TIAN Yu-hong,WANG Ze-bing,FENG Yan

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.24.029

2006-01-01

Abstract:The Java virtual machine(JVM)is used more frequently as the basic engine behind dynamic web services.With the proliferation of network attacks on these network resources,much work are done to provide security for the network environment.Little effort has been placed on securing a Java web server where the attacker has a valid login to the host machine.After describing the vulnerabilities in Java's security mechanisms,an extended security system based on Java 2 security architecture is introduced.It also explains the runtime status of system.The increased assurance of correct system operation and the integrity of Java application server are provided.

Yongzhi Wang,Yulong Shen,Xiaohong Jiang

DOI: https://doi.org/10.1109/tifs.2017.2787993

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Public cloud vendors have been offering a variety of big data computing services on their clouds. However, runtime integrity is one of the major security concerns that hinder the wide adoption of those services. In this paper, we focus on MapReduce, a popular big data computing framework, and propose the runtime integrity audition (RIA), a solution that remotely verifies the runtime integrity of MapReduce applications. RIA records the runtime variable values of the MapReduce application on the public cloud and checks those values against the application’s code on the private cloud. By doing so, RIA protects the runtime integrity of MapReduce applications. Based on the idea of RIA, we developed a prototype system, called MR Auditor, and tested its applicability and performance with several Hadoop applications. Our experimental results showed that MR Auditor is a general tool that can efficiently audit the runtime integrity of all the MapReduce applications that we tested. In addition, MR Auditor incurs a moderate performance overhead. For example, when verifying the Word Count application, a proper parameter setting of MR Auditor incurs 1% of extra execution time on the public cloud and 14% of extra execution time on the private cloud.

Brian Delgado,Karen L. Karavanic

DOI: https://doi.org/10.48550/arXiv.1805.03755

2018-05-09

Cryptography and Security

Abstract:Runtime integrity measurements identify unexpected changes in operating systems and hypervisors during operation, enabling early detection of persistent threats. System Management Mode, a privileged x86 CPU mode, has the potential to effectively perform such rootkit detection. Previously proposed SMM-based approaches demonstrated effective detection capabilities, but at a cost of performance degradation and software side effects. In this paper we introduce our solution to these problems, an SMM-based Extensible, Performance Aware Runtime Integrity Measurement Mechanism called EPA-RIMM. The EPA-RIMM architecture features a performance-sensitive design that decomposes large integrity measurements and schedules them to control perturbation and side effects. EPA-RIMM's decomposition of long-running measurements into shorter tasks, extensibility, and use of SMM complicates the efforts of malicious code to detect or avoid the integrity measurements. Using a Minnowboard-based prototype, we demonstrate its detection capabilities and performance impacts. Early results are promising, and suggest that EPA-RIMM will meet production-level performance constraints while continuously monitoring key OS and hypervisor data structures for signs of attack.

Junning Fu,Chaokun Wang,Zhiwei Yu,Jianmin Wang,Jia-Guang Sun

DOI: https://doi.org/10.1109/chinagrid.2010.15

2010-01-01

Abstract:A software cloud is ready-made for software delivery or Software as a Service (SaaS). As it becomes more and more popular, security problems of software running in the cloud also become an important issue. The threats, such as destroying system softwares and access violation, are frequently emerging in the field of software cloud. In this paper, we propose a watermark-aware trusted running environment to protect the softwares running in the cloud. We implement the scheme which mainly contains two parts: 1) embedding watermark into the Java programs running in the cloud; 2) generating customized JVMs for recognizing the watermarked programs. Experimental results within a real private software cloud to demonstrate that our approach can provide a large-scale protection with a small overhead.

Rui Wu,Ping Chen,Bing Mao,Li Xie

DOI: https://doi.org/10.1109/ARES.2012.11

2012-01-01

Abstract:As a code reuse technique, JIT spraying attack becomes popular on the JITed VM (Virtual Machine) (e.g., Javascript Engine, Flash Engine). Using a bug in web applications, an attacker can reuse the code generated by the JIT (Just-In-Time) compiler, which is used to optimize the performance of web applications. JIT spraying attacks can circumvent DEP and ASLR -- protection mechanisms of modern operating systems. Based on the observation that JIT spraying attack mostly uses the immediate operand of the arithmetic instruction to build a shellcode, we propose RIM, a technique that obfuscates the arithmetic operations in the JITed code and prevents attackers from reusing the native code to construct a malicious code. We implement a prototype on Tamarin flash engine and demonstrate the effectiveness of RIM. Experimental results show that RIM's overhead is very low (less than 1%). And RIM greatly improves the security functionality of JIT compilers.

Romain Brenguier,Lucas Cordeiro,Daniel Kroening,Peter Schrammel

DOI: https://doi.org/10.48550/arXiv.2302.02381

2023-02-05

Software Engineering

Abstract:JBMC is an open-source SAT- and SMT-based bounded model checking tool for verifying Java bytecode. JBMC relies on an operational model of the Java libraries, which conservatively approximates their semantics, to verify assertion violations, array out-of-bounds, unintended arithmetic overflows, and other kinds of functional and runtime errors in Java bytecode. JBMC can be used to either falsify properties or prove program correctness if an upper bound on the depth of the state-space is known. Practical applications of JBMC include but are not limited to bug finding, property checking, test input generation, detection of security vulnerabilities, and program synthesis. Here we provide a detailed description of JBMC's architecture and its functionalities, including an in-depth discussion of its background theories and underlying technologies, including a state-of-the-art string solver to ensure safety and security of Java bytecode.

Mahmoud Ammar,Adam Caulfield,Ivan De Oliveira Nunes

2024-10-22

Abstract:This paper provides a systematic exploration of Control Flow Integrity (CFI) and Control Flow Attestation (CFA) mechanisms, examining their differences and relationships. It addresses crucial questions about the goals, assumptions, features, and design spaces of CFI and CFA, including their potential coexistence on the same platform. Through a comprehensive review of existing defenses, this paper positions CFI and CFA within the broader landscape of runtime defenses, critically evaluating their strengths, limitations, and trade-offs. The findings emphasize the importance of further research to bridge the gaps in CFI and CFA and thus advance the field of runtime defenses.

Cryptography and Security

Rui Chang,Liehui Jiang,Wenzhi Chen,Yang Xiang,Yuxia Cheng,Abdulhameed Alelaiwi

DOI: https://doi.org/10.1007/s10586-017-0833-4

2017-01-01

Cluster Computing

Abstract:With the rapid development of Internet of Things technology and the promotion of embedded devices’ computation performance, smart devices are probably open to security threats and attacks while connecting with rich and novel Internet. Attracting lots of attention in embedded system security community recently, Trusted Execution Environment (TEE), allows for the execution of arbitrary code within environments completely isolated from the rest of a system. However, existing memory protection methods in a TEE are inadequate. In general, the software-based formal methods are not practical and the hardware-based implementation approaches lack of theoretical proof. To address the memory isolation and protection problems in TEE, in this paper, we propose a practical memory integrity protection method on an ARM-based platform, called MIPE, to defend against security threats including kernel data attacks and direct memory access attacks. MIPE utilizes TrustZone technique to create a isolated execution environment, which can protect the sensitive code and data against attacks. To present the integrity protection strategies, we provide the design of MIPE using B method, which is a practical formal method. We also implement MIPE on the Xilinx Zynq ZC702 evaluation board. The evaluation results show that the automatic proof rate of machines using B method is about 78.32%, and the proposed method is effective and feasible in terms of both load time and overhead.

Wu Luo,Qingni Shen,Yutang Xia,Zhonghai Wu

2019-01-01

Abstract:Container-based virtualization has been widely utilized and brought unprecedented influence on traditional IT architecture. How to build trust for containers has become an important security issue as well. Despite the fact that substantial efforts have been made to solve this issue, there are still some challenges to be handled, i.e. how to prevent from exposing information of the underlying host and other users' containers to a remote verifier, how to measure the integrity status of a designated container along with its reliant services in the underlying host and generate a hardware-based integrity evidence. None of the current solutions can counter these challenges and guarantee efficiency simultaneously.In this paper, we present Container-IMA, a novel solution to cope with these challenges. We firstly analyze the essential evidence to validate the integrity of a designated container. Afterwards we make a division of the traditional Measurement Log (ML), which ensures privacy and decreases the latency of attestation. A container-based Platform Configuration Register (cPCR) mechanism is introduced to protect each ML partition with a hardware-based Root of Trust. The attestation mechanism is proposed as well. We implement a prototype based on Docker. The experiment results demonstrate the effectiveness and efficiency of our solution.

Pengfei Wu,Xuhua Ding,Wu Luo,D. Yu,Zhonghai Wu,Chuntao Dong,Qingni Shen

DOI: https://doi.org/10.1109/TDSC.2022.3145814

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:As cloud services have become popular, and their adoption is growing, consumers are becoming more concerned about the cost of cloud services. Cloud Service Providers (CSPs) generally use a pay-per-use billing scheme in the cloud services model: consumers use resources as they needed and are billed for their resource usage. However, CSPs are untrusted and privileged; they have full control of the entire operating system (OS) and may tamper with bills to cheat consumers. So, how to provide a trusted solution that can keep track of and verify the consumers’ resource usage has been a challenging problem. In this article, we propose a T-Counter framework based on Intel SGX. The T-Counter allows applications to construct a trusted solution to measure its CPU usage by itself in cloud computing. These constructed applications are instrumented with counters in basic blocks and added three components in trusted parts to count instructions and defend against malicious CSPs’ manipulations. We propose two algorithms which selectively instrument counters in the CFG. T-Counter is implemented as an extension of the LLVM framework and integrated with the SGX SDK. Theoretical analyses and evaluations show that T-Counter can effectively measure CPU usage and defend against malicious CSPs’ manipulations.

Engineering,Computer Science

Chao Zhang,Mehrdad Niknami,Kevin Zhijie Chen,Chengyu Song,Zhaofeng Chen,Dawn Song

DOI: https://doi.org/10.1109/infocom.2015.7218424

2015-01-01

Abstract:Web browsers are one of the most important enduser applications to browse, retrieve, and present Internet resources. Malicious or compromised resources may endanger Web users by hijacking web browsers to execute arbitrary malicious code in the victims' systems. Unfortunately, the widely-adopted Just-In-Time compilation (JIT) optimization technique, which compiles source code to native code at runtime, significantly increases this risk. By exploiting JIT compiled code, attackers can bypass all currently deployed defenses. In this paper, we systematically investigate threats against JIT compiled code, and the challenges of protecting JIT compiled code. We propose a general defense solution, JITScope, to enforce Control-Flow Integrity (CFI) on both statically compiled and JIT compiled code. Our solution furthermore enforces the W⊕X policy on JIT compiled code, preventing the JIT compiled code from being overwritten by attackers. We show that our prototype implementation of JITScope on the popular Firefox web browser introduces a reasonably low performance overhead, while defeating existing real-world control flow hijacking attacks.

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Pasquale Caporaso,Giuseppe Bianchi,Francesco Quaglia

2024-04-26

Abstract:Modern malware poses a severe threat to cybersecurity, continually evolving in sophistication. To combat this threat, researchers and security professionals continuously explore advanced techniques for malware detection and analysis. Dynamic analysis, a prevalent approach, offers advantages over static analysis by enabling observation of runtime behavior and detecting obfuscated or encrypted code used to evade detection. However, executing programs within a controlled environment can be resource-intensive, often necessitating compromises, such as limiting sandboxing to an initial period. In our article, we propose an alternative method for dynamic executable analysis: examining the presence of malicious signatures within executable virtual pages precisely when their current content, including any updates over time, is accessed for instruction fetching. Our solution, named JITScanner, is developed as a Linux-oriented package built upon a Loadable Kernel Module (LKM). It integrates a user-level component that communicates efficiently with the LKM using scalable multi-processor/core technology. JITScanner's effectiveness in detecting malware programs and its minimal intrusion in normal runtime scenarios have been extensively tested, with the experiment results detailed in this article. These experiments affirm the viability of our approach, showcasing JITScanner's capability to effectively identify malware while minimizing runtime overhead.

Cryptography and Security

Ping Chen,Rui Wu,Bing Mao

DOI: https://doi.org/10.1049/iet-ifs.2012.0142

2013-01-01

IET Information Security

Abstract:A new code-reuse attack, named Just-in-time (JIT) spraying attack, leverages the predictable generated JIT compiled code to launch an attack. It can circumvent the defenses such as data execution prevention and address space layout randomisation built-in in the modern operation system, which were thought the insurmountable barrier so that the attackers cannot construct the traditional code injection attacks. In this study, the authors describe JITSafe, a framework that can be applied to existing JIT-based virtual machines (VMs), in the purpose of preventing the attacker from reusing the JIT compiled code to construct the attack. The authors framework narrows the time window of the JIT compiled code in the executable pages, eliminates the immediate value and obfuscates the JIT compiled code. They demonstrate the effectiveness of JITSafe that it can successfully prevent existing JIT spraying attacks with low performance overhead.

Davide Pizzolotto,Stefano Berlato,Mariano Ceccato

DOI: https://doi.org/10.1145/3631971

IF: 3.685

2024-01-25

ACM Transactions on Software Engineering and Methodology

Abstract:Java bytecode is a quite high-level language and, as such, it is fairly easy to analyze and decompile with malicious intents, e.g., to tamper with code and skip license checks. Code obfuscation was a first attempt to mitigate malicious reverse engineering based on static analysis. However, obfuscated code can still be dynamically analyzed with standard debuggers to perform step-wise execution and to inspect (or change) memory content at important execution points, e.g., to alter the verdict of license validity checks. Although some approaches have been proposed to mitigate debugger-based attacks, they are only applicable to binary compiled code and none address the challenge of protecting Java bytecode. In this paper, we propose a novel approach to protect Java bytecode from malicious debugging. Our approach is based on automated program transformation to manipulate Java bytecode and split it into two binary processes that debug each other (i.e., a self-debugging solution). In fact, when the debugging interface is already engaged, an additional malicious debugger cannot attach. To be resilient against typical attacks, our approach adopts a series of technical solutions, e.g., an encoded channel is shared by the two processes to avoid leaking information, an authentication protocol is established to avoid Man-in-the-Middle attacks and the computation is spread between the two processes to prevent the attacker to replace or terminate either of them. We test our solution on 18 real-world Java applications, showing that our approach can effectively block the most common debugging tasks (either with the Java debugger or the GNU debugger) while preserving the functional correctness of the protected programs. While the final decision on when to activate this protection is still up to the developers, the observed performance overhead was acceptable for common desktop application domains.

computer science, software engineering

Lican Huang

DOI: https://doi.org/10.48550/arXiv.1610.09231

2016-10-28

Cryptography and Security

Abstract:This paper presents an integrity checker of JAVA P2P distributed system with auto source code composition. JAVA distributed system must guarantee the integrity of program itself and the system components of JAVA virtual machine against attackers, hackers, spies, cheaters, conspirators, etc. There are lots of trusted computing methods to guarantee the integrity of the system. We here present a novel method using just-in-time auto source code composition to generate autocheck class for integrity measure and encrypt of integrity reporting. By companies' effort, we have implemented and use it in DSCloud platform.

Cong Sun,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/qsic.2010.50

2010-01-01

Abstract:Automated verification of noninterference is commonly considered more precise than type-based approach on enforcing secure information flow for program. We propose an approach on model checking symbolic pushdown system generated from Java bytecode, and develop a deployment-time verification framework to ensure noninterference of bytecode. In order to overcome the constraints brought by the nature of object-oriented language and application scenario, we extend self-composition to low-recorded self-composition to reduce the partial correctness judgements on safety property to reachability analysis. In this variation, meta-level indices of heap are recorded into the self-composed pushdown system for the construction of auxiliary interleaving assignments and branch condition to illegal-flow state. Our experiments show that the approach is more scalable than previous work based on automated verification.

Qi Qin,JulianAndres JiYang,Fu Song,Taolue Chen,Xinyu Xing

DOI: https://doi.org/10.48550/arXiv.2202.13134

2022-02-26

Programming Languages

Abstract:Recent work has shown that Just-In-Time (JIT) compilation can introduce timing side-channels to constant-time programs, which would otherwise be a principled and effective means to counter timing attacks. In this paper, we propose a novel approach to eliminate JIT-induced leaks from these programs. Specifically, we present an operational semantics and a formal definition of constant-time programs under JIT compilation, laying the foundation for reasoning about programs with JIT compilation. We then propose to eliminate JIT-induced leaks via a fine-grained JIT compilation for which we provide an automated approach to generate policies and a novel type system to show its soundness. We develop a tool DeJITLeak for Java based on our approach and implement the fine-grained JIT compilation in HotSpot. Experimental results show that DeJITLeak can effectively and efficiently eliminate JIT-induced leaks on three datasets used in side-channel detection

Mathias Morbitzer

DOI: https://doi.org/10.48550/arXiv.1907.09906

2019-07-23

Abstract:Data hosted in a cloud environment can be subject to attacks from a higher privileged adversary, such as a malicious or compromised cloud provider. To provide confidentiality and integrity even in the presence of such an adversary, a number of Trusted Execution Environments (TEEs) have been developed. A TEE aims to protect data and code within its environment against high privileged adversaries, such as a malicious operating system or hypervisor. While mechanisms exist to attest a TEE's integrity at load time, there are no mechanisms to attest its integrity at runtime. Additionally, work also exists that discusses mechanisms to verify the runtime integrity of programs and system components. However, those verification mechanisms are themselves not protected against attacks from a high privileged adversary. It is therefore desirable to combine the protection mechanisms of TEEs with the ability of application runtime integrity verification. In this paper, we present Scanclave, a lightweight design which achieves three design goals: Trustworthiness of the verifier, a minimal trusted software stack and the possibility to access an application's memory from a TEE. Having achieved our goals, we are able to verify the runtime integrity of applications even in the presence of a high privileged adversary. We refrain from discussing which properties define the runtime integrity of an application, as different applications will require different verification methods. Instead, we show how Scanclave enables a remote verifier to determine the runtime integrity of an application. Afterwards, we perform a security analysis for the different steps of our design. Additionally, we discuss different enclave implementations that might be used for the implementation of Scanclave.

Cryptography and Security

Weijie Liu,Ximeng Liu,Zhi Li,Bin Liu,Rongwei Yu,Lina Wang

DOI: https://doi.org/10.1109/tifs.2022.3183409

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Cloud attack provenance is a well-established industrial practice for assuring transparency and accountability for a service provider to tenants. However, the multi-tenancy and self-service nature coupled with the sheer size of a cloud implies many unique challenges to cloud forensics. Although Virtual Machine Introspection (VMI) is a powerful tool for attack provenance due to the privilege isolation, the stealthiness of state-of-the-art attacks and the lack of precise information make existing attack provenance solutions difficult to fulfill real-time forensics when tracking enormous suspicious behaviors. To this end, we propose an instruction-level tracing framework for inspecting the presence of attacks by dynamically tracking shared processor hardware event patterns and analyzing the attack traces. To overcome the challenges of real-time detection and provenance, we advocate Last Branch Record (LBR) profiling, to extract the suspicious execution flows. With the hardware assistance and software-based virtualization introspection, we show that the framework can provide an effective response to threats in different cases, thereby enabling a quick attack provenance with high fidelity. The evaluation shows that our prototype introduces negligible performance penalties.