Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.

Presentation transcript:

Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using SPEs in Cell/B.E.

Attacks against OSes
- OSes are not an exception to attacks, e.g., kernel rootkits
- All the applications are also compromised if the OS is compromised
- It is necessary to check the integrity of OSes, not only at boot time but also at runtime, because OSes are long-running software
- This can increase the reliability of the system
[Figure: a kernel rootkit inside the OS, beneath the application]

Secure OS Monitoring is not Easy
- Running on top of the OS
  - Monitoring systems must issue system calls to the OS, e.g., to obtain process information or to read the kernel memory
  - The results cannot be trusted if the OS is compromised
- Embedded into the OS
  - Monitoring systems can directly examine the kernel
  - They are easily disabled by the compromised OS
[Figure: monitoring systems on top of the OS, issuing system calls]

VM-based Approaches
- Two approaches have been proposed
  - The underlying hypervisor monitors the OS in a virtual machine (VM)
  - A privileged VM monitors the OS in a target VM
- The hypervisor and the privileged VM can also be compromised: there are vulnerabilities in software
[Figure: hypervisor beneath a privileged VM and a target VM running the OS]

Hardware-based Approaches
- Using System Management Mode (SMM) in x86, one of many hardware-based approaches
  - A CPU can securely execute a monitoring system in SMM
  - The monitoring system is located in isolated SMRAM
- Several drawbacks
  - SMM is much slower than the normal mode
  - The monitoring system must be embedded in the BIOS
[Figure: the CPU in SMM runs the monitoring system from SMRAM, separate from main memory used in normal mode]

SPE Observer
- A framework for securely monitoring OSes using Cell/B.E.
- Runs a monitoring system on an SPE
  - An SPE is a general-purpose CPU core
  - Its isolation mode enables secure execution
- Monitors the running status of the monitoring system from an external security proxy
[Figure: target host with Cell/B.E. (PPE running the OS, SPE running the monitoring system) and an external security proxy]

Architecture of Cell/B.E.
- Heterogeneous multicore processor
- PPE (control processing core): runs the OS and regular processes
- SPE (arithmetic processing core)
  - Runs parallel applications
  - Contains its own memory, called a local store
  - Accesses the main memory using DMA
[Figure: PPE and SPE (with local store) attached to main memory; the SPE uses DMA]

Isolation Mode
- Protects the local store in an SPE from the PPE and the other SPEs
- Preserving integrity: attackers cannot modify a running monitoring system or its processing data
- Preserving confidentiality: attackers cannot analyze a monitoring system or steal sensitive information
[Figure: isolated SPE holding the monitoring system in its local store; OS and application on the PPE]

Secure Loader
- Securely loads a monitoring system into the local store of an isolated SPE
- Preserving integrity: attackers cannot load compromised images of monitoring systems
- Preserving confidentiality: attackers cannot decrypt images of monitoring systems
[Figure: an encrypted image in main memory is transferred by DMA to the isolated SPE, where the secure loader verifies and decrypts it]

Availability Issue
- The isolation mode is not perfect for secure execution of monitoring systems
- The PPE can stop the execution of even isolated SPEs
  - It must control all the SPEs
  - Attackers can disable monitoring systems!
- The isolation mode is not designed for PPE monitoring
- Fortunately, the confidentiality of monitoring systems is still preserved
[Figure: the OS on the PPE stopping the monitoring system on the isolated SPE]

Security Proxy
- Externally monitors the running status of monitoring systems on SPEs
- Periodically sends heartbeats to monitoring systems via the relay process
- Cuts the network if monitoring systems do not respond to the heartbeats correctly
[Figure: the security proxy on the external network sends heartbeats through the relay process on the PPE to the monitoring system on the SPE; the target host sits between the external and internal networks]

Secure Heartbeats
- The security proxy sends an encrypted challenge to a monitoring system
- The monitoring system decrypts it and returns an encrypted response
- Attackers cannot return correct responses
  - Only legitimate monitoring systems and the security proxy share secret keys
  - A malicious relay process cannot mount man-in-the-middle attacks
[Figure: the encrypted challenge and encrypted response pass through the relay process between the security proxy and the monitoring system]
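The challenge-response heartbeat of this slide, as an added Python model that is not the authors' code: HMAC-SHA256 over a fresh random challenge stands in for the slide's encrypt/decrypt step (the property the slide relies on, that only holders of the shared key can answer, is the same), the relay is a callable the proxy does not trust, and the proxy cuts the network after a run of missing or wrong responses. The key, message format and failure threshold are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret: in SPE Observer only the security proxy and the
# legitimate monitoring system hold it; the relay process on the PPE does not.
SHARED_KEY = b"constructed-shared-secret-for-illustration"


def make_response(key: bytes, challenge: bytes) -> bytes:
    # HMAC-SHA256 over the fresh challenge stands in for the slide's
    # decrypt-then-encrypt step: only a key holder can produce it.
    return hmac.new(key, b"heartbeat|" + challenge, hashlib.sha256).digest()


class MonitoringSystem:
    """Runs on the isolated SPE; answers heartbeats while it is alive."""
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return make_response(self.key, challenge)


class SecurityProxy:
    """External host: issues heartbeats via the untrusted relay and cuts the
    network after max_failures consecutive missing or wrong responses."""
    def __init__(self, key: bytes, max_failures: int = 3):
        self.key, self.max_failures = key, max_failures
        self.failures, self.network_up = 0, True

    def heartbeat(self, relay) -> bool:
        challenge = secrets.token_bytes(16)       # fresh nonce, so replays fail
        expected = make_response(self.key, challenge)
        response = relay(challenge)               # None models a stopped SPE
        ok = response is not None and hmac.compare_digest(expected, response)
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.network_up = False           # "cut the network"
        return ok


# Relay behaviours: honest forwarding, an SPE the PPE stopped, and a relay
# without the key that replays a response it captured earlier.
def honest_relay(monitor: MonitoringSystem):
    return lambda challenge: monitor.respond(challenge)

def stopped_spe_relay(challenge: bytes):
    return None

def replaying_relay(old_response: bytes):
    return lambda challenge: old_response
```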

Scheduled Monitoring
- SPE Observer can schedule monitoring systems
  - Application performance is improved by not occupying one SPE for a monitoring system
- Scheduling by the security proxy and the SPE scheduler
  - The security proxy periodically sends commands
  - The OS schedules SPEs if necessary
[Figure: commands from the security proxy reach the OS on the PPE via the relay process; an SPE alternates between the application and the monitoring system]

Examples of Monitoring Systems
- Integrity monitor for the OS kernel
  - Obtains the contents of the kernel memory using DMA
  - Calculates a SHA-1 hash and compares it with the correct one
  - Overlaps DMA with calculation using double buffering
- Other possible monitors
  - Monitors for dynamic kernel data, using a technique similar to VM introspection
[Figure: the integrity monitor on the SPE alternates DMA transfers from the kernel memory with SHA-1 calculation over two DMA buffers]

Accessing the Kernel Memory
- SPE Observer configures an isolated SPE to enable access to the kernel memory
- Clears the Problem-State bit in the status register of the MFC
  - The MFC is used for DMA transfers
- Registers an address mapping for the kernel memory in the SLB
  - The SLB is an address translation table
[Figure: the SPE's MFC and SLB mediate DMA between the local store and the kernel memory in main memory]

Experiments
- We conducted several experiments to examine
  - Effectiveness and performance of the integrity monitor
  - Impacts on application performance
- We used an emulation of the isolation mode because we could not obtain the secure loader supporting the hardware-level isolation mode
- Target host (PlayStation 3): CPU 1 PPE, 6 SPEs; local store 256 KB; main memory 256 MB; NIC Gigabit Ethernet; OS Linux
- Security proxy: CPU Xeon E5630; memory 4 GB; NIC Gigabit Ethernet

Integrity Check of the Kernel
- We ran the integrity monitor on an SPE
- It could detect the compromised kernels
  - Modified system call table
  - Modified function for a system call
- We measured the time for the integrity check
  - Hash calculation: 70%
  - DMA was hidden by calculation
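The kernel integrity monitor described under Examples of Monitoring Systems, and the system-call-table check it is evaluated with on this slide, as an added Python simulation that is not the authors' SPE code: the MFC DMA is modelled by a worker thread that prefetches the next buffer while the current one is hashed (double buffering), and a per-region SHA-1 table localises which kernel region a modification hit. The kernel image, region layout and buffer size are constructed.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

BUF = 4096  # one DMA buffer; two of them fit easily in the 256 KB local store


def dma_read(main_memory: bytes, offset: int) -> bytes:
    # Stands in for an MFC DMA "get" of one buffer from the kernel's main memory.
    return main_memory[offset:offset + BUF]


def hash_regions(main_memory: bytes, regions: dict) -> dict:
    """SHA-1 of each named kernel region, fetched with double buffering: the
    DMA for buffer i+1 is in flight while buffer i is being hashed."""
    digests = {}
    with ThreadPoolExecutor(max_workers=1) as dma_engine:
        for name, (start, end) in regions.items():
            sha1 = hashlib.sha1()
            pending = dma_engine.submit(dma_read, main_memory, start)
            for off in range(start, end, BUF):
                buf = pending.result()            # wait for this buffer's DMA
                if off + BUF < end:               # kick off the next transfer
                    pending = dma_engine.submit(dma_read, main_memory, off + BUF)
                sha1.update(buf[:end - off])      # last buffer may be partial
            digests[name] = sha1.hexdigest()
    return digests


def check_integrity(golden: dict, current: dict) -> list:
    """Names of regions whose hash no longer matches the known-good value."""
    return [name for name in golden if current.get(name) != golden[name]]


# Constructed stand-in for kernel memory: 10 KB of code text followed by a
# 300-entry system call table of 8-byte function addresses.
KERNEL_TEXT = bytes(range(256)) * 40
SYSCALL_TABLE = b"".join((0xC0000000 + 64 * i).to_bytes(8, "big") for i in range(300))
MEMORY = KERNEL_TEXT + SYSCALL_TABLE
REGIONS = {
    "text": (0, len(KERNEL_TEXT)),
    "sys_call_table": (len(KERNEL_TEXT), len(MEMORY)),
}
# Known-good hashes, taken from the trusted image at boot time.
GOLDEN = hash_regions(MEMORY, REGIONS)

if __name__ == "__main__":
    print("modified regions:", check_integrity(GOLDEN, hash_regions(MEMORY, REGIONS)))
```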

Impacts on Application Performance
- We ran various applications with various monitors
  - CPU- and DMA-bound applications, using various numbers of SPEs
  - CPU- and DMA-bound monitors, using one SPE
[Figure: a CPU-bound application on several SPEs and a DMA-bound monitor on one SPE, both accessing main memory]

Impacts on Application Performance
- We ran various applications with various monitors
- No monitor affected CPU-bound applications: linear performance improvement with the number of SPEs
- All monitors affected DMA-bound applications, especially DMA-bound monitors

Performance Degradation
- We ran various applications using 6 threads with the integrity monitor
- The monitor occupied one SPE, so an application could use only 5 SPEs
[Figure: the integrity monitor on one SPE; application threads 1 to 5 on the remaining five SPEs, thread 6 waiting]

Performance Degradation
- We ran various applications using 6 threads with the integrity monitor
- The monitor occupied one SPE, so an application could use only 5 SPEs
- Application performance
  - CPU-bound: 83% (= 5/6)
  - DMA-bound: 98% (DMA bandwidth was saturated)
  - Matrix: 18% (waiting for synchronization)

Improvement by Scheduling (1/2)
- SPE Observer scheduled the integrity monitor at various intervals
- We measured the performance of matrix multiplication
[Figure: the integrity monitor and the six application threads sharing the SPEs]

Improvement by Scheduling (1/2)
- SPE Observer scheduled the integrity monitor at various intervals
- We measured the performance of matrix multiplication
- The performance improved as the interval became longer
  - 83% (= 5/6) at a 200-ms interval

Improvement by Scheduling (2/2)
- We measured the performance of CPU- and DMA-bound applications
  - CPU-bound: 96% at a 100-ms interval
  - DMA-bound: almost 100% at a short interval

Related Work
- Copilot [Petroni et al. '04]
  - Sends the contents of the physical memory to a remote host using a special PCI card
  - The remote host checks the integrity of the OS
- Flicker [McCune et al. '08]
  - Executes security-sensitive code using Intel TXT
  - The whole system is suspended while such code is running
- Code verification service [Murase et al. '09]
  - An isolated SPE checks the integrity of applications before they run on the PPE
  - Does not assume that the OS is compromised

Conclusion
- We proposed SPE Observer, a framework for secure execution of OS monitoring systems
  - Using the isolation mode of SPEs to guarantee integrity and confidentiality
  - Using the security proxy to monitor the running status of monitoring systems
  - Scheduling monitoring systems to mitigate performance degradation
- Future work
  - Developing various monitoring systems
  - Developing middleware for better SPE scheduling