SecArch’18- Proceedings of the 1st Workshop on Security-Oriented Designs of Computer Architectures and Processors
SESSION: Keynote Address
Security-first Architecture: Deploying Single-direction Physically Isolated Active Security Processors for Safeguarding the Future Computing
It is fundamentally challenging to build a secure system atop the current computer architecture. The complexity in software, hardware and ASIC manufacture has reached beyond the capability of existing verification methodologies. Without whole-system verification, current systems have no proven security. It is observed that current systems are exposed to a variety of attacks due to the existence of a large number of exploitable security vulnerabilities. Some vulnerabilities are difficult to remove without significant performance impact because performance and security can be conflicting with each other. Even worse, attacks are constantly evolving, and sophisticated attacks are now capable of systematically exploiting multiple vulnerabilities while remain hidden from detection. In order to achieve security hardening of current computer architecture, existing defenses are mostly ad hoc and passive in nature. They are normally developed in responding to specific attacks spontaneously after specific vulnerabilities were discovered. As a result, they are not yet systematic in protecting systems from existing attacks and likely defenseless in front of zero-day attacks. In this talk, I will introduce the Security-first Architecture to confront the aforementioned challenges, as well as our recent works on this direction. The Security-first Architecture is a concept which enforces systematic and active defenses using Active Security Processors. In systems built based on this concept, traditional processors are monitored and protected by Active Security Processors. The two types of processors execute on their own physically-isolated resources, including memory, disks, network and I/O devices. The Active Security Processors are provided with dedicated channels to access all the resources of the Computation Processors but not vice versa. This allows the Active Security Processors to actively detect and tackle malicious activities in the Computation Processors with minimum performance degradation while protecting themselves from the attacks launched from the Computation Processors thanks to the resource isolation.
SESSION: Full Papers
Trusted computing is one of the main development trend in information security. However, there are still two limitations in existing trusted computing model. One is that the measurement process of the existing trusted computing model can be bypassed. Another is it lacks of effective runtime detection methods to protect the system, even the measurement process itself. In this paper, we introduce an active trusted model which can solve those two problems. Our active trusted computing model is comprised of two components: normal computation world and isolated security world. All the security tasks of active trusted computing model are assigned to the isolated security world. In this model, the static trusted measurement measures BIOS and operating system at the start-up of the computer system; and the dynamic trusted measurement measures the code segment, the data segment, and other critical structures actively and periodically at runtime. We have implemented a prototype of the active trusted computing model and done preliminary evaluation. Our experimental results show that this prototype can perform trusted computing on-the-fly effectively with an acceptable performance overhead.
The current electronic-economy is booming, electronic-wallets, encrypted virtual-money, mobile payments, and other new generations of economic instruments are springing up. As the most important cornerstone, CPU is facing serious security challenges. And with the blowout of actual application requirements, the importance of CPU security testing is increasing. However, the actual security threats to computer systems are also becoming increasingly rampant (now attackers often use multiple different types of vulnerabilities to construct complex attack systems, not just a single attack chain). The traditional vulnerability detection model is not capable of comprehensive security assessment. We first proposed a comprehensive CPU Security Benchmark solution with high coverage for existing known vulnerabilities, including Undocumented Instructions detection, Control Flow Integrity test, Memory Errors detection, and Cache Side Channels detection, Out of Order and Speculative execution vulnerabilities (Meltdown and Spectre series) tests, and more. Our benchmark provides meaningful and constructive feedbacks for evading architecture/microarchitecture design flaws, system security (OS and libraries) software patches design, and user programming vulnerabilities tips. We hope that the work of this paper will promote the computer system security testing from the past scatter point and line mode (single specific vulnerability and attack chain testing) to coordinated and whole surface mode (multi-type vulnerabilities and attack network testing), thus creating a new research direction of the comprehensive and balanced CPU Security Benchmark. Our test suite will play an inspiring role in the comprehensive assessment of security in personal computer devices (PC/Mobile Phone) and large server clusters (Servers/Cloud), as well as the construction of more secure Block-Chain nodes (IOT), and many other practical applications.
SESSION: Short Papers
This paper proposes a deep learning based method for efficient malware classification. Specially, we convert the malware classification problem into the image classification problem, which can be addressed through leveraging convolutional neural networks (CNNs). For many malware families, the images belonging to the same family have similar contours and textures, so we convert the Binary files of malware samples to uncompressed gray-scale images which possess complete information of the original malware without artificial feature extraction. We then design classifier based on Tensorflow framework of Google by combining the deep learning (DL) and malware detection technology. Experimental results show that the uncompressed gray-scale images of the malware are relatively easy to distinguish and the CNN based classifier can achieve a high success rate of 98.2%
Insider threats have shown their great destructive power in information security and financial stability and have received widespread attention from governments and organizations. Traditional intrusion detection systems fail to be effective in insider attacks due to the lack of extensive knowledge for insider behavior patterns. Instead, a more sophisticated method is required to have a deeper understanding for activities that insiders communicate with the information system. In this paper, we design a classifier, a neural network model utilizing Long Short Term Memory (LSTM) to model user log as a natural language sequence and achieve role-based classification. LSTM Model can learn behavior patterns of different users by automatically extracting feature and detect anomalies when log patterns deviate from the trained model. To illustrate the effective of classification model, we design two experiments based on cmu dataset. Experimental evaluations have shown that our model can successfully distinguish different behavior pattern and detect malicious behavior.