Poster. - University of Washington

TRIE: Runtime Integrity Measurement and Enforcement with Automated Whitelist Generation
Anna Kornfeld Simpson (1), Nabil Schear (2), Thomas Moyer (2)
(1) University of Washington, (2) MIT Lincoln Laboratory
TRIE: Taint-based Runtime Integrity Enforcement
Background
• Need to establish trust in remote systems
  - Is this the machine I expect?
  - What is the machine's integrity state at the time that I communicated with it?
• Solution: Build from a hardware root of trust, the Trusted Platform Module (TPM)
  Chain of trust: Root of Trust (TPM) -> BIOS Firmware -> Boot Loader -> ... (each stage is measured before it runs)
  1. Each component measures (hashes) the next component at load time before transferring control
  2. Use measurements to create a hash chain rooted in TPM
  3. Present a hash chain signed by the TPM (quote) to other hosts to prove system integrity state

Approach: Trace all executed code back to source files; enforce or attest system integrity at runtime

Learning Phase
1. Keep cryptographic hashes of files on disk
2. Track file I/O per process
3. Trace all executed code back to source files using Dynamic Taint Analysis (DTA)
4. Create whitelist of execution-relevant files (e.g., executables, byte code, scripts)
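The three load-time steps from the Background (measure the next stage, extend a TPM-rooted hash chain, present a quote) worked through in an added example that is not part of the poster. The component images are constructed, and an HMAC under a constructed key stands in for the TPM's signature over the quote.

```python
import hashlib
import hmac

PCR_INIT = b"\x00" * 20                        # a TPM 1.2 PCR: 20-byte SHA-1 register, zero at reset
ATTEST_KEY = b"constructed-attestation-key"    # stand-in for the TPM's attestation (signing) key

def measure(image: bytes) -> bytes:
    """Step 1: the running component hashes the next component's image before handing over."""
    return hashlib.sha1(image).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """Step 2: TPM extend, PCR_new = SHA-1(PCR_old || digest); order-dependent, not reversible."""
    return hashlib.sha1(pcr + digest).digest()

def boot_chain(components):
    """Measure each stage (BIOS, boot loader, kernel, ...) in order; return (pcr, measurement log)."""
    pcr, log = PCR_INIT, []
    for name, image in components:
        digest = measure(image)
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log

def quote(pcr: bytes, nonce: bytes) -> str:
    """Step 3: stand-in for a TPM quote, a keyed signature over (nonce || PCR)."""
    return hmac.new(ATTEST_KEY, nonce + pcr, hashlib.sha256).hexdigest()

def verify(log, pcr_quote: str, nonce: bytes, known_good: dict):
    """Remote verifier: replay the log into a PCR, check it against the quote, then check
    every measured component against its known-good hash. Returns (ok, list of problems)."""
    pcr = PCR_INIT
    for _, hexdigest in log:
        pcr = extend(pcr, bytes.fromhex(hexdigest))
    if not hmac.compare_digest(quote(pcr, nonce), pcr_quote):
        return False, ["measurement log does not reproduce the quoted PCR"]
    bad = [name for name, hexdigest in log if known_good.get(name) != hexdigest]
    return not bad, bad

# Constructed component images standing in for the real firmware, boot loader and kernel files.
GOOD_BOOT = [("BIOS firmware", b"bios image v1"), ("boot loader", b"bootloader image v2"),
             ("OS kernel", b"kernel image v4")]
KNOWN_GOOD = {name: measure(image).hex() for name, image in GOOD_BOOT}
```

A modified boot loader shows up as a known-good mismatch, and a log edited to hide it no longer replays to the PCR value the TPM quoted.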
Load-Time Integrity Measurement
Today's load-time measurement stack: Hardware (TPM) -> Firmware (Trusted/Secure Boot) -> Operating System, System software, Application and Configuration Files (Linux Integrity Measurement Architecture (IMA) [1])
• Limitations of load time integrity measurement
  - Stale measurements for long running processes
  - Does not detect compromised code created after load time (Just-in-time (JIT) compiled code, interpreted scripts)

Runtime Phase
1. Track all I/O per process
2. Trace all executed code back to source using Dynamic Taint Analysis (DTA)
3. Check execution sources against whitelist
4. Disallow network and unknown sources (depending on policy)
In both phases DTA watches the application's memory (App -> Mem -> DTA). The learning phase fills the whitelist (File, Hash; File, Hash; ...); the runtime phase looks up each execution source in it and treats network (Net) input as a separate source.

• Dynamic Taint Analysis (DTA)
  - Color memory and CPU registers that contain data from file input
  - Check for taint before JMP/CALL/RET to memory/registers
  Example trace (event on the left, taint action it triggers on the right):
    0x80eaf = mmap(NULL, "libc.so", 0x82966)   ->  Mark 0x80eaf-0x103815 as libc.so
    read(0xb7548, "app.exe", 318)              ->  Mark 0xb7548-0xb7860 as app.exe
    ECX = 0xb7548                               ->  Mark ECX register as app.exe
    RET 0x80eb1                                 ->  Add libc.so to whitelist
    JMP ECX                                     ->  Add app.exe to whitelist
Problem
• Load time integrity measurement not sufficient for long running or dynamically loaded/compiled applications
• No general solution to runtime integrity measurement for many common use cases
  - e.g., Internet services, cloud, critical infrastructure
  Runtime integrity measurement today, by layer: Application and Configuration Files: targeted solutions only [3]; Operating System: LKIM [2]; Firmware and Hardware (TPM): short lived, N/A. A general approach is needed.

Implementation
Stack: Application -> TRIE on libdft on Intel PIN -> Linux Kernel with IMA -> File System with SHA-1 file hashes
• TRIE taint tracking engine built on top of libdft [4] and Intel PIN emulator
  - Tracks taint/color at the byte level through all ISA operations using shadow memory
  - Hooks relevant system calls (e.g., open, mmap, read) to add or check for taint
• Kernel IMA-appraisal provides up to date immutable file hashes in FS extended attributes
• TRIE with IMA provides runtime-measurement-based remote attestations
  - Extend TPM register and kernel measurement list with TRIE measurements
  - Remote party verifies TRIE measurements with whitelist created during learning phase

Evaluation
• Execution Coverage
  - Is there DTA failure due to implicit information flow?
  - Missed coverage during whitelisting results in a false positive at runtime
  Taint lost via implicit information flow (b depends on a, but no tainted byte is copied into b):
    a = tainted_var
    if (a == 1)
      b = 0;
    else
      b = 1;
• Performance of DTA at runtime
  - What is the added overhead of the positive tainting approach of TRIE over standard DTA?

Binary             # JMP/CALL/RET   Code Coverage   Colors Used
empty C prog       1,344            100%            6
cat hello.txt      3,040            100%            11
grep               6,561            100%            17
ls ~               11,021           100%            26
exec("ls ~")       11,021           100%            26
python hello.py    676,201          100%            293
Python prompt      699,352          100%            329

[Chart: Slowdown (relative to PIN) per binary; y-axis 0 to 9]

• Future Evaluation Plan
  - Run TRIE on existing testing frameworks from cloud applications (e.g., Apache Web server, MySQL, Hadoop) to learn whitelists
  - Study applicability of hardware-based DTA for better performance

Conclusions
• TRIE provides runtime measurement of all executed code
  - Stand-alone enforcement of allowed execution-relevant files
  - Integration with trusted computing architecture via IMA
• Explicit DTA can provide sufficient coverage to ensure high trust in complex applications at runtime
Contact Information: Anna Kornfeld Simpson: aksimpso@cs.washington.edu, Nabil Schear: nabil@ll.mit.edu, Thomas Moyer: thomas.moyer@ll.mit.edu
This work is sponsored by Assistant Secretary of Defense for Research & Engineering under Air Force Contract FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the author and are not necessarily endorsed by the United States Government.
References
[1] Sailer et al. "Design and Implementation of a TCG-based Integrity Measurement Architecture", USENIX Security 2004.
[2] Loscocco et al. "Linux Kernel Integrity Measurement Using Contextual Inspection", STC 2007.
[3] Davi et al. "Dynamic Integrity Measurement and Attestation: Towards Defenses Against ROP Attacks", STC 2009.
[4] Kemerlis et al. "libdft: Practical dynamic data flow tracking for commodity systems", VEE 2012.