Bypassing software-based remote attestation using debug registers
Remote attestation (RA) is an essential feature in many security protocols to verify the memory integrity of remote embedded devices susceptible to malware infections. The attestation process needs to be consecutive and atomic to prevent a self-relocating malware from evading detection. Most of the...
| Main Authors: | Zheng Zhang, Jingfeng Xue, Tianshi Mu, Ting Yu, Kefan Qiu, Tian Chen, Yuanzhang Li |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | Taylor & Francis Group, 2024-12-01 |
| Series: | Connection Science |
| Subjects: | Remote attestation; debug exceptions; indisputable code execution; self-relocating malware |
| Online Access: | https://www.tandfonline.com/doi/10.1080/09540091.2024.2306965 |
| author | Zheng Zhang, Jingfeng Xue, Tianshi Mu, Ting Yu, Kefan Qiu, Tian Chen, Yuanzhang Li |
|---|---|
| collection | DOAJ |
| description | Remote attestation (RA) is an essential feature in many security protocols to verify the memory integrity of remote embedded devices susceptible to malware infections. The attestation process needs to be consecutive and atomic to prevent a self-relocating malware from evading detection. Most of the prior attestation techniques disable interrupts during execution to prevent another process from interrupting the integrity check. This paper investigates the shortcomings of existing software-based attestation techniques and stresses the threat of debug exceptions to existing software-based attestation. We present Debug Register-based Self-relocating Attack (DRSA), a novel self-relocating malware against software-based attestation based on debug registers. DRSA gains control of the checksum function by raising debug exceptions and erasing itself before the next attestation. We further implement DRSA on commodity OSes and validate its effectiveness based on two existing software-based proposals. Our evaluation demonstrates that DRSA incurs low overhead, and it is extremely difficult for the verifier to detect it. can bypass the attestation with very little attack overhead. |
| format | Article |
| id | doaj-art-50411a1681c74567a6d09354f310b7c3 |
| institution | OA Journals |
| issn | 0954-0091 1360-0494 |
| language | English |
| publishDate | 2024-12-01 |
| publisher | Taylor & Francis Group |
| record_format | Article |
| series | Connection Science |
| spelling | doaj-art-50411a1681c74567a6d09354f310b7c3; 2025-08-20T01:56:32Z; eng; Taylor & Francis Group; Connection Science; 0954-0091; 1360-0494; 2024-12-01; 36; 1; 10.1080/09540091.2024.2306965; Bypassing software-based remote attestation using debug registers; Zheng Zhang (Beijing Institute of Technology, Beijing, People's Republic of China); Jingfeng Xue (Beijing Institute of Technology, Beijing, People's Republic of China); Tianshi Mu (China Southern Power Grid Digital Grid Group Co., Ltd., Guangzhou, People's Republic of China); Ting Yu (China Southern Power Grid Digital Grid Group Co., Ltd., Guangzhou, People's Republic of China); Kefan Qiu (Beijing Institute of Technology, Beijing, People's Republic of China); Tian Chen (Beijing Institute of Technology, Beijing, People's Republic of China); Yuanzhang Li (Beijing Institute of Technology, Beijing, People's Republic of China); https://www.tandfonline.com/doi/10.1080/09540091.2024.2306965; Remote attestation; debug exceptions; indisputable code execution; self-relocating malware |
| title | Bypassing software-based remote attestation using debug registers |
| topic | Remote attestation; debug exceptions; indisputable code execution; self-relocating malware |
| url | https://www.tandfonline.com/doi/10.1080/09540091.2024.2306965 |