Presentation is loading. Please wait.

Presentation is loading. Please wait.

InkTag: Secure Applications on an Untrusted Operating system

Published byGyles Tucker Modified over 9 years ago

Similar presentations

Presentation on theme: "InkTag: Secure Applications on an Untrusted Operating system"— Presentation transcript:

1 InkTag: Secure Applications on an Untrusted Operating system
Paper from The University of Texas at Austin By: Hofmann, Owns S. Kim, Sangman Dunn, Alan M. Lee, Michael Z. Witchel, Emmett Presented by: Anwaar Alsulaiman

2 Outline Introduction InkTag: secure applications on an untrusted OS
Verifying OS behavior InkTag security guarantees Basic memory isolation mechanisms Paraverification Implementation & Evaluation Conclusion

3 Introduction

4 Do you trust your OS? The OS is the software root of trust on most systems. The OS is a shared vulnerability. Root often has OS-level privilege.

5 What about the hypervisor?
Hypervisors have become a common part of the software stack. Hypervisors can be more trustworthy.

6 Why OS is still a problem?
Users want trustworthy applications. Applications still must trust the OS. However, OS still provides all essential services.

7 Can the hypervisor improve this situation?

8 InkTag: secure applications on an untrusted OS
A system in which secure, trust-worthy programs can efficiently verify an untrusted, commodity OS’ behavior with a small degree of assistance from a small trusted hypervisor.

9 Verifying OS behavior Application and hypervisor communicate.
Hypervisor interposes on low-level updates. Hypervisor requires deep OS visibility into OS application. App OS Hypervisor Page table

10 InkTag security guarantees
Control flow integrity: OS cannot change program counter, registers. Address space integrity: OS cannot read, modify application data. File I/O: applications access the desired files, privacy and integrity for file data, Built on address space integrity. Process control: applications can fork(), exec(). Access control and naming: Applications can defined access control policies, use string filename. Consistency: OS-managed data and hypervisor-managed metadata remain in sync.

11 Basic memory isolation mechanisms
Position of data in address space must match application requests [mmap()]. Ensure OS constructs the correct address space. Application maps file F at addr V. Interpose on page table updates. Match page table updates to application requests.

12 Challenges: why is this difficult?
Interpreting low-level page table updates that OS can construct valid, but confusing page tables, and order in which updates are seen matters. Matching page table updates to application requests that application and hypervisor must communicate complete memory map. Application must validate pointer results returned from kernel.

13 How can the untrusted OS help?

14 Paraverification Paraverification: an untrusted OS helping to verify its own behavior: take inspiration from paravirtualization, extensive use of existing parvirtual interface. OS must participate, but information cannot be trusted.

15 Paraverification: validating PTE updates
Untrusted OS notifies hypervisor on page table updates. Application maintains memory mappings in an array of descriptors. Generate a token for each mapping: identifier describing requested mapping,(HMAC(add,file,offset)), in implementation (integer index). Application memory listing protected from OS. Entries always allocated in defined virtual address range. Invalid entries marked.

16 Paraverification: validating syscall results
OS returns tokens to application to assist validation: application maintains linked list of mapping, OS specifies previous entry, application checks for overlap, and updates list.

17 How can the untrusted OS help?
Guarantee sane address space updates. Expose internal OS information to hypervisor and application.

18 Implementation & Evaluation
• Prototype built with KVM, qemu, uClibc - ~3500 hypervisor LOC - Modify libc to validate syscall results OS microbenchmarks - LMBench Applications - SPEC - Apache - DokuWiki

19 DokuWiki PHP CGI binary with InkTag extensions.
• InkTag authentication module: use InkTag access control on wiki page. Result: hypervisor-enforced security for a PHP application: Integrity for all script files, Privacy and integrity for application data. InkTag overhead: many short-lived processes, frequent memory mapping, and 1.54x throughput slowdown.

20 Other InkTag applications’ overheads
LMBench • Low-level OS microbenchmarks. • 5x - 55x slowdown (for μs operations) • High context switch latency. SPEC • CPU-bound applications. • Most applications <= 1.03x. • gcc x; perlbench, h264href x. Apache • Long-lived processes, infrequent MM activity. • 1.02x throughput slowdown, 1.13x latency.

21 Conclusion We can enforce trustworthy services from an untrustworthy OS. Paraverification simplifies crucial isolation mechanisms.

22 Reference:

Download ppt "InkTag: Secure Applications on an Untrusted Operating system"

Similar presentations

More on File Management

More on File Management
Operating System Security

Operating System Security
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Virtual Memory Management G. Anuradha Ref:- Galvin.

Virtual Memory Management G. Anuradha Ref:- Galvin.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
Virtual Memory Virtual Memory Management in Mach Labels and Event Processes in Asbestos Ingar Arntzen.

Virtual Memory Virtual Memory Management in Mach Labels and Event Processes in Asbestos Ingar Arntzen.
G22.3250-001 Robert Grimm New York University Extensibility: SPIN and exokernels.

G Robert Grimm New York University Extensibility: SPIN and exokernels.
Active Messages: a Mechanism for Integrated Communication and Computation von Eicken et. al. Brian Kazian CS258 Spring 2008.

Active Messages: a Mechanism for Integrated Communication and Computation von Eicken et. al. Brian Kazian CS258 Spring 2008.
Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.

Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
KVM/ARM: The Design and Implementation of the Linux ARM Hypervisor Fall 2014 Presented By: Probir Roy.

KVM/ARM: The Design and Implementation of the Linux ARM Hypervisor Fall 2014 Presented By: Probir Roy.
@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.

@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.
CS533 Concepts of OS Class 16 ExoKernel by Constantia Tryman.

CS533 Concepts of OS Class 16 ExoKernel by Constantia Tryman.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.

Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.

Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.
Tanenbaum 8.3 See references

Tanenbaum 8.3 See references
1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.

1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.

Similar presentations

Ads by Google