A Hardware Platform for Ensuring OS Kernel Integrity on RISC-V
The OS kernel is typically preassumed as a trusted computing base in most computing systems. However, it also implies that once an attacker takes control of the OS kernel, the attacker can seize the entire system. Because of such security importance of the OS kernel, many works have proposed securit...
Main Authors: | , , |
---|---|
Format: | Article |
Language: | English |
Published: |
MDPI AG
2021-08-01
|
Series: | Electronics |
Subjects: | |
Online Access: | https://www.mdpi.com/2079-9292/10/17/2068 |
_version_ | 1797521546551492608 |
---|---|
author | Donghyun Kwon Dongil Hwang Yunheung Paek |
author_facet | Donghyun Kwon Dongil Hwang Yunheung Paek |
author_sort | Donghyun Kwon |
collection | DOAJ |
description | The OS kernel is typically preassumed as a trusted computing base in most computing systems. However, it also implies that once an attacker takes control of the OS kernel, the attacker can seize the entire system. Because of such security importance of the OS kernel, many works have proposed security solutions for the OS kernel using an external hardware module located outside the processor. By doing this, these works can realize the physical isolation of security solutions from the OS kernel running in the processor, but they cannot access the inner state of the processor, which attackers can manipulate. Thus, they elaborated several methods to overcome such limited capability of external hardware. However, those methods usually come with several side effects, such as high-performance overhead, kernel code modifications, and/or excessively complicated hardware designs. In this paper, we introduce RiskiM, a new hardware-based monitoring platform to ensure kernel integrity from outside the host system. To deliver the inner state of the host to RiskiM, we have devised a hardware interface architecture, called PEMI. Through PEMI, RiskiM is supplied with all internal states of the host system essential for fulfilling its monitoring task to protect the kernel. To empirically validate our monitoring platform’s security strength and performance, we have fully implemented PEMI and RiskiM on a RISC-V based processor and FPGA, respectively. Our experiments show that RiskiM succeeds in the host kernel protection by detecting even the advanced attacks which could circumvent previous solutions, yet suffering from virtually no aforementioned side effects. |
first_indexed | 2024-03-10T08:14:03Z |
format | Article |
id | doaj.art-d1294d06abb747cca0c7e6c6d1f6939f |
institution | Directory Open Access Journal |
issn | 2079-9292 |
language | English |
last_indexed | 2024-03-10T08:14:03Z |
publishDate | 2021-08-01 |
publisher | MDPI AG |
record_format | Article |
series | Electronics |
spelling | doaj.art-d1294d06abb747cca0c7e6c6d1f6939f2023-11-22T10:29:27ZengMDPI AGElectronics2079-92922021-08-011017206810.3390/electronics10172068A Hardware Platform for Ensuring OS Kernel Integrity on RISC-VDonghyun Kwon0Dongil Hwang1Yunheung Paek2School of Computer Science and Engineering, Pusan National University, Busan 46241, Korea Department of Electrical and Computer Engineering (ECE) and Inter-University Semiconductor Research Center (ISRC), Seoul National University, Seoul 08826, KoreaDepartment of Electrical and Computer Engineering (ECE) and Inter-University Semiconductor Research Center (ISRC), Seoul National University, Seoul 08826, KoreaThe OS kernel is typically preassumed as a trusted computing base in most computing systems. However, it also implies that once an attacker takes control of the OS kernel, the attacker can seize the entire system. Because of such security importance of the OS kernel, many works have proposed security solutions for the OS kernel using an external hardware module located outside the processor. By doing this, these works can realize the physical isolation of security solutions from the OS kernel running in the processor, but they cannot access the inner state of the processor, which attackers can manipulate. Thus, they elaborated several methods to overcome such limited capability of external hardware. However, those methods usually come with several side effects, such as high-performance overhead, kernel code modifications, and/or excessively complicated hardware designs. In this paper, we introduce RiskiM, a new hardware-based monitoring platform to ensure kernel integrity from outside the host system. To deliver the inner state of the host to RiskiM, we have devised a hardware interface architecture, called PEMI. Through PEMI, RiskiM is supplied with all internal states of the host system essential for fulfilling its monitoring task to protect the kernel. To empirically validate our monitoring platform’s security strength and performance, we have fully implemented PEMI and RiskiM on a RISC-V based processor and FPGA, respectively. Our experiments show that RiskiM succeeds in the host kernel protection by detecting even the advanced attacks which could circumvent previous solutions, yet suffering from virtually no aforementioned side effects.https://www.mdpi.com/2079-9292/10/17/2068securityintegrity monitorRISC-V |
spellingShingle | Donghyun Kwon Dongil Hwang Yunheung Paek A Hardware Platform for Ensuring OS Kernel Integrity on RISC-V Electronics security integrity monitor RISC-V |
title | A Hardware Platform for Ensuring OS Kernel Integrity on RISC-V |
title_full | A Hardware Platform for Ensuring OS Kernel Integrity on RISC-V |
title_fullStr | A Hardware Platform for Ensuring OS Kernel Integrity on RISC-V |
title_full_unstemmed | A Hardware Platform for Ensuring OS Kernel Integrity on RISC-V |
title_short | A Hardware Platform for Ensuring OS Kernel Integrity on RISC-V |
title_sort | hardware platform for ensuring os kernel integrity on risc v |
topic | security integrity monitor RISC-V |
url | https://www.mdpi.com/2079-9292/10/17/2068 |
work_keys_str_mv | AT donghyunkwon ahardwareplatformforensuringoskernelintegrityonriscv AT dongilhwang ahardwareplatformforensuringoskernelintegrityonriscv AT yunheungpaek ahardwareplatformforensuringoskernelintegrityonriscv AT donghyunkwon hardwareplatformforensuringoskernelintegrityonriscv AT dongilhwang hardwareplatformforensuringoskernelintegrityonriscv AT yunheungpaek hardwareplatformforensuringoskernelintegrityonriscv |