TY - GEN
T1 - A Machine Learning-Assisted Compartmentalization Scheme for Bare-Metal Systems
AU - Huo, Dongdong
AU - Liu, Chao
AU - Wang, Xiao
AU - Li, Mingxuan
AU - Wang, Yu
AU - Wang, Yazhe
AU - Liu, Peng
AU - Xu, Zhen
N1 - Publisher Copyright:
© 2020, Springer Nature Switzerland AG.
PY - 2020
Y1 - 2020
N2 - A primary concern in creating compartments (i.e., protection domains) for bare-metal systems is to adopt the applicable compartmentalization policy. Existing studies have proposed several typical policies in literature. However, neither of the policies consider the influence of unsafe functions on the compartment security that a vulnerable function would expose unpredictable attack surfaces, which could be exploited to manipulate any contents that are stored in the same compartment. In this paper, we design a machine learning-assisted compartmentalization scheme, which adopts a new policy that takes every function’s security into full account, to create compartments for bare-metal systems. First, the scheme takes advantage of the machine learning method to predict how likely a function holds an exploitable security bug. Second, the prediction results are used to create a new instrumented firmware that isolates vulnerable and normal functions into different compartments. Further, the scheme provides some optional optimization plans to the developer to improve the performance. The PoC of the scheme is incorporated into an LLVM-based compiler and evaluated on a Cortex-M based IoT device. Compared with the firmware adopting other typical policies, the firmware with the new policy not only shows better security but also assures the overhead basically unchanged.
AB - A primary concern in creating compartments (i.e., protection domains) for bare-metal systems is to adopt the applicable compartmentalization policy. Existing studies have proposed several typical policies in literature. However, neither of the policies consider the influence of unsafe functions on the compartment security that a vulnerable function would expose unpredictable attack surfaces, which could be exploited to manipulate any contents that are stored in the same compartment. In this paper, we design a machine learning-assisted compartmentalization scheme, which adopts a new policy that takes every function’s security into full account, to create compartments for bare-metal systems. First, the scheme takes advantage of the machine learning method to predict how likely a function holds an exploitable security bug. Second, the prediction results are used to create a new instrumented firmware that isolates vulnerable and normal functions into different compartments. Further, the scheme provides some optional optimization plans to the developer to improve the performance. The PoC of the scheme is incorporated into an LLVM-based compiler and evaluated on a Cortex-M based IoT device. Compared with the firmware adopting other typical policies, the firmware with the new policy not only shows better security but also assures the overhead basically unchanged.
UR - http://www.scopus.com/inward/record.url?scp=85097654230&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85097654230&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-61078-4_2
DO - 10.1007/978-3-030-61078-4_2
M3 - Conference contribution
AN - SCOPUS:85097654230
SN - 9783030610777
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 20
EP - 35
BT - Information and Communications Security - 22nd International Conference, ICICS 2020, Proceedings
A2 - Meng, Weizhi
A2 - Gollmann, Dieter
A2 - Jensen, Christian D.
A2 - Zhou, Jianying
PB - Springer Science and Business Media Deutschland GmbH
T2 - 22nd International Conference on Information and Communications Security, ICICS 2020
Y2 - 24 August 2020 through 26 August 2020
ER -