Secure Framework for Monitoring Operating Systems Using SPEs


Attacks against operating systems are prevalent, which makes secure OS monitoring necessary. Various approaches, including VM-based and hardware-based methods, have been proposed to check system integrity, but each can itself be compromised or is costly. This presentation describes SPE Observer, a framework that securely monitors OSes by running the monitoring system on an isolated SPE of the Cell/B.E. processor.

  • Secure Framework
  • Monitoring Systems
  • Operating Systems
  • SPEs
  • Cell/B.E.

Uploaded on Mar 05, 2025



Presentation Transcript


  1. A Secure Framework for Monitoring Operating Systems Using SPEs in Cell/B.E.
     Kenichi Kourai (Kyushu Institute of Technology), Takuya Nagata (Kyushu Institute of Technology)

  2. Attacks against OSes
     • OSes are not an exception to attacks, e.g. kernel rootkits
       - All the applications are also compromised if the OS is compromised
     • It is necessary to check the integrity of OSes
       - Not only at boot time but also at runtime, because OSes are long-running software
       - This can increase the reliability of the system
     [Figure: applications running on an OS whose kernel has been modified by a rootkit]

  3. Secure OS Monitoring is not Easy
     • Running on top of the OS
       - Monitoring systems must issue system calls to the OS, e.g. to obtain process information or to read the kernel memory
       - The results cannot be trusted if the OS is compromised
     • Embedded into the OS
       - Monitoring systems can directly examine the kernel
       - They are easily disabled by the compromised OS
     [Figure: a monitoring system above the OS issuing system calls, and a monitoring system embedded in the OS]

  4. VM-based Approaches
     • Two approaches have been proposed
       - The underlying hypervisor monitors the OS in a virtual machine (VM)
       - A privileged VM monitors the OS in a target VM
     • The hypervisor and the privileged VM can also be compromised
       - There are vulnerabilities in software
     [Figure: monitoring systems in the hypervisor and in a privileged VM observing the OS in the target VM]

  5. Hardware-based Approaches
     • Using System Management Mode (SMM) in x86, one of many hardware-based approaches
       - A CPU can securely execute a monitoring system in SMM
       - The monitoring system is located in isolated SMRAM
     • Several drawbacks
       - SMM is much slower than the normal mode
       - The monitoring system must be embedded in the BIOS
     [Figure: a CPU switching between normal mode and SMM, with the monitoring system in SMRAM separate from main memory]

  6. SPE Observer
     • A framework for securely monitoring OSes using Cell/B.E.
     • Runs a monitoring system on an SPE
       - An SPE is a general-purpose CPU core
       - Its isolation mode enables secure execution
     • Monitors the running status of the monitoring system from an external security proxy
     [Figure: target host with the OS on the PPE and the monitoring system on an SPE, watched by an external security proxy]

  7. Architecture of Cell/B.E.
     • Heterogeneous multicore processor
     • PPE (control processing core)
       - Runs the OS and regular processes
     • SPE (arithmetic processing core)
       - Runs parallel applications
       - Contains its own memory, called a local store
       - Accesses the main memory using DMA
     [Figure: one PPE and several SPEs, each with a local store, connected to main memory through DMA]

  8. Isolation Mode
     • Protects the local store in an SPE from the PPE and the other SPEs
     • Preserving integrity
       - Attackers cannot modify a running monitoring system or the data it processes
     • Preserving confidentiality
       - Attackers cannot analyze a monitoring system or steal sensitive information
     [Figure: the monitoring system in the local store of an isolated SPE, out of reach of the OS and applications on the PPE and of the other SPEs]

  9. Secure Loader
     • Securely loads a monitoring system into the local store of an isolated SPE
     • Preserving integrity
       - Attackers cannot load compromised images of monitoring systems
     • Preserving confidentiality
       - Attackers cannot decrypt images of monitoring systems
     [Figure: the secure loader fetches the encrypted image from main memory by DMA, then verifies and decrypts it inside the isolated SPE]

  10. Availability Issue
     • The isolation mode is not perfect for secure execution of monitoring systems
     • The PPE can stop the execution of even isolated SPEs
       - It must control all the SPEs
       - Attackers can disable monitoring systems!
       - The isolation mode is not designed for PPE monitoring
     • Fortunately, the confidentiality of monitoring systems is still preserved
     [Figure: the OS on the PPE stopping the monitoring system on an isolated SPE]

  11. Security Proxy
     • Externally monitors the running status of monitoring systems on SPEs
     • Periodically sends heartbeats to monitoring systems via the relay process
     • Cuts the network if monitoring systems do not respond to the heartbeats correctly
     [Figure: the security proxy sits between the external network and the internal network and sends heartbeats through the relay process on the PPE to the monitoring system on the SPE]

  12. Secure Heartbeats
     • The security proxy sends an encrypted challenge to a monitoring system
     • The monitoring system decrypts it and returns an encrypted response
     • Attackers cannot return correct responses
       - Only legitimate monitoring systems and the security proxy share the secret keys
       - A malicious relay process cannot mount man-in-the-middle attacks
     [Figure: the encrypted challenge and encrypted response pass through the relay process between the security proxy and the monitoring system]
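The heartbeat exchange on this slide, as an added example that is not code from SPE Observer: the proxy seals a fresh random challenge under a key that only it and the legitimate monitoring system hold, the monitoring system unseals it and seals a response derived from it, and the proxy cuts the network whenever the reply is missing, forged, tampered with or replayed. The standard library has no AES, so an HMAC-SHA256 keystream with an HMAC tag stands in for the encryption (an assumption, as are the key, the class names and the relay's tamper hook).

```python
"""Challenge-response heartbeat between a security proxy and a monitoring system."""
import hashlib
import hmac
import secrets
import struct

# Constructed shared secret for the demo; in SPE Observer it would live only in the
# proxy and in the monitoring system's isolated local store.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
NONCE_LEN, TAG_LEN, CHALLENGE_LEN = 16, 32, 32


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, standing in for a real stream cipher (assumption)."""
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Returns the plaintext, or None if the tag fails (wrong key or tampering)."""
    if blob is None or len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def _expected_response(challenge):
    return hashlib.sha256(b"heartbeat-response|" + challenge).digest()


class MonitoringSystem:
    """Runs on the isolated SPE; answers only challenges sealed under its key."""

    def __init__(self, key):
        self.key = key

    def respond(self, challenge_blob):
        challenge = unseal(self.key, challenge_blob)
        if challenge is None:
            return None  # cannot decrypt, so it did not come from the proxy: stay silent
        return seal(self.key, _expected_response(challenge))


class SecurityProxy:
    """External host; every challenge is single-use, so a captured reply cannot be replayed."""

    def __init__(self, key):
        self.key = key
        self.network_enabled = True
        self.pending = None

    def send_heartbeat(self):
        self.pending = secrets.token_bytes(CHALLENGE_LEN)
        return seal(self.key, self.pending)

    def check_response(self, response_blob):
        ok = False
        if self.pending is not None:
            plaintext = unseal(self.key, response_blob)
            ok = plaintext is not None and hmac.compare_digest(
                plaintext, _expected_response(self.pending))
        self.pending = None
        if not ok:
            self.network_enabled = False  # cut the target host off the external network
        return ok


def relay_round(proxy, monitor, tamper=None):
    """The relay process on the PPE forwards blobs; `tamper` models a malicious relay."""
    challenge = proxy.send_heartbeat()
    response = monitor.respond(challenge)
    if tamper is not None:
        response = tamper(response)
    return proxy.check_response(response)


def run_scenarios():
    """Returns {scenario: (response accepted, network still enabled)}."""
    monitor, results = MonitoringSystem(DEMO_KEY), {}

    proxy = SecurityProxy(DEMO_KEY)  # legitimate exchange
    results["honest"] = (relay_round(proxy, monitor), proxy.network_enabled)

    proxy = SecurityProxy(DEMO_KEY)  # relay flips one bit of the response
    flip = lambda r: bytes([r[0] ^ 1]) + r[1:]
    results["tampered"] = (relay_round(proxy, monitor, flip), proxy.network_enabled)

    proxy = SecurityProxy(DEMO_KEY)  # monitoring system was stopped: no reply at all
    results["silent"] = (relay_round(proxy, monitor, lambda r: None), proxy.network_enabled)

    proxy = SecurityProxy(DEMO_KEY)  # relay records one good reply and replays it later
    captured = monitor.respond(proxy.send_heartbeat())
    proxy.check_response(captured)
    results["replayed"] = (relay_round(proxy, monitor, lambda r: captured), proxy.network_enabled)

    proxy = SecurityProxy(DEMO_KEY)  # relay impersonates the monitoring system without the key
    results["impostor"] = (relay_round(proxy, MonitoringSystem(b"guessed-key")), proxy.network_enabled)
    return results


if __name__ == "__main__":
    for name, (accepted, network) in run_scenarios().items():
        print(f"{name:9s} accepted={accepted} network_enabled={network}")
```

Only the honest round is accepted; in every other case the proxy disables the network, which is the slide's "cuts the network if monitoring systems do not respond correctly". The replay case shows why each challenge must be random and single-use: a relay that has seen a valid reply still cannot answer the next heartbeat.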

  13. Scheduled Monitoring
     • SPE Observer can schedule monitoring systems
       - Application performance is improved by not occupying one SPE for a monitoring system
     • Scheduling by the security proxy and the SPE scheduler
       - The security proxy periodically sends commands
       - The OS schedules SPEs if necessary
     [Figure: commands from the security proxy reach the monitoring system through the relay process; the OS schedules it alongside applications on the SPEs]

  14. Examples of Monitoring Systems
     • Integrity monitor for the OS kernel
       - Obtains the contents of the kernel memory using DMA
       - Calculates a SHA-1 hash and compares it with the correct one
       - Overlaps DMA with calculation using double buffering
     • Other possible monitors
       - Monitors for dynamic kernel data, using a technique similar to VM introspection
     [Figure: the integrity monitor on the SPE fills two buffers from the OS kernel by DMA while computing SHA-1 over the other]

  15. Accessing the Kernel Memory
     • SPE Observer configures an isolated SPE to enable access to the kernel memory
     • Clears the Problem-State bit in the status register of the MFC
       - The MFC is used for DMA transfers
     • Registers an address mapping for the kernel memory in the SLB
       - The SLB is an address translation table
     [Figure: the SPE's local store, MFC and SLB, with DMA to the kernel memory in main memory]

  16. Experiments
     • We conducted several experiments to examine
       - Effectiveness and performance of the integrity monitor
       - Impacts on application performance
     • We used an emulation of the isolation mode because we could not obtain the secure loader supporting the hardware-level isolation mode
     • Security proxy: CPU Xeon E5630, memory 4 GB, NIC Gigabit Ethernet
     • PlayStation 3: CPU 1 PPE and 6 SPEs, local store 256 KB, main memory 256 MB, NIC Gigabit Ethernet, OS Linux 2.6.27

  17. Integrity Check of the Kernel
     • We ran the integrity monitor on an SPE
     • It could detect the compromised kernels
       - Modified system call table
       - Modified function for a system call
     • We measured the time for an integrity check
       - Hash calculation: 70%
       - DMA was hidden by the calculation
     [Chart: time (ms), 0 to 30, for heartbeat and hash calculation]
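An added example (not SPE Observer's code) of the integrity monitor described on slide 14 and exercised on this slide: the kernel's static regions are read chunk by chunk, the DMA for chunk i+1 is issued before chunk i is hashed so transfer and SHA-1 overlap, and the result is compared with a reference taken while the kernel was known good. Main memory, the kernel layout (a system call table of pointers and the code of one handler) and the asynchronous DMA engine are constructed stand-ins, and the 16 KB transfer size is an assumption.

```python
"""Kernel integrity monitor: double-buffered DMA reads hashed with SHA-1."""
import hashlib
import struct
from concurrent.futures import ThreadPoolExecutor

DMA_CHUNK = 16 * 1024  # assumed per-transfer size; two such buffers live in the local store

# Constructed kernel layout: 300 eight-byte handler pointers, and the code of one handler
REGIONS = {
    "syscall_table": (0x1000, 300 * 8),
    "sys_open_text": (0x4000, 40 * 1024),
}


class MainMemory:
    """Stand-in for main memory as the SPE sees it through MFC DMA (constructed)."""

    def __init__(self, size):
        self.data = bytearray(size)

    def dma_get(self, addr, size):
        return bytes(self.data[addr:addr + size])

    def write(self, addr, payload):  # used only to build the image and to model a compromise
        self.data[addr:addr + len(payload)] = payload


def build_clean_kernel():
    mem = MainMemory(0x20000)
    base, _ = REGIONS["syscall_table"]
    mem.write(base, b"".join(struct.pack(">Q", 0xC000_0000_0010_0000 + 0x100 * i)
                              for i in range(300)))
    base, size = REGIONS["sys_open_text"]
    mem.write(base, bytes((i * 31 + 7) & 0xFF for i in range(size)))  # pseudo machine code
    return mem


def sha1_double_buffered(mem, base, length, chunk=DMA_CHUNK):
    """Hash a region while the DMA for the next chunk is already in flight."""
    digest = hashlib.sha1()
    offsets = list(range(0, length, chunk))
    with ThreadPoolExecutor(max_workers=1) as dma_engine:  # models the asynchronous MFC
        in_flight = dma_engine.submit(mem.dma_get, base, min(chunk, length))
        for i, off in enumerate(offsets):
            buf = in_flight.result()                    # wait for chunk i to land in buffer A
            if i + 1 < len(offsets):                    # start chunk i+1 into buffer B first
                nxt = offsets[i + 1]
                in_flight = dma_engine.submit(mem.dma_get, base + nxt, min(chunk, length - nxt))
            digest.update(buf)                          # this work overlaps the pending DMA
    return digest.hexdigest()


def snapshot(mem):
    return {name: sha1_double_buffered(mem, base, size) for name, (base, size) in REGIONS.items()}


def check_integrity(mem, reference):
    """Names of regions whose current hash differs from the trusted reference."""
    current = snapshot(mem)
    return sorted(name for name in REGIONS if current[name] != reference[name])


def run_scenarios():
    mem = build_clean_kernel()
    reference = snapshot(mem)  # taken while the kernel is known good, kept in the local store
    clean = check_integrity(mem, reference)
    # Model of the first compromised kernel from the experiment: one table entry redirected
    base, _ = REGIONS["syscall_table"]
    mem.write(base + 8 * 5, struct.pack(">Q", 0xC000_0000_7F00_0000))
    table_modified = check_integrity(mem, reference)
    # Model of the second: the function for a system call modified in place
    base, _ = REGIONS["sys_open_text"]
    mem.write(base + 0x10, b"\x00\x00\x00\x00")
    function_modified = check_integrity(mem, reference)
    return clean, table_modified, function_modified


if __name__ == "__main__":
    print(run_scenarios())
```

The reference hashes must be computed from a kernel that is known to be clean and then held where the PPE cannot reach them, which is exactly what the isolated local store provides; the same check run with references stored in main memory would be trivially defeated. Note that this only covers regions that are static at runtime, which is why the slide lists dynamic kernel data as a separate kind of monitor.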

  18. Impacts on Application Performance
     • We ran various applications with various monitors
       - CPU- and DMA-bound applications, using various numbers of SPEs
       - CPU- and DMA-bound monitors, using one SPE
     [Figure: a CPU-bound application on five SPEs beside a DMA-bound monitor on one SPE, both accessing main memory]

  19. Impacts on Application Performance
     • We ran various applications with various monitors
     • No monitor affected CPU-bound applications
       - Linear performance improvement with the number of SPEs
     • All monitors affected DMA-bound applications
       - Especially DMA-bound monitors
     [Charts: improvement vs. # of SPEs (0 to 5) for the CPU-bound application (0 to 6) and the DMA-bound application (0.0 to 2.5), each with a DMA-bound monitor and a CPU-bound monitor]

  20. Performance Degradation
     • We ran various applications using 6 threads with the integrity monitor
       - The monitor occupied one SPE
       - An application could use only 5 SPEs
     [Figure: six application threads sharing five SPEs while the integrity monitor occupies the sixth]

  21. Performance Degradation
     • We ran various applications using 6 threads with the integrity monitor
       - The monitor occupied one SPE
       - An application could use only 5 SPEs
     • Application performance
       - CPU-bound: 83% (= 5/6)
       - DMA-bound: 98%, because the DMA bandwidth was already saturated
       - Matrix: 18%, because of waiting for synchronization
     [Chart: performance (0.0 to 1.0) for CPU-bound, DMA-bound and Matrix]

  22. Improvement by Scheduling (1/2)
     • SPE Observer scheduled the integrity monitor at various intervals
     • We measured the performance of matrix multiplication
     [Figure: six application threads and the integrity monitor sharing the six SPEs under scheduling]

  23. Improvement by Scheduling (1/2)
     • SPE Observer scheduled the integrity monitor at various intervals
     • We measured the performance of matrix multiplication
     • The performance was improved as the interval became longer
       - 83% (= 5/6) at a 200-ms interval
     [Chart: Matrix performance (0 to 1) vs. interval (ms, 0 to 1000), scheduling vs. no scheduling]

  24. Improvement by Scheduling (2/2)
     • We measured the performance of CPU- and DMA-bound applications
       - CPU-bound: 96% at a 100-ms interval
       - DMA-bound: almost 100% at a short interval
     [Charts: performance vs. interval (ms, 0 to 1000) for the CPU-bound application (0.0 to 1.0) and the DMA-bound application (0.80 to 1.00), scheduling vs. no scheduling]

  25. Related Work
     • Copilot [Petroni et al. '04]
       - Sends the contents of the physical memory to a remote host using a special PCI card
       - The remote host checks the integrity of the OS
     • Flicker [McCune et al. '08]
       - Executes security-sensitive code using Intel TXT
       - The whole system is suspended while such code is running
     • Code verification service [Murase et al. '09]
       - An isolated SPE checks the integrity of applications that run on the PPE
       - Does not assume that the OS is compromised

  26. Conclusion
     • We proposed SPE Observer, a framework for secure execution of OS monitoring systems
       - Using the isolation mode of SPEs to guarantee integrity and confidentiality
       - Using the security proxy to monitor the running status of monitoring systems
       - Scheduling monitoring systems to mitigate performance degradation
     • Future work
       - Developing various monitoring systems
       - Developing middleware for better SPE scheduling
