InkTag: Secure Applications on an Untrusted Operating system

Slides:

Advertisements

Similar presentations

More on File Management

Advertisements

Operating System Security

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Virtual Memory Management G. Anuradha Ref:- Galvin.

Chapter 6 Security Kernels.

Virtual Memory Virtual Memory Management in Mach Labels and Event Processes in Asbestos Ingar Arntzen.

G Robert Grimm New York University Extensibility: SPIN and exokernels.

Active Messages: a Mechanism for Integrated Communication and Computation von Eicken et. al. Brian Kazian CS258 Spring 2008.

Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

KVM/ARM: The Design and Implementation of the Linux ARM Hypervisor Fall 2014 Presented By: Probir Roy.

@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.

CS533 Concepts of OS Class 16 ExoKernel by Constantia Tryman.

Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.

Tanenbaum 8.3 See references

1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.

Jakub Szefer, Eric Keller, Ruby B. Lee Jennifer Rexford Princeton University CCS October, 2011 報告人：張逸文.

APPLICATION PERFORMANCE AND FLEXIBILITY ON EXOKERNEL SYSTEMS M. F. Kaashoek, D. R. Engler, G. R. Ganger H. M. Briceño, R. Hunt, D. Mazières, T. Pinckney,

CS533 Concepts of Operating Systems Jonathan Walpole.

Windows Object Manager CS Spring Overview The object paradigm NT Objects and the Object Manager Object Structure Object Naming Object Handles.

Operating System Support for Virtual Machines Samuel T. King, George W. Dunlap,Peter M.Chen Presented By, Rajesh 1 References [1] Virtual Machines: Supporting.

CSC 501 Lecture 2: Processes. Process Process is a running program a program in execution an “instantiation” of a program Program is a bunch of instructions.

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.

Memory Management 3 Tanenbaum Ch. 3 Silberschatz Ch. 8,9.

Operating Systems ECE344 Ding Yuan Paging Lecture 8: Paging.

The Structure of Processes (Chap 6 in the book “The Design of the UNIX Operating System”)

By Teacher Asma Aleisa Year 1433 H.   Goals of memory management  To provide a convenient abstraction for programming  To allocate scarce memory resources.

Hardware process When the computer is powered up, it begins to execute fetch-execute cycle for the program that is stored in memory at the boot strap entry.

Author: Monirul Sharif, Wenke Lee, Weidong Cui, Andrea Lanzi Reportor: Chun-Chih Wu Advisor: Hsing-Kuo Pao Select: CCS09’

G53SEC 1 Reference Monitors Enforcement of Access Control.

(a) What is the output generated by this program? In fact the output is not uniquely defined, i.e., it is not always the same. So please give three examples.

Operating Systems Lecture November 2015© Copyright Virtual University of Pakistan 2 Agenda for Today Review of previous lecture Hardware (I/O, memory,

A summary by Nick Rayner for PSU CS533, Spring 2006

By Teacher Asma Aleisa Year 1433 H.   Goals of memory management  To provide a convenient abstraction for programming.  To allocate scarce memory.

Joonwon Lee Process and Address Space.

Improving Xen Security through Disaggregation Derek MurrayGrzegorz MilosSteven Hand.

Processes and Virtual Memory

DATA COMPROMISE Controlling the flow of sensitive electronic information remains a major challenge, ranging from theft to accidental violation of policies.

Session 1 Module 1: Introduction to Data Integrity

Hardware process When the computer is powered up, it begins to execute fetch-execute cycle for the program that is stored in memory at the boot strap entry.

Efficient software-based fault isolation Robert Wahbe, Steven Lucco, Thomas Anderson & Susan Graham Presented by: Stelian Coros.

Protection of Processes Security and privacy of data is challenging currently. Protecting information – Not limited to hardware. – Depends on innovation.

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Securing Distributed Systems with Information Flow Control.

What is a Process ? A program in execution.

Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland.

Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).

CS533 Concepts of Operating Systems Jonathan Walpole.

PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.

Translation Lookaside Buffer

Presented by Yoon-Soo Lee

Chapter 9: Virtual Memory

OS Virtualization.

Introduction to Operating Systems

Chapter 9: Virtual-Memory Management

Operating Systems Lecture November 2018.

AEGIS: Secure Processor for Certified Execution

CSE 451: Operating Systems Spring 2012 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.

Translation Lookaside Buffer

Operating Systems Lecture 3.

Lecture 37 Syed Mansoor Sarwar

CSE451 Virtual Memory Paging Autumn 2002

Operating Systems: A Modern Perspective, Chapter 3

Shielding applications from an untrusted cloud with Haven

CSE 542: Operating Systems

Xen and the Art of Virtualization

Presentation transcript:

InkTag: Secure Applications on an Untrusted Operating system Paper from The University of Texas at Austin By: Hofmann, Owns S. Kim, Sangman Dunn, Alan M. Lee, Michael Z. Witchel, Emmett Presented by: Anwaar Alsulaiman

Outline Introduction InkTag: secure applications on an untrusted OS Verifying OS behavior InkTag security guarantees Basic memory isolation mechanisms Paraverification Implementation & Evaluation Conclusion

Introduction

Do you trust your OS? The OS is the software root of trust on most systems. The OS is a shared vulnerability. Root often has OS-level privilege.

What about the hypervisor? Hypervisors have become a common part of the software stack. Hypervisors can be more trustworthy.

Why OS is still a problem? Users want trustworthy applications. Applications still must trust the OS. However, OS still provides all essential services.

Can the hypervisor improve this situation?

InkTag: secure applications on an untrusted OS A system in which secure, trust-worthy programs can efficiently verify an untrusted, commodity OS’ behavior with a small degree of assistance from a small trusted hypervisor.

Verifying OS behavior Application and hypervisor communicate. Hypervisor interposes on low-level updates. Hypervisor requires deep OS visibility into OS application. App OS Hypervisor Page table

InkTag security guarantees Control flow integrity: OS cannot change program counter, registers. Address space integrity: OS cannot read, modify application data. File I/O: applications access the desired files, privacy and integrity for file data, Built on address space integrity. Process control: applications can fork(), exec(). Access control and naming: Applications can defined access control policies, use string filename. Consistency: OS-managed data and hypervisor-managed metadata remain in sync.

Basic memory isolation mechanisms Position of data in address space must match application requests [mmap()]. Ensure OS constructs the correct address space. Application maps file F at addr V. Interpose on page table updates. Match page table updates to application requests.

Challenges: why is this difficult? Interpreting low-level page table updates that OS can construct valid, but confusing page tables, and order in which updates are seen matters. Matching page table updates to application requests that application and hypervisor must communicate complete memory map. Application must validate pointer results returned from kernel.

How can the untrusted OS help?

Paraverification Paraverification: an untrusted OS helping to verify its own behavior: take inspiration from paravirtualization, extensive use of existing parvirtual interface. OS must participate, but information cannot be trusted.

Paraverification: validating PTE updates Untrusted OS notifies hypervisor on page table updates. Application maintains memory mappings in an array of descriptors. Generate a token for each mapping: identifier describing requested mapping,(HMAC(add,file,offset)), in implementation (integer index). Application memory listing protected from OS. Entries always allocated in defined virtual address range. Invalid entries marked.

Paraverification: validating syscall results OS returns tokens to application to assist validation: application maintains linked list of mapping, OS specifies previous entry, application checks for overlap, and updates list.

How can the untrusted OS help? Guarantee sane address space updates. Expose internal OS information to hypervisor and application.

Implementation & Evaluation • Prototype built with KVM, qemu, uClibc - ~3500 hypervisor LOC - Modify libc to validate syscall results OS microbenchmarks - LMBench Applications - SPEC - Apache - DokuWiki

DokuWiki PHP CGI binary with InkTag extensions. • InkTag authentication module: use InkTag access control on wiki page. Result: hypervisor-enforced security for a PHP application: Integrity for all script files, Privacy and integrity for application data. InkTag overhead: many short-lived processes, frequent memory mapping, and 1.54x throughput slowdown.

Other InkTag applications’ overheads LMBench • Low-level OS microbenchmarks. • 5x - 55x slowdown (for μs operations) • High context switch latency. SPEC • CPU-bound applications. • Most applications <= 1.03x. • gcc - 1.14x; perlbench, h264href - 1.10x. Apache • Long-lived processes, infrequent MM activity. • 1.02x throughput slowdown, 1.13x latency.

Conclusion We can enforce trustworthy services from an untrustworthy OS. Paraverification simplifies crucial isolation mechanisms.

Reference: http://www.cs.utexas.edu/~adunn/pubs/hofmann13asplos-inktag.pdf