1. ScaRR: Scalable Runtime Remote Attestation for Complex Systems
Flavio Toffalini - Singapore University of Technology and Design
Eleonora Losiouk, Andrea Biondo - University of Padua
Jianying Zhou - Singapore University of Technology and Design
Mauro Conti - University of Padua
RAID - September 23-25, 2019 - Beijing, China
2. Problem: Remote Attestation
Verifier (trust) -> Prover (not-so-trust): Challenge
Prover (not-so-trust) -> Verifier (trust): Report
Application (on the Prover): Is this ok?
2/27Toffalini et al., (2019) ScaRR: Scalable Runtime Remote Attestation for Complex Systems
3. Static Remote Attestation
What we can verify: Static properties
- Software loaded
- Hardware integrity
What we can’t verify: Dynamic properties
- Execution path
- Data correctness
[Slide label: ScaRR]
5. Previous Runtime Remote Attestation
Limitations
1. Offline analysis does not scale for big applications
2. Based on heuristics
3. Symbolic execution too slow for the verification
6. Scenario: Virtual Machines in a Cloud
- More complex applications
- More advanced systems
- No physical attacks
[Figure: Verifier (V) and Prover (P) nodes; labels: intra-cloud communication, ext-cloud communication]
7. Basic Example
    x = input()
    if x == 'auth':
        y = get_privileged_info()
    else:
        y = get_unprivileged_info()
    output(y)
    terminate
[Figure: control-flow graph with nodes N1 to N6, drawn twice; legend: marked edge = return address corruption]
8. Assumptions and Attacker Model
Attacks:
- Standard code-reuse attack (e.g., ROP, JOP)
- Code injection (e.g., shellcode)
- Function hooks
- Attacker takes control of user-space
Prover Assumptions:
- Prover is equipped with a trusted anchor
- Standard defences like W⊕X
- Not CFI: the attack could come from anywhere within the machine
9. Idea of ScaRR
N1 − N4 => [ (N2, N4) ]
N1 − N3 => [ (N2, N3) ]
N3 − N6 => [ ]
N4 − N6 => [ ]
NOTE: ScaRR does not consider (N4, N5) and (N3, N5)
[Figure: control-flow graph with nodes N1 to N6; labels: Checkpoint (e.g., thread beginning, syscall, API call), List of Actions, Edge]
10. Model Challenges
- Loop
- Recursion
- Signal
- Exception
11. Loop
SA − N1 => [ ]
N1 − N1 => [ (N1, N2) ]
N1 − SB => [ (N1, N3) ]
[Figure: nodes SA, N1, SB, N2, N3; label: virtual-checkpoint]
13. Signal and Exception
[Figure: nodes SA, EA, EB, N1, SB, N2; labels: Thread, Catch Block or Signal Handler]
1. Pause thread LoA
2. Trace new LoA for catch block / signal handler
3. Resume thread LoA
14. ScaRR Design
Offline Analysis:
- analyze(Application) -> Offline Measurements**
Online Analysis:
- Verifier -> Prover: Challenge (nonce, input)
- Prover (Application) -> Verifier: List of Reports* (Cb, Cr, H(LoA)) and (output)
*list of reports and output go in parallel
**LoA + extra info
15. Measurements
Offline Measurements (Verifier side):
    (Cb, Ce, H(LoA)) => [ (M1, A1) ... ]
Partial Report (Online Measurements) (Prover side):
    (Cb, Ce, H(LoA))
- Cb: Beginning checkpoint
- Ce: End checkpoint
- H(LoA): Hash of LoA
- LoA: List of Actions
16. Verification
Partial Report: (Cb, Ce, H(LoA))
- Cb: Beginning checkpoint
- Ce: End checkpoint
- H(LoA): Hash of LoA
(Check1) H(LoA) is in DB? n: abort(), y: go to Check2
(Check2) Ce_{t-1} == Cb_t? n: abort(), y: go to Check3
(Check3) ss(H(LoA)) /* shadow stack */ n: abort(), y: OK!
17. Remote Shadow Stack
    #include <stdio.h>

    void a(int x);

    int main(int argc, char ** argv) {
        a(10);
        /* irrelevant code */
        a(6);
        return 0;
    }
    void a(int x) {
        /* irrelevant code */
        printf("%d\n", x);
        return;
    }
[Figure: control-flow graph with nodes S, M1, M2, M3, M4, E, A1, C, A2]
(S, C, H1) => [ (M1, A1) ]
(C, C, H2) => [ (A2, M2), (M3, A1) ]
(C, E, H3) => [ (A2, M4) ]
Offline measurement, a map between valid Partial Report and LoA
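The three checks from the Verification slide, run over the main()/a() measurements of the Remote Shadow Stack slide, as an added sketch that is not the authors' implementation. Assumptions: SHA-256 stands in for H, the "extra info" stored with each LoA tags every edge as a call (with its expected return site) or a ret, and all report streams are constructed.

```python
import hashlib

def H(loa):
    """H(LoA): digest over the ordered (src, dst) edges of a list of actions."""
    return hashlib.sha256(";".join(f"{s}>{d}" for s, d in loa).encode()).hexdigest()

# Offline measurements for the main()/a() slide. Assumed "extra info": each edge is
# tagged as a call (with the return site it must come back to) or as a ret.
_MEASURED = [
    ("S", "C", [("call", "M1", "A1", "M2")]),
    ("C", "C", [("ret", "A2", "M2", None), ("call", "M3", "A1", "M4")]),
    ("C", "E", [("ret", "A2", "M4", None)]),
]
DB = {(cb, ce, H([(s, d) for _, s, d, _ in acts])): acts for cb, ce, acts in _MEASURED}

def report(cb, ce, loa):
    """Partial report (Cb, Ce, H(LoA)) as the Prover would send it."""
    return (cb, ce, H(loa))

def verify(reports, db=DB):
    """Run Check1-3 over a stream of partial reports; return 'OK' or the failing check."""
    prev_ce, shadow = None, []
    for t, rep in enumerate(reports):
        actions = db.get(rep)                          # Check1: H(LoA) is in DB?
        if actions is None:
            return f"abort: Check1 at report {t}"
        if prev_ce is not None and prev_ce != rep[0]:  # Check2: Ce_{t-1} == Cb_t
            return f"abort: Check2 at report {t}"
        for kind, _src, dst, ret_site in actions:      # Check3: replay LoA on shadow stack
            if kind == "call":
                shadow.append(ret_site)
            elif not shadow or shadow.pop() != dst:
                return f"abort: Check3 at report {t}"
        prev_ce = rep[1]
    return "OK"

# Constructed report streams (not captured data).
GOOD = [report("S", "C", [("M1", "A1")]),
        report("C", "C", [("A2", "M2"), ("M3", "A1")]),
        report("C", "E", [("A2", "M4")])]
# a(10) returns to M4 instead of M2: the LoA is known and the checkpoints chain,
# so only the shadow stack catches it.
CORRUPTED_RET = [GOOD[0], GOOD[2]]
UNKNOWN_LOA = [report("S", "C", [("M1", "A9")])]   # edge that was never measured
BROKEN_CHAIN = [GOOD[0], GOOD[0]]                  # Ce_{t-1} = C but Cb_t = S

if __name__ == "__main__":
    for name in ("GOOD", "CORRUPTED_RET", "UNKNOWN_LOA", "BROKEN_CHAIN"):
        print(name, "->", verify(globals()[name]))
```

The CORRUPTED_RET stream passes Check1 and Check2 because every individual report is a valid measurement; the mismatch only appears when the return edge is compared with the return site pushed by the earlier call.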
21. Prover
User-Space
- Application Process // instrumented
- ScaRR Libraries // to communicate with the kernel
Kernel-Space // custom kernel, as trusted anchor
- ScaRR Module
- ScaRR sys_measure, ScaRR sys_addaction // 2 new syscalls
22. Evaluation
Based on SPEC-CPU 2017
- Attestation Speed
- Verification Speed
- Network Impact
- Security Properties
24. Verification Speed
From 1.4 M/s to 2.7 M/s
Previous work from 110 to 30k cf-events/s
(Check1) => constant hashmap fetching
(Check2) => constant operation
(Check3) => O(#actions for LoA)
[Figure label: Average LoA size]
25. Network Impact
Problem:
Too many reports -> network overload
Solution:
Compress groups of reports
26. Security Properties
✓ Code Injection: jumping to shellcode produces wrong LoA
✓ Code-reuse Attacks: produces wrong LoA
✓ Overwrite Nodes: invalid static attestation
27. Technical Limitations
- Context switch still too slow (considered PT too)
- Become kernel-agnostic by using another trusted anchor (e.g., SGX, TrustZone)
- Requires source code
- CFG generation affects the precision of attack detection
28. Thank you for your attention…
Flavio Toffalini - flavio_toffalini@mymail.sutd.edu.sg