Debug Interface

The Experts below are selected from a list of 2031 Experts worldwide ranked by ideXlab platform

Yunheung Paek - One of the best experts on this subject based on the ideXlab platform.

  • Architectural Supports to Protect OS Kernels from Code-Injection Attacks and Their Applications
    ACM Transactions on Design Automation of Electronic Systems, 2017
    Co-Authors: Hyungon Moon, Dongil Hwang, Seonhwa Jung, Yunheung Paek
    Abstract:

    The kernel code injection is a common behavior of kernel-compromising attacks where the attackers aim to gain their goals by manipulating an OS kernel. Several security mechanisms have been proposed to mitigate such threats, but they all suffer from non-negligible performance overhead. This article introduces a hardware reference monitor, called Kargos, which can detect the kernel code injection attacks with nearly zero performance cost. Kargos monitors the behaviors of an OS kernel from outside the CPU through the standard bus interconnect and debug interface available with most major microprocessors. By watching the execution traces and memory access events in the monitored target system, Kargos uncovers attempts to execute malicious code with the kernel privilege. On top of this, we also applied the architectural supports for Kargos to the detection of ROP attacks. KS-Stack is the hardware component that builds and maintains the shadow stacks using the existing supports to detect these ROP attacks. According to our experiments, Kargos detected all the kernel code injection attacks that we tested, yet just increasing the computational loads on the target CPU by less than 1% on average. The performance overhead of the KS-Stack was also less than 1%.

  • Efficient Security Monitoring with the Core Debug Interface in an Embedded Processor
    ACM Transactions on Design Automation of Electronic Systems, 2016
    Co-Authors: Yunheung Paek
    Abstract:

    For decades, various concepts in security monitoring have been proposed. In principle, they all have in common the monitoring of the execution behavior of a program (e.g., control-flow or dataflow) running on the machine to find symptoms of attacks. Among the proposed monitoring schemes, software-based ones are known for their adaptability on the commercial products, but there have been concerns that they may suffer from nonnegligible runtime overhead. On the other hand, hardware-based solutions are recognized for their high performance. However, most of them have an inherent problem in that they usually mandate drastic changes to the internal processor architecture. More recent ones have strived to minimize such modifications by employing external hardware security monitors in the system. However, these approaches intrinsically suffer from the overhead caused by communication between the host and the external monitor. Our solution also relies on external hardware for security monitoring, but unlike the others, ours tackles the communication overhead by using the core debug interface (CDI), which is readily available in most commercial processors for debugging. We build our system simply by plugging our monitoring hardware into the processor via CDI, precluding the need for altering the processor internals. To validate the effectiveness of our approach, we implement two well-known monitoring techniques on our proposed framework: dynamic information flow tracking and branch regulation. The experimental results on our FPGA prototype show that our external hardware monitors efficiently perform monitoring tasks with negligible performance overhead, mainly thanks to the support of CDI, which helps us reduce communication costs substantially.

  • Architectural Supports to Protect OS Kernels from Code Injection Attacks
    Hardware and Architectural Support for Security and Privacy, 2016
    Co-Authors: Hyungon Moon, Dongil Hwang, Jinyong Lee, Seonhwa Jung, Jiwon Seo, Yunheung Paek
    Abstract:

    The kernel code injection is a common behavior of kernel-compromising attacks where the attackers aim to gain their goals by manipulating an OS kernel. Several security mechanisms have been proposed to mitigate such threats, but they all suffer from non-negligible performance overhead. This paper introduces a hardware reference monitor, called Kargos, which can detect the kernel code injection attacks with nearly zero performance cost. Kargos monitors the behaviors of an OS kernel from outside the CPU through the standard bus interconnect and debug interface available with most major microprocessors. By watching the execution traces and memory access events in the monitored target system, Kargos uncovers attempts to execute malicious code with the kernel privilege. According to our experiments, Kargos detected all the kernel code injection attacks that we tested, yet just increasing the computational loads on the target CPU by less than 1% on average.

  • The New Real-Time Debug Interface for Efficient Code Reuse Attack Detection
    2015 International SoC Design Conference (ISOCC), 2015
    Co-Authors: Dongil Hwang, Yunheung Paek
    Abstract:

    Code reuse attack (CRA) is a powerful exploitation technique that allows attackers to perform arbitrary computation. To maximize the performance, prior hardware solutions to CRAs require invasive modifications to the CPU architecture or substantial storage overhead to keep the binary analysis result. In this paper, we propose a new debug interface with which CRA solutions can be easily implemented without CPU modifications or offline binary analysis.

  • Towards a Practical Solution to Detect Code Reuse Attacks on ARM Mobile Devices
    Hardware and Architectural Support for Security and Privacy, 2015
    Co-Authors: Yongje Lee, Dongil Hwang, Ingoo Heo, Kyungmin Kim, Yunheung Paek
    Abstract:

    In recent years, there is a growing need to protect security and privacy of the data against various attacks on software running on smart mobile devices. The attackers mostly attempt to acquire privileges to control system behaviors as they want. As of today, the code reuse attack (CRA) is known as one of the most sophisticated techniques that can be exploited in such attempts. The attackers launch CRAs to perform arbitrary computation by reusing and chaining existing code fragments, called gadgets. Prior solutions to CRAs are engineered either in software or hardware. However, both of them have their own weaknesses. Software solutions suffer from huge performance overhead because they occupy computing resources of the host CPU. On the other hand, existing hardware solutions all require invasive modifications to the CPU internal architecture. This is contradictory to the conventional application processor (AP) design principle which is to integrate off-the-shelf commodity CPU cores and other special-purpose hardware modules together to form a system. In this paper, we propose a more practical hardware solution which conforms to such design convention, thus being amenable for immediate deployment to modern mobile devices that use APs as their central computing engines. In our work, we target the devices that employ as their AP CPUs the ARM processors which are the de facto standard CPUs for commercial mobile devices today. The key difference of ours from previous hardware solutions is that our CRA detection hardware modules have been integrated as off-core modules with the processor, strictly following the AP designing principle. We exploit the ARM Debug Interface to obtain the core internal information which is not directly accessible from off-core hardware modules. As a result, we were able to detect CRAs from outside the CPU without modifying the processor internals. For our preliminary experiment, we have implemented in our prototype a module to detect the attacks based on return-oriented programming (ROP) which is a representative technique used in CRAs. Empirical results show that our solution successfully detects ROP attacks with negligibly low runtime overhead and moderate area overhead.

Jinyong Lee - One of the best experts on this subject based on the ideXlab platform.

  • Architectural Supports to Protect OS Kernels from Code Injection Attacks
    Hardware and Architectural Support for Security and Privacy, 2016
    Co-Authors: Hyungon Moon, Dongil Hwang, Jinyong Lee, Seonhwa Jung, Jiwon Seo, Yunheung Paek
    Abstract:

    The kernel code injection is a common behavior of kernel-compromising attacks where the attackers aim to gain their goals by manipulating an OS kernel. Several security mechanisms have been proposed to mitigate such threats, but they all suffer from non-negligible performance overhead. This paper introduces a hardware reference monitor, called Kargos, which can detect the kernel code injection attacks with nearly zero performance cost. Kargos monitors the behaviors of an OS kernel from outside the CPU through the standard bus interconnect and debug interface available with most major microprocessors. By watching the execution traces and memory access events in the monitored target system, Kargos uncovers attempts to execute malicious code with the kernel privilege. According to our experiments, Kargos detected all the kernel code injection attacks that we tested, yet just increasing the computational loads on the target CPU by less than 1% on average.

  • Efficient Dynamic Information Flow Tracking on a Processor with Core Debug Interface
    Design Automation Conference, 2015
    Co-Authors: Jinyong Lee, Ingoo Heo, Yongje Lee, Yunheung Paek
    Abstract:

    Dynamic information flow tracking (DIFT) is a promising solution to prevent various attacks on software running on a processor. Previous hardware solutions usually mandate drastic change to internal processor architecture. More recent ones to minimize the change have proposed external devices for DIFT. However, these approaches intrinsically suffer from the high overhead to communicate with their external devices. Consequently, they either significantly lose performance, or inevitably make invasive modifications to the processor inside. Our solution also relies on external hardware for DIFT, but unlike theirs, ours exploits the core debug interface (CDI) to tackle the communication issue. CDI is provided in most commercial processors for debugging so that we were able to build our system simply by plugging our hardware to the processor via CDI, precluding the need for altering the processor itself. Experiments show that our hardware efficiently performs DIFT mainly thanks to the support of CDI that helps us substantially cut down the communication costs.

Dongil Hwang - One of the best experts on this subject based on the ideXlab platform.

  • Architectural Supports to Protect OS Kernels from Code-Injection Attacks and Their Applications
    ACM Transactions on Design Automation of Electronic Systems, 2017
    Co-Authors: Hyungon Moon, Dongil Hwang, Seonhwa Jung, Yunheung Paek
    Abstract:

    The kernel code injection is a common behavior of kernel-compromising attacks where the attackers aim to gain their goals by manipulating an OS kernel. Several security mechanisms have been proposed to mitigate such threats, but they all suffer from non-negligible performance overhead. This article introduces a hardware reference monitor, called Kargos, which can detect the kernel code injection attacks with nearly zero performance cost. Kargos monitors the behaviors of an OS kernel from outside the CPU through the standard bus interconnect and debug interface available with most major microprocessors. By watching the execution traces and memory access events in the monitored target system, Kargos uncovers attempts to execute malicious code with the kernel privilege. On top of this, we also applied the architectural supports for Kargos to the detection of ROP attacks. KS-Stack is the hardware component that builds and maintains the shadow stacks using the existing supports to detect these ROP attacks. According to our experiments, Kargos detected all the kernel code injection attacks that we tested, yet just increasing the computational loads on the target CPU by less than 1% on average. The performance overhead of the KS-Stack was also less than 1%.

  • Architectural Supports to Protect OS Kernels from Code Injection Attacks
    Hardware and Architectural Support for Security and Privacy, 2016
    Co-Authors: Hyungon Moon, Dongil Hwang, Jinyong Lee, Seonhwa Jung, Jiwon Seo, Yunheung Paek
    Abstract:

    The kernel code injection is a common behavior of kernel-compromising attacks where the attackers aim to gain their goals by manipulating an OS kernel. Several security mechanisms have been proposed to mitigate such threats, but they all suffer from non-negligible performance overhead. This paper introduces a hardware reference monitor, called Kargos, which can detect the kernel code injection attacks with nearly zero performance cost. Kargos monitors the behaviors of an OS kernel from outside the CPU through the standard bus interconnect and debug interface available with most major microprocessors. By watching the execution traces and memory access events in the monitored target system, Kargos uncovers attempts to execute malicious code with the kernel privilege. According to our experiments, Kargos detected all the kernel code injection attacks that we tested, yet just increasing the computational loads on the target CPU by less than 1% on average.

  • The New Real-Time Debug Interface for Efficient Code Reuse Attack Detection
    2015 International SoC Design Conference (ISOCC), 2015
    Co-Authors: Dongil Hwang, Yunheung Paek
    Abstract:

    Code reuse attack (CRA) is a powerful exploitation technique that allows attackers to perform arbitrary computation. To maximize the performance, prior hardware solutions to CRAs require invasive modifications to the CPU architecture or substantial storage overhead to keep the binary analysis result. In this paper, we propose a new debug interface with which CRA solutions can be easily implemented without CPU modifications or offline binary analysis.

  • Towards a Practical Solution to Detect Code Reuse Attacks on ARM Mobile Devices
    Hardware and Architectural Support for Security and Privacy, 2015
    Co-Authors: Yongje Lee, Dongil Hwang, Ingoo Heo, Kyungmin Kim, Yunheung Paek
    Abstract:

    In recent years, there is a growing need to protect security and privacy of the data against various attacks on software running on smart mobile devices. The attackers mostly attempt to acquire privileges to control system behaviors as they want. As of today, the code reuse attack (CRA) is known as one of the most sophisticated techniques that can be exploited in such attempts. The attackers launch CRAs to perform arbitrary computation by reusing and chaining existing code fragments, called gadgets. Prior solutions to CRAs are engineered either in software or hardware. However, both of them have their own weaknesses. Software solutions suffer from huge performance overhead because they occupy computing resources of the host CPU. On the other hand, existing hardware solutions all require invasive modifications to the CPU internal architecture. This is contradictory to the conventional application processor (AP) design principle which is to integrate off-the-shelf commodity CPU cores and other special-purpose hardware modules together to form a system. In this paper, we propose a more practical hardware solution which conforms to such design convention, thus being amenable for immediate deployment to modern mobile devices that use APs as their central computing engines. In our work, we target the devices that employ as their AP CPUs the ARM processors which are the de facto standard CPUs for commercial mobile devices today. The key difference of ours from previous hardware solutions is that our CRA detection hardware modules have been integrated as off-core modules with the processor, strictly following the AP designing principle. We exploit the ARM Debug Interface to obtain the core internal information which is not directly accessible from off-core hardware modules. As a result, we were able to detect CRAs from outside the CPU without modifying the processor internals. For our preliminary experiment, we have implemented in our prototype a module to detect the attacks based on return-oriented programming (ROP) which is a representative technique used in CRAs. Empirical results show that our solution successfully detects ROP attacks with negligibly low runtime overhead and moderate area overhead.

Liu Peng - One of the best experts on this subject based on the ideXlab platform.

Yongje Lee - One of the best experts on this subject based on the ideXlab platform.

  • Towards a Practical Solution to Detect Code Reuse Attacks on ARM Mobile Devices
    Hardware and Architectural Support for Security and Privacy, 2015
    Co-Authors: Yongje Lee, Dongil Hwang, Ingoo Heo, Kyungmin Kim, Yunheung Paek
    Abstract:

    In recent years, there is a growing need to protect security and privacy of the data against various attacks on software running on smart mobile devices. The attackers mostly attempt to acquire privileges to control system behaviors as they want. As of today, the code reuse attack (CRA) is known as one of the most sophisticated techniques that can be exploited in such attempts. The attackers launch CRAs to perform arbitrary computation by reusing and chaining existing code fragments, called gadgets. Prior solutions to CRAs are engineered either in software or hardware. However, both of them have their own weaknesses. Software solutions suffer from huge performance overhead because they occupy computing resources of the host CPU. On the other hand, existing hardware solutions all require invasive modifications to the CPU internal architecture. This is contradictory to the conventional application processor (AP) design principle which is to integrate off-the-shelf commodity CPU cores and other special-purpose hardware modules together to form a system. In this paper, we propose a more practical hardware solution which conforms to such design convention, thus being amenable for immediate deployment to modern mobile devices that use APs as their central computing engines. In our work, we target the devices that employ as their AP CPUs the ARM processors which are the de facto standard CPUs for commercial mobile devices today. The key difference of ours from previous hardware solutions is that our CRA detection hardware modules have been integrated as off-core modules with the processor, strictly following the AP designing principle. We exploit the ARM Debug Interface to obtain the core internal information which is not directly accessible from off-core hardware modules. As a result, we were able to detect CRAs from outside the CPU without modifying the processor internals. For our preliminary experiment, we have implemented in our prototype a module to detect the attacks based on return-oriented programming (ROP) which is a representative technique used in CRAs. Empirical results show that our solution successfully detects ROP attacks with negligibly low runtime overhead and moderate area overhead.

  • Efficient Dynamic Information Flow Tracking on a Processor with Core Debug Interface
    Design Automation Conference, 2015
    Co-Authors: Jinyong Lee, Ingoo Heo, Yongje Lee, Yunheung Paek
    Abstract:

    Dynamic information flow tracking (DIFT) is a promising solution to prevent various attacks on software running on a processor. Previous hardware solutions usually mandate drastic change to internal processor architecture. More recent ones to minimize the change have proposed external devices for DIFT. However, these approaches intrinsically suffer from the high overhead to communicate with their external devices. Consequently, they either significantly lose performance, or inevitably make invasive modifications to the processor inside. Our solution also relies on external hardware for DIFT, but unlike theirs, ours exploits the core debug interface (CDI) to tackle the communication issue. CDI is provided in most commercial processors for debugging so that we were able to build our system simply by plugging our hardware to the processor via CDI, precluding the need for altering the processor itself. Experiments show that our hardware efficiently performs DIFT mainly thanks to the support of CDI that helps us substantially cut down the communication costs.