DOI: 10.1145/605397.605409 (ASPLOS conference proceedings)

Enabling trusted software integrity

Published: 01 October 2002
    Abstract

    Preventing execution of unauthorized software on a given computer plays a pivotal role in system security. The key problem is that although a program can be verified as authentic at the beginning of its execution, while it is running its execution flow can be redirected to externally injected malicious code using, for example, a buffer overflow exploit. Existing techniques address this problem by trying to detect the intrusion at run-time or by formally verifying that the software is not prone to a particular attack. We take a radically different approach to this problem. We aim at intrusion prevention as the core technology for enabling secure computing systems. Intrusion prevention systems force an adversary to solve a computationally hard task in order to create a binary that can be executed on a given machine. In this paper, we present an exemplary system, SPEF, a combination of architectural and compilation techniques that ensure software integrity at run-time. SPEF embeds encrypted, processor-specific constraints into each block of instructions at software installation time and then verifies their existence at run-time. Thus, the processor can execute only properly installed programs, which makes installation the only system gate that needs to be protected. We have designed a SPEF prototype based on the ARM instruction set and validated its impact on security and performance using the MediaBench suite of applications.
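    The abstract's core idea, a per-processor secret applied to every instruction block at installation time and re-checked before each block runs, can be modelled in a few dozen lines. The following is an added illustration written for this page, not the SPEF design from the paper: SPEF's encrypted, processor-specific constraints are approximated here by a keyed HMAC tag over each block, and the block size, tag length, block-index binding and per-processor secret are all assumptions of the example. It shows why installation becomes the only gate that needs protecting: a modified block, two reordered blocks, and an image installed on a different processor are all refused at "run-time", while a properly installed image runs.

```python
"""Toy model of install-time tagging and run-time verification of
instruction blocks.  Added illustration, not the SPEF design itself:
SPEF's encrypted, processor-specific constraints are approximated by an
HMAC over each block under a secret that only the modelled processor
holds.  Block size, tag length and block-index binding are assumptions."""
import hashlib
import hmac
import os

BLOCK_SIZE = 4   # instructions per block (assumption)
TAG_LEN = 8      # tag bytes kept per block (assumption)


class IntegrityError(Exception):
    """Raised when a block reaches the pipeline without a valid tag."""


def _serialize(block):
    return "\n".join(block).encode()


class Processor:
    """Models a CPU whose secret never leaves the chip.  Only code that
    passed through install() on this very processor can be executed."""

    def __init__(self, secret):
        self._secret = secret

    def _tag(self, index, block):
        # Binding the block index into the tag means a valid block cannot
        # be replayed at another position: reordering is an integrity
        # violation too, not only injection of new code.
        msg = index.to_bytes(4, "big") + _serialize(block)
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:TAG_LEN]

    def install(self, program):
        """Installation gate: split the program into blocks, tag each one."""
        blocks = [tuple(program[i:i + BLOCK_SIZE])
                  for i in range(0, len(program), BLOCK_SIZE)]
        return [(blk, self._tag(i, blk)) for i, blk in enumerate(blocks)]

    def execute(self, image):
        """Run-time check: a block is executed only if its tag verifies."""
        trace = []
        for i, (blk, tag) in enumerate(image):
            if not hmac.compare_digest(tag, self._tag(i, blk)):
                raise IntegrityError(f"block {i} failed verification")
            trace.extend(blk)      # stand-in for actually executing it
        return trace


# Constructed sample program: ARM-style mnemonics only, nothing is really run.
PROGRAM = [
    "ldr r0, [sp]", "add r0, r0, #4", "str r0, [sp]", "bl helper",
    "mov r1, #0", "cmp r0, r1", "beq done", "sub r0, r0, #1",
    "b loop", "done:", "bx lr",
]


def _rejected(cpu, image):
    try:
        cpu.execute(image)
    except IntegrityError:
        return True
    return False


def legit_image_runs():
    """A properly installed image executes unchanged."""
    cpu = Processor(os.urandom(32))
    return cpu.execute(cpu.install(PROGRAM)) == PROGRAM


def injected_block_rejected():
    """Code that never passed the installation gate carries no valid tag."""
    cpu = Processor(os.urandom(32))
    image = cpu.install(PROGRAM)
    blk, tag = image[1]
    image[1] = (("mov r0, #0",) + blk[1:], tag)   # modified block, old tag
    return _rejected(cpu, image)


def reordered_blocks_rejected():
    """Two valid blocks swapped: tags are position-bound, so both fail."""
    cpu = Processor(os.urandom(32))
    image = cpu.install(PROGRAM)
    image[0], image[1] = image[1], image[0]
    return _rejected(cpu, image)


def foreign_image_rejected():
    """An image installed on one processor does not run on another."""
    a, b = Processor(os.urandom(32)), Processor(os.urandom(32))
    return _rejected(b, a.install(PROGRAM))
```

    The tag is recomputed from the secret on every block, so the check costs one keyed hash per block at run-time; the paper's prototype measures the analogous overhead on MediaBench, whereas this model only demonstrates the acceptance and rejection behaviour.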


    Published In

    ASPLOS X: Proceedings of the 10th international conference on Architectural support for programming languages and operating systems
    October 2002
    318 pages
    ISBN:1581135742
    DOI:10.1145/605397
    • ACM SIGPLAN Notices, Volume 37, Issue 10, October 2002, 296 pages. ISSN 0362-1340, EISSN 1558-1160, DOI 10.1145/605432
    • ACM SIGOPS Operating Systems Review, Volume 36, Issue 5, December 2002, 296 pages. ISSN 0163-5980, DOI 10.1145/635508
    • ACM SIGARCH Computer Architecture News, Volume 30, Issue 5 (Special Issue: Proceedings of the 10th annual conference on Architectural Support for Programming Languages and Operating Systems), December 2002, 296 pages. ISSN 0163-5964, DOI 10.1145/635506
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Conference

    ASPLOS02

    Acceptance Rates

    ASPLOS X Paper Acceptance Rate 24 of 175 submissions, 14%;
    Overall Acceptance Rate 535 of 2,713 submissions, 20%

    Article Metrics

    • Downloads (Last 12 months)16
    • Downloads (Last 6 weeks)0
    Reflects downloads up to 27 Jul 2024

    Cited By

    View all
    • (2019) Architectural Support for Containment-based Security. Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 361-377, 4 Apr 2019. DOI 10.1145/3297858.3304020
    • (2018) Enhancing Security Against Software Attacks with Reprogrammable Hardware. 2018 1st International Conference on Data Intelligence and Security (ICDIS), pp. 258-266, Apr 2018. DOI 10.1109/ICDIS.2018.00049
    • (2016) SRAM-Based Unique Chip Identifier Techniques. IEEE Transactions on Very Large Scale Integration (VLSI) Systems 24(4):1213-1222, Apr 2016. DOI 10.1109/TVLSI.2015.2445751
    • (2016) VLSI supply chain security risks and mitigation techniques: A survey. Integration 55:438-448, Sep 2016. DOI 10.1016/j.vlsi.2016.03.002
    • (2015) Reliable Integrity Checking in Multicore Processors. ACM Transactions on Architecture and Code Optimization 12(2):1-23, 11 May 2015. DOI 10.1145/2738052
    • (2014) University research in hardware security. 2014 IEEE Hot Chips 26 Symposium (HCS), pp. 1-27, Aug 2014. DOI 10.1109/HOTCHIPS.2014.7478799
    • (2012) INVISIOS. ACM Transactions on Embedded Computing Systems 11(3):1-20, 1 Sep 2012. DOI 10.1145/2345770.2345772
    • (2012) Architecture Support for Dynamic Integrity Checking. IEEE Transactions on Information Forensics and Security 7(1):321-332, 1 Feb 2012. DOI 10.1109/TIFS.2011.2166960
    • (2012) A Survey on Cyber Security for Smart Grid Communications. IEEE Communications Surveys & Tutorials 14(4):998-1010, Dec 2013. DOI 10.1109/SURV.2012.010912.00035
    • (2012) A high-performance, low-overhead microarchitecture for secure program execution. Proceedings of the 2012 IEEE 30th International Conference on Computer Design (ICCD 2012), pp. 102-107, 30 Sep 2012. DOI 10.1109/ICCD.2012.6378624