Systemwall: an Isolated Firewall Using Hardware-Based Memory Introspection

Sebastian Biedermann (1) and Jakub Szefer (2)

(1) Security Engineering Group, Department of Computer Science, Technische Universität Darmstadt, [email protected]
(2) Computer Architecture and Security Laboratory, Department of Electrical Engineering, Yale University, [email protected]

Abstract. Memory introspection can be a powerful tool for analyzing the contents of a system's memory for malicious code. Current approaches based on memory introspection have focused on Virtual Machines and on using a privileged software entity, such as a hypervisor, to perform the introspection. Such software-based introspection, however, is susceptible to a variety of attacks that may compromise the hypervisor and the introspection code. Furthermore, a hypervisor setup is not always wanted. In this work, we present a hardware-based approach to memory introspection. Dedicated hardware is introduced to read and analyze the memory of the target system, independent of any hypervisor or OSes running on the system. We apply the new hardware approach to memory introspection to build an architecture that uses DMA and fine-grained memory introspection techniques in order to match network connections to the application layer while being isolated from and undetected by the operating system or the hypervisor. We call the proposed architecture SystemWall since it can be a standalone physical device which can be added as an expansion card to the motherboard or as a dedicated external box. The architecture is transparent and cannot be manipulated or deactivated by potential malware on the target system. We use the SystemWall in the evaluation to analyze the target system for malicious code and prevent unknown (malicious) applications from establishing network connections which could be used to spread viruses, spam or malware and to leak sensitive information.
1 Introduction

Memory introspection is a powerful technique for analyzing code and data contained in the memory of a running system. Past approaches have focused on Virtual Machine (VM) based introspection techniques. In this work, we present another type of introspection, based on dedicated hardware components and software that can perform the introspection independent of any software running on the target system. We apply the introspection techniques to build the SystemWall, a firewall-like system that can analyze the memory of the running target computer, detect malicious or unknown applications and block their connections to the external world. This can prevent the spread of viruses, malware and spam, or even the leakage of sensitive documents by malicious, unknown applications. SystemWall is logically fully external to the target computer system: it can be implemented as a stand-alone box that connects to the target system or as a dedicated extension card on the motherboard.

1.1 Security through Firewalls

In general, firewalls are either an external device connected only to the network, or software-based and installed on a target computer. Firewalls control the incoming and outgoing network traffic depending on network events and predefined rules. Firewalls can be simple packet filters that block or allow network packets depending on their header information, such as the source and the destination. Other firewalls can analyze the content of network packets (deep packet inspection), for example with regular expressions [33], which allows the definition of more sophisticated rules. External firewalls, however, do not have insight into the contents of the physical memory of a target system and cannot make decisions based on what code is accessing or handling the network traffic on that system.
Software-based firewalls, on the other hand, monitor the network traffic as well as the application layer of a target computer system and control the incoming and outgoing traffic depending on rules which refer to protocols and the states of the involved applications. Software-based firewalls are widely used as personal firewalls. However, software-based firewalls are installed on the target system and can be the target of attacks themselves. In particular, malware can successfully execute attacks against the operating system and can manipulate the deployed rules, disable the installed software-based firewall or change its mode of operation. This way, the user does not even notice the infiltration of the operating system and deems the system to be secure, trusting the running firewall and assuming its correct operation. An external firewall with the added ability to analyze the memory of the target, like a software-based firewall, would combine the best of both approaches; this is the motivation for the SystemWall design.

1.2 Leveraging DMA for Security

DMA (Direct Memory Access) is a specification that allows hardware devices to bypass the Central Processing Unit (CPU) and access the system memory directly. This brings the advantage that the CPU can perform other useful tasks while DMA operations are in progress, and it can also accelerate certain tasks. Many hardware devices, such as graphics cards, disk controllers or network cards, use DMA.

Fig. 1. The SystemWall deployed as an external hardware device which can read the memory of the target and regulate the target's network traffic. Only one Ethernet connection is shown for the target in this figure; if the target has multiple network interfaces, such as two Ethernet ports, SystemWall should regulate each Ethernet connection.
DMA has been the focus of security researchers for some years, because it allows dumping the memory of a system through certain external interfaces while bypassing the operating system and any software-based security restrictions. In particular, DMA can be exploited by attacks on unattended, running systems which provide DMA via external buses like ExpressCard, FireWire or Thunderbolt to create a dump of the memory. Afterwards, the memory dump can be investigated using forensic techniques in order to retrieve passwords or other sensitive information. However, DMA can also be used to increase the security of a computer system and prevent numerous attacks. In particular, DMA can be used to transparently read the memory contents via the hardware, contents which can later be analyzed for malicious programs or network connections, as we do in SystemWall.

1.3 SystemWall Overview

In this work, we benefit from DMA to set up an isolated firewall-like system which we call SystemWall, shown in Figure 1. The SystemWall can be deployed between the system which it protects and the Internet, and intercept all packets traveling from and to the target system. Placing SystemWall between the Internet and the target system allows it, for example, to delay network packets going to or from the target while the target's memory is analyzed to validate that the packets are related to a legitimate, non-malicious application. To perform the analysis, SystemWall transparently uses DMA and fine-grained memory introspection techniques to match detected initiations of new network connections to applications running on the system. It can use application names, hashes or even scan for shellcode to detect malicious applications and prevent them from making network connections. The SystemWall remains undetected by the operating system and is a combination of a personal software-based firewall and hardware-based memory introspection.
This way, the SystemWall cannot be manipulated or disabled by potential malware which could infect the system. Given its access to the target's memory, it can monitor the applications and control the network connections of these applications to prevent the spread of malware and viruses, or potentially the leakage of sensitive files. Figure 1 shows a block diagram of the SystemWall architecture, fully described in Section 3.

1.4 Paper Organization

The remainder of the paper is organized as follows. Section 2 presents related work. Section 3 explains the architecture and details of the SystemWall implementation. Section 4 evaluates the proposed architecture and Section 5 discusses limitations. Finally, Section 6 concludes.

2 Related Work

This section presents related work in the field of physical memory acquisition with the help of hardware extensions, attacks based on this, countermeasures, and methods that use DMA for other purposes. Furthermore, we list some related work in the field of tamper-resistant security architectures that can run isolated from the target system and that are based on hardware extensions or a hypervisor setup.

2.1 Physical Memory Acquisition

DMA has previously been exploited to execute attacks against a running system. Attackers have used buses like USB, FireWire, Thunderbolt or PCMCIA cards to transparently acquire the volatile memory of a running system without being detected and without being subject to software-based control mechanisms. Afterwards, the memory dump can be analyzed for sensitive data like passwords. However, attackers can also write to the memory pages of the running system and this way modify the system's properties or workflow on the fly. For example, a Windows 7 kernel can be directly manipulated in memory in order to allow an attacker to log in using a blank password [2]. Nowadays, standard DMA attacks and further procedures are even implemented in exploitation frameworks [7].
As a consequence of these attacks, several countermeasures have been suggested and are of interest, e.g., [23] or [24]. In particular, hardware-based memory acquisition of specific memory regions can be prevented by modifying the memory map of the processor's North Bridge [22]. Also, malware that uses DMA to infiltrate an operating system can be detected using techniques such as those presented in [29] or [28]. Furthermore, memory acquisition can also be used for non-attacking purposes, for example for the transparent acquisition and analysis of the volatile memory of a compromised system [8]. Seger et al. [26] presented a memory sampling mechanism based on DMA using a GPU coprocessor as an extension. Schwarz et al. [25] presented an architecture that prevents virtual guest machines from accessing the memory regions of other virtual guest machines via DMA, using only software and standard hardware.
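The matching step described in Section 1.3 (hold a new connection, read the target's memory, match the connection to its owning application, decide by policy), as an added example that is not the paper's code: a Python model in which the DMA read of the target's RAM is replaced by a constructed snapshot (process list, executable images, port-to-process table) and the policy is an allowlist of executable hashes. All names, images, ports and addresses are constructed; the SystemWall, MemoryView and verdict names are this example's own.

```python
"""Model of SystemWall's connection-to-application matching (Section 1.3).

Added example, not the paper's code. The memory view is a constructed
stand-in for what the DMA-based introspection would recover from the
target's RAM: the process list, each process's executable image and the
table mapping local TCP ports to the owning process.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Process:
    pid: int
    name: str
    image: bytes  # executable bytes as found in memory (constructed)


@dataclass
class MemoryView:
    processes: dict  # pid -> Process
    sockets: dict    # local TCP port -> owning pid


@dataclass
class Packet:
    src_port: int
    dst: str
    dst_port: int
    syn: bool = True  # True for the first packet of a new connection

    @property
    def flow(self):
        return (self.src_port, self.dst, self.dst_port)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def owner_of(view: MemoryView, packet: Packet):
    """Match the connection's local port to a process found in memory."""
    pid = view.sockets.get(packet.src_port)
    return view.processes.get(pid) if pid is not None else None


def verdict(packet: Packet, view: MemoryView, allowed_hashes: set) -> str:
    """Decide on a new connection from the hash of the owning executable.

    The hash, not the process name, is what the policy trusts, so an
    unknown binary that reuses a trusted name is still blocked.
    """
    proc = owner_of(view, packet)
    if proc is None:
        return "block"  # no application in memory owns this socket
    if sha256(proc.image) in allowed_hashes:
        return "allow"
    return "block"


class SystemWall:
    """Holds each new connection until the memory check returns a verdict."""

    def __init__(self, allowed_hashes, introspect):
        self.allowed = set(allowed_hashes)
        self.introspect = introspect  # stand-in for the DMA read of target RAM
        self.allowed_flows = set()
        self.log = []

    def on_packet(self, packet: Packet) -> str:
        if not packet.syn:
            # Later packets of a flow are forwarded only if its SYN was allowed.
            return "forward" if packet.flow in self.allowed_flows else "drop"
        view = self.introspect()  # the packet is delayed while memory is read
        proc = owner_of(view, packet)
        v = verdict(packet, view, self.allowed)
        if v == "allow":
            self.allowed_flows.add(packet.flow)
        self.log.append((packet.flow, proc.name if proc else None, v))
        return v


# Constructed sample data: a known-good browser image, an unknown binary that
# reuses the browser's name, and a socket whose owning pid is not in memory.
GOOD_IMAGE = b"\x7fELF-browser-build-1.0 (constructed)"
ROGUE_IMAGE = b"\x7fELF-unknown-binary (constructed)"
SAMPLE_VIEW = MemoryView(
    processes={
        1201: Process(1201, "firefox", GOOD_IMAGE),
        3310: Process(3310, "firefox", ROGUE_IMAGE),
    },
    sockets={44321: 1201, 44322: 3310, 44323: 9999},
)
ALLOWED_HASHES = {sha256(GOOD_IMAGE)}


def demo():
    """Run five packets through the wall and return the verdicts in order."""
    wall = SystemWall(ALLOWED_HASHES, introspect=lambda: SAMPLE_VIEW)
    return [
        wall.on_packet(Packet(44321, "203.0.113.10", 443)),             # trusted hash
        wall.on_packet(Packet(44322, "203.0.113.10", 443)),             # trusted name only
        wall.on_packet(Packet(44323, "203.0.113.10", 443)),             # no owner in memory
        wall.on_packet(Packet(44321, "203.0.113.10", 443, syn=False)),  # allowed flow
        wall.on_packet(Packet(44322, "203.0.113.10", 443, syn=False)),  # blocked flow
    ]


if __name__ == "__main__":
    print(demo())
```

The paper lists application names and shellcode scanning as further criteria; those would extend verdict() alongside the hash check. The second process in the sample shows why a name-only rule is weaker: it carries a trusted name but an unknown image, and only the hash comparison blocks it.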
