DATA COMPROMISE Controlling the flow of sensitive electronic information remains a major challenge, ranging from theft to accidental violation of policies.

Presentation transcript:

DATA COMPROMISE
Controlling the flow of sensitive electronic information remains a major challenge, ranging from theft to accidental violation of policies. This data does not represent the several breaches that have an unknown number of victims. It includes physical theft and hacking, but concerns only the compromise of electronic data.

Practical Data Confinement
Andrey Ermolinsky, Lisa Fowler, Sachin Katti, and Scott Shenker

[Figure: Chronology of Personal Data Breaches in the US]

KEY PROBLEM
It is difficult to secure sensitive data:
- Modern software is rife with security holes that can be exploited for exfiltration, theft, or leakage
- Users must be trained and trusted to remember, understand, and obey policy regarding data dissemination and handling
- Recent ISACA survey of corporate employees:
  - 35% have knowingly violated corporate information flow policies at least once
  - 22% have transferred sensitive internal information using a USB storage device

OUR GOALS AND CONSTRAINTS
- Develop a practical mechanism for information flow control in enterprise environments
- Protect sensitive data against external attacks
- End-to-end enforcement of high-level information flow policies
  - “do not disseminate the attached file”
  - “do not copy X to USB storage devices”
- Key constraints: compatibility with existing software (OS and applications) and patterns of use

[Figure: PDC Implementation: Overview]

OUR APPROACH
- Fine-grained information flow control (IFC) and policy enforcement in virtual hardware
  - Interpose a thin virtualization layer (hypervisor) between the OS kernel and hardware
  - Hypervisor emulates hardware-level IFC
    - Associates a sensitivity tag with each byte of the virtual machine (registers, memory, disk)
    - Tracks propagation of tags at the level of machine instructions
    - Intercepts output (network transmission, writes to removable storage) and enforces policies
- Coarse-grained VM-level partitioning

[Figure: Tag tracking code generation (example)]

“When security gets in the way, sensible, well meaning, dedicated people develop hacks and workarounds that defeat the security.” - Don Norman

Our focus

Data from:
- Privacy Clearing House, retrieved Jan
- Information Systems Audit and Control Association (ISACA), August 2007

PRELIMINARY PERFORMANCE STUDY
- Worst-case 10x slowdown for compute-intensive tasks (e.g., text searching)
- Overhead depends on the amount of sensitive data and degree of tag fragmentation

[Figure: Red/Green VM Partitioning]

MAIN CHALLENGES
- Tag storage overhead (exploit spatial locality)
- Computational overhead of tag tracking (“on-demand” emulation, asynchronous tracking)
- Tag explosion and erosion
- Semantic gap between app-level data units and machine state

PDC IMPLEMENTATION
Prototype: Hypervisor (Xen); Paravirtualized Linux guest kernel; x86 Emulator/Tag Tracker (QEMU); Tag-aware filesystem (ext3)

Information Flow Tracking:
- Hypervisor
  - Dynamically switches the guest VM between native virtualized and emulated execution
  - Plays tricks with guest page tables to intercept initial access to sensitive data
- Emulator/Tag Tracker
  - Recompiles the machine code, generates corresponding set of tag tracking instructions
  - Executes the tag tracking instruction stream asynchronously in a separate thread
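
The byte-level tag tracking described under OUR APPROACH, shown as an added example that is not code from the PDC prototype. The toy four-register machine, its instruction set, the struct names and the 0/1 tag values are all assumptions made for illustration; it keeps a shadow tag per register and memory byte, propagates the tag alongside each instruction, and checks it where output is intercepted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Toy machine (assumption, not PDC's x86 emulator): 4 registers, 64 bytes of memory. */
enum { NREG = 4, MEMSZ = 64 };
enum op { OP_LOAD, OP_STORE, OP_MOV, OP_ADD, OP_LOADI, OP_OUT };
struct insn { enum op op; uint8_t a, b; };   /* a = register, b = register/address/immediate */
struct vm {
    uint8_t reg[NREG], mem[MEMSZ];           /* machine state */
    uint8_t rtag[NREG], mtag[MEMSZ];         /* shadow tags: 1 = sensitive, 0 = public */
    unsigned sent, blocked;                  /* outputs allowed / denied by policy */
};

/* Execute one instruction together with the tag update that shadows it. */
void step(struct vm *v, struct insn i) {
    uint8_t r = i.a % NREG, rs = i.b % NREG, m = i.b % MEMSZ;
    switch (i.op) {
    case OP_LOAD:  v->reg[r] = v->mem[m];  v->rtag[r] = v->mtag[m];  break;
    case OP_STORE: v->mem[m] = v->reg[r];  v->mtag[m] = v->rtag[r];  break;
    case OP_MOV:   v->reg[r] = v->reg[rs]; v->rtag[r] = v->rtag[rs]; break;
    case OP_ADD:   v->reg[r] = (uint8_t)(v->reg[r] + v->reg[rs]);
                   v->rtag[r] |= v->rtag[rs];                        break; /* union of sources */
    case OP_LOADI: v->reg[r] = i.b;        v->rtag[r] = 0;           break; /* constant is public */
    case OP_OUT:   if (v->rtag[r]) v->blocked++; else v->sent++;     break; /* policy at output */
    }
}

/* Constructed demo: mem[0] holds a sensitive byte, mem[1] a public one. */
struct vm run_demo(void) {
    struct vm v;
    memset(&v, 0, sizeof v);
    v.mem[0] = 0x41; v.mtag[0] = 1;
    v.mem[1] = 0x02;
    const struct insn prog[] = {
        {OP_LOAD,  0, 0},  /* r0 <- sensitive byte */
        {OP_LOAD,  1, 1},  /* r1 <- public byte */
        {OP_ADD,   1, 0},  /* r1 now derives from sensitive data */
        {OP_STORE, 1, 8},  /* mem[8] inherits the tag */
        {OP_OUT,   1, 0},  /* tagged: blocked */
        {OP_LOADI, 1, 7},  /* overwriting with a constant clears the tag */
        {OP_OUT,   1, 0},  /* untagged: sent */
        {OP_LOAD,  2, 8},  /* copy laundered through memory keeps its tag */
        {OP_OUT,   2, 0},  /* tagged: blocked */
    };
    for (size_t k = 0; k < sizeof prog / sizeof prog[0]; k++) step(&v, prog[k]);
    return v;
}

int main(void) { struct vm v = run_demo(); return !(v.blocked == 2 && v.sent == 1); }
```

This sketch propagates tags only along explicit data movement; a branch taken on a tagged value would not tag what it writes.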