Secure and Manageable Host-based IDS with SGX and SMM

Secure and Manageable Host-based IDS with SGX and SMM
Slide Note
Embed
Share

Requirements for host-based IDS solutions are increasing as attacks against complex systems rise. This paper discusses utilizing System Management Mode (SMM) and Intel SGX to securely run and protect Host-based IDS. It explores the advantages, challenges, and approaches to implementing such systems effectively.

  • Host-based IDS
  • Security
  • SGX
  • SMM
  • Intrusion Detection
jimmied
jimmied Follow

Uploaded on Mar 09, 2025 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. SSdetector: Secure and Manageable Host-based IDS with SGX and SMM Yoshimichi Koga and Kenichi Kourai Kyushu Institute of Technology, Japan

  2. 2 Requirements for Host-based IDS Attacks against complex systems are increasing Intrusion detection systems (IDS) are required as countermeasures Host-based IDS (HIDS) monitors the internal system states Not easy to run HIDS securely inside the target system Need not to rely on the functions of the target system Need to protect HIDS against intruders target system HIDS intruder

  3. 3 Approach 1: Using SMM HIDS can securely run using System Management Mode SMM is one of the operation modes in Intel/AMD processors Invoke SMM code by using special interrupts (SMI) SMM provides an isolated execution environment in BIOS SMM code is located in the dedicated memory region Even the OS cannot access SMM code SMI BIOS SMM code

  4. 4 Previous SMM-based HIDS Run the entire HIDS as SMM code in BIOS [Zhang+, DSN 13] Monitor the code and the internal system states in memory Not easy to update HIDS and deploy new HIDS Send memory data to remote HIDS in SMM [Wang+, RAID'10] Make the management of HIDS easier HIDS running at remote hosts is less secure target system remote host network driver BIOS HIDS HIDS memory

  5. 5 Approach 2: Using Intel SGX HIDS can be protected by SGX SGX is a security feature of Intel processors Enable code to securely run in SGX applications SGX provides a trusted execution environment (enclave) Verify the digital signature of code Encrypt and integrity-check enclave memory SGX application enclave untrusted code code

  6. 6 Previous SGX-based HIDS Run HIDS in SGX enclaves [Nakano+, CLOUD 21] HIDS is protected against eavesdropping and tampering Monitor the memory of virtual machines (VMs) Need to rely on the hypervisor to obtain memory data The hypervisor can be compromised if it has vulnerabilities Support only virtualized systems SGX application enclave memory target VM HIDS VM s memory hypervisor

  7. 7 Our Approach: SSdetector Combine SGX and SMM for security and manageability Run HIDS inside enclaves in SGX applications HIDS can be easily updated by restarting SGX applications Detect abnormal stop of HIDS by heartbeats from remote hosts Obtain memory data by invoking the SMM monitor in BIOS The SMM monitor is much smaller than the hypervisor SGX application enclave memory HIDS SMM monitor BIOS

  8. 8 Invoking the SMM Monitor HIDS invokes the SSdetector runtime outside the enclave An SGX enclave cannot directly invoke SMM code Securely invoke the runtime using the SGX mechanism (OCALL) Pass the addresses of the target data and the buffer The runtime generates an interrupt (SMI) Write data to the I/O port used for SMI SGX application passed addresses enclave HIDS library runtime OCALL SMI registers BIOS SMM monitor CPU

  9. 9 Obtaining Memory Data The SMM monitor obtains requested memory data Translate the virtual to physical address using the OS page tables Store the obtained data in the passed buffer The SSdetector runtime returns the memory data to HIDS Cache the memory data in the SGX enclave HIDS monitors the internal system states using the memory data SGX application enclave memory cache buffer physical address HIDS data page table SMM monitor BIOS

  10. 10 Protecting Memory Data Acquisition Prevent information leakage via addresses and data Encrypt an AES block containing two addresses in the SGX enclave Encrypt obtained 4-KB memory data in the SMM monitor Detect tampering with memory data Calculate the hash value of memory data in the SMM monitor Compare it with a re-calculated hash value in the SGX enclave SGX application enclave encrypt address decrypt data cache buffer HIDS registers SMM monitor encrypt data BIOS CPU decrypt address

  11. 11 HIDS for SSdetector We have developed a simple HIDS for SSdetector Collect system information provided by the proc filesystem E.g., information on the system, processes, networks, and devices The HIDS analyzes OS data using LLView [Ozaki+, CLOUD 23] Write HIDS code using the source code of the Linux kernel Transform the intermediate code to invoke the SMM monitor SMM monitor LLView kernel code

  12. 12 Experiments We ran our HIDS using SSdetector Examine the overhead of SGX and SMM Exemine the overhead of data protection Comparisons SGX only, SMM only, and no SGX/SMM encryption only, integrity checking only, and no protection host Intel Core i7-9700 16 GB AMI F14 Linux 5.6.0-rc5+ QEMU SGX 4.0.0-r1 VM 1 6 GB TianoCore Linux 5.8.18 - CPU Memory BIOS OS Virtualization

  13. 13 Overhead of SGX and SMM We measured the execution time without data protection SSdetector was 5.1x longer than no SGX/SMM The overheads of SGX and SMM were 52% and 46%, respectively We estimated the time in a physical machine (PM) The time needed for SMI was reduced by 84% in a PM SSdetector could be only 2.3x longer than no SGX/SMM 1.5 1.5 5.1x time (sec) time (sec) 1.0 1.0 2.3x 0.5 0.5 0.0 0.0 SSdetector SGX only SMM only no SGX/SMM SSdetector (VM) SSdetector (PM) no SGX/SMM

  14. 14 Overhead of Data Protection We measured the execution time with data protection 4.2x longer than no data protection Encryption and integrity checking occupied 39% and 38% The overhead could be reduced by using CPU support Can use AES-NI in the SMM monitor and the SHA Extension Could be only 1.6x longer than no protection 6.0 4.2x 5.0 4.0 time (sec) time (sec) 4.0 3.0 1.6x 2.0 2.0 1.0 0.0 0.0 SSdetector SSdetector (possible) no protection SSdetector integrity only encryption only no protection base encryption integrity

  15. 15 Conclusion We proposed SSdetector for both the security and manageability of HIDS by combining SGX and SMM Run HIDS in SGX enclaves Obtain memory data via the SMM program Examined the overhead of SGX, SMM, and data protection Future work Run various HIDS using SSdetector Reduce the overhead of data protection Apply SSdetector to physical machines

Related


Characterising Risk and Biology of Smouldering Myeloma for Early Detection of Symptomatic Myeloma

Characterising Risk and Biology of Smouldering Myeloma for Early Detection of Symptomatic Myeloma

lara
Understanding IDS/IPS: Enhancing Security with SecurityGen's Advanced Solutions

Understanding IDS/IPS: Enhancing Security with SecurityGen's Advanced Solutions

Security
Get More YouTube Views Fast with These SMM Panels

Get More YouTube Views Fast with These SMM Panels

Fans
Linux User Capabilities and Namespace Management

Linux User Capabilities and Namespace Management

esa
P&IDs and Symbols in Process Engineering

P&IDs and Symbols in Process Engineering

veer
Comprehensive Overview of the Intelligence and Development Scales - Second Edition (IDS-2)

Comprehensive Overview of the Intelligence and Development Scales - Second Edition (IDS-2)

amarantha
System Management Mode (SMM) in x86 Processors

System Management Mode (SMM) in x86 Processors

justice
Understanding Devices and Network Security Implementation

Understanding Devices and Network Security Implementation

lilymay
Host Stars and Their Importance in Exoplanet Research

Host Stars and Their Importance in Exoplanet Research

annabell
Get SMM social panel at Socialmediamarketplace.com. SMM Social Panel

Get SMM social panel at Socialmediamarketplace.com. SMM Social Panel

Social3
Enhancing Discovery with OCLC Work IDs

Enhancing Discovery with OCLC Work IDs

ger_ash
Signature-Based IDS Schemes for Heavy Vehicles

Signature-Based IDS Schemes for Heavy Vehicles

grer400
IDS and IPS for Network Security

IDS and IPS for Network Security

brec932
Intrusion Detection Systems (IDS)

Intrusion Detection Systems (IDS)

leon_m
Intrusion Detection Systems (IDS) and Snort in Network Security

Intrusion Detection Systems (IDS) and Snort in Network Security

adrol
Proposal for Network-Generated Device ID Scheme in IEEE 802.11

Proposal for Network-Generated Device ID Scheme in IEEE 802.11

kobe_hen
Enhancing Cloud Security Through Virtual Machine Co-Migration for IDS Offloading

Enhancing Cloud Security Through Virtual Machine Co-Migration for IDS Offloading

acozz
The Complexities of Parasite Life Cycles and Host Interactions

The Complexities of Parasite Life Cycles and Host Interactions

akshayje
In India, 99 Exch Is A Leading Provider Of Online Gaming IDs

In India, 99 Exch Is A Leading Provider Of Online Gaming IDs

exchh20
Secure Cloud Applications with Intel SGX - OSDI 2014 Presentation Summary

Secure Cloud Applications with Intel SGX - OSDI 2014 Presentation Summary

albritton_a
SEO Services in Pakistan

SEO Services in Pakistan

Muhammad5
SEO and SMM Training in Lahore

SEO and SMM Training in Lahore

Muhammad5

More Related Content