COMMSEC: Pwning ARM Debug Components for Sec-Related Stuff

PRESENTATION SLIDES (PDF)

In this talk, we propose an approach portable to ARM where we demonstrate how we can use debug components not only for information flow tracking but also for other security primitives.

During the last decade, several security vulnerabilities have been discovered. Even if patches were delivered, there is always a game of cat and mouse between security developers and attackers. Nowadays, many attacks (such as code reuse or buffer overflow) exploit low-level mechanisms. In the context of computer security, one major goal is to verify the behavior of the main application at runtime. Several techniques, such as information flow tracking, have been proposed to tackle such attacks. Access controls and cryptography can limit the dissemination and modification of confidential data. Recent responsive techniques, such as IFT (Information Flow Tracking), are able to monitor the application in order to detect intrusions and abnormal behaviors. IFT is a fine-grained technique able to monitor data security once access is allowed or when data is decrypted.

Two approaches can be defined:

– SIFT (Static Information Flow Tracking). This is an offline analysis of the application aiming to check that all branches of the control flow graph are reliable.
– DIFT (Dynamic Information Flow Tracking). DIFT is performed at runtime: it monitors or instruments the application binary in order to check if the execution is secure.

DIFT consists of performing three operations:

1. Tag initialization: Attaching tags to information containers (e.g. file, variable, memory word, etc. depending on which level the IFT is being done).

2. Tag propagation: As the program runs on the CPU, information flows between information containers. The tags (attached to information containers) need to be propagated to take into account these information flows.

3. Tag check: Tags are checked with a security policy, at runtime and on a regular basis, to ensure that critical information is not handled by untrusted functions or entities.
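The three DIFT operations above, run over a small hand-written trace. This is an added example, not code from the talk: the operation names, the labels and the policy are assumptions, and the trace is constructed rather than recovered from debug hardware.

```python
# Toy DIFT engine. Containers are register names ("r0") and memory words
# ("mem[0x20]"); a tag is a set of labels attached to a container.

# Assumed security policy: labels that must never reach each sink.
POLICY = {"jump": {"untrusted"}, "send": {"secret"}}

def run_dift(trace, policy=POLICY):
    """Return a list of (step_index, sink, offending_labels) violations."""
    tags = {}          # container -> set of labels; absent means untagged
    violations = []
    for i, (op, *args) in enumerate(trace):
        if op == "source":                    # 1. tag initialization
            dst, label = args
            tags[dst] = {label}
        elif op == "const":                   # constant overwrite clears the tag
            tags[args[0]] = set()
        elif op in ("mov", "load", "store"):  # 2. propagation: dst takes src's tag
            dst, src = args
            tags[dst] = set(tags.get(src, set()))
        elif op == "alu":                     # 2. propagation: union of operands
            dst, a, b = args
            tags[dst] = tags.get(a, set()) | tags.get(b, set())
        elif op in policy:                    # 3. tag check at a sink
            bad = tags.get(args[0], set()) & policy[op]
            if bad:
                violations.append((i, op, sorted(bad)))
        else:
            raise ValueError(f"unknown operation {op!r} at step {i}")
    return violations

# Constructed trace (sample data for this example only).
TRACE = [
    ("source", "r0", "untrusted"),   # r0 <- external input
    ("const", "r1"),                 # r1 <- constant
    ("alu", "r2", "r0", "r1"),       # r2 <- r0 + r1, inherits "untrusted"
    ("store", "mem[0x20]", "r2"),    # tag follows the data into memory
    ("load", "r3", "mem[0x20]"),     # and back into a register
    ("jump", "r3"),                  # indirect jump on untrusted data
    ("source", "r4", "secret"),      # r4 <- decrypted key material
    ("send", "r1"),                  # untagged data leaves: allowed
    ("send", "r4"),                  # secret data leaves
    ("const", "r3"),                 # overwrite clears the old tag
    ("jump", "r3"),                  # now allowed
]

if __name__ == "__main__":
    for step, sink, labels in run_dift(TRACE):
        print(f"step {step}: {sink} reached by {labels}")
```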

COMMSEC
Location: Track 4 / CommSec
Date: April 14, 2017
Time: 10:45 am - 11:15 am
Pascal Cotret, Muhammad Abdul Wahab