research-article

AppSec: A Safe Execution Environment for Security Sensitive Applications

Authors:
Jianbao Ren

Xi'an Jiaotong University, Xi'an, China

Xi'an Jiaotong University, Xi'an, China
View Profile

,
Yong Qi

Xi'an Jiaotong University, Xi'an, China

Xi'an Jiaotong University, Xi'an, China
View Profile

,
Yuehua Dai

Xi'an Jiaotong University, Xi'an, China

Xi'an Jiaotong University, Xi'an, China
View Profile

,
Xiaoguang Wang

Xi'an Jiaotong University, Xi'an, China

Xi'an Jiaotong University, Xi'an, China
View Profile

,
Yi Shi

Xi'an Jiaotong University, Xi'an, China

Xi'an Jiaotong University, Xi'an, China
View Profile

VEE '15: Proceedings of the 11th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution EnvironmentsMarch 2015Pages 187–199https://doi.org/10.1145/2731186.2731199

Published:14 March 2015Publication History

VEE '15: Proceedings of the 11th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments

Pages 187–199

ABSTRACT

Malicious OS kernel can easily access user's private data in main memory and pries human-machine interaction data, even one that employs privacy enforcement based on application level or OS level. This paper introduces AppSec, a hypervisor-based safe execution environment, to protect both the memory data and human-machine interaction data of security sensitive applications from the untrusted OS transparently.

AppSec provides several security mechanisms on an untrusted OS. AppSec introduces a safe loader to check the code integrity of application and dynamic shared objects. During runtime, AppSec protects application and dynamic shared objects from being modified and verifies kernel memory accesses according to application's intention. AppSec provides a devices isolation mechanism to prevent the human-machine interaction devices being accessed by compromised kernel. On top of that, AppSec further provides a privileged-based window system to protect application's X resources. The major advantages of AppSec are threefold. First, AppSec verifies and protects all dynamic shared objects during runtime. Second, AppSec mediates kernel memory access according to application's intention but not encrypts all application's data roughly. Third, AppSec provides a trusted I/O path from end-user to application. A prototype of AppSec is implemented and shows that AppSec is efficient and practical.

References

Xen Arbitrary Code Execution. URL http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3124.Google Scholar
Google V8 Benchmark Suite. URL http://v8.googlecode.com/svn/data/benchmarks/v7/run.html.Google Scholar
The connection methods to the X server. URL https://www.debian.org/doc/manuals/debian-reference/ch07.en.html#_the_connection_methods_to_the_x_server.Google Scholar
VMWare Arbitrary Code Execution. URL http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014--1209.Google Scholar
PCI Local Bus Specification. URL http://www.math.uni.wroc.pl/~p-wyk4/so/pci23.pdf.Google Scholar
Trusted Platform Module (TPM) Summary. URL http://www.trustedcomputinggroup.org/resources/trusted_platform_module_tpm_summary.Google Scholar
X Window System. URL http://en.wikipedia.org/wiki/X_Window_System.Google Scholar
INTEL R 64 AND IA-32 ARCHITECTURES SOFTWARE DEVELOPER'S MANUAL. Instruction Set Extensions ProgrammingReference. Intel Corporation, January 2013.Google Scholar
M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. Controlflow integrity principles, implementations, and applications. ACM Transactions on Information and System Security (TISSEC), 13(1):4, 2009. Google ScholarDigital Library
A. Arasu, S. Blanas, K. Eguro, R. Kaushik, D. Kossmann, R. Ramamurthy, and R. Venkatesan. Orthogonal security with cipherbase. In 6th Conference on Innovative Data Systems Research, Jan. 2013.Google Scholar
A. Azab, P. Ning, and X. Zhang. SICE: a hardware-level strongly isolated computing environment for x86 multi-core platforms. In Proceedings of the 18th ACM conference on Computer and communications security, pages 375--388. ACM, 2011. Google ScholarDigital Library
A. Baumann, D. Lee, P. Fonseca, L. Glendenning, J. R. Lorch, B. Bond, R. Olinsky, and G. C. Hunt. Composing os extensions safely and efficiently with bascule. In Proceedings of the 8th ACM European Conference on Computer Systems, pages 239--252. ACM, 2013. Google ScholarDigital Library
A. Baumann, M. Peinado, and G. Hunt. Shielding applications from an untrusted cloud with haven. In Proceedings of the 11th USENIX conference on Operating Systems Design and Implementation, pages 267--283. USENIX Association, 2014. Google ScholarDigital Library
A. D. Central. BIOS and Kernel Developer's Guide for AMD Family 15h Models 00h-0Fh Processors.Google Scholar
H. Chen, F. Zhang, C. Chen, Z. Yang, R. Chen, B. Zang, and W. Mao. Tamper-resistant execution in an untrusted operating system using a virtual machine monitor. 2007.Google Scholar
X. Chen, T. Garfinkel, E. Lewis, P. Subrahmanyam, C. Waldspurger, D. Boneh, J. Dwoskin, and D. Ports. Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems. In ACM SIGPLAN Notices, volume 43, pages 2--13. ACM, 2008. Google ScholarDigital Library
Y. Cheng, X. Ding, and R. H. Deng. Driverguard: A finegrained protection on i/o flows. In Proceedings of European Symposium on Research in Computer Security, pages 227--244. Springer, 2011. Google ScholarDigital Library
I. Corporation. Lagrande technology preliminary architecture specification. Intel Publication, (D52212), 2006.Google Scholar
J. Criswell, N. Dautenhahn, and V. Adve. Virtual Ghost: Protecting Applications from Hostile Operating Systems. In Proceedings of the nineteenth international conference on Architectural Support for Programming Languages and Operating Systems. ACM, 2014. Google ScholarDigital Library
Y. Dai, Y. Shi, Y. Qi, J. Ren, and P. Wang. Design and verification of a lightweight reliable virtual machine monitor for a many-core architecture. Frontiers of Computer Science, pages 1--10. Google ScholarDigital Library
Y. Dai, Y. Qi, J. Ren, Y. Shi, X. Wang, and X. Yu. A lightweight VMM on many core for high performance computing. In Proceedings of the 9th ACM SIGPLAN/SIGOPS international conference on Virtual Execution Environments, pages 111--120. ACM, 2013. Google ScholarDigital Library
G. Duc and R. Keryell. Cryptopage: an efficient secure architecture with memory encryption, integrity and information leakage protection. In Computer Security Applications Conference, 2006. ACSAC'06. 22nd Annual, pages 483--492. IEEE, 2006. Google ScholarDigital Library
A. M. Dunn, M. Z. Lee, S. Jana, S. Kim, M. Silberstein, Y. Xu, V. Shmatikov, and E. Witchel. Eternal sunshine of the spotless machine: Protecting privacy with ephemeral channels. In Proc. of the USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2012. Google ScholarDigital Library
D. R. Engler, M. F. Kaashoek, et al. Exokernel: An operating system architecture for application-level resource management, volume 29. ACM, 1995. Google ScholarDigital Library
A. Filyanov, J. M. McCuney, A.-R. Sadeghiz, and M. Winandy. Uni-directional trusted path: Transaction confirmation on just one device. In Dependable Systems & Networks (DSN), 2011 IEEE/IFIP 41st International Conference on, pages 1--12. IEEE, 2011. Google ScholarDigital Library
K. Fraser, S. Hand, R. Neugebauer, I. Pratt, A. Warfield, and M. Williamson. Safe hardware access with the xen virtual machine monitor. In 1st Workshop on Operating System and Architectural Support for the on demand IT InfraStructure (OASIS), pages 1--1, 2004.Google Scholar
T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh. Terra: A virtual machine-based platform for trusted computing. In ACM SIGOPS Operating Systems Review, volume 37, pages 193--206. ACM, 2003. Google ScholarDigital Library
C. Gebtry, S. Halevi, and N. P. Smart. Homomorphic evaluation of the aes circuit. In 32nd International Cryptology Conference, 2012.Google Scholar
C. Gentry. A fully homomorphic encryption scheme. PhD thesis, Stanford University, 2009. Google ScholarDigital Library
V. George, T. Piazza, and H. Jiang. Technology Insight: Intel c Next Generation Microarchitecture Codename Ivy Bridge, 2011. URL www.intel.com/idf/library/pdf/sf_2011/SF11_SPCS005_101F.pdf.Google Scholar
O. S. Hofmann, S. Kim, A. M. Dunn, M. Z. Lee, and E. Witchel. InkTag: Secure Applications On An Untrusted Operating System. In Proceedings of the eighteenth international conference on Architectural support for programming languages and operating systems, (ASPLOS), pages 265--278. ACM, 2013. Google ScholarDigital Library
V. P. Kemerlis, G. Portokalidis, and A. D. Keromytis. kguard: Lightweight kernel protection against return-to-user attacks. In Proceedings of the 21st USENIX Conference on Security Symposium, Security'12, Berkeley, CA, USA, 2012. USENIX Association. Google ScholarDigital Library
V. P. Kemerlis, M. Polychronakis, and A. D. Keromytis. Ret2dir: Rethinking kernel isolation. In Proceedings of the 23rd USENIX Conference on Security Symposium, SEC'14, 2014. Google ScholarDigital Library
C. Lattner and V. Adve. LLVM: A compilation framework for lifelong program analysis & transformation. In Code Generation and Optimization, 2004. CGO 2004. International Symposium on, pages 75--86. IEEE, 2004. Google ScholarDigital Library
D. Lie, C. Thekkath, M. Mitchell, P. Lincoln, D. Boneh, J. Mitchell, and M. Horowitz. Architectural support for copy and tamper resistant software. ACM SIGPLAN Notices, 35 (11):168--177, 2000. Google ScholarDigital Library
J. M. McCune, Y. Li, N. Qu, Z. Zhou, A. Datta, V. Gligor, and A. Perrig. TrustVisor: Efficient TCB Reduction and Attestation. In IEEE Symposium on Security and Privacy (SP), pages 143--158. IEEE, 2010. Google ScholarDigital Library
F. McKeen, I. Alexandrovich, A. Berenzon, C. V. Rozas, H. Shafi, V. Shanbhogue, and U. R. Savagaonkar. Innovative instructions and software model for isolated execution. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, page 10. ACM, 2013. Google ScholarDigital Library
R. Nikolaev and G. Back. Virtuos: an operating system with kernel virtualization. In Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles (SOSP 2013), pages 116--132. ACM, 2013. Google ScholarDigital Library
K. Onarlioglu, C. Mulliner, W. Robertson, and E. Kirda. PRIVEXEC: Private Execution as an Operating System Service. In IEEE Symposium on Security and Privacy. IEEE, 2013. Google ScholarDigital Library
R. A. Popa, C. M. Redfield, N. Xeldovich, and H. Balakrishnan. Cryptdb: Protecting confidentiality with encrypted query processing. In 23rd ACM Symposium on Operating Systems Principles, pages 85--100, 2011. Google ScholarDigital Library
M. Seaborn. Plash: tools for practical least privilege, 2008. URL http://plash.beasts.org/index.html.Google Scholar
J. S. Shapiro, J. Vanderburgh, E. Northup, and D. Chizmadia. Design of the eros trusted window system. In Proceedings of the 13th conference on USENIX Security Symposium-Volume 13, pages 12--12. USENIX Association, 2004. Google ScholarDigital Library
L. Soares and M. Stumm. Flexsc: flexible system call scheduling with exception-less system calls. In Proceedings of the 9th USENIX conference on Operating systems design and implementation, OSDI. ACM, 2010. Google ScholarDigital Library
R. Strackx and F. Piessens. Fides: Selectively hardening software application components against kernel-level or processlevel malware. In Proceedings of the 19th ACM conference on Computer and Communications Security (CCS 2012), 2012. Google ScholarDigital Library
G. E. Suh, D. Clarke, B. Gassend, M. Van Dijk, and S. Devadas. AEGIS: architecture for tamper-evident and tamper resistant processing. In Proceedings of the 17th annual international conference on Supercomputing, pages 160--171, 2003. Google ScholarDigital Library
S. D. Tetali, M. Lesani, R. Majumdar, and T. Millstein. Mrcrypt: static analysis for secure cloud computations. In Proceedings of the 2013 ACM SIGPLAN international conference on Object oriented programming systems languages & applications, pages 271--286. ACM, 2013. Google ScholarDigital Library
A. Virtualization. Secure Virtual Machine Architecture Reference Manual. AMD Publication, (33047), 2005.Google Scholar
J. Yang and K. Shin. Using hypervisor to provide data secrecy for user applications on a per-page basis. In Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, pages 71--80. ACM, 2008. Google ScholarDigital Library
M. Zhang and R. Sekar. Control flow integrity for cots binaries. In Usenix Security, pages 337--352, 2013. Google ScholarDigital Library
Z. Zhou, V. Gligor, J. Newsome, and J. McCune. Building verifiable trusted path on commodity x86 computers. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 616--630. IEEE, 2012. Google ScholarDigital Library

Index Terms

AppSec: A Safe Execution Environment for Security Sensitive Applications
1. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

AppSec: A Safe Execution Environment for Security Sensitive Applications
VEE '15

Malicious OS kernel can easily access user's private data in main memory and pries human-machine interaction data, even one that employs privacy enforcement based on application level or OS level. This paper introduces AppSec, a hypervisor-based safe ...
Read More
Virtualization-based separation of privilege: working with sensitive data in untrusted environment
VDTS '09: Proceedings of the 1st EuroSys Workshop on Virtualization Technology for Dependable Systems

Contemporary commodity operating systems are too big and do not inspire trust in their security and reliability. Still they are used for processing sensitive data due to the vast amount of legacy software and good support for virtually all hardware ...
Read More
k-anonymity: a model for protecting privacy

Consider a data holder, such as a hospital or a bank, that has a privately held collection of person-specific, field structured data. Suppose the data holder wants to share a version of the data with researchers. How can a data holder release a version ...
Read More

Reviews

Reviewer: Patriciu V Victor-Valeriu

The authors of AppSec present a proposed implementation to achieve a secure environment without modifying the operating system (OS) kernel or applications. The main concept is that only the OS is untrusted, while the hardware and the firmware are presumed to be trusted. "A hypervisor-based safe execution environment," protects security-sensitive applications from an untrusted OS. The authors focus on a combination of mechanisms to secure "dynamic shared objects during runtime," "kernel memory access according to [the] application's intention," and input/output (I/O) communication from the end user to the application. The AppSec architecture overview is illustrated, and its elements are described meticulously. The safe loader component ensures the integrity of loaded applications and dynamic shared objects. The page tracker assures un-bypassed and transparent memory access by collecting information on sensitive applications' memory pages, and by raising a nested page table fault when the kernel tries to access them. Access is then granted according to the application's intentions. The I/O connections are secured with a privilege-based window-management system, with security-sensitive applications having the highest privilege. The authors detail the evaluation of their system, with respect to the performance overhead, by using native Linux execution rates as a baseline. The tests were performed on a server with AMD processors, running Debian "wheezy" with Linux 3.1. SPEC CPU2006, Apache, and Google V8 benchmarks, and a few microbenchmarks, were used to compare against the baseline and the modified version with AppSec off and on. The tests concluded that a performance overhead of 6-to-10 percent incurred when all protection mechanisms were activated. The authors then present the limitations of the system and compare their work to similar techniques for protecting the user's privacy. The most important differences were that AppSec does not modify the OS in any way and secures both memory and human-machine interaction data. Online Computing Reviews Service

Access critical reviews of Computing literature here

Become a reviewer for Computing Reviews.

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
VEE '15: Proceedings of the 11th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments
March 2015
238 pages
ISBN:9781450334501
DOI:10.1145/2731186
General Chair:
Ada Gavrilovska
Georgia Tech
,
Program Chairs:
Angela Demke Brown
University of Toronto
,
Bjarne Steensgaard
Microsoft
ACM SIGPLAN Notices Volume 50, Issue 7
VEE '15
July 2015
221 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/2817817
Editor:
Andy Gill
University of Kansas, Lawrence, KS
Issue’s Table of Contents
Copyright © 2015 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 14 March 2015
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
human-machine interaction
kernel
privacy
vmm
Qualifiers
- research-article
Conference

Acceptance Rates
VEE '15 Paper Acceptance Rate16of50submissions,32%Overall Acceptance Rate80of235submissions,34%
More
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 8
  Total Citations
  View Citations
- 727
  Total Downloads
- Downloads (Last 12 months)21
- Downloads (Last 6 weeks)1
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

AppSec: A Safe Execution Environment for Security Sensitive Applications

VEE '15: Proceedings of the 11th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments

ABSTRACT

References

Cited By

Index Terms

Recommendations

AppSec: A Safe Execution Environment for Security Sensitive Applications

Virtualization-based separation of privilege: working with sensitive data in untrusted environment

k-anonymity: a model for protecting privacy

Reviews

Access critical reviews of Computing literature here