Amit Vasudevan

Carnegie Mellon University, Pittsburgh, Pennsylvania, United States

Are you Amit Vasudevan?

Claim your profile

Publications (22)0.66 Total impact

  • Amit Vasudevan · Jonathan M. McCune · James Newsome
    [Show abstract] [Hide abstract]
    ABSTRACT: In this chapter we discuss currently-available hardware security primitives with a focus on existing smartphone and tablet platforms. As the vast majority of these platforms are built for the ARM architecture, we first present a generic ARM platform hardware and security architecture, focusing our discussion on platform hardware components that help realize the features discussed in Chap. 3. We then identify design gaps and implementation challenges in off-the-shelf mobile devices that prevent third-party application developers from fully realizing the desired security properties. Finally, we provide two case studies of inexpensive mobile development platforms with myriad security features, to serve as references against which to compare mass-market devices.
    No preview · Chapter · Jan 2014
  • [Show abstract] [Hide abstract]
    ABSTRACT: We present OASIS, a CPU instruction set extension for externally verifiable initiation, execution, and termination of an isolated execution environment with a trusted computing base consisting solely of the CPU. OASIS leverages the hardware components available on commodity CPUs to achieve a low-cost, low-overhead design.
    No preview · Conference Paper · Nov 2013
  • [Show abstract] [Hide abstract]
    ABSTRACT: We present the design, implementation, and verification of XMHF- an eXtensible and Modular Hypervisor Framework. XMHF is designed to achieve three goals -- modular extensibility, automated verification, and high performance. XMHF includes a core that provides functionality common to many hypervisor-based security architectures and supports extensions that augment the core with additional security or functional properties while preserving the fundamental hypervisor security property of memory integrity (i.e., ensuring that the hypervisor's memory is not modified by software running at a lower privilege level). We verify the memory integrity of the XMHF core -- 6018 lines of code -- using a combination of automated and manual techniques. The model checker CBMC automatically verifies 5208 lines of C code in about 80 seconds using less than 2GB of RAM. We manually audit the remaining 422 lines of C code and 388 lines of assembly language code that are stable and unlikely to change as development proceeds. Our experiments indicate that XMHF's performance is comparable to popular high-performance general-purpose hypervisors for the single guest that it supports.
    No preview · Conference Paper · May 2013
  • Chen Chen · Petros Maniatis · Adrian Perrig · Amit Vasudevan · Vyas Sekar
    [Show abstract] [Hide abstract]
    ABSTRACT: Outsourced computation services should ideally only charge customers for the resources used by their applications. Unfortunately, no verifiable basis for service providers and customers to reconcile resource accounting exists today. This leads to undesirable outcomes for both providers and consumers - providers cannot prove to customers that they really devoted the resources charged, and customers cannot verify that their invoice maps to their actual usage. As a result, many practical and theoretical attacks exist, aimed at charging customers for resources that their applications did not consume. Moreover, providers cannot charge consumers precisely, which causes them to bear the cost of unaccounted resources or pass these costs inefficiently to their customers. We introduce ALIBI, a first step toward a vision for verifiable resource accounting. ALIBI places a minimal, trusted reference monitor underneath the service provider's software platform. This monitor observes resource allocation to customers' guest virtual machines and reports those observations to customers, for verifiable reconciliation. In this paper, we show that ALIBI efficiently and verifiably tracks guests' memory use and CPU-cycle consumption.
    No preview · Article · Mar 2013 · ACM SIGPLAN Notices
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: A detailed understanding of the behavior of exploits and malicious software is necessary to obtain a comprehensive overview of vulnerabilities in operating systems or client applications, and to develop protection techniques and tools. To this end, a lot of research has been done in the last few years on binary analysis techniques to efficiently and precisely analyze code. Most of the common analysis frameworks are based on software emulators since such tools offer a fine-grained control over the execution of a given program. Naturally, this leads to an arms race where the attackers are constantly searching for new methods to detect such analysis frameworks in order to successfully evade analysis. In this paper, we focus on two aspects. As a first contribution, we introduce several novel mechanisms by which an attacker can delude an emulator. In contrast to existing detection approaches that perform a dedicated test on the environment and combine the test with an explicit conditional branch, our detection mechanisms introduce code sequences that have an implicitly different behavior on a native machine when compared to an emulator. Such differences in behavior are caused by the side-effects of the particular operations and imperfections in the emulation process that cannot be mitigated easily. Motivated by these findings, we introduce a novel approach to generate execution traces. We propose to utilize the processor itself to generate such traces. Mores precisely, we propose to use a hardware feature called branch tracing available on commodity x86 processors in which the log of all branches taken during code execution is generated directly by the processor. Effectively, the logging is thus performed at the lowest level possible. We evaluate the practical viability of this approach.
    Full-text · Conference Paper · Dec 2012
  • [Show abstract] [Hide abstract]
    ABSTRACT: We are now in the post-PC era, yet our mobile devices are insecure. We consider the different stake-holders in today's mobile device ecosystem, and analyze why widely-deployed hardware security primitives on mobile device platforms are inaccessible to application developers and end-users. We systematize existing proposals for leveraging such primitives, and show that they can indeed strengthen the security properties available to applications and users, all without reducing the properties currently enjoyed by OEMs and network carriers. We also highlight shortcomings of existing proposals and make recommendations for future research that may yield practical, deployable results.
    No preview · Conference Paper · Jun 2012
  • Source
    Amit Vasudevan · Bryan Parno · Ning Qu · Virgil D. Gligor · Adrian Perrig
    [Show abstract] [Hide abstract]
    ABSTRACT: We investigate a new point in the design space of red/green systems [19,30], which provide the user with a highly-protected, yet also highly-constrained trusted ("green") environment for performing security-sensitive transactions, as well as a high-performance, general-purpose environment for all other (non-security-sensitive or "red") applications. Through the design and implementation of the Lockdown architecture, we evaluate whether partitioning, rather than virtualizing, resources and devices can lead to better security or performance for red/green systems. We also design a simple external interface to allow the user to securely learn which environment is active and easily switch between them. We find that partitioning offers a new tradeoff between security, performance, and usability. On the one hand, partitioning can improve the security of the "green" environment and the performance of the "red" environment (as compared with a virtualized solution). On the other hand, with current systems, partitioning makes switching between environments quite slow (13-31 seconds), which may prove intolerable to users.
    Preview · Conference Paper · Jun 2012
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: The address translation subsystem of operating systems, hypervisors, and virtual machine monitors must correctly enforce address space separation in the presence of adversaries. The size, and hierarchical nesting, of the data structures over which such systems operate raise challenges for automated model checking techniques to be fruitfully applied to them. We address this problem by developing a sound and complete parametric verification technique that achieves the best possible reduction in model size. Our results significantly generalize prior work on this topic, and bring interesting systems within the scope of analysis. We demonstrate the applicability of our approach by modeling shadow paging mechanisms of Xen version 3.0.3 and ShadowVisor, a research hypervisor developed for the x86 platform. 1
    Preview · Article · May 2012
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Much effort has been spent to reduce the software Trusted Computing Base (TCB) of modern systems. However, the hardware TCB remains complex and untrustworthy. Com-ponents such as memory, peripherals, and system buses may become malicious via firmware compromise, a malicious manufacturer, a malicious supply chain, or local physical tampering. We seek to reduce the hardware TCB to a min-imal set of hardware components that must be trusted. We describe the design and implementation of an isolated execu-tion environment on commodity x86 platforms that only re-lies on the CPU, without needing to trust the memory, buses, peripherals, or any other system components.
    Full-text · Article · May 2012
  • Source
    A. Vasudevan · Ning Qu · A. Perrig
    [Show abstract] [Hide abstract]
    ABSTRACT: We propose XTRec, a primitive that can record the instruction-level execution trace of a commodity computing system. Our primitive is resilient to compromise to provide integrity of the recorded execution trace. We implement XTRec on the AMD platform running the Windows OS. The only software component that is trusted in the system during runtime is XTRec itself, which contains only 2,195 lines of code permitting manual audits to ensure security and safety. We use XTRec to show whether a particular code has been executed on a system, or conversely to prove that some malware has not executed on the system. This is a highly desirable property to ensure information assurance, especially in critical e-government infrastructure. Our experimental results show that the imposed overhead is 2x-4x for real-world applications. This overhead is primarily due to CPU Branch Trace Messages(BTM), a ubiquitous debugging feature used to record control-flow instructions. Hardware improvements to BTM would therefore enable XTRec to run with minimal overhead.
    Preview · Conference Paper · Feb 2011
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Virtualization has been purported to be a panacea for many security problems. We analyze the feasibility of constructing an integrity-protected hypervisor on contemporary x86 hardware that includes virtualization support, observing that without the fundamental property of hypervisor integrity, no secrecy properties can be achieved. Unfortunately, we find that significant issues remain for constructing an integrity-protected hypervisor on such hardware. Based on our analysis, we describe a set of necessary rules that must be followed by hypervisor developers and users to maintain hypervisor integrity. No current hypervisor we are aware of adheres to all the rules. No current x86 hardware platform we are aware of even allows for the construction of an integrity-protected hypervisor. We provide a perspective on secure virtualization and outline a research agenda for achieving truly secure hypervisors. 1
    Full-text · Conference Paper · Jul 2010
  • Amit Vasudevan
    [Show abstract] [Hide abstract]
    ABSTRACT: This paper extends VAMPiRE, a stealth breakpoint framework specifically tailored for microscopic malware analysis. Stealth breakpoints are designed to provide unlimited number of code, data and I/O breakpoints that cannot be detected or countered. However, in this paper we present several attacks that can be used to detect and counter VAMPiRE. We then present a solution towards preventing such attacks in the form of a new breakpoint framework named Galanus. Galanus also adds support for legacy I/O breakpoints in kernel-mode, an important feature required to analyze keyloggers, BIOS flashers, CMOS updaters and rootkits. We also evaluate Galanus, comparing it to VAMPiRE in the context of a few real-world malware.
    No preview · Conference Paper · Oct 2009
  • Source
    Amit Vasudevan · Bryan Parno · Ning Qu · Adrian Perrig
    [Show abstract] [Hide abstract]
    ABSTRACT: We describe, build, and evaluate Lockdown, a system that significantly increases the level of security for online transactions, even on a platform infested with malicious code. Lockdown provides the user with a highly-protected, yet also highly-constrained trusted environment for performing online transactions, as well as a high-performance, general-purpose environment for all other (non-security-sensitive) applications. A simple, user-friendly external in-terface allows the user to securely learn which environment is active and easily switch between them. We focus on making Lockdown deployable and usable today. Lockdown works with both Windows and Linux, and provides immediate improvements to security-sensitive tasks while imposing, on average, only 3% memory overhead and 2–7% storage overhead on non-security-related tasks.
    Preview · Article · Aug 2009
  • Source
    Amit Vasudevan
    [Show abstract] [Hide abstract]
    ABSTRACT: Malware or malicious code is a rapidly evolving threat to the computing community. Zero-day malware are exploiting vulnerabilities very soon after being discovered and are spreading quickly. However, anti-virus tools, which are the most widely used countering mechanism, are unable to cope with this. They are based on signatures which need to be computed for new malware strains. After a new malware strikes and before the signature is found allows sufficient time for the malware to perform its damage. We propose a new framework, codenamed MalTRAK, which, when deployed on a clean system, guarantees that any effects of a known or unknown malware can always be reversed and the system can be restored back to a prior clean state. Our framework also maintains detailed dependency lists of system operations which can be used for further forensic analysis. We are able to achieve this without imposing any restrictions on the nature of programs that can be executed by the user and without the user noticing any perceptible system slowdown due to the framework. Furthermore, we are able to track modifications to the system at a level that ensures that we can always monitor any changes to the system state even if a malware modifies the system during execution. We implemented and evaluated MalTRAK on Windows, using 8 known malware assuming they were unknown strains. We then compared our results with two popular commercial anti-virus tools. We were able to successfully restore all the effects of the 8 malware, while the commercial tools, on an average were only able to restore 36% of all their effects put together. For one of the malware samples, the commercial tools could only detect it but could not repair any of its damage. Further, for two of the malware samples, the commercial tools were completely unable to detect or restore any of their effects. Our results show that signature based mechanisms in addition to not being able to prevent infection by new malware strains, are not ve- - ry effective in removing an infection even after a signature has been developed. Our experience shows that non-signature based approaches, such as MalTRAK, are the next step towards combating the threat of ever-evolving malware.
    Preview · Conference Paper · Dec 2008
  • Ashish Chawla · Yerraballi Ramesh · Amit Vasudevan
    [Show abstract] [Hide abstract]
    ABSTRACT: - Advances in softward and hardware technologies have given operating systems the ability to process data and handle various concurrent processes. The increased ability has been one of the driving forces which have led to the proliferation of mechanisms in operating systesm to satisfy the performance requriements of applications with predictable resourece allocation. As differnt classes of applicatons require different resources managemnt policies one needs to look into ways to satify all classes of applications. Conventional general purpose operating systems have been developed for a single class of best-effort applications, hence, are inadequate to support multiple classes of applications. We present an abstract architecture for the support of Quality of Service (Qos) in Kernel-Less Operating System (KLOS). We propose new semantics for the Qos resources management paradigm, based on the notion of Quality of Service. By virtue of this new semantics, it is possible to provide the support required by KLOS to various components of the operating system such as memory manager, processor time, IO management etc. These mechanisms which are required within an operating system to support this paradigm are described, and the design and implementation of a protoypical kernel which implements them in is presented. Various notions of negotiation rules between the application and the operating systems are discussed along-with a feature which allows the user to express its requirements and the fact is that this model assures the user in providing the selcted parameters and returns feedback about the way it meets those requirements. This Qos model presents a design paradigm that allows the internal components to be rearranged dynamically, adapting the architecutre to the high performance of KLOS. The benefits of our framework are demonstrated by building a simulation model to represent how the various modules of an opeating system and the interface between the processes and the operating system can be tailored to provide Qualitu of Service guarantees.
    No preview · Chapter · Sep 2007
  • Source
    A. Vasudevan · R. Yerraballi
    [Show abstract] [Hide abstract]
    ABSTRACT: Fine-grained code analysis in the context of malware is a complex and challenging task that provides insight into malware code-layers (polymorphic/metamorphic), its data encryption/decryption engine, its memory layout etc., important pieces of information that can be used to detect and counter the malware and its variants. Current research in fine-grained code analysis can be categorized into static and dynamic approaches. Static approaches have been tailored towards malware and allow exhaustive fine-grained malicious code analysis, but lack support for self-modifying code, have limitations related to code-obfuscations and face the undecidability problem. Given that most if not all malware employ self-modifying code and code-obfuscations, poses the need to analyze them at runtime using dynamic approaches. However, current dynamic approaches for fine-grained code analysis are not tailored specifically towards malware and lack support for multithreading, self-modifying/self-checking code and are easily detected and countered by ever-evolving anti-analysis tricks employed by malware. To address this problem, we propose a powerful dynamic fine-grained malicious code analysis framework, codenamed Cobra, to combat malware that are becoming increasingly hard to analyze. Our goal is to provide a stealth, efficient, portable and easy-to-use framework supporting multithreading, self-modifying/self-checking code and any form of code obfuscation in both user- and kernel-mode on commodity operating systems. Cobra cannot be detected or countered and can be dynamically and selectively deployed on malware specific code-streams while allowing other code-streams to execute as is. We also illustrate the framework utility by describing our experience with a tool employing Cobra to analyze a real-world malware.
    Preview · Conference Paper · Jun 2006
  • Source
    Conference Paper: Stealth breakpoints
    A. Vasudevan · R. Yerraballi
    [Show abstract] [Hide abstract]
    ABSTRACT: Microscopic analysis of malicious code (malware) requires the aid of a variety of powerful tools. Chief among them is a debugger that enables runtime binary analysis at an instruction level. One of the important services provided by a debugger is the ability to stop execution of code at an arbitrary point during runtime, using breakpoints. Software breakpoints support an unlimited number of breakpoint locations by changing the code being debugged so that it can be interrupted during runtime. Most, if not all, malware are very sensitive to code modification with self-modifying and/or self-checking (SM-SC) capabilities, rendering the use of software breakpoints limited in their scope. Hardware breakpoints supported by the underlying processor, on the other hand, use a subset of the processor register set and exception mechanisms to provide breakpoints that do not entail code modification. This makes hardware breakpoints the most powerful breakpoint mechanism for malware analysis. However, current processors provide a very limited number of hardware breakpoints (typically 2-4 locations). Thus, a serious restriction is imposed on the debugger to set a desired number of breakpoints without resorting to the limited alternative of software breakpoints. Also, with the ever evolving nature of malware, there are techniques being employed that prevent the use of hardware breakpoints. This calls for a new breakpoint mechanism that retains the features of hardware breakpoints while providing an unlimited number of breakpoints, which cannot be detected or countered. In this paper, we present the concept of stealth breakpoints and discuss the design and implementation of VAMPiRE, a realization of this concept. VAMPiRE cannot be detected or countered and provides unlimited number of breakpoints to be set on code, data, and I/O with the same precision as that of hardware breakpoints. It does so by employing a subtle combination of simple stealth techniques using virtual memory and hardware single-stepping mechanisms that are available on all processors, old and new. This technique makes VAMPiRE portable to any architecture, providing powerful breakpoint ability similar to hardware breakpoints for microscopic malware analysis.
    Preview · Conference Paper · Jan 2006
  • Source
    Amit Vasudevan · Ramesh Yerraballi
    [Show abstract] [Hide abstract]
    ABSTRACT: Malware — a generic term that encompasses viruses, trojans, spywares and other intrusive code — is widespread today. Malware analysis is a multi-step pro- cess providing insight into malware structure and func- tionality, facilitating the development of an antidote. Behavior monitoring, an important step in the analy- sis process, is used to observe malware interaction with respect to the system and is achieved by employing dy- namic coarse-grained binary-instrumentation on the tar- get system. However, current research involving dy- namic binary-instrumentation, categorized into probe- based and just-in-time compilation (JIT), fail in the con- text of malware. Probe-based schemes are not transpar- ent. Most if not all malware are sensitive to code mod- ification incorporating methods to prevent their analy- sis and even instrument the system themselves for their functionality and stealthness. Current JIT schemes, though transparent, do not support multithreading, self- modifying and/or self-checking (SM-SC) code and are unable to capture code running in kernel-mode. Also, they are an overkill in terms of latency for coarse-grained instrumentation. To address this problem, we have developed a new dynamic coarse-grained binary-instrumentation frame- work codenamed SPiKE, that aids in the construction of powerful malware analysis tools to combat malware that are becoming increasingly hard to analyze. Our goal is to provide a binary-instrumentation framework that is unobtrusive, portable, ecient, easy-to-use and reusable, supporting multithreading and SM-SC code, both in user- and kernel-mode. In this paper, we dis- cuss the concept of unobtrusive binary-instrumentation and present the design, implementation and evaluation of SPiKE. We also illustrate the framework utility by describing our experience with a tool employing SPiKE to analyze a real world malware.
    Preview · Conference Paper · Jan 2006
  • Source
    Amit Vasudevan · Ramesh Yerraballi · Ashish Chawla
    [Show abstract] [Hide abstract]
    ABSTRACT: Operating Systems provide services that are accessed by processes via mechanisms that involve a ring transition to transfer control to the kernel where the required functi on is performed. This has one significant drawback that every service call involves an overhead of a context switch where processor state is saved and a protectio n domain transfer is performed. However, as we discovered, it is possible, on processor architectures that support segmentation, to achieve a significant performance gain in accessing the services provided by the operating system by not performing a ring transition. Further, such gains can be achieved without compromising on the separation of the privileged components from the unprivileged. KLOS is a Kernel-Less Operating System built on the basis of such a design. The KLOS service call mechanism is an order of magnitude faster than the current widely implemented mechanisms for service or system calls wit h a 4x improvement over the traditional trap/interrupt and a 2x improvement over the Intel SYSENTER/SYSEXIT fast system call models.
    Full-text · Conference Paper · Jan 2005
  • Source
    Amit Vasudevan · Ramesh Yerraballi · Ashish Chawla
    [Show abstract] [Hide abstract]
    ABSTRACT: Operating Systems provide services that are accessed by processes via mechanisms that involve a ring transition to transfer control to the kernel where the required function is performed. This has one significant drawback that every service call involves an overhead of a context switch where processor state is saved and a protection domain transfer is performed. However, as we discovered, it is possible, on architectures that support segmentation, to achieve a significant performance gain in accessing the services provided by the operating system by not performing a ring transition. Further, such gains can be achieved without compromising on the separation of the privileged components from the non-privileged. Our service call mechanism results in 28 clock cycles in the best case and 50 clock cycles in the average case which is an order of magnitude faster than current widely implemented methods of service or system calls 1.
    Full-text · Article · Jan 2004

Publication Stats

186 Citations
0.66 Total Impact Points

Top Journals

Institutions

  • 2008-2013
    • Carnegie Mellon University
      • Computer Science Department
      Pittsburgh, Pennsylvania, United States
  • 2005-2007
    • University of Texas at Arlington
      • Department of Computer Sciences & Engineering
      Arlington, TX, United States