Securing Arm Platform: from Software-Based to Hardware-Based Approaches
Total Page:16
File Type:pdf, Size:1020Kb
Wayne State University Wayne State University Dissertations January 2020 Securing Arm Platform: From Software-Based To Hardware-Based Approaches Zhenyu Ning Wayne State University Follow this and additional works at: https://digitalcommons.wayne.edu/oa_dissertations Part of the Computer Sciences Commons Recommended Citation Ning, Zhenyu, "Securing Arm Platform: From Software-Based To Hardware-Based Approaches" (2020). Wayne State University Dissertations. 2393. https://digitalcommons.wayne.edu/oa_dissertations/2393 This Open Access Dissertation is brought to you for free and open access by DigitalCommons@WayneState. It has been accepted for inclusion in Wayne State University Dissertations by an authorized administrator of DigitalCommons@WayneState. SECURING ARM PLATFORM: FROM SOFTWARE-BASED TO HARDWARE-BASED APPROACHES by ZHENYU NING DISSERTATION Submitted to the Graduate School, of Wayne State University, Detroit, Michigan in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY 2020 MAJOR: COMPUTER SCIENCE Approved By: ———————————————————– Advisor Date DEDICATION To my wife and all my family. ii ACKNOWLEDGEMENTS I wish to express my appreciation to those who supported and encouraged me in one way or another during the last five years. First of all, I would like to express my gratefulness to my advisor, Dr. Fengwei Zhang, for his valuable guidance and continuous support during my Ph.D. study at Wayne State University. Dr. Zhang led me into the way of academic research and showed me the essentials of a researcher. His enthusiasm for research has encouraged me to achieve the degree. During the tough times in the Ph.D. pursuit, he showed me great patient and offered numerous hours to discuss with me, without which I cannot succeed. I am also very grateful to Prof. Weisong Shi, Prof. Dongxiao Zhu, and Prof. Anyi Liu for serving as my dissertation committee and giving valuable suggestions on the dissertation. Your attitude on research helps me not only in the dissertation but also in my career. Moreover, I would like to thank all the group members in COMPASS lab. Especially for Dr. Saeid Mofrad, Dr. Lei Zhou, and Dr. Jinghui Liao, we have had many brilliant ideas and exciting discussions. Also, I deeply appreciate the support and love from my wife Qian Jiang. You give me light in the darkness and always make me hopeful. Thanks to my mother Weiping Zhu and my father Guoqiang Ning, I really hope you could see it. iii TABLE OF CONTENTS Dedication . ii Acknowledgements . iii List of Tables . ix List of Figures . x Chapter 1 Introduction . 1 Chapter 2 Background . 5 2.1 Dalvik, Android Runtime, and Android Java Bytecode . 5 2.2 ARM TrustZone and Trusted Firmware . 6 2.3 ARM Debugging Architecture . 6 2.4 Advanced Transportation Controller and Roadside Cabinets . 7 2.4.1 Malfunction Management Unit and Cabinet Monitor Unit . 8 Chapter 3 Reassembleable Bytecode Extraction on Android . 10 3.1 Introduction . 10 3.2 Related Work . 12 3.2.1 Static Analysis Tools . 12 3.2.2 Dynamic Analysis Tools . 13 3.2.3 Hybrid Analysis Tools . 13 3.2.4 Unpacking and Reassembling in Traditional Platforms . 14 3.3 System Overview . 15 3.3.1 Bytecode and Data Collection . 15 3.3.2 DEX File Reassembling . 16 3.3.3 Code Coverage Improvement Module . 17 iv 3.4 Design and Implementation . 17 3.4.1 Bytecode Collection . 18 3.4.2 Bytecode Reassembling . 24 3.4.3 Data Collection and DEX Reassembling . 26 3.4.4 Handling Reflection . 27 3.4.5 Force Execution . 27 3.5 Evaluation . 29 3.5.1 RQ1: Test with Open-source Apps and Public Packers . 29 3.5.2 RQ2: Test with Existing Tools . 30 3.5.3 RQ3: Test with Real-world Packed Applications . 35 3.5.4 RQ4: Code Coverage . 36 3.5.5 RQ5: Performance . 37 Chapter 4 Transparent Malware Analysis on ARM . 40 4.1 Introduction . 40 4.2 Related Work . 41 4.2.1 Transparent Malware Analysis on x86 . 41 4.2.2 Dynamic Analysis Tools on ARM . 43 4.2.3 TrustZone-related Systems . 44 4.3 System Architecture . 45 4.3.1 Reliable Domain Switch . 46 4.3.2 The Trace Subsystem . 46 4.3.3 The Debug Subsystem . 47 4.4 Design and Implementation . 48 v 4.4.1 Bridge the Semantic Gap . 48 4.4.2 Secure Interrupts . 51 4.4.3 The Trace Subsystem . 51 4.4.4 The Debug Subsystem . 54 4.4.5 Interrupt Instruction Skid . 57 4.5 Transparency . 58 4.5.1 Footprints Elimination . 59 4.5.2 Defending Against Timing Attacks . 61 4.6 Evaluation . 63 4.6.1 Output of Tracing Subsystem . 64 4.6.2 Tracing and Debugging Samples . 64 4.6.3 Transparency Experiments . 66 4.6.4 Accessing Memory Mapped Interface . 67 4.6.5 Performance Evaluation . 68 4.6.6 Skid Evaluation . 70 Chapter 5 Understanding the Security of ARM Debugging Features . 72 5.1 Introduction . 72 5.2 Security Implications of the Debugging Architecture . 75 5.2.1 Non-invasive Debugging . 75 5.2.2 Invasive Debugging . 76 5.2.3 Summary . 80 5.3 Debug Authentication Signals in Real-World Devices . 82 5.3.1 Target Devices . 83 vi 5.3.2 Status of the Authentication Signals . 85 5.3.3 Management of the Authentication Signals . 86 5.3.4 Summary . 88 5.4 Nailgun Attack . 89 5.4.1 Threat Model and Assumptions . 89 5.4.2 Attack Scenarios . 90 5.5 Countermeasure . 99 5.5.1 Disabling the Signals? . 99 5.5.2 Comprehensive Countermeasure . 101 Chapter 6 Research on Trusted Execution Environment . 106 6.1 Trusted Execution Environments . 106 6.1.1 Ring 3 TEEs via Memory Encryption . 106 6.1.2 Ring -2 TEEs via Memory Restriction . 108 6.1.3 Ring -3 TEEs via Co-Processors . 110 6.2 Challenges Towards Securing Hardware-assisted TEEs . 112 6.2.1 Introduction . 112 6.2.2 TEE-based Systems . 113 6.2.3 Challenges and Directions . 118 6.3 Preliminary Study of TEEs on Heterogeneous Edge Platforms . 124 6.3.1 Introduction . 124 6.3.2 Evaluation with Intel Fog Node . 125 6.3.3 Evaluation with ARM Juno Board . 129 6.3.4 Evaluation with AMD EPYC CPU . 132 vii Chapter 7 Research on Traffic Signal Infrastructure . 135 7.1 Introduction . 135 7.2 Related Work . 136 7.3 Attack Surface Analysis . 137 7.3.1 Access to the Traffic Signal System . 138 7.3.2 Traffic Signal Control . 141 7.3.3 Conflict Status Control . 143 7.3.4 Troubleshooting of the Traffic Signal System . 144 7.4 Attacks Implementation and Testing . 146 7.4.1 Environment Setup . 147 7.4.2 Thread Model . 147 7.4.3 Attack Scenarios . 148 Chapter 8 Conclusion and Future Work . 157 8.1 Conclusion . 157 8.2 Future Work . ..