Secure In-VM Monitoring Using Hardware Virtualization. Authors: Monirul Sharif, Wenke Lee, Weidong Cui, Andrea Lanzi. Reporter: Chun-Chih Wu. Advisor: Hsing-Kuo Pao. Source: CCS'09.

Outline
 Introduction
 Secure In-VM Monitoring
 Implementation
 Experimental Evaluation
 Conclusion

Introduction
 Malicious programs can compromise the operating-system kernel itself, so a monitor that lives inside the kernel can be subverted.
 Many security approaches require the ability to monitor events that execute very frequently (system calls, process creation), so each monitor invocation must be cheap.
 Secure In-VM Monitoring (SIM) is a general-purpose framework built on hardware virtualization and memory-protection features.

 Contributions:
 A monitoring design that uses hardware virtualization and memory-protection features to isolate an in-VM monitor.
 A prototype of the SIM framework implemented on KVM with a Windows guest OS.
 A systematic security analysis of SIM against a number of possible threats, showing that SIM provides no weaker security guarantees than an out-of-VM monitor.

In-VM monitoring and Out-of-VM monitoring (two figures; legend): H = handler, CM = monitor code, DM = monitor data, R = response, A = adversary program, DP = program data, CP = program code, K = hook, DK = hook data. In-VM, the monitor (CM, DM) shares the address space with the adversary; out-of-VM, the monitor sits in a separate VM and every hook crosses through the hypervisor.

 Performance requirements:
 (P1) Fast invocation: switching to the monitor does not involve any privilege-level change.
 (P2) Data read/write at native speed: the monitor reads and writes guest memory without any hypervisor intervention.

 Security requirements:
 (S1) Isolation of the monitor's code (CM) and data (DM).
 (S2) A designated point for switching into CM.
 (S3) A handler (hi) is called if and only if the corresponding hook (ki) executes.
 (S4) The behaviour of the monitor is not maliciously alterable.

Secure In-VM Monitoring

The SIM address space
 SIM code/data: the monitor itself; visible only within the SIM address space.
 Invocation checker: verifies that the call chain is legitimate; visible only in the SIM address space.
 Entry/exit gates: visible in both address spaces, writable only in the SIM address space; tiny, carefully crafted code.
 Kernel code/data: mapped but not executable in the SIM address space, so the monitor cannot accidentally run untrusted code.

Entry/exit gates
 Entry gate:
 1. Disable interrupts (still in the untrusted address space)
 2. Save CPU state to the stack
 3. Switch address space (load the SIM page table)
 4. Disable interrupts again (now in the SIM address space)
 5. Switch the stack to a SIM-private one
 6. Run the invocation checker
 Exit gate:
 1. Restore stack, page table and CPU state
 2. Re-enable interrupts
 3. Jump to the return point

Security requirements, as enforced by SIM
1. Isolation of the monitor's code and data: the hypervisor never allows the monitor's code or data to be mapped into any untrusted address space in the guest VM.
2. Designated point for switching into CM: the only way to enter the trusted address space from the untrusted one is through the entry gates.
3. A handler is called if and only if the corresponding hook executes: each hook invokes its own entry gate, which eventually calls the corresponding handler, and every invoker of an entry gate is verified by the invocation-checking routine.
4. The monitor's behaviour is not maliciously alterable: no code from the untrusted domain is executable in the trusted address space, and the monitor is not allowed to call into the untrusted kernel.
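The gate sequence and the four requirements above, as an added user-space model in C (example code written for this page; it is not the SIM prototype or the paper's code). Real SIM relies on the hypervisor letting the guest switch CR3 between the untrusted and the SIM page tables without a VM exit (that is what P1 and P2 buy); here the switch is a field assignment, the two page-table views are a toy array, and every address, page index, hook site and handler number is invented. What the model does show is which checks hold the design together: the page-level invariants behind S1, S2 and S4, and the invocation checker that enforces S3 by refusing a gate entry whose saved return address is not a registered hook site or that arrived through the wrong gate.

```c
/* Added example: user-space model of SIM's two address-space views and of the
 * entry/exit gate plus invocation checker. Not the paper's code; all addresses,
 * page indices, hook sites and handler numbers below are invented. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NPAGES 16                                  /* toy address space: 16 pages */
enum { P_R = 1, P_W = 2, P_X = 4 };                /* toy page permission bits */
enum region { KERNEL, GATE, MONITOR };

/* Each page has one permission set in the untrusted view and one in the SIM view. */
struct page { enum region kind; uint8_t untrusted; uint8_t sim; };
struct page pt[NPAGES];

/* S1/S2/S4 as invariants over the two views of the page table. */
bool layout_ok(void) {
    for (int i = 0; i < NPAGES; i++) {
        const struct page *p = &pt[i];
        if (p->kind == MONITOR && p->untrusted != 0)    return false; /* S1: monitor unreachable untrusted */
        if (p->kind == GATE    && (p->untrusted & P_W)) return false; /* S2: gate text immutable to kernel */
        if (p->kind == KERNEL  && (p->sim & P_X))       return false; /* S4: kernel code never runs in SIM */
    }
    return true;
}

/* Invented layout: pages 0-9 kernel, 10-11 entry/exit gates, 12-15 monitor. */
bool build_layout(void) {
    for (int i = 0; i < NPAGES; i++) {
        if (i < 10)      pt[i] = (struct page){KERNEL,  P_R | P_W | P_X, P_R | P_W};       /* NX in SIM view */
        else if (i < 12) pt[i] = (struct page){GATE,    P_R | P_X,       P_R | P_W | P_X}; /* writable only in SIM */
        else             pt[i] = (struct page){MONITOR, 0,               P_R | P_W | P_X}; /* absent untrusted */
    }
    return layout_ok();
}

#define CR3_UNTRUSTED 0x1000u                      /* invented page-table roots */
#define CR3_SIM       0x2000u
#define SIM_STACK     0xF000u                      /* SIM-private stack top */

/* Invented hook table: a hook's CALL pushes call_site and jumps to its own gate. */
struct hook { uint32_t call_site; uint32_t gate; int handler; };
static const struct hook hooks[] = {
    { 0x00003010u, 0x0000A000u, 1 },
    { 0x00005200u, 0x0000A040u, 2 },
};

struct cpu {
    uint32_t cr3, esp;
    bool     interrupts_on;
    uint32_t ret_addr;      /* return address the hook's CALL pushed */
    uint32_t saved_esp;     /* untrusted stack pointer, restored by the exit gate */
};

/* Invocation checker (S3): the saved return address must be a registered hook
 * site, and that hook must have entered through its own gate. */
int invocation_check(uint32_t ret_addr, uint32_t gate) {
    for (size_t i = 0; i < sizeof hooks / sizeof hooks[0]; i++)
        if (hooks[i].call_site == ret_addr && hooks[i].gate == gate)
            return hooks[i].handler;
    return -1;
}

/* Entry gate, in the order the slides give; returns the handler to run or -1. */
int entry_gate(struct cpu *c, uint32_t gate) {
    c->interrupts_on = false;          /* cli, still in the untrusted space */
    c->saved_esp = c->esp;             /* save CPU state on the caller's stack */
    c->cr3 = CR3_SIM;                  /* mov cr3: switch address space, no VM exit */
    c->interrupts_on = false;          /* cli again, now in the SIM space */
    c->esp = SIM_STACK;                /* SIM-private stack the kernel cannot reach */
    return invocation_check(c->ret_addr, gate);
}

void exit_gate(struct cpu *c) {
    c->esp = c->saved_esp;             /* restore stack, page table, CPU state */
    c->cr3 = CR3_UNTRUSTED;
    c->interrupts_on = true;           /* sti, then jump to the return point */
}

/* One hook invocation end to end; returns the handler id, or -1 if refused. */
int run_hook(uint32_t ret_addr, uint32_t gate) {
    struct cpu c = { CR3_UNTRUSTED, 0x8000u, true, ret_addr, 0 };
    int h = entry_gate(&c, gate);
    if (h < 0) return -1;              /* response: stay in SIM, do not run a handler */
    exit_gate(&c);
    return (c.cr3 == CR3_UNTRUSTED && c.interrupts_on && c.esp == 0x8000u) ? h : -1;
}

int main(void) {
    printf("layout ok: %d\n", build_layout());
    printf("legit hook -> handler %d\n", run_hook(0x3010u, 0xA000u));
    printf("forged return address -> %d\n", run_hook(0x4444u, 0xA000u));
    pt[12].untrusted = P_R;            /* hypervisor bug: a monitor page leaks into the untrusted view */
    printf("layout ok after leak: %d\n", layout_ok());
    return 0;
}
```

The two failure cases worth noticing are the ones the slides' threat list implies: a forged return address (an adversary jumping to a gate from code that is not a hook) and a hook steered into another hook's gate both fail the invocation check before any handler runs, and a monitor page that becomes mapped in the untrusted view violates S1 regardless of what the gates do.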

Implementation
 Host: a Linux distribution with KVM; guest OS: Windows XP SP2.
 Initialization:
 1. Reserve virtual address ranges in the system address space for creating the entry and exit gates.
 2. The hypervisor component creates the SIM virtual address space.
 3. Load the security monitor application into the SIM address space.
 4. Install the routines that perform switching into the SIM address space.

Experimental Evaluation

Monitor invocation overhead comparison (columns: monitor type, average time in μs, standard deviation in μs; rows: SIM approach, Out-of-VM approach; the timing values did not survive in this transcript).

Process creation monitor performance results (relative overhead figures as stated on the conclusion slide):
Monitor type         Average time (μs)   Relative overhead
Traditional          3.487               (baseline)
Out-of-VM approach                       690.5%
SIM approach                             13.7%

System call tracing macrobenchmarks
Benchmark        Bare            Out-of-VM overhead   SIM overhead
Memory Latency   10.42 MAcc/s    84.58%               7.97%
HTML Render      1.12 pg/s       52.42%               5.83%
File Compress    3.4 MB/s        3.97%                0.59%
File Encrypt     20.56 MB/s      7.85%                0.89%
File Decrypt     78.21 MB/s      2.53%                0.45%
HDD              15.29 MB/s      41.68%               3.74%
Text Edit        82.73 pg/s      128.84%              9.64%
Average          -               46.10%               4.15%

Conclusion
 SIM is a general-purpose framework that provides the same security guarantees as out-of-VM monitoring with the low overhead of in-VM monitoring.
 Considering monitor invocation time alone, SIM reduces monitoring overhead by 11 times.
 For the process-creation monitor, SIM introduces 13.7% overhead, compared with 690.5% for the out-of-VM approach.
 In the system-call tracing macrobenchmarks, SIM's overall overhead stays below 10%, while the out-of-VM approach reaches 128%.