Introduction Proposed Solution: VIMS Conclusion
Measuring Semantic Integrity for Remote Attestation
Fabrizio Baiardi (1), Diego Cilea (2), Daniele Sgandurra (2), Francesco Ceccarelli (3)
1 Polo G. Marconi - La Spezia, Università di Pisa, Italy
2 Dipartimento di Informatica, Università di Pisa, Italy
3 ENEL SpA, Italy
Trust 2009
1/26 F. Baiardi, D. Cilea, D. Sgandurra, F. Ceccarelli Measuring Semantic Integrity for Remote Attestation
Outline
1 Introduction: Integrity of a Remote System; Case Study
2 Proposed Solution: VIMS: Overall Architecture; Implementation
3 Conclusion: Results and Future Works
Integrity of a Remote System
Network administrators cannot guarantee the confidentiality and the integrity of Intranet data accessed by remote clients:
- little assurance about the integrity of remote clients can be established;
- an attacker may have compromised a remote client's application.
We need a general notion of integrity that takes into account that:
- a remote client can be trusted only if it executes applications in a predefined set;
- a remote client's applications should be continuously monitored to discover whether they have been attacked.
Goal: checking run-time attacks against the remote client's applications and OS.
Case Study: Enel SpA Livorno Lab
The private network hosts SCADA devices that can be remotely administered by remote nodes inside the Intranet. Remote nodes are commodity PCs, which can also be connected to the Internet or run arbitrary software.
Goal: when accessing a SCADA device, the integrity of the remote node must be assured:
- the remote PC should run only authorised software;
- the behaviour of that software should be continuously monitored.
Case Study: Enel SpA Livorno Lab [figure]
Integrity Measurements: Current Approaches
Only static checks (e.g., at boot-time).
VIMS
Virtual machine Integrity Measurement System (VIMS) is an architecture that implements a dynamic approach to integrity. The notion of integrity includes not only the correct configuration of the system and of the software it runs, but also that the remote client does not execute malware that changes the behaviour of its applications.
VIMS exploits virtualization technology to run two virtual machines (VMs) on the remote host:
- the Client VM: runs the VPN client to access the SCADA network;
- the Assurance VM: implements remote attestation.
Moreover, "dangerous" applications are run in a distinct VM.
Virtual Machine Introspection
Introspection is a generic technique to detect intrusions. With virtualization, no additional hardware units are needed:
- visibility: access the VM's state from a lower level;
- robustness: introspect a VM from another VM.
Kernel Integrity
With virtual machine introspection, the Assurance VM can dynamically check from the "outside":
- integrity of the kernel code (including modules);
- modifications to the interrupt descriptor table;
- modifications to the system call table;
- the list of running processes;
- the list of open files.
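The following is an added example, not VIMS code, of how the kernel-code and system-call-table checks on this slide can be expressed when all the Assurance VM has is a primitive that reads raw bytes of the Client VM's memory. The memory layout (addresses, table size, the pseudo-code bytes) and the `GuestMemory`, `build_clean_guest` and `check_kernel_integrity` names are constructed for the example; on a real guest the A-VM would take the addresses from the kernel symbol map and the baseline hash from a measurement taken at a trusted point (e.g. right after boot). The interrupt descriptor table check is the same pattern applied to the IDT gate addresses and is not repeated here.

```python
"""Added example: kernel-text and syscall-table checks over introspected guest memory."""
import hashlib
import struct

# Constructed toy layout of a 32-bit guest (NOT real Linux addresses; a real
# A-VM would take these from the guest's System.map / kallsyms).
KERNEL_TEXT_START = 0xC0100000
KERNEL_TEXT_SIZE = 0x40          # 64 bytes of "code" in this toy
SYSCALL_TABLE_ADDR = 0xC0200000
NR_SYSCALLS = 4
PTR_SIZE = 4


class GuestMemory:
    """Stand-in for the memory-introspection primitive: the A-VM can only
    read (and, to simulate the attacker here, write) raw guest bytes."""

    def __init__(self, regions):
        self.regions = regions  # {base address: bytearray}

    def _locate(self, addr, size):
        for base, buf in self.regions.items():
            if base <= addr and addr + size <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped guest range {addr:#x}+{size:#x}")

    def read(self, addr, size):
        buf, off = self._locate(addr, size)
        return bytes(buf[off:off + size])

    def write(self, addr, data):  # used only to simulate in-guest tampering
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data


def build_clean_guest():
    """Constructed known-good guest: deterministic pseudo-code bytes and a
    syscall table whose entries all point into the kernel text."""
    text = bytearray((i * 37 + 11) & 0xFF for i in range(KERNEL_TEXT_SIZE))
    table = bytearray()
    for nr in range(NR_SYSCALLS):
        table += struct.pack("<I", KERNEL_TEXT_START + 0x10 * nr)
    return GuestMemory({KERNEL_TEXT_START: text, SYSCALL_TABLE_ADDR: table})


def measure_kernel_text(mem):
    """Hash of the (static) kernel code, taken by the A-VM at a trusted point."""
    return hashlib.sha256(mem.read(KERNEL_TEXT_START, KERNEL_TEXT_SIZE)).hexdigest()


def read_syscall_table(mem):
    raw = mem.read(SYSCALL_TABLE_ADDR, NR_SYSCALLS * PTR_SIZE)
    return list(struct.unpack(f"<{NR_SYSCALLS}I", raw))


def check_kernel_integrity(mem, baseline_hash, baseline_table):
    """Return a list of findings; an empty list means the kernel-level checks passed."""
    findings = []
    if measure_kernel_text(mem) != baseline_hash:
        findings.append("kernel text modified")
    for nr, (cur, ref) in enumerate(zip(read_syscall_table(mem), baseline_table)):
        in_text = KERNEL_TEXT_START <= cur < KERNEL_TEXT_START + KERNEL_TEXT_SIZE
        if not in_text:
            # Classic rootkit hook: the entry now points at injected code.
            findings.append(f"syscall {nr}: handler {cur:#x} outside kernel text")
        elif cur != ref:
            # Still inside the text segment but redirected to another kernel function.
            findings.append(f"syscall {nr}: handler changed {ref:#x} -> {cur:#x}")
    return findings


def demo():
    """Baseline the clean guest, then detect two constructed attacks."""
    clean = build_clean_guest()
    baseline_hash = measure_kernel_text(clean)
    baseline_table = read_syscall_table(clean)
    results = {"clean": check_kernel_integrity(clean, baseline_hash, baseline_table)}

    hooked = build_clean_guest()   # attacker hooks syscall 2 to code outside the text
    hooked.write(SYSCALL_TABLE_ADDR + 2 * PTR_SIZE, struct.pack("<I", 0xC8000000))
    results["hooked"] = check_kernel_integrity(hooked, baseline_hash, baseline_table)

    patched = build_clean_guest()  # attacker patches one byte of kernel code
    patched.write(KERNEL_TEXT_START + 5, b"\x90")
    results["patched"] = check_kernel_integrity(patched, baseline_hash, baseline_table)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

The range check catches hooks that point outside the measured text even before a baseline exists, which matters because the table itself is writable data and is not covered by the code hash; comparing against the baseline additionally catches redirections to another legitimate kernel function.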
Process Integrity: Defining the Process Self
Protecting a process from attacks that alter the intended behaviour of the process' program: we want to preserve the original semantics of the program (the VPN client).
Notion of process self: the program that the process executes, characterised by its traces of system calls:
- dynamic analysis: Forrest et al.;
- static analysis: Wagner and Dean.
Grammar of System Call Sequences
We deduce the valid sequences of system calls that the process can issue from its source code and encode them as a context-free grammar (CFG): a static tool computes a CFG that models the legal system call traces the remote VPN client can issue.
At run-time, a sequence of system calls is valid only if it is a prefix of at least one string generated by the grammar.
Grammar of System Call Sequences: An Example

    int n = 5;

    foo() {
        n--;
        open();
        write();
        if (n) foo();   /* recursion bounded by the counter n */
        close();
    }

    int main(int argc) {
        if (argc) foo();
        else { open(); read(); close(); }
    }

Grammar computed from the source:

    <main> → <foo> | open read close ;
    <foo>  → open write ( <foo> )? close ;

The static analysis abstracts away the value of n, so the grammar allows any nesting depth of <foo>: every run of the program produces a string of the grammar, but not every string of the grammar is a possible run.
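The run-time rule of the previous slide (a trace is legal only while it is a prefix of some string of the grammar), applied to the grammar of this slide, as an added example that is not the authors' Icaria/Ponder/Grappa/Bison toolchain: the parser here is an incremental Earley recognizer rather than a Bison-generated one, because Earley's chart gives the prefix check directly, with no grammar restrictions beyond having no useless symbols (the set for position k is non-empty exactly when the first k calls are a viable prefix). The optional recursion "( <foo> )?" is expanded into two alternatives so the grammar has no empty rules. The names `SyscallMonitor` and `first_violation` and the sample traces are constructed for the example.

```python
"""Added example: on-line check that a syscall trace is a viable prefix of the grammar."""

# Grammar from the slide. Nonterminals are the dict keys; everything else is a
# terminal (a system call name). "( <foo> )?" is written as two alternatives,
# so the grammar has no empty rules (the completer below relies on that).
GRAMMAR = {
    "main": [("foo",), ("open", "read", "close")],
    "foo": [("open", "write", "foo", "close"), ("open", "write", "close")],
}
START = "main"


class SyscallMonitor:
    """Incremental Earley recognizer. feed() one system call at a time; it
    returns False as soon as the trace so far can no longer be extended to a
    string of the grammar (Earley's viable-prefix property)."""

    def __init__(self, grammar=GRAMMAR, start=START):
        self.grammar, self.start = grammar, start
        self.trace = []
        # An item is (lhs, rhs, dot, origin): rhs[:dot] is already matched and
        # the item was predicted at input position `origin`.
        self.sets = [{(start, rhs, 0, 0) for rhs in grammar[start]}]
        self._close(0)

    def _add(self, k, item, worklist):
        if item not in self.sets[k]:
            self.sets[k].add(item)
            worklist.append(item)

    def _close(self, k):
        """Run predict/complete to a fixpoint on set k (no scanning)."""
        worklist = list(self.sets[k])
        while worklist:
            lhs, rhs, dot, origin = worklist.pop()
            if dot < len(rhs):
                nxt = rhs[dot]
                if nxt in self.grammar:                      # predict
                    for alt in self.grammar[nxt]:
                        self._add(k, (nxt, alt, 0, k), worklist)
            else:                                            # complete
                for plhs, prhs, pdot, porigin in list(self.sets[origin]):
                    if pdot < len(prhs) and prhs[pdot] == lhs:
                        self._add(k, (plhs, prhs, pdot + 1, porigin), worklist)

    def feed(self, call):
        """Scan one system call; True iff the trace is still a viable prefix."""
        k = len(self.trace)
        scanned = {(lhs, rhs, dot + 1, origin)
                   for lhs, rhs, dot, origin in self.sets[k]
                   if dot < len(rhs) and rhs[dot] == call}
        self.sets.append(scanned)
        self.trace.append(call)
        self._close(k + 1)
        return bool(scanned)

    def is_complete(self):
        """True iff the trace so far is itself a full string of the grammar."""
        return any(lhs == self.start and dot == len(rhs) and origin == 0
                   for lhs, rhs, dot, origin in self.sets[-1])


def first_violation(calls, grammar=GRAMMAR, start=START):
    """Index of the first call at which the trace stops being a viable prefix,
    or None if every prefix of `calls` is legal. This is the point at which the
    A-VM would report the C-VM's VPN client as compromised."""
    monitor = SyscallMonitor(grammar, start)
    for i, call in enumerate(calls):
        if not monitor.feed(call):
            return i
    return None


if __name__ == "__main__":
    # Constructed traces: the recursive path through foo(), the else-branch of
    # main(), and a trace where an injected read() replaces the expected write().
    for trace in (["open", "write", "open", "write", "close", "close"],
                  ["open", "read", "close"],
                  ["open", "write", "open", "read", "close"]):
        print(trace, "->", first_violation(trace))
```

Because the check is on prefixes, the monitor can raise the alarm at the very system call that deviates, before the kernel executes it, which is what an introspection hook on the system call entry point needs; `is_complete()` is only needed if the policy also wants to know that the process terminated with a full legal trace.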
VIMS
The Client VM (C-VM) runs the remote client software, i.e. the VPN client application that connects to the VPN server.
The Assurance VM (A-VM) is a shadow VM that applies a set of security checks on the memory of the C-VM:
- integrity checks (kernel-level);
- sense-of-self checks (user-level).
These checks measure, on behalf of the VPN server, the integrity of the software that the C-VM runs. The A-VM can apply the consistency checks either periodically or on demand, when requested by the VPN server.
Threat Model
- TPM, CPU and BIOS are trusted.
- Memory cannot be tampered with at run-time, e.g. via DMA.
- VMM and A-VM are trusted: small size, no Internet services open.
- All the nodes belong to the Intranet.
Current Prototype
- Xen.
- TrustedBoot.
- TrouSerS.
- Simple VPN client + remote attestation protocol.
- Assurance Module:
  - Introspection Library: VCPU introspection; memory introspection;
  - kernel code integrity checks;
  - grammar generating algorithm + parser for sense of self: Icaria + Ponder + Grappa; Bison.
- Server: OpenVPN plugin for remote attestation.
Introspection Library
The Introspection Library is invoked by the Assurance Module periodically and whenever the VPN client issues a system call:
- Memory Introspection, to access the memory of a Client VM both at the kernel and at the user level;
- VCPU-Context Introspection, to retrieve the state of the Client VM's virtual processor.
Kernel Integrity Checks [figure]
Sense of Self Definition
We build the CFG (context-free grammar) by exploiting Icaria + Ponder, Grappa and Bison to generate a parser for the system call grammar:
1 modified Icaria + Ponder to produce an AST;
2 from the AST, using our extended Grappa Lib (specialised for AST analysis), we generate the CFG in Bison syntax;
3 invoke Bison on the CFG to build the on-line parser that checks that the VPN client generates a legal trace.