Shadow-Box v2: The Practical and Omnipotent Sandbox for ARM

Presented at Black Hat Asia 2018, March 22, 2018, 2:15 p.m. (60 minutes)

Protection mechanisms running at the kernel level (Ring 0) cannot completely prevent security threats such as rootkits and kernel exploits, because those threats run with the same privileges and can subvert the protections. Protections therefore need to be provided from a higher privilege level (Ring -1). To meet this need, we presented a lightweight hypervisor-based kernel protector, "Shadow-box v1", at Black Hat Asia 2017.

However, the Linux kernel is used not only for PCs and servers but also for mobile devices and IoT (Internet of Things) devices. Mobile and IoT devices typically use ARM-based processors. In the field of mobile processors, Qualcomm and Samsung play a pivotal role, and their trusted execution environments (TEEs), such as KNOX and QSEE, also play a leading role. Unfortunately, their TEEs are not open technology, so they cannot be used on the other ARM-based processors normally used for IoT, such as those from Broadcom, NXP, Allwinner, etc.

In this talk, we propose a security monitoring framework for operating systems, Shadow-box v2, which uses the virtualization technologies of x86 and ARM processors. Shadow-box v2 inherits from Shadow-box v1 a novel architecture inspired by a shadow play, and we built Shadow-box v2 from scratch. Shadow-box v2 for ARM utilizes OP-TEE (Open Platform Trusted Execution Environment), which follows the GlobalPlatform TEE system architecture specification. Qualcomm and Samsung also follow the specification. Moreover, OP-TEE supports more than eleven manufacturers, including Broadcom and NXP, so Shadow-box v2 can be ported to many ARM-based devices easily. Shadow-box v2 also utilizes the integrity measurement architecture (IMA). IMA can verify signatures of executable files from the kernel, so Shadow-box v2 provides strict integrity of executable files. In comparison with Shadow-box v1, Shadow-box v2 has additional features such as a hash-based kernel integrity monitor, workload-concerned monitoring, and remote attestation.

We will show a demo of Shadow-box v2 and share our know-how about implementing the kernel protector for multiple platforms.


Presenters:

  • Seunghun Han - Senior Security Researcher, National Security Research Institute of South Korea
    Seunghun Han is a Hypervisor and an Operating System Security Researcher at National Security Research Institute of South Korea and before that was a Firmware Engineer at Samsung Electronics. He is an expert in the hypervisor and had his own hypervisor, Shadow-Box. He also had several CVEs on Linux kernel and BIOS/UEFI firmware, and he contributed patches to various system and security software. He was a speaker at Black Hat Asia and HITBSecConf. He authored the below works:
    - 64-bit multi-core OS principles and structure, volume 1 (ISBN-13: 978-8979148367)
    - 64-bit multi-core OS principles and structure, volume 2 (ISBN-13: 978-8979148374)
  • Jun-Hyeok Park - Security Researcher, National Security Research Institute of South Korea
    Jun-Hyeok Park is a researcher of the Attached Institute of Electronics and Technologies Research Institute whose primary concern is to conduct scientific research on system and network security. He is currently working on developing a secure cloud access platform. He received the M.S. degree in electrical and computer engineering from Ajou University, Suwon, Korea.
