Detecting Peripheral-based Attacks on the Host Memory

This work addresses stealthy peripheral-based attacks on host computers and presents a new approach to detecting them. Peripherals can be regarded as.
In contrast, hypervisor 34 is said to execute outside VMs 50 a - b. In the embodiment illustrated in FIG.

There may be a security application executing within each VM exposed by hypervisor 34, each such security application protecting the respective VM. Alternatively, one such security application may protect multiple guest VMs executing on the host system. In such embodiments, inter-VM communication necessary for anti-malware operations may be managed by the hypervisor. In some embodiments, an event handler executes below OSs 40a-b, at a processor privilege level similar to that of the hypervisor. The handler may be incorporated into hypervisor 34, or may be installed as a separate component.

The event handler may be configured to detect the occurrence of a processor switch event generated by counter control unit 28 of processor 20, and in response, to instruct the security application to perform a code reuse analysis of a thread executing within guest VM 50b. In some embodiments, VM exit events suspend the execution of in-VM code and transfer control of processor 20 to the hypervisor. Such a transfer of control may allow the event handler to detect the occurrence of the switch event.

Upon detecting the switch event, handler may need to signal to application to launch the code reuse analysis routines. In one example, handler may inject an interrupt into guest VM 50 b in response to detecting the occurrence of the switch event. Security application may comprise an interrupt handler configured to intercept the respective interrupt, thus receiving notification of the switch event.

In the example of FIG. A security application including an event handler executes below guest VMs 50a-b, at a processor privilege level similar to that of the hypervisor. The security application may be configured to protect guest VMs 50a-b from code reuse attacks using methods described below. The event handler may detect the occurrence of a processor switch event generated by counter control unit 28 (FIG. ). Virtual machines typically operate with virtualized physical memory spaces, each such space isolated from the memory spaces of other VMs and from the memory space used by the hypervisor. Memory isolation may thus protect components such as the security application from malware executing within guest VMs 50c-d.

Although possible, operations such as determining memory addresses of various software objects and intercepting various events e. Therefore, some embodiments may achieve a compromise between security and simplicity by including a software component, such as security agents 48a-b in FIG.

Agents 48a-b may include modules with minimal functionality, configured to perform operations which are rather difficult to carry out from outside the respective VM, and to communicate key data to the security application. To transfer data e. The security application may then intercept the VM exit event, and in response, read the data from the respective memory location. The illustrated sequence of steps may be included within the processor pipeline, for instance, at the execution stage, following instruction fetching and decoding.

Other embodiments may implement various steps at other stages of the pipeline. A first step determines whether branch monitoring is currently on, and when it is not, processor 20 may advance to the next fetched instruction. Branch monitoring may be turned off for a variety of reasons, such as hardware interrupts and changes of execution context. The step may comprise looking up the value of a flag bit within counter configuration register(s) 26. Processor 20 may further consider whether a processor event such as a hardware interrupt has recently occurred, and when such an event has occurred, determine whether the occurrence of the event should affect branch monitoring.

When branch monitoring is on, a step may determine whether the current processor instruction is a monitored branch instruction. In some embodiments, security application 44 may be interested in monitoring a particular category of instructions, which may be used in code reuse attacks. For instance, ROP exploits rely on executing a succession of code snippets, each snippet ending in a return instruction e. In contrast, JOP exploits rely on repeated jump instructions e. Some embodiments include return and jump instructions as monitored branch instructions, to enable processor 20 to count occurrences of such instructions in the course of execution.

In some embodiments, monitored branch instructions include indirect jump instructions, such as JMP and CALL among others, wherein the destination address is read from a memory address or from a processor register. An example of such an indirect jump is JMP r, wherein r denotes one of the processor registers e. Some embodiments use a dedicated field of counter configuration register(s) 26 (FIG. ). The step may include looking up the contents of register(s) 26. When the current instruction is a monitored branch instruction, in a sequence of steps, counter control unit 28 may increment branch counter 24 and reset inter-branch instruction counter 22 to zero.

In some embodiments, in this step, processor 20 may save a memory address of the current instruction e.

Next, in a further step, counter control unit 28 may compare the current value stored in branch counter 24 to a pre-determined threshold e. The branch count threshold value may be written by software, such as security application 44 or OS 40, into a dedicated field of counter configuration register(s) 26, and read by unit 28 from register(s) 26. When the value currently stored in branch counter 24 does not exceed the threshold, processor 20 may advance to the next fetched instruction. When the value exceeds the threshold, counter control unit 28 may generate a processor switch event. Such a switch event may be used to signal to software, such as security application 44, that a code reuse analysis is opportune.

Exemplary switch events include interrupts, exceptions, and VM exit events, among others. The type of event generated in this step may vary among embodiments. Exception types may include fault, trap, and abort. Interrupts typically occur in response to signals from hardware devices apart from processor 20, but some interrupts may be generated internally, for instance by a LAPIC of the processor. Some types of switch events may be injected at specific stages of the processor pipeline e.

When the current instruction is not a monitored branch instruction (see the step above), a step may increment inter-branch instruction counter 22. Some embodiments may also save a memory address e. Next, in a further step, counter control unit 28 may compare the value currently stored in inter-branch instruction counter 22 with a second threshold, which may differ in value from the branch count threshold used in the step above. The second threshold may indicate an upper limit e.

When the current value stored by inter-branch instruction counter 22 does not exceed the second threshold, processor 20 may advance to the next fetched instruction. In some embodiments, when the length of a snippet of code between two consecutive monitored branch instructions exceeds a certain length e.

Therefore, in some embodiments, when the value stored by inter-branch instruction counter 22 exceeds the second threshold, a step resets branch counter 24 to zero. Overall, the sequence of steps illustrated in FIG. A sequence of steps may listen for the occurrence of a processor switch event triggered by counter control unit 28 (see the step above).
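The per-instruction decisions of the steps above (monitoring-on check, monitored-branch test, branch counter 24, inter-branch instruction counter 22, the two thresholds and the resulting switch event) as a small software model, run over constructed instruction traces. This is an added example, not code from the page or from any processor vendor; the instruction format, the set of monitored mnemonics, the thresholds (8 branches, 16 inter-branch instructions), the use of the privilege ring as the monitoring flag, and the restart of the branch counter after an event are all assumptions made for the illustration.

```python
"""Software model of the branch-monitoring counters (added example, not
code from the page's source). Instruction format, monitored branch set,
thresholds and the post-event counter reset are assumptions."""
from dataclasses import dataclass, field

# Assumed set of monitored branch instructions (returns and indirect jumps/calls).
MONITORED = {"RET", "JMP_IND", "CALL_IND"}


@dataclass
class Instr:
    addr: int
    mnemonic: str
    ring: int = 3  # 3 = user mode, 0 = kernel mode


@dataclass
class CounterUnit:
    """Models counter control unit 28 with branch counter 24 and
    inter-branch instruction counter 22."""
    branch_threshold: int        # branch count above which a switch event fires
    inter_branch_threshold: int  # longest non-branch run tolerated inside a chain
    monitor_ring0: bool = False  # context flag: also monitor kernel-mode code?
    branch_counter: int = 0
    inter_branch_counter: int = 0
    saved_addrs: list = field(default_factory=list)  # addresses of counted branches
    events: list = field(default_factory=list)       # (addr, count) per switch event

    def monitoring_on(self, instr):
        """The 'is branch monitoring on' check, driven here by privilege ring."""
        return instr.ring == 3 or self.monitor_ring0

    def step(self, instr):
        """Process one instruction; return True if a switch event is raised."""
        if not self.monitoring_on(instr):
            return False
        if instr.mnemonic in MONITORED:
            self.branch_counter += 1
            self.inter_branch_counter = 0
            self.saved_addrs.append(instr.addr)
            if self.branch_counter > self.branch_threshold:
                self.events.append((instr.addr, self.branch_counter))
                self.branch_counter = 0  # assumption: restart counting after signalling
                return True
            return False
        self.inter_branch_counter += 1
        if self.inter_branch_counter > self.inter_branch_threshold:
            # A long straight-line run is unlikely to belong to a gadget chain,
            # so the accumulated branch count is discarded.
            self.branch_counter = 0
        return False

    def run(self, trace):
        """Feed a whole trace; return the trace indices at which events fired."""
        return [i for i, ins in enumerate(trace) if self.step(ins)]


def build_trace(n_blocks, body_len, ring=3, base=0x1000):
    """Constructed trace: n_blocks runs of body_len plain instructions, each
    terminated by a RET (short bodies mimic a ROP gadget chain, long bodies
    ordinary function returns)."""
    trace, addr = [], base
    for _ in range(n_blocks):
        for _ in range(body_len):
            trace.append(Instr(addr, "MOV", ring))
            addr += 4
        trace.append(Instr(addr, "RET", ring))
        addr += 4
    return trace


if __name__ == "__main__":
    unit = CounterUnit(branch_threshold=8, inter_branch_threshold=16)
    print("gadget chain ->", unit.run(build_trace(12, 3)), unit.events)
    unit = CounterUnit(branch_threshold=8, inter_branch_threshold=16)
    print("normal code  ->", unit.run(build_trace(12, 40)), unit.events)
    unit = CounterUnit(8, 16)
    print("kernel chain ->", unit.run(build_trace(12, 3, ring=0)), unit.events)
```

With these thresholds, twelve three-instruction snippets each ending in RET raise one switch event at the ninth RET, while twelve ordinary functions with 40-instruction bodies raise none: every long body pushes the inter-branch counter past its threshold and clears the branch count before the next RET. The same chain executing in ring 0 is ignored unless `monitor_ring0` is set, which is the context-specific behaviour the page describes for the monitoring flag.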

In a further step, security application 44 may identify a set of executable modules loaded by the target process. Unless otherwise specified, an executable module is a component or a building block of a process; each such module comprises executable code. In some embodiments, the main executable module of a process comprises the first processor instruction of the process, executed when the respective process is launched.

Libraries are self-contained sections of code implementing various functional aspects of a program. Shared libraries may be used independently by more than one program. In an embodiment as illustrated in FIG. In a further step, security application 44 performs a code reuse analysis of the target thread. When the analysis indicates that the target thread is subject to a code reuse attack, application 44 may take anti-malware action. Exemplary anti-malware actions include stopping or restricting the execution of the target process, quarantining the target process, and notifying a user of host system 10, among others. Several methods are known in the art for determining whether the target thread is subject to a code reuse attack, such as a ROP or JOP exploit.

In one example, pertaining to ROP exploits, security application 44 may analyze the call stack of the target thread in response to detecting the switch event triggered by counter control unit 28. Analyzing the stack may include identifying items on the stack which point to addresses within an executable module loaded by the target process. To determine whether a stack item points to a loaded module, application 44 may use data determined in the steps described above.

In some embodiments, counter control unit 28 may save memory addresses e.

When this mechanism is enabled, security application 44 may retrieve such addresses directly from a dedicated location, such as a dedicated internal stack or circular buffer of the CPU. Next, security application 44 may determine whether the target thread is subject to a ROP exploit according to a count of such stack items pointing to short snippets of code, commonly termed ROP gadgets.
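The stack analysis just described (stack items that point into a loaded module, and among those, the ones that point at a short snippet ending in a return) as an added example, not code from the page or from any security product. Everything in it is constructed: the module layout, a fixed-width toy code map standing in for disassembled instruction bytes, the two stacks, and the gadget-length and hit-count thresholds. The same `count_gadget_pointers` routine can be fed the addresses saved by the counter control unit instead of raw stack words.

```python
"""Stack scan for pointers into short RET-terminated snippets (added example,
not the page's own code). Module layout, toy code map, stacks and thresholds
are constructed for the illustration; a real analyzer would disassemble the
actual bytes of the loaded module."""
from dataclasses import dataclass

INSN_SIZE = 4  # assumed fixed instruction width for the toy code map


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr):
        return self.base <= addr < self.base + self.size


def build_code(base, mnemonics):
    """Toy code map: address -> mnemonic, one fixed-width instruction each."""
    return {base + INSN_SIZE * i: m for i, m in enumerate(mnemonics)}


def module_for(addr, modules):
    """Return the loaded module containing addr, or None (data, heap, garbage)."""
    return next((m for m in modules if m.contains(addr)), None)


def gadget_length(addr, code, max_len):
    """Number of instructions from addr up to and including the first RET,
    or None if no RET is reached within max_len instructions."""
    for n in range(1, max_len + 1):
        mnem = code.get(addr)
        if mnem is None:  # ran off the mapped code
            return None
        if mnem == "RET":
            return n
        addr += INSN_SIZE
    return None


def count_gadget_pointers(stack_words, modules, code, max_gadget_len):
    """Stack items that point into a loaded module AND at a short snippet
    ending in RET; returns (word, module name, snippet length) per hit."""
    hits = []
    for word in stack_words:
        mod = module_for(word, modules)
        if mod is None:
            continue
        n = gadget_length(word, code, max_gadget_len)
        if n is not None:
            hits.append((word, mod.name, n))
    return hits


def looks_like_rop(stack_words, modules, code, max_gadget_len=5, min_hits=4):
    """Verdict: enough gadget-like pointers on the stack to warrant action."""
    hits = count_gadget_pointers(stack_words, modules, code, max_gadget_len)
    return len(hits) >= min_hits


# Constructed module and code: one ordinary 11-instruction function followed
# by three short RET-terminated snippets of the kind a ROP chain reuses.
LIBFOO = Module("libfoo", 0x7000, 0x100)
MODULES = [LIBFOO]
CODE = build_code(LIBFOO.base, [
    "PUSH", "MOV", "MOV", "MOV", "MOV", "MOV", "MOV", "MOV", "MOV", "MOV", "RET",  # 0x7000-0x7028
    "POP", "RET",         # 0x702C
    "XCHG", "RET",        # 0x7034
    "ADD", "MOV", "RET",  # 0x703C
])

# Constructed stacks: an ordinary return address plus data words, versus a
# run of snippet addresses interleaved with an argument word.
BENIGN_STACK = [0x7004, 0xDEADBEEF, 0x41, 0x7000, 0x0]
ROP_STACK = [0x702C, 0x41414141, 0x7034, 0x703C, 0x7020, 0x702C, 0x0]

if __name__ == "__main__":
    for name, stack in (("benign", BENIGN_STACK), ("rop", ROP_STACK)):
        hits = count_gadget_pointers(stack, MODULES, CODE, 5)
        print(name, hits, "->", looks_like_rop(stack, MODULES, CODE))
```

The benign stack yields no hits: its two in-module words point into the long function, where the first RET lies more than five instructions away. The second stack yields five hits, because four of its words land at snippets of two or three instructions and one lands on the tail of the ordinary function, which is just as usable as a gadget; that last case is why the scan measures distance to the next RET rather than checking against a list of known function entry points.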

A more detailed example is shown below, in relation to FIGS. In another example, relevant to JOP exploits, security application 44 may analyze a sequence of branches counted by counters 22 and 24. A typical JOP attack relies on a gadget dispatcher using a dispatch table to redirect execution from one snippet of code, termed a gadget, to another.

The dispatch table may be injected into the memory space of a target process, for instance via a buffer overflow. An exemplary branching pattern of a JOP attack may include a sequence:

In modern hardware and operating systems, execution is prone to frequent context switches, which change the processor from executing one thread to executing another thread.

Some context switches may occur, for instance due to scheduling. Other context switches are caused by hardware interrupts and other processor events, which suspend execution of the current thread, and switch the processor to executing an interrupt handler routine. In host systems employing hardware virtualization, a particular type of context switch transfers control of the processor between the hypervisor and a virtual machine. Some embodiments of the present invention may be configured to perform context-specific branch monitoring.

Switching branch monitoring on and off may be achieved by setting a flag of configuration register(s) 26 to 1 or 0, respectively. The respective value may be used by processor 20 in the step described above in relation to FIG. Processor 20 may thus handle various code reuse analysis scenarios. For instance, processor 20 may be configured to monitor only code executing in ring 3 (user mode), by switching branch monitoring off while executing in ring 0 (kernel mode).

In another example, processor 20 may be configured to turn branch monitoring off in response to a hardware interrupt, and to resume branch monitoring when returning from the interrupt handler e. In yet another example, branch monitoring may be turned off in response to a VM exit processor event. When a processor event occurs, a step analyzes the respective event, for instance to identify a type of the event e.