Benedikt Jung, Christian Eichler, Jonas Röckl, R. Schlenk, Timo Hönig, Tilo Müller
{"title":"Trusted Monitor: TEE-Based System Monitoring","authors":"Benedikt Jung, Christian Eichler, Jonas Röckl, R. Schlenk, Timo Hönig, Tilo Müller","doi":"10.1109/SBESC56799.2022.9964869","DOIUrl":null,"url":null,"abstract":"As trusted computing becomes increasingly important, Trusted Execution Environments (TEEs) see more widespread use. A particular high demand for security arises in the context of embedded systems in critical infrastructures. We present a novel intrusion detection system called the Trusted Monitor (TM) that protects its integrity even in the presence of a system-level attacker by running inside the ARM TrustZone TEE. The TM constantly monitors the system using hardware performance counters and detects intrusions based on the classification by an application-specific machine learning model. Our evaluation shows that the TM correctly classifies 86% of 183 evaluated workloads, while the performance overhead stays below 2%. In particular, we show that a real-world kernel-level rootkit observably influences the hardware performance counters and, thus, can be detected.","PeriodicalId":130479,"journal":{"name":"2022 XII Brazilian Symposium on Computing Systems Engineering (SBESC)","volume":"41 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-11-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 XII Brazilian Symposium on Computing Systems Engineering (SBESC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SBESC56799.2022.9964869","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 1
Abstract
As trusted computing becomes increasingly important, Trusted Execution Environments (TEEs) see more widespread use. A particular high demand for security arises in the context of embedded systems in critical infrastructures. We present a novel intrusion detection system called the Trusted Monitor (TM) that protects its integrity even in the presence of a system-level attacker by running inside the ARM TrustZone TEE. The TM constantly monitors the system using hardware performance counters and detects intrusions based on the classification by an application-specific machine learning model. Our evaluation shows that the TM correctly classifies 86% of 183 evaluated workloads, while the performance overhead stays below 2%. In particular, we show that a real-world kernel-level rootkit observably influences the hardware performance counters and, thus, can be detected.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
