Manipulating the ARM Hypervisor and TrustZone

Ben Yehuda, Raz

View/Open

5.3 Mb

Downloads:

Show download details Hide download details

Published in

JYU dissertations

Authors

Ben Yehuda, Raz

Date

2021

ARM architecture keeps extending, and new features are added in each edition of this processor’s architecture. We examine the various techniques to manipulate the ARM hypervisor. In this work, we present a new execution context in the Linux operating system, which we refer to as the hyplet. The hyplet is a technique in which a function of a regular Linux process is executed in the hypervisor. It is through the use of the hyplet that an additional security layer is put inside an executing Linux process, inaccessible to common user space or kernel space privileges. Also, the hyplet provides an infrastructure for a CFI (Control Flow Inspection) technique named C-FLAT, a virtual disk used to trap intruders (honeypot), and a method to acquire coherent memory images for forensics. The acquisition is performed slowly, thereby reduces heat and power, and therefore a good solution for battery-based devices such as smartphones. Also, we show that the hyplet, compared to other RPC (Remote Proced ... showmore

ARM-Architecture jatkuu jatkuvasti, ja uusia ominaisuuksia lisätään prosessorin jokaisessa versiossa. Tutkimme erilaisia tekniikoita ARM-hypervisor manipuloimiseksi. Tässä työssä esitämme uuden suoritusyhteyden Linux-käyttöjärjestelmässä, jota kutsumme Hyplet. Hyplet on tekniikka, jossa tavallisen Linux-prosessin toiminto suoritetaan hypervisor. Hyplet avulla laitetaan suoritettavan Linux-prosessin sisään ylimääräinen turvakerros, johon ei pääse tavalliselle käyttäjä- tai ydintilaa koskeville oikeuksille. Hyplet tarjoaa myös infrastruktuurin CFI (Control Flow Inspection) -tekniikalle, nimeltään C-FLAT, virtuaalilevylle, jota käytetään tunkeilijoiden ansaan (hunajapotti), ja menetelmän yhtenäisten muistikuvien hankkimiseksi Forensics. Hankinta suoritetaan hitaasti, mikä vähentää lämpöä ja virtaa ja on siten hyvä ratkaisu akkupohjaisille laitteille, kuten älypuhelimille. Näytämme myös, että hypletti tarjoaa muihin RPC (Remote Procedure Call) -tekniikoihin verrattuna erittäin nopean RPC: ... showmore

ISBN

978-951-39-8752-7

Contains publications

Artikkeli I: Ben Yehuda, Raz; Wiseman, Yair (2011). The offline scheduler for embedded transportation systems. Proceedings of Industrial Technology (ICIT), IEEE International Conference on. 2011.
Artikkeli II: Ben Yehuda Raz, Zaidenberg Nezer. (2018). Hyplets - Multi Exception Level Kernel towards Linux RTOS. In SYSTOR '18 : Proceedings of the 11th ACM International Systems and Storage Conference June 4-6, 2018, Haifa, Israel (pp. 116-117). ACM. DOI: 10.1145/3211890.3211917
Artikkeli III: Yehuda, R. B., Leon, R., & Zaidenberg, N. (2019). Arm security alternatives. In T. Cruz, & P. Simoes (Eds.), ECCWS 2019 : Proceedings of the 18th European Conference on Cyber Warfare and Security (pp. 604-612). Academic Conferences International. Proceedings of the European conference on information warfare and security. JYX: jyx.jyu.fi/handle/123456789/67099
Artikkeli IV: Kiperberg, Michael; Ben Yehuda, Raz and Zaidenberg. Nezer (2020). HyperWall: A Hypervisor for Detection and Prevention of Malicious Communication. International Conference on Network and System Security. Best paper award. DOI: 10.1007/978-3-030-65745-1_5
Artikkeli V: Ben Yehuda, R., & Zaidenberg, J. (2020). Protection against reverse engineering in ARM. International Journal of Information Security, 19(1), 39-51. DOI: 10.1007/s10207-019-00450-1. JYX: jyx.jyu.fi/handle/123456789/67650
Artikkeli VI: Ben Yehuda, R., & Zaidenberg, N. J. (2020). The hyplet : Joining a Program and a Nanovisor for real-time and Performance. In SPECTS 2020 : International Symposium on Performance Evaluation of Computer & Telecommunication Systems. IEEE. Full text: ieeexplore.ieee.org/abstract/document/9203743/. JYX: jyx.jyu.fi/handle/123456789/74090
Artikkeli VII: Zaidenberg, N. J., Kiperberg, M., Yehuda, R. B., Leon, R., Algawi, A., & Resh, A. (2020). Hypervisor Memory Introspection and Hypervisor Based Malware Honeypot. In P. Mori, S. Furnell, & O. Camp (Eds.), ICISSP 2019 : 5th International Conference on Information Systems Security and Privacy, Revised Selected Papers (pp. 317-334). Springer. Communications in Computer and Information Science, 1221. DOI: 10.1007/978-3-030-49443-8_15
Artikkeli VIII: Ben Yehuda, R., Shlingbaum, E., Gershfeld, Y., Tayouri, S., & Zaidenberg, N. J. (2021). Hypervisor memory acquisition for ARM. Forensic Science International: Digital Investigation, 37, Article 301106. DOI: 10.1016/j.fsidi.2020.301106
Artikkeli IX: Ben Yehuda, Raz and Zaidenberg, Nezer. Offline nanovisor. Submitted.
Artikkeli X: Ben Yehuda, Raz; Aronov, Adam; Ekstein, Or; Kiperberg, Michael and Zaidenberg, Nezer. C FLAT nanovised. Submitted.
Artikkeli XI: Stajnord, Ron; Ben Yehuda, Raz and Zaidenberg, Nezer. Attacking Trust-Zone. Submitted.