On the Detectability of Control Flow Using Memory Access Patterns

Proceedings of the 3rd Workshop on System Software for Trusted Execution Pub Date : 2018-01-15 DOI:10.1145/3268935.3268941

Robert Buhren, Felicitas Hetzelt, Niklas Pirnay

{"title":"On the Detectability of Control Flow Using Memory Access Patterns","authors":"Robert Buhren, Felicitas Hetzelt, Niklas Pirnay","doi":"10.1145/3268935.3268941","DOIUrl":null,"url":null,"abstract":"Shielding systems such as AMD's Secure Encrypted Virtualization aim to protect a virtual machine from a higher privileged entity such as the hypervisor. A cornerstone of these systems is the ability to protect the memory from unauthorized accesses. Despite this protection mechanism, previous attacks leveraged the control over memory resources to infer control flow of applications running in a shielded system. While previous works focused on a specific target application, there has been no general analysis on how the control flow of a protected application can be inferred. This paper tries to overcome this gap by providing a detailed analysis on the detectability of control flow using memory access patterns. To that end, we do not focus on a specific shielding system or a specific target application, but present a framework which can be applied to different types of shielding systems as well as to different types of attackers. By training a random forest classifier on the memory accesses emitted by syscalls of a shielded entity, we show that it is possible to infer the control flow of shielded entities with a high degree of accuracy.","PeriodicalId":142419,"journal":{"name":"Proceedings of the 3rd Workshop on System Software for Trusted Execution","volume":"29 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-01-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 3rd Workshop on System Software for Trusted Execution","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3268935.3268941","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

Abstract

Shielding systems such as AMD's Secure Encrypted Virtualization aim to protect a virtual machine from a higher privileged entity such as the hypervisor. A cornerstone of these systems is the ability to protect the memory from unauthorized accesses. Despite this protection mechanism, previous attacks leveraged the control over memory resources to infer control flow of applications running in a shielded system. While previous works focused on a specific target application, there has been no general analysis on how the control flow of a protected application can be inferred. This paper tries to overcome this gap by providing a detailed analysis on the detectability of control flow using memory access patterns. To that end, we do not focus on a specific shielding system or a specific target application, but present a framework which can be applied to different types of shielding systems as well as to different types of attackers. By training a random forest classifier on the memory accesses emitted by syscalls of a shielded entity, we show that it is possible to infer the control flow of shielded entities with a high degree of accuracy.

查看原文本刊更多论文

基于内存访问模式的控制流可检测性研究

屏蔽系统，如AMD的安全加密虚拟化，旨在保护虚拟机免受更高特权实体(如管理程序)的攻击。这些系统的基石是能够保护内存免受未经授权的访问。尽管有这种保护机制，但以前的攻击利用对内存资源的控制来推断在屏蔽系统中运行的应用程序的控制流。虽然以前的工作集中在特定的目标应用程序上，但没有对如何推断受保护应用程序的控制流进行一般分析。本文试图通过详细分析使用内存访问模式的控制流的可检测性来克服这一缺陷。为此，我们不关注特定的屏蔽系统或特定的目标应用，而是提出一个框架，可以应用于不同类型的屏蔽系统以及不同类型的攻击者。通过在屏蔽实体的系统调用所发出的内存访问上训练随机森林分类器，我们证明了以高精度推断屏蔽实体的控制流是可能的。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 3rd Workshop on System Software for Trusted Execution

自引率

0.00%

发文量