Hw Monitor

Notes on reference 1 (footnote below).

Hardware-based monitoring technique that can detect when the system calls of a sophisticated embedded operating system (e.g. Linux) deviate from their originally programmed behavior because of an attack.

  1. By verifying operation at the level of individual processor instructions, the monitor can detect any deviation almost instantaneously.
  2. By limiting monitoring to a fraction of the operating-system code (the system calls) rather than the entire code base, the hardware overhead stays low compared to other hardware monitoring approaches.

This combination of sensitivity to attacks on vulnerable code, low hardware overhead, and no modification to any software makes the approach promising for protecting embedded systems in the IoT domain and elsewhere.

Monitoring System Calls

GOAL: detect any deviation of a system call's execution from its compiled instruction sequence, so that control flow cannot be diverted from the system call into malicious code unnoticed.

Basic monitor operation

Hardware monitors are components co-located with processor cores that track the processing of software on that core. Their objective is to assess the operation of the processor and detect incorrect behavior, whether it stems from benign faults or from malicious attacks.

In this work, the hardware monitor receives information about every instruction executed on the processor core and compares it to a "monitoring graph" that is generated from the program binary.

A monitoring graph is generated during compilation [^6] for selected system calls. Each instruction in the system call is encoded as an entry in the graph that includes the valid hash value(s) of the next instruction (or instructions, in the case of a branch) and the corresponding next graph state(s). An executed instruction whose hash is not among the valid successors of the current graph state is a deviation.
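The following is an added software model of the graph construction and the per-instruction check described above; it is not code from the paper or from this page. Assumptions that are mine, not the paper's: instructions are represented as text, the per-instruction "hash" is a 16-bit truncation of SHA-256 over that text (a stand-in for whatever the hardware hash unit computes over the instruction word), a conditional branch records both its fall-through and its target as valid successors, an unconditional `jmp` records only its target, and `ret` ends the system call. The toy system call and the traces are constructed for illustration and are not real kernel code.

```python
import hashlib

HASH_BYTES = 2  # assumption: width of the per-instruction hash is not fixed here


def insn_hash(insn):
    """Truncated SHA-256 of one instruction; stand-in for the hardware hash unit."""
    return int.from_bytes(hashlib.sha256(insn.encode()).digest()[:HASH_BYTES], "big")


def successors(program, i):
    """Addresses that may legitimately execute right after program[i].

    program: list of (address, instruction text, branch target or None).
    Assumed conventions: 'ret' exits the call, 'jmp' never falls through,
    any other branch (jne, je, ...) may fall through or take its target."""
    addr, insn, target = program[i]
    mnemonic = insn.split()[0]
    if mnemonic == "ret":
        return []
    out = []
    if mnemonic != "jmp" and i + 1 < len(program):
        out.append(program[i + 1][0])          # fall-through successor
    if target is not None:
        out.append(target)                     # branch target
    return out


def build_monitoring_graph(program):
    """Compile-time step: one graph state per instruction address.

    graph[state] maps hash(next instruction) -> next state, i.e. the valid
    hash value(s) and next graph state(s) the monitor will accept."""
    by_addr = {addr: insn for addr, insn, _ in program}
    graph = {}
    for i, (addr, _, _) in enumerate(program):
        entry = {}
        for nxt in successors(program, i):
            h = insn_hash(by_addr[nxt])
            if h in entry and entry[h] != nxt:
                # Two successors with the same hash cannot be told apart; a
                # wider hash (or the hardware's instruction-word hash) avoids this.
                raise ValueError(f"successor hash collision at {addr:#x}")
            entry[h] = nxt
        graph[addr] = entry
    return graph


def monitor(graph, entry, trace):
    """Run-time step: replay the executed instruction texts against the graph.

    entry: (address, instruction) of the system call's first instruction.
    Returns (True, None) if every executed instruction is a valid successor
    of the current state, else (False, index of the first deviation)."""
    entry_addr, entry_insn = entry
    if not trace or insn_hash(trace[0]) != insn_hash(entry_insn):
        return False, 0
    state = entry_addr
    for i, insn in enumerate(trace[1:], start=1):
        nxt = graph[state].get(insn_hash(insn))
        if nxt is None:             # hash not among this state's valid successors
            return False, i
        state = nxt
    return True, None


# Constructed toy system call: returns -EINVAL when rdi == 0, else 0.
SYS_CALL = [
    (0x00, "push rbp", None),
    (0x01, "mov rbp, rsp", None),
    (0x02, "cmp rdi, 0", None),
    (0x03, "jne 0x06", 0x06),       # conditional: may fall through to 0x04 or go to 0x06
    (0x04, "mov rax, -22", None),
    (0x05, "jmp 0x07", 0x07),       # unconditional: only 0x07 is valid next
    (0x06, "mov rax, 0", None),
    (0x07, "pop rbp", None),
    (0x08, "ret", None),
]
ENTRY = (SYS_CALL[0][0], SYS_CALL[0][1])
GRAPH = build_monitoring_graph(SYS_CALL)

# Constructed traces as the monitor would see them from the core.
GOOD_TRACE_TAKEN = ["push rbp", "mov rbp, rsp", "cmp rdi, 0", "jne 0x06",
                    "mov rax, 0", "pop rbp", "ret"]
GOOD_TRACE_FALLTHROUGH = ["push rbp", "mov rbp, rsp", "cmp rdi, 0", "jne 0x06",
                          "mov rax, -22", "jmp 0x07", "pop rbp", "ret"]
# Control flow diverted into injected code after the branch.
INJECTED_CODE_TRACE = ["push rbp", "mov rbp, rsp", "cmp rdi, 0", "jne 0x06",
                       "mov rdi, 0x41414141", "call rax"]
# Only legitimate instructions, but the result-setting code is skipped:
# individually valid hashes in an order the graph does not allow.
SKIPPED_CHECK_TRACE = ["push rbp", "mov rbp, rsp", "cmp rdi, 0", "jne 0x06",
                       "pop rbp", "ret"]

if __name__ == "__main__":
    for name in ("GOOD_TRACE_TAKEN", "GOOD_TRACE_FALLTHROUGH",
                 "INJECTED_CODE_TRACE", "SKIPPED_CHECK_TRACE"):
        print(name, monitor(GRAPH, ENTRY, globals()[name]))
```

The second attack trace is the one worth noticing: every instruction in it is a legitimate instruction of the monitored call, so a check that only whitelists instruction hashes would pass it; the deviation is caught because the graph ties each hash to the state it may follow, which is what instruction-level (rather than basic-block-level) tracking buys.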

Linux (4.13.15) contains 337 system calls.

Attack database analysis

Between 1999 and 2017, 1931 vulnerabilities in the Linux kernel were reported to the CVE database. Of those, 45 (2.3%) directly relate to system calls. This may seem like a small percentage, but a vulnerability is particularly problematic when a practical exploit for it exists. Of the 148 publicly available exploits (listed in the Exploit Database maintained by Offensive Security) that lead to privilege escalation (which gives the attacker full control over the system), 25 (16.9%) are based on vulnerabilities in system calls.

Hardware monitoring from basic block level to instruction level

Earlier hardware monitoring systems operated at the granularity of basic blocks[^c2]. Mao et al. extended this to verifying individual processor instructions[^c3]. Pouraghily et al. further expanded the previous work to monitor not only monolithic applications but also the underlying operating system[^c4].

This work also monitors the operating system, but aims to work with a real Linux kernel rather than a lightweight embedded variant of a simplistic operating system.


  1. A Hardware Monitor to Protect Linux System Calls, IEEE Computer Society Annual Symposium on VLSI (ISVLSI), 2018. ↩
Created Oct 4, 2019 // Last Updated Oct 6, 2019
