Design and implementation of an attestation protocol for measured dynamic behavior

Abstract

Security of applications running on remote devices has become an essential need of enterprises. For this purpose, several software-based solutions have been proposed. However, it has been observed that software solutions are vulnerable to several kinds of attacks. Moreover, they cannot protect and monitor all parts of the system. To overcome this problem, researchers have proposed to monitor a target system from an isolated hardware and store system’s sensitive information in its tamper-proof memory locations. To realize such a solution, Trusted Computing Group (TCG) has proposed the specifications of a co-processor called Trusted Platform Module which is widely available in commodity hardware. Integrity Measurement Architecture is one of the well-known static techniques that brings TCG’s attestation from kernel to the application level. However, this method cannot measure runtime behavior of applications, which is necessary to detect runtime attacks such as buffer overflow and return-oriented programming. In this paper, we have extended the base work which aims to detect runtime vulnerabilities. Current high-level-based attestation protocol has been extended for dynamic behavior collection and verification, and the dynamic behavior is verified via several machine learning algorithms. Our results justify the use of this approach and show that a high rate detection was achieved for datasets of real-world vulnerabilities in the popular Firefox browser.