Bispe: A Bytecode Interpreter for Secure Program Execution in Untrusted Main Memory
by Maximilian Seitzer, Michael Gruhn, Tilo Müller
Bispe is a bytecode interpreter providing secure program execution in untrusted main memory scenarios. Its implementation is partially based on TRESOR.
Abstract
Physical access to a system allows attackers to read out RAM through cold boot and DMA attacks. Thus far, countermeasures protect only against attacks targeting disk encryption keys, while the remaining memory content is left vulnerable. We present a bytecode interpreter that protects code and data of programs against memory attacks by executing them without using RAM for sensitive content. Any program content within memory is encrypted, for which the interpreter utilizes TRESOR, a cold boot resistant implementation of the AES cipher. The interpreter was developed as a Linux kernel module, taking advantage of the CPU instruction sets AVX for additional registers, and AES-NI for fast encryption. We show that the interpreter is secure against memory attacks, and that the overall performance is only a factor of 4 slower than the performance of Python. Moreover, the performance penalty is mostly induced by the encryption.
Resources
Bispe was published at ESORICS’15: Paper (.pdf), Slides (.pdf)
The source code is available under the GPL: Source Code (.tar.gz)
Bispe originated from the Bachelor Thesis of Max Seitzer: Thesis (.pdf)