Compact Integrity-Aware Architectures
Malware often injects and executes new code to infect hypervisors, OSs and applications on a wide range of systems, from embedded devices to servers in data centers. In this dissertation, we design and evaluate approaches for remotely attesting software integrity and blocking infections on a variety of systems using integrity kernels. Existing hardware architectures provide inadequate support for integrity kernels. Despite this, we equip commodity embedded systems with compact integrity kernels. We also describe the limitations of existing non-embedded processors, and then develop an extended processor architecture that provides superior isolation, visibility, performance, and compatibility for integrity kernels. We were the first to demonstrate practical remote attestation for Advanced Metering Infrastructure (AMI), a core technology in emerging smart power grid systems that requires integrity guarantees for each meter over an interval of time rather than only at a given instant. Our prototype Cumulative Attestation Kernel (CAK) uses less than one quarter of the memory available on 32-bit Atmel AVR32 flash MCUs similar to those used in AMI deployments. We analyze one specialized feature of such applications by constructing the first formal proof, specific to our prototype, that a system's security requirements are met even when it experiences unexpected, repeated halt conditions. We also developed the only remote attestation mechanism for 8-bit Atmel AVR microcontrollers that communicate over networks like those in AMI and that run untrusted application firmware that can be remotely upgraded. We created the Integrity-Aware Processor (IAP), the only processor architecture with direct support for detecting attempts to execute unverified code. Using the IAP as a base, we developed the smallest integrity kernel that checks all code that ever executes in a target Linux system; it uses a network-hosted whitelist.