A Hardware Security-Monitoring Architecture Based on Data Integrity and Control Flow Integrity for Embedded Systems
Round 1
Reviewer 1 Report
A welcome extension to previous hardware assisted work - with useful evaluations presented in terms of three aspects: security capability, hardware implementation overhead and performance overhead of the platform.
The hybrid methodology improves on the previous state of the art
Some minor edits to grammar required for English following a re-read
I recommend that this paper be accepted
Author Response
We have revised the content of the manuscript in accordance with your comments.
Please see the attachment for details.
Thank you!
Author Response File: Author Response.docx
Reviewer 2 Report
Ortographics:
Line 115/158: harware monitoring
Figure 3 is comparatively small and therefore not easily readable.
Author Response
We have revised the content of the manuscript in accordance with your comments.
Please see the attachment for details.
Thank you!
Author Response File: Author Response.docx
Reviewer 3 Report
* Something is wrong with the tables and their numbering
Table 2 is referred to twice, but there is no table 2
However, there are 2 Table 3.'s
* In figure 4, the first BB (BB1) has 2 targets: one to BB2 and one to BB3. the
start address of BB2 match with the target. that of BB3 doesn't. Shouldn't there
be an exit from BB2 to BB3 ? maybe the start address of BB3 is 0x202c, as the authors
further mention: "The jump destination addresses of BB1 and BB2 are both BB3."
If this is not a typo, this figure is quite confusing.
* Why do the authors target a Virtex-5 FPGA ? That family is 2, maybe 3, generations
old. Also, the design software (ISE 14.6) is rather old and could be replaced with
results from the newer Vivado software.
Also in comparing the resource costs with other work, it would make sense to mention
which targets the other works have.
* The caption of Table 8 doesn't cover the content. The caption seems to be
a copy of Table 7.
* In "5.3. Comparison with Other Integrity Protection Methods", the authors compare
the obtained results with results in literature. However, the wall-of-text is
hard understand. This reviewer feels that one or more tables could be added
to improve the comparison. One table could show, using ticks, which works support
which countermeasures.
A second table could be added to compare the costs of the related work to the
presented work
* The paper is well structured, but suffers from a few errors. Below is a list
of some corrections. Also the amount of abbreviations is substantial which makes
it sometimes hard to follow.
- in detecting attacker tampering with the data
in detecting an attacker tampering with the data
OR
in detecting attackers tampering with the data
- the embedded system designer need to propose
the embedded system designer needs to propose
- HT hidden in the internal logic
HTs hidden in the internal logic
OR
An HT hidden in the internal logic
- the CFI of test program
the CFI of a/the test program
- such as hash function
such as a hash function
- this method increased amount of chip area
this method increased the amount of chip area
- These protection methods mainly monitors
These protection methods mainly monitor
- this approach leaded
this approach led
- and calculate the static data digest
and calculates the static data digest
- the architecture allocate CFI labels
the architecture allocates CFI labels
- the extraction of BBs is elaborated at first
the extraction of BBs is elaborated on first
- the threat model of this paper is describe in detail
the threat model of this paper is described in detail
- the execution of jump instruction
the execution of a jump instruction
- which called the delay slot
which is called the delay slot
- in registers by buffer overflow vulnerability
in registers by a buffer overflow vulnerability
- By monitoring DI and CFI, the HIIM proposed in this paper
Is this the HIIMA or the HMM ?
- we obtian the 64-bit hybrid integrity reference information
we obtain the 64-bit hybrid integrity reference information
xx
- we restrict the target address of an indirect jump instruction can only be the start address of a BB
we restrict the target address of an indirect jump instruction to only be the start address of a BB
- Instead, DI or CFI is considered to have been destroyed.
If not all checks are succelsful, DI and/or CFI are considered to have been destroyed.
- the traditional hash function will take up amount of resources
the traditional hash function will take up a substantial (??) amount of resources
- the nodes in CFG include three parameters.The value of Start_Addr
the nodes in CFG include three parameters. The value of Start_Addr
- corresponding to the decimal number 0-63,
corresponding to the decimal numbers 0-63,
similoar on a[2]
- extract the HD special of the current execution BB
extract the HD special of the BB in current execution
- , and extract the jump target address
, and the HMM will extract the jump target address
- with the searching algorithm proposed in (12)
with the searching algorithm proposed in [12] (the brackets)
- the embedded SoC on Xilinx Virtex 5 FPGA
the embedded SoC on a Xilinx Virtex 5 FPGA
- the hardware-based integrity monitoring module inside OR1200 processor
the hardware-based integrity monitoring module inside the OR1200 processor
- Table 3. The configuration of SoC.
Table 3. The configuration of the SoC.
- Table 4 shows the detection rate of the HIMA proposed
Table 4 shows the detection rate of the HIIMA proposed
- due to such reasons.
due to the same reasons.
OR
due to similar reasons.
- the larger the size required
the larger the size that is required
- Thus, the size of Toatl is the size
Thus, the size of Total is the size
- which causes amount
which causes the amount
- which also consumes amount of on-chip
which also consumes a certain amount of on-chip
- The embedded processor run these benchmarks
The embedded processor runs these benchmarks
- and record the average Cycles Per Instruction (CPI)
and records the average Cycles Per Instruction (CPI)
- will inevitably increase more on-chip resource overhead.
will inevitably increase on-chip resource overhead.
- and their hardware implementation cost are
and their hardware implementation cost is
- However neither [1] nor [11] can prevent attackers
However, neither [1] nor [11] can prevent attackers
- additional encryption modules, which consumes
additional encryption modules, which consume
Author Response
We have revised the content of the manuscript in accordance with your comments.
Please see the attachment for details.
Thank you!
Author Response File: Author Response.docx