Professional Documents
Culture Documents
ABSTRACT
We examine how the hardware level security features in the OS Friendly Microprocessor Architecture improves
cybersecurity against a rootkit attack. A rootkit (root + kit) is a malicious program or tool -“kit” of programs designed to
obtain “root” level privileges (root for Unix, admin for Windows). Rootkits operate at the same security ring level as an
operating system. This gives rootkits access to kernel level data structures. Even with state-of-the-art security
technologies, it is very difficult to detect a rootkit. Rootkits have been used for digital rights management and copy
protection; however, the 2005 CD copy protection scandal illustrates how poor computer security can leave an open door
for other malware.
We present a security model of the OS Friendly Microprocessor Architecture and we present a short introduction to
rootkits. For this paper, we will focus on OS-kernel level rootkits. We will illustrate how the hardware security features
of the OS Friendly Microprocessor Architecture increases the difficulty for rootkit malware to compromise a computer
system.
Keywords: Microprocessor, OS, cyber security, rootkit, privacy
1. INTRODUCTION
We present a short introduction to cybersecurity covering the motivation for the OS Friendly Microprocessor Architecture.
“Cyber” security history examples provide illustrations of poor system security and some ideas for more secure systems.
Back in 1975, “Security Kernel Evaluation for Multics,” [1] presented a forward thinking definition of a secure system:
“A system is secure if it is Known to prevent all actions defined as unauthorized by the specification of its security
properties.” We point out system complexity is the bane of system security. We are interested in a simple, hardware
security mechanism that completely separates control from untrusted “data.” In this paper, we are going to look at the
hardware computer security mechanism in the OS Friendly Microprocessor Architecture to protect against rootkit attacks.
Cyber security can be compared to defending a medieval castle. The attacker only needs to find one weakness
(vulnerability) to get in. After a decade long siege on a seemingly impenetrable fortress, the Greek army devised a “social
engineering” attack and gained entry into Troy with the “Trojan Horse” [2]. A cyber-attack starts be gaining entry into a
system. The ultimate goal of a cyber-attack is to achieve administrator privileges without being detected. Administrator
privileges for a cyber-attacker is equivalent to Dark Lord Sauron’s ring: “O ne Ring to rule them all …” [3].
Current cyber security practices can be compared to in-band signaling. With in-band signaling, the system hacker already
has gained access. The 1970’s telephone network [4-5] used in-band signaling for control signals (tones). In-band
signaling combines voice (data) and control signals on the same telephone circuit. A blue box [6] provided the control
codes for the telephone network. Any hobbyist with electronics knowledge could easily build a blue box to control the
telephone network. In-band signaling could not tell the difference between the telephone service provider and a prankster.
Control information needs to come from a trusted source and/or be authenticated.
Cyber Sensing 2017, edited by Igor V. Ternovskiy, Peter Chin, Proc. of SPIE Vol. 10185,
1018503 · © 2017 SPIE · CCC code: 0277-786X/17/$18 · doi: 10.1117/12.2258235
There is a rift between rival camps in the computer world. In the 1980’s, Gulliver’s Travels met the computer world.
There are two rival computer memory formats: big endian and little endian named by Cohen [14] after Gulliver’s Travels
and which end of the egg do you break first. In the 90’s up to today, there are two rival computer platforms: Windows
and Apple. The authors believe there is a similar disconnect between microprocessor architectures and Operating System
developers. Microprocessor architectures always lead the OS developers by several years. Computer security does not
have a high priority with the commodity microprocessor offerings. More research into simple hardware features that can
significantly reduce OS and software complexity is needed. We need a more balanced approach to hardware and software.
Both defense (computer security) and offense (system hackers) are moving computer security closer to the system
hardware level. In this paper, we will look at the hardware security mechanism in the OSFA. We will illustrate how the
hardware security mechanism defends against rootkit attacks.
2. ROOTKIT HISTORY
‘Root’ is the highest privilege level inside an operating system. Root has complete access to a computer system’s
hardware, memory and software. For an operating system to manage a computer’s system resources, it requires root level
access. ‘Kernel’ is the general term referring to the core of an operating system with root level access.
A rootkit is a toolbox of malicious programs to by-pass kernel protections and take control of a computer. The goal of the
attacker is to obtain root level privileges and hide the attack from the system administrators. “Leave no trace behind,” is
the outdoor code followed by backpackers and campers. Rootkit attacker’s goal is to leave no trace behind without even
going there (to the computer under attack). In 1999, Brumley [15] wrote: “Rootkits are used by intruders to hide and
secure their presence on your system. … To catch a cracker you must understand the tools and techniques he will use to
try to defeat you.” A practical definition of a rootkit is given in {1}.
We will review hardware virtualization and hypervisors next. The next battleground for rootkits is hardware virtualization.
3. INTRODUCTION TO VIRTUALIZATION
Modern virtualization concepts can be traced back to Popek and Goldberg’s influential 1973 paper [20]. Singh describes
virtualization as a framework for partitioning computer resources.
Virtualization is a framework or methodology of dividing the resources of a computer into multiple execution environments,
by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or
complete machine simulation, emulation, quality of service, and many others. [21]
Burger in 2012 describes virtualization as an all-encompassing technology for information technology (IT) industry.
Virtualization technology is possibly the single most important issue in IT and has started a top to bottom overhaul of the
computing industry. The growing awareness of the advantages provided by virtualization technology is brought about by
economic factors of scarce resources, government regulation, and more competition. [22]
Application Application
Application Application Software Software
Software Software
Guest OS Guest OS
Guest OS Guest OS
Hypervisor
(Virtual Machine Monitor)
Hypervisor
(Virtual Machine Monitor) Host Operating System
Virtualization technology allows a single computer to host multiple virtual machines. Each virtual machine may host an
operating system (called a guest operating system) and application software. Popek and Goldberg define two classes of
virtual machines as illustrated in Figure 1. A Type 1 hypervisor or virtual machine directly connects to the system
Pag
Separation IKCePneO eases lbls
Hardware
Hardware ViP4maOIIa4iow
Features to G^Q¢¢eOera4e
Virtualization
OlbperrNrisoP Fundions Support
Ho direct interaction, or
communication between
processes is aOOowed
T i/ ' 7r Application
i/ Software
Application
Application Software L' Operating
Software U System
Hypervisor
Operating
System
System 1111111
c
System
Hardware Hardware
.
System
Hardware
Under Attack Hacked System
The rootkit infiltrates the computer through any number of potential vulnerabilities. For discussion, we assume the rootkit
has gained root level access and begins to install a hypervisor. The malicious hypervisor then subverts the host operating
system and transfers the host operating system and its system state into a virtualized environment as a “guest” operating
system. At this point the guest operating system is completely isolated from the system hardware and the rootkit installed
hypervisor “owns” (completely controls) the guest operating system and application software. The rootkit’s hypervisor
has full access to all kernel data structures, and “guest” OS code. The rootkit hypervisor can manipulate, alter, and spoof
any “guest” OS system call to the system hardware. Even with state-of-the-art technologies, it is very difficult to detect a
virtual machine or hardware assisted virtual machine rootkit.
Some hardware virtualization based rootkit protection techniques are summarized in Table 1: ① kernel integrity; ② block
rootkit from executing malicious code; ③ enforce control flow as an invariant; and ④ enforce security properties. Fannon
[24] points out the security issues with hardware virtualization are becoming worse: “Although the use of hardware-based
virtualization has been expanding, security mechanisms specific to hardware virtualization have not been keeping pace
r r Instruction
Cache Bank
Pipeline
Memory Pipeline Architecture
L J
DMA
ContrIler
Cache Bank
Cache Bank
Cache Bank
In Figure 6, the active cache banks are connected to the execution pipeline, inactive cache banks are idle, and swapping
set cache banks are connected to the DMA controller. Swapping set cache banks are copied to upper level caching and
main memory in the background. The register memory pipeline and pipeline state memory pipeline are the cost for the
single cycle context switch. The extra pipelines also provide for more isolation between running processes. The memory
required for both is relatively small. A more detailed description of the cache bank memory pipeline architecture is found
in [40-41].
The key features of the OSFA are the cache bank memory pipeline architecture, cache bank security header, and memory
cell permission bits. The architecture focuses on completely isolating shared resources, and blocking all actions that
exceed the bounds of an execution sandbox. For the OSFA, the basic memory block is a cache bank. Cache bank security
header and memory cell permission bits provide for a hardware level security system. All I/O operations are direct memory
access based on cache banks. The trusted OS is a separation kernel that configures and manages the hardware security
mechanism in the OSFA. The OSFA hardware is the gatekeeper. All authorized operations do not incur any runtime
overhead. Any unauthorized operation (outside the bounds of the hardware sandbox) immediately raises a hardware
exception handled by the trusted OS.
Cache Bank
r Instruction Data
I Register r Execution
Pipeline Pipelin Pipeline Pipeline State
Memory Pipeline
Architecture emory emory
and and
4 Memory Pipelines Caches Caches
L
DMA
ontroller
L
Cache Bark v
t.
Trusted
Operating System
(separation kernel)
r, OSFA
Hardware
`` °i 11
Osok4ad SandbottQ2 Cache Bank Cache Bank Cache Bank
NM
7
Untrusted
.10
Untrusted
OS
r OS
Logon Untrusted
Shell Application
OS Friendly Microprocessor
Memory Pipeline Architecture [Cache Bank Memory Format
Memory
and Security Header
Caches
Permission
Memory Cell
Bits
Permission
Memory Cell
Bits
Permission
Memory Cell
Bits
Cache Bank
Permission
Memory Cell
Bits
Cache Bank
Trusted OS
Trusted OS
Modules Hypercalls Malloc
DMA
I/O Ports
Trusted OS
1 , and 2) Trusited OS
ercalls
Sepa a :ion Kerr (Level 3)
kor Kernel
Drivers extensions
Drivers Extensions
Guest OS
(Level 5) (Level 5) (Level 5)
(Level 5) (Level 5)
Guest OS Guest OS
(Level 6) (Level 6)
No objects
below Rootkit_O
1
r
Application Application Application Application
(Level7) (Level7) (Level 7) (Level 7)
Application
trd
coftwa
i
(Level 3) (Level 3)
trusted OS
Trusted OS
Boot
11111IÌ a - Each Object has a set of
Permission Bits
Security Header
Access = 1, and 2
Security Header '
Access = 0 Security Header
C
Access = 3
Trusted OS
(1, and 2) Trusted OS
Hypercalls
Separation Kernel (Level 3)
I
Security Header
/
14
Security Header 4
Guest OS Hardware blocks attacks
(Level 6)
across sandboxes
Access = 5
An OS function call with a malicious pointer is presented in Figure 14. The malicious pointer, m_ptr, points to a memory
page with a security header showing the Guest OS and Application software do not have access rights to the memory page.
A hardware level exception is raised when m_ptr tries to access the memory page.
Clean up
Application Space
Memory Permission
Page Bits = Not Allowed
Security Header
Access = 1, 2, and 3
Application
1
Guest OS Trusted OS
Software
Rootkit Permission Bits =
t
I i
1
In Figure 16, we include a rootkit in the application software. The rootkit’s goal is to obtain administrator level privileges,
and then subvert the OS as illustrated in Figure 3. In a traditional architecture, the OS function calls and memory pointers
present numerous opportunities to exploit a vulnerability and achieve administration level privileges. Figure 16 presents
a high level overview of the OSFA’s security mechanism and system hardware. The rootkit inside an application software
“sheepskin” is blocked by the cache bank security header and memory cell permission bits.
Step 1, Ethernet I/O function call, is to create a pointer to a memory page to store an Ethernet packet. The pointer is
marked Read, Write, and Modify = Not allowed and RegIO is set (pointer to I/O port). The memory page {2} security
header is set to I/O and type = Ethernet. The memory cell permission bits are configured to hold a source address,
destination address, and packet length. These parameters are marked Read, Write, and Modify = Not allowed and they
will configure the Ethernet controller.
Step 2, application sets up parameters and loads Ethernet packet data. To set the Ethernet parameters, the application
program must call the OS and then the trusted OS to set them. The trusted OS checks the parameters to make sure the
parameters are valid. We must verify the parameters are valid before trusting them. The application software cannot read,
write, or modify these parameters. The memory cells for the packet data are configured Write = allowed and Read and
Modify = Not allowed. Write only access {2} provides an additional roadblock for malware attempting to read data
from another running application. The application software copies the packet data into the message block in the memory
page.
Permission Bits =
Access Pointer Address A i READ, WRITE, MODIFY are
A = NOT ALLOWED
NOT ALLOWED
Configure Ethernet
Application
i
Security Header Ethernet I/O Security Header Ethernet I/O Security Header Ethernet I/O Security Header Ethernet I/O
==!=
rIM
rt=
Source Not allowed Not allowed
Destination Not allowed
{2} Not allowed
{3}
Length Not allowed Not allowed
Message Not allowed
In Figure 15, Step 3, the rootkit could maliciously modify the pointer. Any attempt to read the address of the pointer will
raise a hardware level exception. As described in [41], buffer overflows, and stack overflow attacks are blocked by
separating instructions and data (extended Harvard architecture), and cache bank security header, and memory cell
permission bits.
9. CONCLUSION
More research into simple hardware features that can significantly reduce OS and software complexity is needed. The
research community needs more interaction between OS developers and hardware developers. A good starting point for
researching hardware and OS trade spaces would be to break down the code in a high assurance OS, like seL4 [12], by
function points. What hardware features could help reduce a significant amount of code? We believe hardware security
features similar to the security mechanism in the OSFA are a good starting point.
The papers by Weaver et al. [4] and Breen et al. [5] described in-band control signaling for the telephone network. Without
a way to authenticate the control signals, anyone could control the 1970’s era telephone network. The computer industry
needs to leave in-band signaling in the 1970’s.
We have provided an introduction to a new architecture with a hardware based security mechanism. The cache bank
security headers, and memory cell permission bits are an extension of Unix file permission bits. The permission bits in
the OSFA create a simple hardware security mechanism. The hardware security mechanism creates sandboxes defined by
the cache banks’ security headers and memory cell permission bits. Any attempt to access a resource outside the sandbox
results in a hardware exception handle by the trusted OS. There is no run time overhead for authorized operations.
We believe the next generation of computer security will incorporate more hardware computer security features.
Hypervisors will use more hardware for security sensitive operations. “Although the use of hardware-based virtualization
has been expanding, security mechanisms specific to hardware virtualization have not been keeping pace …” [24]. We
will need to fully understand all the security tradeoffs.
We are interested in computer security professionals, hardware developers, and OS developers reviewing our security
features for limitations, and performance issues. We are interested in receiving feedback from technology professionals.
10. ACKNOWLEDGEMENT
The authors wishes to thank RDECOM community for the opportunity to develop the OS Friendly Microprocessor
Architecture and improvements. The authors would like to thank our colleagues at AMRDEC for reviewing our paper.
The authors also would like to thank our colleagues at the Army High Performance Computing Research Center at Stanford
University. This work was partially supported through funding provided by the U.S. Army Research Laboratory (ARL)
under contract No. W911NF-07-2-0027.
[1] Schroeder, M. “Security Kernel Evaluation for Multics (Interim Report),” Report # ESD-TR-75-95, M.I.T - Project
MAC, September 1975.
[2] Wikipedia.org. “Trojan Horse,” 2-3-2017. https://en.wikipedia.org/wiki/Trojan_Horse
[3] Tolkien, J. R. R. The Lord of the Rings, George Allen & Unwin UK, 1954-1955.
[4] Weaver, A. and Newall, N., “In-Band Single Frequency Signaling,” Bell System Technical Journal, 33(6),
1309-1330, (November 1954). https://archive.org/details/bstj33-6-1309
[5] Breen, C. and Dahlbom, C., “Signaling Systems for Control of Telephone Switching,” Bell System Technical Journal,
39(6), 1381-1444 (November 1960). https://archive.org/details/bstj39-6-1381 (January 2016)
[6] Computer History Museum, “Blue Box,” (Dec. 2014). www.computerhistory.org/collections/catalog/102713487
[7] Wikipedia.org. “Evaluation Assurance Level ,” 1-31-2017.
https://en.wikipedia.org/wiki/Evaluation_Assurance_Level#EAL5:_Semiformally_Designed_and_Tested
[8] Schaffer, K. and Voas, J. “What Happened to Formal Methods for Security?” Computer, pp. 70-79, August 2016.
[9] Voas, J. “Insights on Formal Methods in Cybersecurity,” Computer, pp. 102-105, May 2015.
[10] Brosgol, B. “Safety and Security: Certification Issues and Technologies,” CrossTalk: The Journal of Defense
Software Engineering, pp. 9-14, October 2008.
http://static1.1.sqspcdn.com/static/f/702523/9242461/1288742834583/200810-
Brosgol.pdf?token=O%2FzGvGaT3zGAbjAKd9oJcqfMZDI%3D
[11] Harrison, W., et al. “The MILS Architecture for a Secure Global Information Grid,” CrossTalk: The Journal of
Defense Software Engineering, pp. 20-24, October 2005.
http://static1.1.sqspcdn.com/static/f/702523/9277782/1288928922607/200510-
Harrison.pdf?token=jxJuDBgj5pMiQTipExE1AXNNVPQ%3D
[12] Klein, G., et al.: “seL4: formal verification of an OS kernel,” Proceedings of the ACM SIGOPS 22nd symposium on
Operating systems principles, Big Sky, Montana, pp. 207-220, October 11 - 14, 2009.
[13] Keegan, W. “Separation Kernels Enable Rapid Development of Trustworthy Systems,” COTS Journal, pp. 1-3, |
February 2014. www.lynx.com/pdf/Separation_Kernels_Enable_Rapid_Development.pdf
[14] Cohen, D. IE137, April 1990. http://www.ietf.org/rfc/ien/ien137.txt
[15] Brumley, D. “Invisible Intruders: Rootkits in Practice,” Usenix Special Issue on Intrusion Detection, September 1999.
https://www.usenix.org/system/files/login/articles/login_apr15_18_brumley.pdf
[16] J. Hannel: "Linux RootKits For Beginners – From Prevention to Removal,” SANS Institute 2003.
https://www.sans.org/reading-room/whitepapers/linux/linux-rootkits-beginners-prevention-removal-901
[17] M. Russinovich: “Sony, Rootkits and Digital Rights Management Gone Too Far,” October 2005.
https://blogs.technet.microsoft.com/markrussinovich/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far/
[18] Halderman J., and Felten E., “Lessons from the Sony CD DRM Episode,” Center for Information Technology Policy,
Department of Computer Science, Princeton University, Feb., 2006.
https://www.copyright.gov/1201/2006/hearings/sonydrm-ext.pdf
[19] Wikipedia.org: “Sony BMG copy protection rootkit scandal,” accessed 1/30/2017.
https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal
[20] Popek, G. and R. Goldberg, R. “Formal Requirements for Virtualizable Third Generation Architectures
Communications of the ACM, Vol. 17, No. 7, pp. 412-421, July 1974. http://dl.acm.org/citation.cfm?id=361073
[21] Singh, A. “An introduction to virtualization,” (2004, Jan) www.kernelthread.com/publications/virtualization.
[22] Burger, T. “The Advantages of Using Virtualization Technology in the Enterprise,” Intel Developer Zone, March 5,
2012. https://software.intel.com/en-us/articles/the-advantages-of-using-virtualization-technology-in-the-enterprise
[23] Kulkarni, O., et al.: “Virtualization Technology: A Leading Edge,” International Journal of Computer Application,
Issue 2, Volume 2, pp. 272-287, APRIL 2012. rspublication.com/ijca/april%2012%20pdf/32.pdf
[24] Fannon, R. An analysis of hardware-assisted virtual machine based rootkits, Thesis , Naval Postgraduate School,
June 2014. calhoun.nps.edu/handle/10945/42621
[25] Irvine, C., et. al.: “The Trusted Computing Exemplar Project,” Proceedings of the 5th IEEE Systems, Man and
Cybernetics Information Assurance Workshop, Military Academy, West Point, NY, pp. 109-115 June 2004.
[26] Grace, M., et al.: “Transparent Protection of Commodity OS Kernels Using Hardware Virtualization,” Security and
Privacy in Communication Networks, pp 162-180, 2010.
[27] Xiong, X., et al.: “Practical Protection of Kernel Integrity for Commodity OS from Untrusted Extensions,” NDSS
Symposium, 2011. http://www.internetsociety.org/sites/default/files/xipdf.pdf