Trusted Computing -- Summer 2010  

 

Instructor

Heng Yin

Office: SciTech Building, Room 4-283

Phone: 315-443-2483

Email: heyin@syr.edu

Overview

This is an advanced security course, with an emphasis on trusted computing technology. Trusted computing, in a narrow definition, means a set of techniques implemented and promoted by trusted computing group (i.e., TCG). The most well-known examples are trusted platform module and Intel Trusted Execution Technology. In a broader scope, trusted computing can be treated as a combination of software and hardware security mechanisms and new security architectures, by which strong security properties can be ensured. In this course, we go with the broader scope, such that students can understand the material in a bigger context.

To motivate the problem of trusted computing, students need to think from both the attacker and defender side. Students need to catch up with the state-of-the ¨Cart techniques attack techniques. Then students can understand better why each defense technique is needed, and how the existing and potential attacks can be prevented or mitigated. Therefore, the advanced software attacks need to be covered, including software exploits, malware, and kernel rootkits.  The corresponding defense techniques will also be discussed accordingly to tell stories on both sides. 

Before delving into the core techniques (namely TPM and TXT), we need to talk about virtualization technology, as an important building block of trusted computing. Different virtualization techniques will be discussed, including full system emulation, software virtualization, and hardware virtualization. For hardware virtualization, we will also talk about several extensions, such as extended page table (EPT) and virtualization of directed IO (VT-d).  Then several virtual-machine based security solutions will be discussed.

Eventually, with adequate background knowledge, we will talk about the core techniques for trusted computing. The main focus will be Intel TXT (Trusted eXecution Technology). More specifically, we will cover the following key concepts, including attestation, sealed storage, measured launched environment, late launch, trusted channel, protected execution, etc.

To help student gain in-depth understanding of the key concepts, in-class quizzes and hands-on projects will be given. There are no midterms and final exam.

Recommended Text Books

¡¤         Secure Coding in C and C++

¡¤         Malware: Fighting Malicious Code

¡¤         Rootkits: Subverting the Windows Kernel

¡¤         A Practical Guide to Trusted Computing

¡¤         Dynamics of a Trusted Platform

Course Structure

The tentative course structure is listed below.

¡¤         Software Vulnerability and Defense

o   Attack & Mitigation Schemes:

¡́  Vulnerabilities: Buffer Overflow/Initialized variables/Integer Overflow/Logic flaw

¡́  Exploits: Control flow hijack, non-control-data attack, return-into-libc

¡́  Mitigation: ASLR, NX, Canary

o   Secure Software Development

 

o   Research Ideas:

¡́  SFI/NativeClient/Sandbox

¡́  WIT/CFI/DFI

¡́  TaintCheck

 

¡¤         Malware Attack and Defense

o   Obfuscation and Deobfuscation

o   Rootkit Technique

¡́  Hooks, DKOM, VMM-based Rootkit

¡́  Rootkit Analysis, Detection and Prevention

o   Botnet Analysis and Inflitration

o   Drive-by Download Attacks

o   Automatic Malware Analysis

o   Semantics-aware/Behavior-based Malware Detection

 

¡¤         Security via Virtualization Technology

o   Background

¡́  Full System Emulation

¡́  Software virtualization

¡́  Hardware Virtualization (EPT/VT-d)

o   Virtual Machine Introspection

o   Intrusion Detection and Prevention

 

¡¤         Trusted Computing Platform

o   Attestation

o   Sealed Storage

o   Trusted Channel/Trusted Path

o   Measured Launched Environment

o   Late Launch

o   Trusted Third Party

o   Case Studies

Projects

 

There will be a number of small practices and demonstrations and at least 5 big projects.

Live CD can be downloaded at http://amun.ecs.syr.edu/~hyin/TC2010/livecd.iso.

Project 1: Constructing Buffer Overflow Exploits

Project 2: Dynamic Taint Analysis for Exploit Detection and Analysis

Project 3: Implementing Kernel Rootkits

Project 4: Hacking with QEMU and KVM

Project 5: Programming with TPM

Tentative Schedule

 

No.

Date

Topic

Location

Slides

Homework

1

June 15

Overview

Software Vulnerability in C/C++

Project 1: Constructing Buffer Overflow Exploits

Computer Lab

Lecture01

HW01

2

June 22

Recent Research on Software Defense:

¡¤         Software Hardening

¡¤         Native Code Sandoxing

¡¤         Taint analysis & Symbolic Execution

2nd Floor Conference Room

Lecture02

HW02

3

June 29

Project 2: Use taint analysis to detect exploits

Malware Defense Overview

Computer Lab

Lecture03

HW03

4

July 6

Project 3: Implement kernel rootkits

Rootkit analysis and detection

Computer Lab

Lecture04

HW04

5

July 13

Malware Obfuscation/De-obfuscation

Semantics-aware and Behavior-based Malware Detection

2nd Floor Conference Room

Lecture05

HW05

6

July 21 (rescheduled)

Overview of Virtual Machine Techniques

CPU virtualization

2nd Floor Conference Room

Lecture06

HW06

7

July 27

Memory Virtualization

IO Virtualization

2nd Floor Conference Room

Lecture07

HW07

8

Aug 3

Project 4: Hacking with QEMU and KVM

Malware analysis via Hardware Assisted Virtualization

Computer Lab

Lecture08

HW08

9

Aug 10

Trusted Computing Techniques

TPM, Dynamic Root of Trust, etc.

Computer Lab

Lecture09

HW09

10

Aug 17

Project 5: Programming with TPM

Case Study

Open Discussion

Computer Lab

Qubes-OS

 

 

Reading List

Software Security

¡¤         Securing software by enforcing data-flow integrity

¡¤         Dynamic Taint Analysis: Automatic Detection, Analysis, and Signature Generation of Exploit Attacks on Commodity Software

¡¤         Bouncer: Securing Software by Blocking Bad Input

¡¤         Native Client: A Sandbox for Portable, Untrusted x86 Native Code

Malware Defense

¡¤         Renovo: A Hidden Code Extractor for Packed Executables

¡¤         Automatic Reverse Engineering of Malware Emulators

¡¤         Semantics-aware Malware Detection

¡¤         Effective and Efficient Malware Detection at the End Host

¡¤          Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis 

¡¤         HookFinder: Identifying and Understanding Malware Hooking Behaviors.

Virtualization

¡¤         Intel Virtualization Technology: Hardware Support for Efficient Processor Virtualization

¡¤         Intel Virtualization Technology for Directed I/O

¡¤         Stealthy Malware Detection Through VMM-Based 'Out-of-the-Box' Semantic View Reconstruction

¡¤         Ether: Malware Analysis via Hardware Virtualization Extensions

Trusted Computing

¡¤         Flexible OS Support and Applications for Trusted Computing

¡¤         Trusted Computing: Promise and Risk

¡¤         Trusted Computing¡¯ Frequently Asked Questions

¡¤         Flicker: An execution infrastructure for TCB minimization