InkTag: Secure Applications on an Untrusted Operating System. Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin
|
|
- Posy Randall
- 5 years ago
- Views:
Transcription
1 InkTag: Secure lications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin
2 You trust your... should you? The is the software root of trust on most systems The is a shared vulnerability compromise infects all The is a vulnerable vulnerability Syscall interface a complex attack surface ioctl() Root often has -level privilege 2
3 You trust your... should you? The is the software root of trust on most systems The is a shared vulnerability compromise infects all The is a vulnerable vulnerability Syscall interface a complex attack surface ioctl() Root often has -level privilege 2
4 You trust your... should you? The is the software root of trust on most systems The is a shared vulnerability compromise infects all The is a vulnerable vulnerability Syscall interface a complex attack surface ioctl() Root often has -level privilege 2
5 You trust your... should you? The is the software root of trust on most systems The is a shared vulnerability compromise infects all The is a vulnerable vulnerability Syscall interface a complex attack surface ioctl() Root often has -level privilege 2
6 You should trust the hypervisor s have become a common part of the software stack Provide a layer of indirection under the s can be more trustworthy Fewer lines of code Thinner interface Fewer vulnerabilities 3
7 But the is still a problem Users want trustworthy applications lications still must trust the 4
8 But the is still a problem Users want trustworthy applications lications still must trust the 4
9 But the is still a problem Users want trustworthy applications lications still must trust the 4
10 Removing trust Why can the kernel compromise applications? No isolation still provides all essential services File I/O Memory mapping 5
11 Isolate and verify Can the hypervisor improve this situation? Previous systems have examined this problem Overshadow [ASPL 08] Trusted hypervisor isolates an application from an untrusted kernel Ensure that the follows its contract with the application 6
12 Verifying behavior 1. lication asks to update high-level state V = mmap(null,..., F, offset); lication expects pages from file F at address V 2. updates low-level state Immediately On-demand (e.g. paging) 3. Do updates match application requests? Did the map a frame containing data from F at the correct offset? page table 7
13 Verifying behavior 1. lication asks to update high-level state V = mmap(null,..., F, offset); lication expects pages from file F at address V 2. updates low-level state Immediately On-demand (e.g. paging) 3. Do updates match application requests? Did the map a frame containing data from F at the correct offset? mmap() 0x7FFCB... page table 7
14 Verifying behavior 1. lication asks to update high-level state V = mmap(file=f, offset=o); lication expects pages from file F at address V 2. updates low-level state Immediately On-demand (e.g. paging) 3. Do updates match application requests? Did the map a frame containing data from F at the correct offset? mmap() 0x7FFCB... page table 8
15 Verifying behavior 1. lication asks to update high-level state V = mmap(file=f, offset=o); lication expects pages from file F at address V 2. updates low-level state Immediately On-demand (e.g. paging) 3. Do updates match application requests? Did the map a frame containing data from F at the correct offset? page table 9
16 Verifying behavior 1. lication asks to update high-level state V = mmap(file=f, offset=o); lication expects pages from file F at address V 2. updates low-level state Immediately On-demand (e.g. paging) 3. Do updates match application requests? Did the map a frame containing data from F at the correct offset? page fault page table 9
17 Verifying behavior 1. lication asks to update high-level state V = mmap(file=f, offset=o); lication expects pages from file F at address V 2. updates low-level state Immediately On-demand (e.g. paging) 3. Do updates match application requests? Did the map a frame containing data from F at the correct offset? page fault page table set_pte() 9
18 Verifying behavior 1. lication asks to update high-level state V = mmap(file=f, offset=o); lication expects pages from file F at address V 2. updates low-level state Immediately On-demand (e.g. paging) 3. Do updates match application requests? Did the map a frame containing data from F at the correct offset? page fault page table 9
19 Verifying behavior 1. lication asks to update high-level state V = mmap(file=f, offset=o); lication expects pages from file F at address V 2. updates low-level state Immediately On-demand (e.g. paging) 3. Do updates match application requests? Did the map a frame containing data from F at the correct offset? page fault page table 10
20 Verifying behavior lication and hypervisor communicate Synchronize on high-level application state interposes on low-level updates Validate updates against expected state requires deep visibility into, application (semantic gap) page table 11
21 Verifying behavior lication and hypervisor communicate Synchronize on high-level application state interposes on low-level updates Validate updates against expected state requires deep visibility into, application (semantic gap) page table set_pte() 11
22 InkTag: secure applications on an untrusted Paraverification: require active participation from the untrusted for simpler, more efficient hypervisor design 12
23 InkTag security guarantees Control flow integrity cannot change program counter, registers Address space integrity cannot read or modify application data File I/O lications access the desired files Privacy and integrity for file data Built on address space integrity Process control lications can fork(), exec() Access control and naming lications can define access control policies, use string filenames Consistency -managed data and hypervisor-managed metadata remain in sync 13
24 InkTag security guarantees Control flow integrity cannot change program counter, registers Address space integrity cannot read or modify application data File I/O lications access the desired files Privacy and integrity for file data Built on address space integrity Process control lications can fork(), exec() Access control and naming lications can define access control policies, use string filenames Consistency -managed data and hypervisor-managed metadata remain in sync 14
25 InkTag security guarantees Control flow integrity cannot change program counter, registers Address space integrity cannot read or modify application data File I/O lications access the desired files Privacy and integrity for file data Built on address space integrity Process control lications can fork(), exec() Access control and naming lications can define access control policies, use string filenames Consistency -managed data and hypervisor-managed metadata remain in sync 15
26 InkTag security guarantees Control flow integrity cannot change program counter, registers Address space integrity cannot read or modify application data File I/O lications access the desired files Privacy and integrity for file data Basic Built memory on address isolation space integrity mechanisms Process Challenges: control why is this difficult? lications can fork(), exec() Paraverification: how can the untrusted help? Access control and naming lications can define access control policies, use string filenames Consistency -managed data and hypervisor-managed metadata remain in sync 16
27 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 17
28 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 17
29 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 17
30 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 17
31 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 17
32 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 17
33 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 18
34 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 18
35 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 18
36 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity 18
37 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Position of data in address space must match application requests [mmap()] Ensure constructs the correct address space
38 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Position of data in address space must match application requests [mmap()] Ensure constructs the correct address space
39 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Position of data in address space must match application requests [mmap()] Ensure constructs the correct address space
40 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Position of data in address space must match application requests [mmap()] Ensure constructs the correct address space
41 Ensure constructs the correct address space lication maps file F at addr V Are page faults to V handled correctly? Decrypted physical frame has same hash as F Interpose on page table updates Disallow arbitrary mapping Determine high-level update implied by low-level PTE change Match page table updates to application requests Virtual address V = file F, offset O Result of previous mmap() call page table 20
42 Ensure constructs the correct address space lication maps file F at addr V Are page faults to V handled correctly? Decrypted physical frame has same hash as F Interpose on page table updates Disallow arbitrary mapping Determine high-level update implied by low-level PTE change Match page table updates to application requests Virtual address V = file F, offset O Result of previous mmap() call mmap() 0x7FFCB... page table 20
43 Ensure constructs the correct address space lication maps file F at addr V Are page faults to V handled correctly? Decrypted physical frame has same hash as F Interpose on page table updates Disallow arbitrary mapping Determine high-level update implied by low-level PTE change Match page table updates to application requests Virtual address V = file F, offset O Result of previous mmap() call page fault page table 20
44 Ensure constructs the correct address space lication maps file F at addr V Are page faults to V handled correctly? Decrypted physical frame has same hash as F Interpose on page table updates Disallow arbitrary mapping Determine high-level update implied by low-level PTE change Match page table updates to application requests Virtual address V = file F, offset O Result of previous mmap() call page fault page table set_pte() 20
45 Ensure constructs the correct address space lication maps file F at addr V Are page faults to V handled correctly? Decrypted physical frame has same hash as F Interpose on page table updates Disallow arbitrary mapping Determine high-level update implied by low-level PTE change Match page table updates to application requests Virtual address V = file F, offset O Result of previous mmap() call page fault page table 20
46 Ensure constructs the correct address space lication maps file F at addr V Are page faults to V handled correctly? Decrypted physical frame has same hash as F Interpose on page table updates Disallow arbitrary mapping Determine high-level update implied by low-level PTE change Match page table updates to application requests Virtual address V = file F, offset O Result of previous mmap() call page fault page table 21
47 Ensure constructs the correct address space lication maps file F at addr V Are page faults to V handled correctly? Decrypted physical frame has same hash as F Interpose on page table updates Disallow arbitrary mapping Determine high-level update implied by low-level PTE change Match page table updates to application requests Virtual address V = file F, offset O Result of previous mmap() call page fault page table 22
48 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Interpreting low-level page table updates can construct valid, but confusing page tables Order in which updates are seen matters Matching page table updates to application requests lication and hypervisor must communicate complete memory map PT PT(2) 23
49 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Interpreting low-level page table updates can construct valid, but confusing page tables Order in which updates are seen matters Matching page table updates to application requests lication and hypervisor must communicate complete memory map PT (1) PT (2) 23
50 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Interpreting low-level page table updates can construct valid, but confusing page tables Order in which updates are seen matters Matching page table updates to application requests lication and hypervisor must communicate complete memory map PT (1) PT (2) 24
51 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Interpreting low-level page table updates can construct valid, but confusing page tables Order in which updates are seen matters Matching page table updates to application requests lication and hypervisor must communicate complete memory map PT (1) PT (2) 24
52 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Interpreting low-level page table updates can construct valid, but confusing page tables Order in which updates are seen matters Matching page table updates to application requests lication and hypervisor must communicate complete memory map PT (1) PT (2) 24
53 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Interpreting low-level page table updates can construct valid, but confusing page tables Order in which updates are seen matters Matching page table updates to application requests lication and hypervisor must communicate complete memory map PT (1) PT (2) 25
54 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Interpreting low-level page table updates can construct valid, but confusing page tables Order in which updates are seen matters Matching page table updates to application requests lication and hypervisor must communicate complete memory map PT (1) PT (2) 25
55 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Interpreting low-level page table updates can construct valid, but confusing page tables Order in which updates are seen matters Matching page table updates to application requests lication and hypervisor must communicate complete memory map PT (1) PT (2) 25
56 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Stack lication must validate pointer results returned from kernel Iago attacks [ASPL 13] New region 26
57 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Stack New region lication must validate pointer results returned from kernel Iago attacks [ASPL 13] mmap() 0x7FFCB... 26
58 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? The updates page tables Can guarantee sanity and ordering The maintains memory maps Can expose that information to hypervisor and application 27
59 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Paraverification: an untrusted helping to verify its own behavior Take inspiration from paravirtualization Extensive use of existing paravirtual interface must participate, but information cannot be trusted 28
60 Paraverification: validating PTE updates Untrusted notifies hypervisor on page table updates Regular structure In update order 29
61 Paraverification: validating PTE updates Untrusted notifies hypervisor on page table updates Regular structure In update order pte_update( addr=0x7fcb... 29
62 Paraverification: validating PTE updates.file=....addr=....offset=... lication maintains memory mappings in an array of descriptors Interpose on mmap() in libc Generate a token for each mapping Unforgeable identifier describing requested mapping e.g. HMAC(addr, file, offset) In implementation, integer index 30
63 Paraverification: validating PTE updates.file=....addr=....offset=... mmap(file=..., token=5 0x7FCB... lication maintains memory mappings in an array of descriptors Interpose on mmap() in libc Generate a token for each mapping Unforgeable identifier describing requested mapping e.g. HMAC(addr, file, offset) In implementation, integer index 30
64 Paraverification: validating PTE updates.file=....addr=....offset=... lication maintains memory mappings in an array of descriptors Interpose on mmap() in libc Generate a token for each mapping Unforgeable identifier describing requested mapping e.g. HMAC(addr, file, offset) In implementation, integer index 30
65 Paraverification: validating PTE updates.file=....addr=....offset=... lication maintains memory mappings in an array of descriptors Interpose on mmap() in libc Generate a token for each mapping Unforgeable identifier describing requested mapping e.g. HMAC(addr, file, offset) In implementation, integer index 30 pte_update( addr=0x7fcb... token=5
66 Paraverification: validating PTE updates.file=....addr=....offset=... lication maintains memory mappings in an array of descriptors Interpose on mmap() in libc Generate a token for each mapping Unforgeable identifier describing requested mapping e.g. HMAC(addr, file, offset) In implementation, integer index 30 pte_update( addr=0x7fcb... token=5
67 Paraverification: validating PTE updates.file=....addr=....offset=... lication memory listing protected from Entries always allocated in defined virtual address range Invalid entries marked 31
68 Paraverification: validating PTE updates.file=....addr=....offset=... pte_update( addr=0x7fcb... token=eleventy lication memory listing protected from Entries always allocated in defined virtual address range Invalid entries marked 31
69 Paraverification: validating PTE updates.file=....addr=....offset=... pte_update( addr=0x7fcb... token=eleventy lication memory listing protected from Entries always allocated in defined virtual address range Invalid entries marked 31
70 Paraverification: validating PTE updates.file=....addr=....offset=... pte_update( addr=0x7fcb... token=eleventy lication memory listing protected from Entries always allocated in defined virtual address range Invalid entries marked 31
71 Paraverification: validating syscall results.file=....addr=....offset=... returns tokens to application to assist validation lication maintains linked list of mappings specifies previous entry lication checks for overlap, updates list 32
72 Paraverification: validating syscall results.file=....addr=....offset=... mmap(file=..., token=5 0x7FCB... returns tokens to application to assist validation lication maintains linked list of mappings specifies previous entry lication checks for overlap, updates list 32
73 Paraverification: validating syscall results.file=....addr=....offset=... mmap(file=..., token=5 0x7FCB..., prev=2 returns tokens to application to assist validation lication maintains linked list of mappings specifies previous entry lication checks for overlap, updates list 32
74 Paraverification: validating syscall results.file=....addr=....offset=... mmap(file=..., token=5 0x7FCB..., prev=2 Basic memory isolation mechanisms Challenges: why is this difficult? returns tokens to application to assist validation lication maintains linked list of mappings and application specifies previous entry lication checks for overlap, updates list Paraverification: how can the untrusted help? Guarantee sane address space updates Expose internal information to hypervisor 33
75 Implementation & Evaluation Prototype built with KVM, qemu, uclibc ~3500 hypervisor LOC Modify libc to validate syscall results microbenchmarks LMBench lications SPEC Apache DokuWiki 34
76 DokuWiki PHP CGI binary with InkTag extensions InkTag authentication module Use InkTag access control on wiki pages Result: hypervisor-enforced security for a PHP application Integrity for all script files Privacy and integrity for application data 35
77 InkTag overheads LMBench Low-level microbenchmarks 5x - 55x slowdown (for µs operations) High context switch latency SPEC CPU-bound applications Most applications <= 1.03x gcc x; perlbench, h264href x Apache Long-lived processes, infrequent MM activity 1.02x throughput slowdown, 1.13x latency DokuWiki Many short-lived processes, frequent memory mapping 1.54x throughput slowdown 36
78 Related work Untrusted operating systems XOM [Lie et al. SP 03] Overshadow [Chen et al. ASPL 08] SP 3 [Yang & Shin VEE 08] Cloudvisor [Zhang et al. SP 11] 37
79 Conclusion We can enforce trustworthy services from an untrustworthy Paraverification simplifies crucial isolation mechanisms 38
0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 X. Chen, T, Garfinkel, E. Lewis, P. Subrahmanyam, C. Waldspurger, D. Boneh, J. Dwoskin,
More informationIAGO ATTACKS: WHY THE SYSTEM CALL API IS A BAD UNTRUSTED RPC INTERFACE
IAGO ATTACKS: WHY THE SYSTEM CALL API IS A BAD UNTRUSTED RPC INTERFACE Stephen Checkoway and Hovav Shacham March 19, 2013 1 1 A vulnerable program #include int main() { void *p = malloc(100);
More informationOvershadow: Retrofitting Protection in Commodity Operating Systems
Overshadow: Retrofitting Protection in Commodity Operating Systems Mike Chen Tal Garfinkel E. Christopher Lewis Pratap Subrahmanyam Carl Waldspurger VMware, Inc. Dan Boneh Jeffrey Dwoskin Dan R.K. Ports
More informationSecure Computation Interfaces
Secure Computation Interfaces Manuel Costa, Orion Hodson, Marcus Peinado, Sriram Rajamani, Mark Russinovich, Kapil Vaswani Introduction Applications such as secure Hadoop [1] need to have part of their
More informationSPECTRES, VIRTUAL GHOSTS, AND HARDWARE SUPPORT
SPECTRES, VIRTUAL GHOSTS, AND HARDWARE SUPPORT Xiaowan Dong Zhuojia Shen John Criswell Alan Cox Sandhya Dwarkadas University of Rochester University of Rochester University of Rochester Rice University
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules
More informationAdvanced Systems Security: Virtual Machine Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationAutoscopy Jr.: Intrusion Detec3on for Embedded Control Systems
Autoscopy Jr.: Intrusion Detec3on for Embedded Control Systems Jason Reeves, Ashwin Ramaswamy, Michael Locasto, Sergey Bratus, and Sean Smith CSRS 2011 Dartmouth College September 24, 2011 1 Outline Mo3va3on
More informationARMlock: Hardware-based Fault Isolation for ARM
ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou, Xiaoguang Wang, Yue Chen, and Zhi Wang North Carolina State University Xi an Jiaotong University Florida State University Software is Complicated
More informationRISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas
RISCV with Sanctum Enclaves Victor Costan, Ilia Lebedev, Srini Devadas Today, privilege implies trust (1/3) If computing remotely, what is the TCB? Priviledge CPU HW Hypervisor trusted computing base OS
More informationLecture 4: Mechanism of process execution. Mythili Vutukuru IIT Bombay
Lecture 4: Mechanism of process execution Mythili Vutukuru IIT Bombay Low-level mechanisms How does the OS run a process? How does it handle a system call? How does it context switch from one process to
More informationCSE543 - Computer and Network Security Module: Virtualization
CSE543 - Computer and Network Security Module: Virtualization Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1 1 Operating System Quandary Q: What is the primary goal of
More informationInfluential OS Research Security. Michael Raitza
Influential OS Research Security Michael Raitza raitza@os.inf.tu-dresden.de 1 Security recap Various layers of security Application System Communication Aspects of security Access control / authorization
More informationAnne Bracy CS 3410 Computer Science Cornell University
Anne Bracy CS 3410 Computer Science Cornell University The slides were originally created by Deniz ALTINBUKEN. P&H Chapter 4.9, pages 445 452, appendix A.7 Manages all of the software and hardware on the
More informationVirtual Machine Virtual Machine Types System Virtual Machine: virtualize a machine Container: virtualize an OS Program Virtual Machine: virtualize a process Language Virtual Machine: virtualize a language
More informationINFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD OVERVIEW Fundamental
More informationBeyond the PDP-11: Architectural support for a memory-safe C abstract machine
Trustworthy Systems Research and CTSRDCRASH-worthy Development Beyond the PDP-11: Architectural support for a memory-safe C abstract machine David Chisnall, Colin Rothwell, Brooks Davis, Robert N.M. Watson,
More informationThe Kernel Abstraction. Chapter 2 OSPP Part I
The Kernel Abstraction Chapter 2 OSPP Part I Kernel The software component that controls the hardware directly, and implements the core privileged OS functions. Modern hardware has features that allow
More informationEnhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization
Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization Anton Kuijsten Andrew S. Tanenbaum Vrije Universiteit Amsterdam 21st USENIX Security Symposium Bellevue,
More informationThe Challenges of X86 Hardware Virtualization. GCC- Virtualization: Rajeev Wankar 36
The Challenges of X86 Hardware Virtualization GCC- Virtualization: Rajeev Wankar 36 The Challenges of X86 Hardware Virtualization X86 operating systems are designed to run directly on the bare-metal hardware,
More informationXen and the Art of Virtualization. Nikola Gvozdiev Georgian Mihaila
Xen and the Art of Virtualization Nikola Gvozdiev Georgian Mihaila Outline Xen and the Art of Virtualization Ian Pratt et al. I. The Art of Virtualization II. Xen, goals and design III. Xen evaluation
More informationLecture 7. Xen and the Art of Virtualization. Paul Braham, Boris Dragovic, Keir Fraser et al. 16 November, Advanced Operating Systems
Lecture 7 Xen and the Art of Virtualization Paul Braham, Boris Dragovic, Keir Fraser et al. Advanced Operating Systems 16 November, 2011 SOA/OS Lecture 7, Xen 1/38 Contents Virtualization Xen Memory CPU
More informationCSE543 - Computer and Network Security Module: Virtualization
CSE543 - Computer and Network Security Module: Virtualization Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1 Operating System Quandary Q: What is the primary goal of system
More informationMiniBox: A Two-Way Sandbox for x86 Native Code
MiniBox: A Two-Way Sandbox for x86 Native Code Yanlin Li CyLab/CMU Jonathan McCune CyLab/CMU, Google Inc. James Newsome CyLab/CMU, Google Inc. Adrian Perrig CyLab/CMU Brandon Baker Google Inc. Will Drewry
More informationAdvanced Systems Security: Virtual Machine Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationBUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX
BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX FLORIAN KERSCHBAUM, UNIVERSITY OF WATERLOO JOINT WORK WITH BENNY FUHRY (SAP), ANDREAS FISCHER (SAP) AND MANY OTHERS DO YOU TRUST YOUR CLOUD SERVICE
More informationCIS 5373 Systems Security
CIS 5373 Systems Security Topic 3.1: OS Security Basics of secure design Endadul Hoque Slide Acknowledgment Contents are based on slides from Ninghui Li (Purdue), John Mitchell (Stanford), Dan Boneh (Stanford)
More informationExtended Page Tables (EPT) A VMM must protect host physical memory Multiple guest operating systems share the same host physical memory VMM typically implements protections through page-table shadowing
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationTolerating Malicious Drivers in Linux. Silas Boyd-Wickizer and Nickolai Zeldovich
XXX Tolerating Malicious Drivers in Linux Silas Boyd-Wickizer and Nickolai Zeldovich How could a device driver be malicious? Today's device drivers are highly privileged Write kernel memory, allocate memory,...
More informationCIS Operating Systems CPU Mode. Professor Qiang Zeng Spring 2018
CIS 3207 - Operating Systems CPU Mode Professor Qiang Zeng Spring 2018 CPU Modes Two common modes Kernel mode The CPU has to be in this mode to execute the kernel code User mode The CPU has to be in this
More informationCS261 Scribe Notes: Secure Computation 1
CS261 Scribe Notes: Secure Computation 1 Scriber: Cameron Rasmussen October 24, 2018 1 Introduction It is often the case that code is being run locally on our system that isn t completely trusted, a prime
More informationXen and the Art of Virtualization. CSE-291 (Cloud Computing) Fall 2016
Xen and the Art of Virtualization CSE-291 (Cloud Computing) Fall 2016 Why Virtualization? Share resources among many uses Allow heterogeneity in environments Allow differences in host and guest Provide
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More informationWhat is KVM? KVM patch. Modern hypervisors must do many things that are already done by OSs Scheduler, Memory management, I/O stacks
LINUX-KVM The need for KVM x86 originally virtualization unfriendly No hardware provisions Instructions behave differently depending on privilege context(popf) Performance suffered on trap-and-emulate
More informationTowards Application Security on Untrusted Operating Systems
Towards Application Security on Untrusted Operating Systems Dan R. K. Ports MIT CSAIL & VMware Tal Garfinkel VMware Motivation Many applications handle sensitive data financial, medical, insurance, military...
More informationComputer Architecture Background
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 2b Computer Architecture Background Marten van Dijk Syed Kamran Haider, Chenglu Jin, Phuong Ha Nguyen Department of Electrical & Computer Engineering
More informationInformation Flow Control For Standard OS Abstractions
Information Flow Control For Standard OS Abstractions Maxwell Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris MIT SOSP 2007 Presenter: Lei Xia Mar. 2 2009 Outline
More informationSecPod: A Framework for Virtualization-based Security Systems
SecPod: A Framework for Virtualization-based Security Systems Xiaoguang Wang, Yue Chen, Zhi Wang, Yong Qi, Yajin Zhou Florida State University Xi an Jiaotong University Qihoo 360 abstract The OS kernel
More informationHardware OS & OS- Application interface
CS 4410 Operating Systems Hardware OS & OS- Application interface Summer 2013 Cornell University 1 Today How my device becomes useful for the user? HW-OS interface Device controller Device driver Interrupts
More informationVersion:1.1. Overview of speculation-based cache timing side-channels
Author: Richard Grisenthwaite Date: January 2018 Version 1.1 Introduction This whitepaper looks at the susceptibility of Arm implementations following recent research findings from security researchers
More informationHardware Enclave Attacks CS261
Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Service (IAS) Process Enclave Untrusted Trusted Enclave Code Enclave Data Process Process Other Enclave OS and/or Hypervisor
More informationUsing Hardware-Assisted Virtualization to Protect Application Address Space Inside Untrusted Environment
Using Hardware-Assisted Virtualization to Protect Application Address Space Inside Untrusted Environment Denis Silakov Institute for System Programming at the Russian Academy of Sciences Moscow, Russian
More informationDecoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor
Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan, Michael Dalton, Christos Kozyrakis Computer Systems Laboratory Stanford University Motivation Dynamic analysis help
More informationWhat is an Operating System? A Whirlwind Tour of Operating Systems. How did OS evolve? How did OS evolve?
What is an Operating System? A Whirlwind Tour of Operating Systems Trusted software interposed between the hardware and application/utilities to improve efficiency and usability Most computing systems
More informationAdvanced Operating Systems (CS 202) Virtualization
Advanced Operating Systems (CS 202) Virtualization Virtualization One of the natural consequences of the extensibility research we discussed What is virtualization and what are the benefits? 2 Virtualization
More informationExplicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières
Explicit Information Flow in the HiStar OS Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières Too much trusted software Untrustworthy code a huge problem Users willingly run malicious
More informationAddress spaces and memory management
Address spaces and memory management Review of processes Process = one or more threads in an address space Thread = stream of executing instructions Address space = memory space used by threads Address
More informationMidterm Exam #2 Solutions April 20, 2016 CS162 Operating Systems
University of California, Berkeley College of Engineering Computer Science Division EECS Spring 2016 Anthony D. Joseph Midterm Exam #2 Solutions April 20, 2016 CS162 Operating Systems Your Name: SID AND
More information[537] Virtual Machines. Tyler Harter
[537] Virtual Machines Tyler Harter Outline Machine Virtualization Overview CPU Virtualization (Trap-and-Emulate) CPU Virtualization (Modern x86) Memory Virtualization Performance Challenges Outline Machine
More informationstack Two-dimensional logical addresses Fixed Allocation Binary Page Table
Question # 1 of 10 ( Start time: 07:24:13 AM ) Total Marks: 1 LRU page replacement algorithm can be implemented by counter stack linked list all of the given options Question # 2 of 10 ( Start time: 07:25:28
More informationVirtual to physical address translation
Virtual to physical address translation Virtual memory with paging Page table per process Page table entry includes present bit frame number modify bit flags for protection and sharing. Page tables can
More informationHakim Weatherspoon CS 3410 Computer Science Cornell University
Hakim Weatherspoon CS 3410 Computer Science Cornell University The slides are the product of many rounds of teaching CS 3410 by Deniz Altinbuken, Professors Weatherspoon, Bala, Bracy, and Sirer. C practice
More informationSCONE: Secure Linux Container Environments with Intel SGX
SCONE: Secure Linux Container Environments with Intel SGX S. Arnautov, B. Trach, F. Gregor, Thomas Knauth, and A. Martin, Technische Universität Dresden; C. Priebe, J. Lind, D. Muthukumaran, D. O'Keeffe,
More informationRuntime Integrity Checking for Exploit Mitigation on Embedded Devices
Runtime Integrity Checking for Exploit Mitigation on Embedded Devices Matthias Neugschwandtner IBM Research, Zurich eug@zurich.ibm.com Collin Mulliner Northeastern University, Boston collin@mulliner.org
More informationVirtualization. Adam Belay
Virtualization Adam Belay What is a virtual machine Simulation of a computer Running as an application on a host computer Accurate Isolated Fast Why use a virtual machine? To run multiple
More informationSecurity Architecture
Security Architecture We ve been looking at how particular applications are secured We need to secure not just a few particular applications, but many applications, running on separate machines We need
More informationPreventing Information Leakage from Virtual Machines Memory in IaaS Clouds
Regular Paper Preventing Information Leakage from Virtual Machines Memory in IaaS Clouds Hidekazu Tadokoro 1,a) Kenichi Kourai 2,4 Shigeru Chiba 3 Received: January 18, 2012, Accepted: April 20, 2012 Abstract:
More informationApplications of. Virtual Memory in. OS Design
Applications of Virtual Memory in OS Design Nima Honarmand Introduction Virtual memory is a powerful level of indirection Indirection: IMO, the most powerful concept in Computer Science Fundamental Theorem
More informationVarys. Protecting SGX Enclaves From Practical Side-Channel Attacks. Oleksii Oleksenko, Bohdan Trach. Mark Silberstein
Varys Protecting SGX Enclaves From Practical Side-Channel Attacks Oleksii Oleksenko, Bohdan Trach Robert Krahn, Andre Martin, Christof Fetzer Mark Silberstein Key issue of the cloud: We cannot trust it
More informationComputer Science. ! Other approaches:! Special systems designed for extensibility
Application-Specific Service Technologies for Commodity OSes in Real-Time Environments Richard West and Gabriel Parmer Boston University Boston, MA {richwest,gabep1}@cs.bu.edu Introduction! Leverage commodity
More informationSyscalls, exceptions, and interrupts, oh my!
Syscalls, exceptions, and interrupts, oh my! Hakim Weatherspoon CS 3410 Computer Science Cornell University [Altinbuken, Weatherspoon, Bala, Bracy, McKee, and Sirer] Announcements P4-Buffer Overflow is
More informationFast access ===> use map to find object. HW == SW ===> map is in HW or SW or combo. Extend range ===> longer, hierarchical names
Fast access ===> use map to find object HW == SW ===> map is in HW or SW or combo Extend range ===> longer, hierarchical names How is map embodied: --- L1? --- Memory? The Environment ---- Long Latency
More informationQualifying exam: operating systems, 1/6/2014
Qualifying exam: operating systems, 1/6/2014 Your name please: Part 1. Fun with forks (a) What is the output generated by this program? In fact the output is not uniquely defined, i.e., it is not always
More informationAdministrivia. Lab 1 due Friday 12pm. We give will give short extensions to groups that run into trouble. But us:
Administrivia Lab 1 due Friday 12pm. We give will give short extensions to groups that run into trouble. But email us: - How much is done & left? - How much longer do you need? Attend section Friday at
More informationBreaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX. Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology
Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology Kernel Address Space Layout Randomization (KASLR) A statistical
More informationPolicy-Sealed Data: A New Abstraction for Building Trusted Cloud Services
Max Planck Institute for Software Systems Policy-Sealed Data: A New Abstraction for Building Trusted Cloud Services 1, Rodrigo Rodrigues 2, Krishna P. Gummadi 1, Stefan Saroiu 3 MPI-SWS 1, CITI / Universidade
More informationMemory Management. Disclaimer: some slides are adopted from book authors slides with permission 1
Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 Demand paging Concepts to Learn 2 Abstraction Virtual Memory (VM) 4GB linear address space for each process
More informationProblem System administration tasks on a VM from the outside, e.g., issue administrative commands such as hostname and rmmod. One step ahead tradition
EXTERIOR: Using a Dual-VM Based External Shell for Guest-OS Introspection, Configuration, and Recovery ACM VEE 13 Problem System administration tasks on a VM from the outside, e.g., issue administrative
More informationPrivilege Escalation
Privilege Coleman Kane Coleman.Kane@ge.com February 9, 2015 Security Vulnerability Assessment Privilege 1 / 14 root, or Privilege or Elevation is the act of gaining access to resources which were intended
More informationResearch in OS: Light-weight contexts
Research in OS: Light-weight contexts Light-weight Contexts: An OS Abstraction for Safety and Performance J. Litton, A. Vahldiek-Oberwagner, E. Elnikety, D. Garg, B. Bhattacharjee, P. Druschel, Proc. of
More informationAnne Bracy CS 3410 Computer Science Cornell University
Anne Bracy CS 3410 Computer Science Cornell University The slides were originally created by Deniz ALTINBUKEN. P&H Chapter 4.9, pages 445 452, appendix A.7 Manages all of the software and hardware on the
More informationCS5460: Operating Systems
CS5460: Operating Systems Lecture 2: OS Hardware Interface (Chapter 2) Course web page: http://www.eng.utah.edu/~cs5460/ CADE lab: WEB L224 and L226 http://www.cade.utah.edu/ Projects will be on Linux
More informationArchitectural Supports to Protect OS Kernels from Code-Injection Attacks
Architectural Supports to Protect OS Kernels from Code-Injection Attacks 2016-06-18 Hyungon Moon, Jinyong Lee, Dongil Hwang, Seonhwa Jung, Jiwon Seo and Yunheung Paek Seoul National University 1 Why to
More informationMemory Management. Disclaimer: some slides are adopted from book authors slides with permission 1
Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 CPU management Roadmap Process, thread, synchronization, scheduling Memory management Virtual memory Disk
More informationOutline. V Computer Systems Organization II (Honors) (Introductory Operating Systems) Advantages of Multi-level Page Tables
Outline V22.0202-001 Computer Systems Organization II (Honors) (Introductory Operating Systems) Lecture 15 Memory Management (cont d) Virtual Memory March 30, 2005 Announcements Lab 4 due next Monday (April
More informationThe cow and Zaphod... Virtual Memory #2 Feb. 21, 2007
15-410...The cow and Zaphod... Virtual Memory #2 Feb. 21, 2007 Dave Eckhardt Bruce Maggs 1 L16_VM2 Wean Synchronization Watch for exam e-mail Please answer promptly Computer Club demo night Thursday (2/22)
More informationMemory Management. Disclaimer: some slides are adopted from book authors slides with permission 1
Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 Recap Paged MMU: Two main Issues Translation speed can be slow TLB Table size is big Multi-level page table
More informationDesign and Implementation of SecPod, A Framework for Virtualization-based Security Systems
Design and Implementation of SecPod, A Framework for Virtualization-based Security Systems Xiaoguang Wang, Yong Qi, Member, IEEE, Zhi Wang, Yue Chen, and Yajin Zhou 1 Abstract The OS kernel is critical
More informationCS510 Operating System Foundations. Jonathan Walpole
CS510 Operating System Foundations Jonathan Walpole Course Overview Who am I? Jonathan Walpole Professor at PSU since 2004, OGI 1989 2004 Research Interests: Operating System Design, Parallel and Distributed
More informationGPUfs: Integrating a file system with GPUs
GPUfs: Integrating a file system with GPUs Mark Silberstein (UT Austin/Technion) Bryan Ford (Yale), Idit Keidar (Technion) Emmett Witchel (UT Austin) 1 Traditional System Architecture Applications OS CPU
More informationCOMPUTER ARCHITECTURE. Virtualization and Memory Hierarchy
COMPUTER ARCHITECTURE Virtualization and Memory Hierarchy 2 Contents Virtual memory. Policies and strategies. Page tables. Virtual machines. Requirements of virtual machines and ISA support. Virtual machines:
More informationLecture 19: File System Implementation. Mythili Vutukuru IIT Bombay
Lecture 19: File System Implementation Mythili Vutukuru IIT Bombay File System An organization of files and directories on disk OS has one or more file systems Two main aspects of file systems Data structures
More informationProcess Out-Grafting: An Efficient Out-of-VM Approach for Fine-Grained Process Execution Monitoring
Process Out-Grafting: An Efficient Out-of-VM Approach for Fine-Grained Process Execution Monitoring Deepa Srinivasan Zhi Wang Xuxian Jiang Dongyan Xu NC State University NC State University NC State University
More informationSTING: Finding Name Resolution Vulnerabilities in Programs
STING: Finding Name Resolution ulnerabilities in Programs Hayawardh ijayakumar, Joshua Schiffman, Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department
More informationCS 5460/6460 Operating Systems
CS 5460/6460 Operating Systems Fall 2009 Instructor: Matthew Flatt Lecturer: Kevin Tew TAs: Bigyan Mukherjee, Amrish Kapoor 1 Join the Mailing List! Reminders Make sure you can log into the CADE machines
More informationHDFI: Hardware-Assisted Data-flow Isolation
HDFI: Hardware-Assisted Data-flow Isolation Presented by Ben Schreiber Chengyu Song 1, Hyungon Moon 2, Monjur Alam 1, Insu Yun 1, Byoungyoung Lee 1, Taesoo Kim 1, Wenke Lee 1, Yunheung Paek 2 1 Georgia
More informationArchitecture Support for Guest-Transparent VM Protection from Untrusted Hypervisor and Physical Attacks
Architecture Support for Guest-Transparent VM Protection from Untrusted and Physical Attacks Yubin Xia, Yutao Liu, Haibo Chen Institute of Parallel and Distributed Systems, Shanghai Jiao Tong University
More informationLec 22: Interrupts. Kavita Bala CS 3410, Fall 2008 Computer Science Cornell University. Announcements
Lec 22: Interrupts Kavita Bala CS 3410, Fall 2008 Computer Science Cornell University HW 3 HW4: due this Friday Announcements PA 3 out Nov 14 th Due Nov 25 th (feel free to turn it in early) Demos and
More informationWilliam Stallings Computer Organization and Architecture. Chapter 11 CPU Structure and Function
William Stallings Computer Organization and Architecture Chapter 11 CPU Structure and Function CPU Structure CPU must: Fetch instructions Interpret instructions Fetch data Process data Write data Registers
More informationMemory Safety for Low- Level Software/Hardware Interactions
Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Montreal or Bust! Vikram Adve Safety Future is Bright User-space memory safety is improving Safe languages SAFECode,
More informationMASSACHUSETTS INSTITUTE OF TECHNOLOGY Computer Systems Engineering: Spring Quiz I Solutions
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.033 Computer Systems Engineering: Spring 2011 Quiz I Solutions There are 10 questions and 12 pages in this
More informationProtection Goals of Protection Principles of Protection principle of least privilege Domain Structure need to know principle
Protection Discuss the goals and principles of protection in a modern computer system Explain how protection domains combined with an access matrix are used to specify the resources a process may access
More informationChapter 8: Virtual Memory. Operating System Concepts Essentials 2 nd Edition
Chapter 8: Virtual Memory Silberschatz, Galvin and Gagne 2013 Chapter 8: Virtual Memory Background Demand Paging Copy-on-Write Page Replacement Allocation of Frames Thrashing Memory-Mapped Files Allocating
More informationFast access ===> use map to find object. HW == SW ===> map is in HW or SW or combo. Extend range ===> longer, hierarchical names
Fast access ===> use map to find object HW == SW ===> map is in HW or SW or combo Extend range ===> longer, hierarchical names How is map embodied: --- L1? --- Memory? The Environment ---- Long Latency
More informationEfficient Memory Integrity Verification and Encryption for Secure Processors
Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh, Dwaine Clarke, Blaise Gassend, Marten van Dijk, Srinivas Devadas Massachusetts Institute of Technology New Security
More informationMing Ming Wong Jawad Haj-Yahya Anupam Chattopadhyay
Hardware and Architectural Support for Security and Privacy (HASP 18), June 2, 2018, Los Angeles, CA, USA Ming Ming Wong Jawad Haj-Yahya Anupam Chattopadhyay Computing and Engineering (SCSE) Nanyang Technological
More informationFundamentals of Computer Security
Fundamentals of Computer Security Spring 2015 Radu Sion Software Errors Buffer Overflow TOCTTOU 2005-15 Portions copyright by Bogdan Carbunar and Wikipedia. Used with permission Why Security Vulnerabilities?
More informationCS527 Software Security
Security Policies Purdue University, Spring 2018 Security Policies A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a statement of intent, and
More information2 nd Half. Memory management Disk management Network and Security Virtual machine
Final Review 1 2 nd Half Memory management Disk management Network and Security Virtual machine 2 Abstraction Virtual Memory (VM) 4GB (32bit) linear address space for each process Reality 1GB of actual
More information