Protection mechanisms running in the kernel-level (Ring 0) cannot completely prevent security threats such as rootkits and kernel exploits because the threats can subvert the protections with the same privileges. This means protections need to be provided with higher privileges (Ring -1). Because of this need, we presented lightweight hypervisor-based kernel protector, "Shadow-box v1" at Black Hat Asia 2017.
However, Linux kernel is used for not only PCs' servers but also mobile devices, IoT (Internet of Things) devices. Mobile and IoT devices typically use ARM-based processors. In the fields of mobile processors, Qualcomm and Samsung play a pivotal role and their trusted execution environment (TEE) such as KNOX, QSEE play also a leading role. Unfortunately, their TEEs are not open technology, so they cannot be used for other ARM-based processors which are normally used for IoT such as Broadcom, NXP, Allwinner, etc.
In this talk, we propose a security monitoring framework for operating systems, Shadow-box v2, using virtualization technologies of x86 and ARM processor. Shadow-box v2 inherits a novel architecture inspired by a shadow play from Shadow-box v1, and we made Shadow-box v2 from scratch. Shadow-box v2 for ARM utilizes OP-TEE (Open Platform Trusted Execution Environment) which follows GlobalPlatform TEE system architecture specification. Qualcomm and Samsung also follow the specification. Moreover, OP-TEE supports more than eleven manufacturers including Broadcom and NXP, therefore Shadow-box v2 can be ported many ARM-based devices easily. Shadow-box v2 also utilizes integrity measurement architecture (IMA). IMA can verify signatures of executable files from kernel. Therefore Shadow-box v2 provides strict integrity of executable files. Shadow-box v2 has additional features such as hash-based kernel integrity monitor, workload-concerned monitoring, and remote attestation in comparison with Shadow-box v1.
We will show a demo of Shadow-box v2 and share our know-how about implementing the kernel protector for multi-platform.