AUTHOR

Raz Ben Yehuda

HyperWall: A Hypervisor for Detection and Prevention of Malicious Communication

2020

Malicious programs vary widely in their functionality, from key-logging to disk encryption. However, most malicious programs communicate with their operators, thus revealing themselves to various security tools. The security tools incorporated within an operating system are vulnerable to attacks due to the large attack surface of the operating system kernel and modules. We present a kernel module that demonstrates how kernel-mode access can be used to bypass any security mechanism that is implemented in kernel-mode. External security tools, like firewalls, lack important information about the origin of the intercepted packets, thus their filtering policy is usually insufficient to prevent c…

Keywords: strategic defence & security studies; operating systems; network security; computer science; network packet; hypervisor; attack surface; computer security; operator (computer programming); trusted computing base; disk encryption; kernel

Virtual USB honeypot

2019

This paper presents the implementation of a malware trap device. We created a virtual USB device through the use of a microvisor on the ARM platform.

Published in: Proceedings of the 12th ACM International Conference on Systems and Storage
Keywords: trap (computing); management of computing and information systems; operating systems; honeypot; computer science; malware; USB

Hyplets - Multi Exception Level Kernel towards Linux RTOS

2018

This paper presents the concept of a Multi-Exception level operating system. We add hypervisor awareness to the Linux kernel and execute code in the hyp exception level. We do that through the use of Hyplets. Hyplets are an innovative way to code interrupt service routines under ARM. Hyplets provide high performance, security, running time predictability, an RPC mechanism and a possible solution for the priority inversion problem. Hyplets use special features of the ARMv8-a hypervisor memory architecture.

Published in: Proceedings of the 11th ACM International Systems and Storage Conference
Keywords: priority inversion; operating systems; computer science; kernel; memory architecture; code; hypervisor; Linux kernel; interrupt; real-time operating system

Arm Hypervisor and Trustzone Alternatives

2020

Many scenarios such as DRM, payments, and homeland security require a trusted and verified trusted execution environment (TEE) on ARM. In most cases such TEE should be available in source code mode. The vendor cannot conduct code review and ensure that the operating system is trustworthy unless source code is available. Android and other rich execution environments (REEs) support various TEE implementations. Each TEE implementation has its own unique way of deploying trusted applications and features. Most TEEs in ARM can be started at TrustZone™ or Hyp (Hypervisor) mode. Choosing a proper TEE operating system can be a problem for trusted application developers and hardware vendors. This ar…

Keywords: computer science; operating system; networking & telecommunications; hypervisor

Nanovised Control Flow Attestation

2022

This paper presents an improvement of control flow attestation (C-FLAT) for Linux. C-FLAT is a control attestation system for embedded devices. It was implemented as software executing in ARM’s TrustZone on bare-metal devices. We extend the design and implementation of C-FLAT through the use of a type 2 Nanovisor in the Linux operating system. We call our improved system “C-FLAT Linux”. Compared to the original C-FLAT, C-FLAT Linux reduces processing overheads and is able to detect the SlowLoris attack. We describe the architecture of C-FLAT Linux and provide extensive measurements of its performance in benchmarks and real-world scenarios. In addition, we demonstrate the…

Published in: Applied Sciences, Volume 12, Issue 5, Pages: 2669
Keywords: hypervisor; ARM; Linux; control flow; SlowLoris; TrustZone; access control; virtualization; information security; operating systems

Protection against reverse engineering in ARM

2020

With the advent of the mobile industry, we face new security challenges. ARM architecture is deployed in most mobile phones, homeland security, IoT, autonomous cars and other industries, providing a hypervisor API (via virtualization extension technology). To research the applicability of this virtualization technology for security in this platform is an interesting endeavor. The hypervisor API is an addition available for some ARMv7-a and is available with any ARMv8-a processor. Some ARM platforms also offer TrustZone, which is a separate exception level designed for trusted computing. However, TrustZone may not be available to engineers as some vendors lock it. We present a method of appl…

Keywords: IoT; mobile devices; ARM; reverse engineering; Internet of Things; security; mobile; wireless technology; hypervisor; information security; microprocessors

Attacking TrustZone on devices lacking memory protection

2021

ARM TrustZone offers a Trusted Execution Environment (TEE) embedded into the processor cores. Some vendors offer ARM modules that do not fully comply with TrustZone specifications, which may lead to vulnerabilities in the system. In this paper, we present a DMA attack tutorial from the insecure world onto the secure world, and the design and implementation of this attack on real insecure hardware.

Keywords: embedded computing; computational theory and mathematics; hardware and architecture; Internet of Things; TrustZone; security; information security; network attacks; software; vulnerability

Hypervisor memory acquisition for ARM

2021

Cyber forensics use memory acquisition in advanced forensics and malware analysis. We propose a hypervisor-based memory acquisition tool. Our implementation extends the Volatility memory forensics framework: it reduces processor consumption, solves the incoherency problem in memory snapshots and mitigates the pressure of the acquisition on the network and the disk. We provide benchmarks and evaluation.

Published in: Forensic Science International: Digital Investigation
Keywords: memory structures; computer science; hypervisor; memory forensics; operating system; memory acquisition; Volatility; malware analysis; information systems

Hypervisor Memory Introspection and Hypervisor Based Malware Honeypot

2020

Memory acquisition is a tool used in advanced forensics and malware analysis. Various methods of memory acquisition exist. Such solutions range from tools based on dedicated hardware to software-only solutions. We proposed a hypervisor-based memory acquisition tool [22]. Our method supports ASLR and modern operating systems, which is an innovation compared to past methods [27, 36]. We extend the hypervisor-assisted memory acquisition by adding mass storage device honeypots for the malware to cross and propose hiding the hypervisor using bluepill technology.

Keywords: strategic defence & security studies; atomicity; operating systems; honeypot; computer science; hypervisor; virtualization; memory forensics; mass storage; operating system; malware; malware analysis

The hyplet : Joining a Program and a Nanovisor for real-time and Performance

2020

This paper presents the concept of sharing a hypervisor address space with a standard Linux program. In this work, we add hypervisor awareness to the Linux kernel and execute code in the HYP exception level using the hyplet. The hyplet is an innovative way to code interrupt service routines and remote procedure calls under ARM. The hyplet provides high performance and run-time predictability. We demonstrate the hyplet implementation using the C programming language on an ARMv8-a platform and under the Linux kernel. We then provide performance measurements, use cases, and security scenarios.

Keywords: operating systems; virtualization; Linux; information security

Arm security alternatives

2019

Many real-world scenarios such as protecting DRM, online payments and usage in NFC payments in embedded devices require a trustworthy “trusted execution environment” (TEE) platform. The TEE should run on the ARM architecture, which is popular in embedded devices. Furthermore, past experience has proved that such a TEE platform should be available in source code form. Without the source code, third parties and users cannot conduct a code review audit. Lack of review puts doubt on the system as a trustworthy environment. The popular Android OS supports various TEE implementations. Each TEE OS implementation has its own unique way of deploying trusted applications (trustlets) and its own distinct fe…

Keywords: open source; online payment; virtualization; trusted computing; ARM architecture; TrustZone; cyber security