Results 1 - 10
of
303
Terra: a virtual machine-based platform for trusted computing
, 2003
"... We present a flexible architecture for trusted computing, called Terra, that allows applications with a wide range of security requirements to run simultaneously on commodity hardware. Applications on Terra enjoy the semantics of running on a separate, dedicated, tamper-resistant hardware platform, ..."
Abstract
-
Cited by 431 (5 self)
- Add to MetaCart
(Show Context)
We present a flexible architecture for trusted computing, called Terra, that allows applications with a wide range of security requirements to run simultaneously on commodity hardware. Applications on Terra enjoy the semantics of running on a separate, dedicated, tamper-resistant hardware platform, while retaining the ability to run side-by-side with normal applications on a generalpurpose computing platform. Terra achieves this synthesis by use of a trusted virtual machine monitor (TVMM) that partitions a tamper-resistant hardware platform into multiple, isolated virtual machines (VM), providing the appearance of multiple boxes on a single, general-purpose platform. To each VM, the TVMM provides the semantics of either an “open box, ” i.e. a general-purpose hardware platform like today’s PCs and workstations, or a “closed box, ” an opaque special-purpose platform that protects the privacy and integrity of its contents like today’s game consoles and cellular phones. The software stack in each VM can be tailored from the hardware interface up to meet the security requirements of its application(s). The hardware and TVMM can act as a trusted party to allow closed-box VMs to cryptographically identify the software they run, i.e. what is in the box, to remote parties. We explore the strengths and limitations of this architecture by describing our prototype implementation and several applications that we developed for it.
Improving Host Security with System Call Policies
- In Proceedings of the 12th Usenix Security Symposium
, 2002
"... We introduce a system that eliminates the need to run programs in privileged process contexts. Using our system, programs run unprivileged but may execute certain operations with elevated privileges as determined by a configurable policy eliminating the need for suid or sgid binaries. We present the ..."
Abstract
-
Cited by 330 (0 self)
- Add to MetaCart
(Show Context)
We introduce a system that eliminates the need to run programs in privileged process contexts. Using our system, programs run unprivileged but may execute certain operations with elevated privileges as determined by a configurable policy eliminating the need for suid or sgid binaries. We present the design and analysis of the "Systrace" facility which supports fine grained process confinement, intrusion detection, auditing and privilege elevation. It also facilitates the often difficult process of policy generation. With Systrace, it is possible to generate policies automatically in a training session or generate them interactively during program execution. The policies describe the desired behavior of services or user applications on a system call level and are enforced to prevent operations that are not explicitly permitted. We show that Systrace is efficient and does not impose significant performance penalties.
Least we remember: Cold boot attacks on encryption keys
- In USENIX Security Symposium
, 2008
"... For the most recent version of this paper, answers to frequently asked questions, and videos of demonstration attacks, visit ..."
Abstract
-
Cited by 205 (3 self)
- Add to MetaCart
For the most recent version of this paper, answers to frequently asked questions, and videos of demonstration attacks, visit
SWATT: SoftWare-based ATTestation for Embedded Devices
"... ... We present an implementation of SWATT in off-the-shelf sensor network devices, which enables us to verify the contents of the program memory even while the sensor node is running. ..."
Abstract
-
Cited by 187 (14 self)
- Add to MetaCart
(Show Context)
... We present an implementation of SWATT in off-the-shelf sensor network devices, which enables us to verify the contents of the program memory even while the sensor node is running.
Design of a Wireless Sensor Network Platform for Detecting Rare, Random, and Ephemeral Events
, 2005
"... We present the design of the eXtreme Scale Mote, a new sensor network platform for reliably detecting and classifying, and quickly reporting, rare, random, and ephemeral events in a largescale, long-lived, and retaskable manner. This new mote was designed for the ExScal project which seeks to demons ..."
Abstract
-
Cited by 172 (18 self)
- Add to MetaCart
(Show Context)
We present the design of the eXtreme Scale Mote, a new sensor network platform for reliably detecting and classifying, and quickly reporting, rare, random, and ephemeral events in a largescale, long-lived, and retaskable manner. This new mote was designed for the ExScal project which seeks to demonstrate a 10,000 node network capable of discriminating civilians, soldiers and vehicles, spread out over a 10km 2 area, with node lifetimes approaching 1,000 hours of continuous operation on two AA alkaline batteries. This application posed unique functional, usability, scalability, and robustness requirements which could not be met with existing hardware, and therefore motivated the design of a new platform. The detection and classification requirements are met using infrared, magnetic, and acoustic sensors. The infrared and acoustic sensors are designed for low-power continuous operation and include asynchronous processor wakeup circuitry. The usability and scalability requirements are met by minimizing the frequency and cost of human-in-the-loop operations during node deployment, activation, and verification through improvements in the user interface, packaging, and configurability of the platform. Recoverable retasking is addressed by using a grenade timer that periodically forces a system reset. The key contributions of this work are a specific design point and general design methods for building sensor network platforms to detect exceptional events. 1.
The SwitchWare Active Network Architecture
, 1998
"... Active networks must balance the flexibility of a programmable network infrastructure against the safety and security requirements inherent in sharing that infrastructure. Furthermore, this balance must be achieved while maintaining the usability of the network. The SwitchWare active network archite ..."
Abstract
-
Cited by 156 (32 self)
- Add to MetaCart
Active networks must balance the flexibility of a programmable network infrastructure against the safety and security requirements inherent in sharing that infrastructure. Furthermore, this balance must be achieved while maintaining the usability of the network. The SwitchWare active network architecture is a novel approach to achieving this balance using three layers: active packets, which contain mobile programs that replace traditional packets; active extensions, which provide services on the network elements, and which can be dynamically loaded, and; a secure active router infrastructure, which forms a high integrity base upon which the security of the other layers depends. In addition to integrity-checking and cryptography-based authentication, security in our architecture depends heavily on verification techniques from programming languages, such as strong type checking.
SubVirt: Implementing malware with virtual machines
, 2006
"... Attackers and defenders of computer systems both strive to gain complete control over the system. To maximize their control, both attackers and defenders have migrated to low-level, operating system code. In this paper, we assume the perspective of the attacker, who is trying to run malicious softwa ..."
Abstract
-
Cited by 153 (2 self)
- Add to MetaCart
(Show Context)
Attackers and defenders of computer systems both strive to gain complete control over the system. To maximize their control, both attackers and defenders have migrated to low-level, operating system code. In this paper, we assume the perspective of the attacker, who is trying to run malicious software and avoid de-tection. By assuming this perspective, we hope to help defenders understand and defend against the threat posed by a new class of rootkits. We evaluate a new type of malicious software that gains qualitatively more control over a system. This new type of malware, which we call a virtual-machine based rootkit (VMBR), installs a virtual-machine mon-itor underneath an existing operating system and hoists the original operating system into a virtual machine. Virtual-machine based rootkits are hard to detect and remove because their state cannot be accessed by soft-ware running in the target system. Further, VMBRs support general-purpose malicious services by allowing such services to run in a separate operating system that is protected from the target system. We evaluate this new threat by implementing two proof-of-concept VMBRs. We use our proof-of-concept VMBRs to sub-vert Windows XP and Linux target systems, and we implement four example malicious services using the VMBR platform. Last, we use what we learn from our proof-of-concept VMBRs to explore ways to defend against this new threat. We discuss possible ways to detect and prevent VMBRs, and we implement a de-fense strategy suitable for protecting systems against this threat. 1.
Efficient TCB Reduction and Attestation
, 2009
"... We develop a special-purpose hypervisor called TrustVisor that facilitates the execution of security-sensitive code in isolation from commodity OSes and applications. TrustVisor provides code and execution integrity as well as data secrecy and integrity for protected code, even in the presence of a ..."
Abstract
-
Cited by 141 (17 self)
- Add to MetaCart
(Show Context)
We develop a special-purpose hypervisor called TrustVisor that facilitates the execution of security-sensitive code in isolation from commodity OSes and applications. TrustVisor provides code and execution integrity as well as data secrecy and integrity for protected code, even in the presence of a compromised OS. These strong properties can be attested to a remote verifier. TrustVisor only adds 5306 lines to the TCB (over half of which is for cryptographic operations). TrustVisorimposeslessthan7%overheadinthecommoncase. Thisoverheadislargelytheresult of today’s x86hardware virtualization support. 1
Stealthy malware detection through VMM-based “out-of-the-box” semantic view reconstruction
- IN: COMPUTER AND COMMUNICATIONS SECURITY (CCS
, 2007
"... An alarming trend in malware attacks is that they are armed with stealthy techniques to detect, evade, and subvert malware detection facilities of the victim. On the defensive side, a fundamental limitation of traditional host-based anti-malware systems is that they run inside the very hosts they ar ..."
Abstract
-
Cited by 139 (18 self)
- Add to MetaCart
(Show Context)
An alarming trend in malware attacks is that they are armed with stealthy techniques to detect, evade, and subvert malware detection facilities of the victim. On the defensive side, a fundamental limitation of traditional host-based anti-malware systems is that they run inside the very hosts they are protecting (“in the box”), making them vulnerable to counter-detection and subversion by malware. To address this limitation, recent solutions based on virtual machine (VM) technologies advocate placing the malware detection facilities outside of the protected VM (“out of the box”). However, they gain tamper resistance at the cost of losing the native, semantic view of the host which is enjoyed by the “in the box ” approach, thus leading to a technical challenge known as the semantic gap. In this paper, we present the design, implementation, and evaluation of VMwatcher – an “out-of-the-box ” approach that overcomes the semantic gap challenge. A new technique called guest view casting is developed to systematically reconstruct internal semantic views (e.g., files, processes, and kernel modules) of a VM from the outside in a non-intrusive manner. Specifically, the new technique casts semantic definitions of guest OS data structures and functions on virtual machine monitor (VMM)-level VM states, so that the semantic view can be reconstructed. With the semantic gap bridged, we identify two unique malware detection capabilities: (1) view comparison-based malware detection and its demonstration in rootkit detection and (2) “out-of-the-box ” deployment of hostbased anti-malware software with improved detection accuracy and tamper-resistance. We have implemented a proof-of-concept prototype on both Linux and Windows platforms and our experimental results with real-world malware, including elusive kernel-level rootkits,demonstrate itspracticality and effectiveness.
Copilot - a coprocessor-based kernel runtime integrity monitor
- In Proceedings of the 13th USENIX Security Symposium
, 2004
"... Copilot is a coprocessor-based kernel integrity monitor for commodity systems. Copilot is designed to detect malicious modifications to a host’s kernel and has correctly detected the presence of 12 real-world rootkits, each within 30 seconds of their installation with less than a 1 % penalty to the ..."
Abstract
-
Cited by 133 (5 self)
- Add to MetaCart
(Show Context)
Copilot is a coprocessor-based kernel integrity monitor for commodity systems. Copilot is designed to detect malicious modifications to a host’s kernel and has correctly detected the presence of 12 real-world rootkits, each within 30 seconds of their installation with less than a 1 % penalty to the host’s performance. Copilot requires no modifications to the protected host’s software and can be expected to operate correctly even when the host kernel is thoroughly compromised – an advantage over traditional monitors designed to run on the host itself. 1
