Applications can be protected against runtime attacks! by Ravi Sahita

We have seen regular reports from security vendors of malware becoming increasingly stealthier and polymorphic. Most countermeasures have focused in the area of reactive approaches such as anti-virus scanning, which doesn’t help much here. Intrusion prevention systems help, but are susceptible to attacks themselves – this is a problem since the protection and the attacks are operating in a level playing field! We have been analyzing these types of attacks in our lab and have approached the mitigation of this problem from a different view of protecting the applications in-place such that malware may still execute but will not have any negative impact on the security of the application. What we mean by in-place, is that the applications do not have to change their programming model or use of OS services, instead the program is protected in the environment within which it executes. Given these advanced attacks, in-place protection is important to today’s critical applications!

Our approach has been to protect the program at a fundamental level and from a higher privilege to ensure separation between the protected piece and the protector. To that end, we have been using our virtualization extensions (Intel® VT) to build a research prototype security visor. VT provides the necessary hardware hooks to virtualize OS page tables – using this, we have designed a page table partitioning algorithm to protect program memory such that the program cannot be tampered with, any dynamic data it allocates is accessible only to the program and any API attacks into the program can be prevented. Our protection scheme is driven by software measurement schemes we have described earlier in a paper published in the Technology@Intel magazine. Our page table partitioning approach is called VT Integrity Services and is described in more detail here, and we would love to hear your feedback on this approach.

The runtime protection for the application is important not just from the correct local execution of the application but also to be able to subsequently perform remote attestation of the protected application. This approach has applications to many usages. Intel® TXT provides us with the necessary secure storage and reporting mechanisms to ensure that the security visor we load, is the correct (read trusted) one. Additionally, the hardware platform can enforce that virtualization mode is turned on only when it is used via TXT – which enforces that the security visor should be a signed piece of code. What we are demonstrating at the current Research @ Intel day is the on-demand protection of an application – this is an avenue we have been investigating to be able to use this approach on power-sensitive devices like ultra-mobile devices. We are demonstrating that the on-demand trusted launch of the security visor can be used to protect the application only when required, so that the power usage due to running the Security Visor can be minimized to the application lifetime. Hope to hear your feedback on our research.

Ravi Sahita is a Senior Researcher in the Communication Technology Lab in Intel’s Corporate Technology Group. Ravi is currently working on platform approaches to address computer security issues. Ravi has contributed to Intel® AMT, Intel® NetStructure® products and the open sourced Intel® Common Open Policy Services (COPS) client SDK. Ravi is a contributing member of the Internet Engineering Task Force (IETF) and the Trusted Computing Group (TCG) standards bodies. He received his B.E. in Computer Engineering from the University of Bombay, and an M.S. in Computer Science from Iowa State University.

Comments are closed.