yanlinl_ECE_2015.pdf (1.82 MB)
Verifying the System State for the Absence of Malware on Commodity Platforms
Several techniques exist to verify the integrity of the software image to guarantee the absence of malware on commodity computers or embedded platforms based on a hardware- or software-based root of trust. However, as modern embedded
platforms have become increasingly complex, existing software-based attestation techniques for embedded platforms no longer cover the new hardware features.
In addition, malware can infect peripherals’ firmware in a commodity computer. Such malware, once inside a peripheral, may also compromise other peripherals’
firmware or the host operating system. Unfortunately, none of the existing techniques provides a mechanism for verifying the integrity of peripherals’ firmware to guarantee the absence of malware. In the first two parts of this thesis, we investigate the feasibility of addressing the following two challenges: (1) establishing a software-only root of trust on an embedded platform to verify the system state of the embedded platform, and (2) verifying the integrity of peripherals’ firmware on commodity computers. For the
first challenge, we identify three new classes of attacks against existing software based attestation mechanisms and propose countermeasures to detect these attacks.
For the second challenge, we propose a software-based scheme enabling a piece of trusted code running on the main CPU, bootstrapped through a hardware- or
software-based root of trust, to verify the integrity of peripherals’ firmware. The software stack on commodity computers contains an increasingly large
number of vulnerabilities. Verifying the integrity of the entire software image on commodity computers in a hostile world is impractical for protecting security sensitive
operations. To protect security-sensitive operations, e.g., paying bills, shopping online, accessing medical records, establishing an isolated execution environment
on commodity computers for security-sensitive operations with integrity measurement is a desirable functionality. The software-based mechanism for peripheral
firmware integrity verification can be integrated with the isolated execution environment to guarantee the absence of malware in peripherals, providing an isolated malware-free operation environment with trusted peripherals for security sensitive operations. However, one-way protected malware-free operation environment is insufficient in some practical scenarios, e.g., Cloudlets, in which two-way protection is
required. In the third part of this thesis, we propose MiniBox, the first two-way sandbox for x86 native code that not only protects a benign OS from a misbehaving
program, but also protects a running program from a malicious OS. To achieve two-way protection, MiniBox verifies the system state including the integrity of
peripherals’ firmware to prevent malware from spreading to either side.
platforms have become increasingly complex, existing software-based attestation techniques for embedded platforms no longer cover the new hardware features.
In addition, malware can infect peripherals’ firmware in a commodity computer. Such malware, once inside a peripheral, may also compromise other peripherals’
firmware or the host operating system. Unfortunately, none of the existing techniques provides a mechanism for verifying the integrity of peripherals’ firmware to guarantee the absence of malware. In the first two parts of this thesis, we investigate the feasibility of addressing the following two challenges: (1) establishing a software-only root of trust on an embedded platform to verify the system state of the embedded platform, and (2) verifying the integrity of peripherals’ firmware on commodity computers. For the
first challenge, we identify three new classes of attacks against existing software based attestation mechanisms and propose countermeasures to detect these attacks.
For the second challenge, we propose a software-based scheme enabling a piece of trusted code running on the main CPU, bootstrapped through a hardware- or
software-based root of trust, to verify the integrity of peripherals’ firmware. The software stack on commodity computers contains an increasingly large
number of vulnerabilities. Verifying the integrity of the entire software image on commodity computers in a hostile world is impractical for protecting security sensitive
operations. To protect security-sensitive operations, e.g., paying bills, shopping online, accessing medical records, establishing an isolated execution environment
on commodity computers for security-sensitive operations with integrity measurement is a desirable functionality. The software-based mechanism for peripheral
firmware integrity verification can be integrated with the isolated execution environment to guarantee the absence of malware in peripherals, providing an isolated malware-free operation environment with trusted peripherals for security sensitive operations. However, one-way protected malware-free operation environment is insufficient in some practical scenarios, e.g., Cloudlets, in which two-way protection is
required. In the third part of this thesis, we propose MiniBox, the first two-way sandbox for x86 native code that not only protects a benign OS from a misbehaving
program, but also protects a running program from a malicious OS. To achieve two-way protection, MiniBox verifies the system state including the integrity of
peripherals’ firmware to prevent malware from spreading to either side.
History
Date
2015-08-10Degree Type
- Dissertation
Department
- Electrical and Computer Engineering
Degree Name
- Doctor of Philosophy (PhD)