Using CoreSight PTM to Integrate CRA Monitoring IPs in an ARM-Based SoC

Author: Dongil Hwang, Yunheung Paek, Yongje Lee, Jinyong Lee, Ingoo Heo
Year of publication: 2017
Subject:
Source: ACM Transactions on Design Automation of Electronic Systems. 22:1-25
ISSN: 1557-7309, 1084-4309
Description: The ARM CoreSight Program Trace Macrocell (PTM) has been widely deployed in recent ARM processors for real-time debugging and tracing of software. Using PTM, the external debugger can extract execution behaviors of applications running on an ARM processor. Recently, some researchers have been using this feature for other purposes, such as fault-tolerant computation and security monitoring. This motivated us to develop an external security monitor that can detect control hijacking attacks, of which the goal is to maliciously manipulate the control flow of victim applications at an attacker’s disposal. This article focuses on detecting a special type of attack called code reuse attacks (CRA), which use a recently introduced technique that allows attackers to perform arbitrary computation without injecting their code by reusing only existing code fragments. Our external monitor is attached to the outside of the host system via the system bus and ARM CoreSight PTM, and is fed with execution traces of a victim application running on the host. As a majority of CRAs violate the normal execution behaviors of a program, our monitor constantly watches and analyzes the execution traces of the victim application and detects a symptom of attacks when the execution behaviors violate certain rules that normal applications are known to adhere to. We present two different implementations for this purpose: a hardware-based solution in which all CRA detection components are implemented in hardware, and a hardware/software mixed solution that can be employed in a more resource-constrained environment where the deployment of full hardware-level CRA detection is burdensome.
Database: OpenAIRE