The software chain of trust starts with a chain of loaders. Software is just as reliant on the sequence of loaders that ultimately sets up its runtime environment as it is on the libraries with which it shares its address space and onto which it offloads tasks. Loaders, and especially bootloaders, act as the keystone of trust, yet their formal security properties, which should be part of any solid bootloader design, are both underappreciated and not well understood. This is especially problematic given the increasing adoption of loader-based code signing and execution enforcement mechanisms. My thesis digs deeply into how loaders have failed to earn our trust and how they may continue to harbor vulnerabilities even after memory corruption-based vulnerabilities lose their prevalence. To address these issues, I propose a memory region-based type system that allows us to better model a loader's intentions and thus mediate its behavior. More specifically, I show how a loader's execution can be broken down into a sequence of typed phases, each semantically classified as a bookkeeping, loading, or patching substage, while sections of memory are grouped into semantically related regions and assigned a type, based on their intended use, by which policy access decisions are made. I demonstrate the feasibility of this technique by applying it to Das U-Boot, a well-known and widely used bootloader, with minimal changes to the bootloader's implementation. To do so, I designed and developed an extensive bootloader instrumentation suite to help analyze a bootloader's behaviors, construct a policy, and completely mediate operations, thereby enforcing the behaviors governed by the type system's policy.
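As an added illustration, not code from the dissertation or from U-Boot, the following C model sketches the mediation idea the abstract describes: memory is partitioned into typed regions, loader execution is tagged with its current phase (bookkeeping, loading, patching), and every access is checked against a policy keyed on (phase, region type, operation). The region boundaries, region types and policy rules here are constructed assumptions for demonstration, not the thesis's actual policy.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of a region-typed loader policy; not U-Boot or thesis code. */
typedef enum { PHASE_BOOKKEEPING, PHASE_LOADING, PHASE_PATCHING } phase_t;
typedef enum { REGION_LOADER_CODE, REGION_LOADER_DATA, REGION_IMAGE, REGION_DEVICE } region_type_t;
typedef enum { OP_READ, OP_WRITE, OP_EXEC } op_t;
typedef struct { uintptr_t start, end; region_type_t type; } region_t;
typedef struct { phase_t phase; uintptr_t addr; op_t op; } access_t;
/* Hypothetical memory map: loader text, loader data, image staging area, MMIO. */
static const region_t regions[] = {
    { 0x00100000u, 0x00200000u, REGION_LOADER_CODE },
    { 0x00200000u, 0x00300000u, REGION_LOADER_DATA },
    { 0x80000000u, 0x81000000u, REGION_IMAGE },
    { 0xF0000000u, 0xF0010000u, REGION_DEVICE },
};

static const region_t *find_region(uintptr_t addr) {
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++)
        if (addr >= regions[i].start && addr < regions[i].end) return &regions[i];
    return NULL;
}

/* Policy keyed on (phase, region type, operation); 1 = allow, 0 = deny. */
static int policy_allows(phase_t phase, region_type_t type, op_t op) {
    switch (type) {
    case REGION_LOADER_CODE: return op != OP_WRITE;   /* loader never rewrites itself */
    case REGION_LOADER_DATA: return op != OP_EXEC;    /* bookkeeping state is never executed */
    case REGION_IMAGE:                                /* staged payload: written only while loading/patching */
        if (op == OP_WRITE) return phase == PHASE_LOADING || phase == PHASE_PATCHING;
        return op == OP_READ;                         /* handoff to the image is outside this model */
    case REGION_DEVICE:                               /* MMIO touched only by loading/patching stages */
        return op != OP_EXEC && phase != PHASE_BOOKKEEPING;
    }
    return 0;
}

/* Mediation hook: called on every access; addresses outside any typed region are denied. */
int mediate(phase_t phase, uintptr_t addr, op_t op) {
    const region_t *r = find_region(addr);
    return r ? policy_allows(phase, r->type, op) : 0;
}

/* Replays a recorded access trace through the mediator and returns how many were denied. */
size_t count_violations(const access_t *trace, size_t n) {
    size_t denied = 0;
    for (size_t i = 0; i < n; i++)
        if (!mediate(trace[i].phase, trace[i].addr, trace[i].op)) denied++;
    return denied;
}
```

In an instrumented bootloader the `mediate` hook would sit on the memory-access path and `count_violations` would run over a captured trace when constructing or auditing the policy.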
Advisor: Bratus, Sergey; Smith, Sean W.
Committee: Balkom, Devin; Morrisett, Greg
School Location: United States -- New Hampshire
Source: DAI-B 79/09(E), Dissertation Abstracts International
Keywords: Bootloading, Security, Systems