PROMISE：零信任网络中安全执行的可编程硬件监控器

IF 1.7 4区计算机科学 Q3 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

IEEE Embedded Systems Letters Pub Date : 2024-01-16 DOI:10.1109/LES.2024.3354831

Nikhilesh Singh;Shagnik Pal;Rainer Leupers;Farhad Merchant;Chester Rebeiro

{"title":"PROMISE：零信任网络中安全执行的可编程硬件监控器","authors":"Nikhilesh Singh;Shagnik Pal;Rainer Leupers;Farhad Merchant;Chester Rebeiro","doi":"10.1109/LES.2024.3354831","DOIUrl":null,"url":null,"abstract":"With the inevitable adoption of zero trust architectures (ZTAs) for enterprise networks, there is a need to continuously gauge the security health of connected devices. This requires runtime monitoring of the devices in the network. The challenge, especially in resource-constrained environments, is to ensure trusted monitoring at a fine granularity. In this letter, we propose ProMiSE, a framework that overcomes this challenge and provides an online non-tamperable metric called trust score to quantify the security health of devices in a ZTA network. We use real-time hardware tracking of microarchitectural signals in the CPU to compute the trust score in a security co-processor that is isolated from the device’s computing stack. The trust score for each device is sent to the ZTA host for corresponding responses. We evaluate ProMiSE on an open-source RISC-V processor with different threat vectors, including ransomware, return-oriented programming (RoP) attacks, and cache-based microarchitectural attacks. We also deploy the framework on an AMD Artix 7AC701 FPGA and present the area overheads.","PeriodicalId":56143,"journal":{"name":"IEEE Embedded Systems Letters","volume":"16 4","pages":"433-436"},"PeriodicalIF":1.7000,"publicationDate":"2024-01-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"ProMiSE: A Programmable Hardware Monitor for Secure Execution in Zero Trust Networks\",\"authors\":\"Nikhilesh Singh;Shagnik Pal;Rainer Leupers;Farhad Merchant;Chester Rebeiro\",\"doi\":\"10.1109/LES.2024.3354831\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"With the inevitable adoption of zero trust architectures (ZTAs) for enterprise networks, there is a need to continuously gauge the security health of connected devices. This requires runtime monitoring of the devices in the network. The challenge, especially in resource-constrained environments, is to ensure trusted monitoring at a fine granularity. In this letter, we propose ProMiSE, a framework that overcomes this challenge and provides an online non-tamperable metric called trust score to quantify the security health of devices in a ZTA network. We use real-time hardware tracking of microarchitectural signals in the CPU to compute the trust score in a security co-processor that is isolated from the device’s computing stack. The trust score for each device is sent to the ZTA host for corresponding responses. We evaluate ProMiSE on an open-source RISC-V processor with different threat vectors, including ransomware, return-oriented programming (RoP) attacks, and cache-based microarchitectural attacks. We also deploy the framework on an AMD Artix 7AC701 FPGA and present the area overheads.\",\"PeriodicalId\":56143,\"journal\":{\"name\":\"IEEE Embedded Systems Letters\",\"volume\":\"16 4\",\"pages\":\"433-436\"},\"PeriodicalIF\":1.7000,\"publicationDate\":\"2024-01-16\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IEEE Embedded Systems Letters\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://ieeexplore.ieee.org/document/10400817/\",\"RegionNum\":4,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Embedded Systems Letters","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10400817/","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

摘要

随着企业网络不可避免地采用零信任架构（zta），有必要持续评估连接设备的安全状况。这需要对网络中的设备进行运行时监控。其中的挑战，特别是在资源受限的环境中，是确保在细粒度上进行可信监视。在这封信中，我们提出了ProMiSE，这是一个克服这一挑战的框架，并提供了一个称为信任分数的在线不可篡改度量来量化ZTA网络中设备的安全健康状况。我们使用CPU中微架构信号的实时硬件跟踪来计算与设备计算堆栈隔离的安全协处理器中的信任分数。每个设备的信任分数被发送到ZTA主机，以获得相应的响应。我们在开源RISC-V处理器上对ProMiSE进行了不同威胁向量的评估，包括勒索软件、面向返回的编程（RoP）攻击和基于缓存的微架构攻击。我们还将该框架部署在AMD Artix 7AC701 FPGA上，并给出了面积开销。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

ProMiSE: A Programmable Hardware Monitor for Secure Execution in Zero Trust Networks

With the inevitable adoption of zero trust architectures (ZTAs) for enterprise networks, there is a need to continuously gauge the security health of connected devices. This requires runtime monitoring of the devices in the network. The challenge, especially in resource-constrained environments, is to ensure trusted monitoring at a fine granularity. In this letter, we propose ProMiSE, a framework that overcomes this challenge and provides an online non-tamperable metric called trust score to quantify the security health of devices in a ZTA network. We use real-time hardware tracking of microarchitectural signals in the CPU to compute the trust score in a security co-processor that is isolated from the device’s computing stack. The trust score for each device is sent to the ZTA host for corresponding responses. We evaluate ProMiSE on an open-source RISC-V processor with different threat vectors, including ransomware, return-oriented programming (RoP) attacks, and cache-based microarchitectural attacks. We also deploy the framework on an AMD Artix 7AC701 FPGA and present the area overheads.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

IEEE Embedded Systems Letters Engineering-Control and Systems Engineering

CiteScore

3.30

自引率

0.00%

发文量

期刊介绍： The IEEE Embedded Systems Letters (ESL), provides a forum for rapid dissemination of latest technical advances in embedded systems and related areas in embedded software. The emphasis is on models, methods, and tools that ensure secure, correct, efficient and robust design of embedded systems and their applications.