Deep Introspection

Deep Introspection is a concept for bridging the semantic gap between high-level security policy and the low-level system facilities for efficiently trapping and aggregating low-level events and extracting low-level state.

Deep Introspection is an attempt to bridge the semantic gap between high-level security policy languages, the primitives that exist in these languages, and the efficient event aggregation and state extraction that such data implies or assumes.

This page is a collection of work related to the idea of Security Acceleration, or speeding up security checks / security policy interpretation and enforcement.

Research Page
http://tsg.cpsc.ucalgary.ca/research/deepi

Research Notes / Links
http://www.muppetlabs.com/~breadbox/software/ELF.txt

Debug registers: http://www.logix.cz/michal/doc/i386/chp12-02.htm

do_debug kernel function

GCC attributes: http://gcc.gnu.org/onlinedocs/gcc-3.2/gcc/Variable-Attributes.html (useful for declaring in source that a particular variable belongs to a particular ELF section)

GCC inline assembly: http://ibiblio.org/gferg/ldp/GCC-Inline-Assembly-HOWTO.html

http://www.cl.cam.ac.uk/research/security/capsicum/documentation.html

Related Work

 * Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection. Brendan Dolan-Gavitt, Tim Leek, Michael Zhivich, Jonathon Giffin, and Wenke Lee. In Proceedings of The 2011 IEEE Symposium on Security and Privacy. Oakland, CA, May 2011.


 * "Mystifying the debugger for ultimate stealthiness" http://www.phrack.org/issues.html?issue=65&id=8&mode=txt


 * "A Hardware Architecture for Implementing Protection Rings" (Multics classic paper)


 * "Hardware Enforcement of Application Security Policies Using Tagged Memory" (this is very related) (OSDI 2008)


 * "Enhancing software reliability with speculative threads" (this is very related) (ASPLOS-X 2002)


 * Edmund B. Nightingale, Daniel Peek, Peter M. Chen, and Jason Flinn, "Parallelizing Security Checks on Commodity Hardware", in Proceedings of the 13th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS '08), Seattle, WA, March 2008


 * "Make Least Privilege a Right (Not a Privilege)" (HotOS 2005)


 * "Vx32: Lightweight User-level Sandboxing on the x86" (USENIX ATC 2008)


 * "Native Client: A Sandbox for Portable, Untrusted x86 Native Code" (Oakland 2009)


 * "A Virtual Machine Introspection Architecture for Intrusion Detection" (NDSS 2003)


 * "XFI: Software Guards for System Address Spaces"


 * Flicker: Minimal TCB code execution: http://sparrow.ece.cmu.edu/group/flicker.html


 * Watson, R. N. M., Anderson, J., Laurie, B., and Kennaway, K. Capsicum: practical capabilities for UNIX. In Proceedings of the 19th USENIX Security Symposium, Washington, DC, August 2010


 * Efficient Monitoring of Untrusted Kernel-Mode Execution (NDSS 2011)

Own Related Work
(see related work quoted herein)


 * VM-based Security Overkill: A Lament for Applied Systems Security Research. Sergey Bratus, Michael E. Locasto, Ashwin Ramaswamy, and Sean W. Smith. Proceedings of the 19th New Security Paradigms Workshop (NSPW 2010). September 2010. Concord, MA, USA.


 * The Cake is a Lie: Privilege Rings as a Policy Resource. Sergey Bratus, Peter Johnson, Michael E. Locasto, Ashwin Ramaswamy, and Sean W. Smith. In Proceedings of the 2nd Workshop on Virtual Machine Security (VMSec 2009), held in conjunction with ACM CCS 2009.


 * Traps, Events, Emulation, and Enforcement: Managing the Yin and Yang of Virtualization-based Security. Sergey Bratus, Michael E. Locasto, Ashwin Ramaswamy, and Sean W. Smith. In Proceedings of the 1st Workshop on Virtual Machine Security (VMSec 2008), held in conjunction with ACM CCS 2008. October 31, 2008. Alexandria, VA.


 * Speculative Virtual Verification: Policy-Constrained Speculative Execution. Michael E. Locasto, Stelios Sidiroglou, and Angelos D. Keromytis. In Proceedings of the 14th New Security Paradigms Workshop (NSPW 2005). pp. 119--124. Sept. 20-23, 2005. Lake Arrowhead, CA.

Blurbs
From our VMSec 2009 paper: "The ill-fated Intel iAPX-432 [4] implemented the concept of “roles” and “objects” at the hardware level and encouraged separation of OS duties similar to our concept of vertical isolation, but it never caught on. Burroughs 5000 machines [1] also employed a tagged architecture, but only used 3 bits for the tag and explicitly defined the meaning of all values, disallowing arbitrary semantics."