12th CanSecWest Conference (CanSecWest 2009) (2009)Google Scholar
  44. 44.
    Intel: Intel® 64 and IA-32 Architectures Software Developer’s ManualGoogle Scholar
  45. 45.
    Sang, F.L., Nicomette, V., Deswarte, Y.: A Tool to Analyze Potential I/O Attacks Against PCs. IEEE Security & Privacy (2013)Google Scholar
  46. 46.
    Zhang, F., Wang, J., Sun, K., Stavrou, A.: HyperCheck: A Hardware-assisted Integrity Monitor. IEEE Transactions on Dependable and Secure Computing (2013)Google Scholar
  47. 47.
    Azab, A.M., Ning, P., Wang, Z., Jiang, X., Zhang, X., Skalsky, N.C.: HyperSentry: Enabling Stealthy In-Context Measurement of Hypervisor Integrity. In: Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS 2010) (2010)Google Scholar
  48. 48.
    Reina, A., Fattori, A., Pagani, A., Cavallaro, L., Bruschi, D.: When Hardware Meets Software: A Bulletproof Solution to Forensic Memory Acquisition. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC 2012) (2012)Google Scholar
  49. 49.
    Zhang, F., Leach, K., Sun, K., Stavrou, A.: SPECTRE: A Dependable Introspection Framework via System Management Mode. In: Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2013) (2013)Google Scholar
  50. 50.
    Zhang, Y., Pan, W., Wang, Q., Bai, K., Yu, M.: HypeBIOS: Enforcing VM Isolation with Minimized and Decomposed Cloud TCB. Technical report, Virginia Commonwealth University (2012)Google Scholar
  51. 51.
    Embleton, S., Sparks, S., Zou, C.: SMM rootkits: A New Breed of OS Independent Malware. In: Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm 2008) (2008)Google Scholar
  52. 52.
    PCI-SIG: PCI Local Bus Specification Revision 3.0, http://www.pcisig.com/specifications/

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Fengwei Zhang
    • 1
  • Haining Wang
    • 2
  • Kevin Leach
    • 3
  • Angelos Stavrou
    • 1
  1. 1.George Mason UniversityFairfaxUSA
  2. 2.College of William and MaryWilliamsburgUSA
  3. 3.University of VirginiaCharlottesvilleUSA

Personalised recommendations