ABSTRACT
A malicious OS kernel can easily access a user's private data in main memory and pry into human-machine interaction data, even when privacy enforcement is applied at the application level or the OS level. This paper introduces AppSec, a hypervisor-based safe execution environment that transparently protects both the memory data and the human-machine interaction data of security-sensitive applications from the untrusted OS.
AppSec provides several security mechanisms on top of an untrusted OS. It introduces a safe loader that checks the code integrity of the application and its dynamic shared objects. At runtime, AppSec protects the application and its dynamic shared objects from modification and verifies kernel memory accesses according to the application's intention. AppSec provides a device isolation mechanism that prevents a compromised kernel from accessing the human-machine interaction devices. On top of that, AppSec provides a privilege-based window system to protect the application's X resources. The major advantages of AppSec are threefold. First, AppSec verifies and protects all dynamic shared objects during runtime. Second, AppSec mediates kernel memory access according to the application's intention rather than indiscriminately encrypting all of the application's data. Third, AppSec provides a trusted I/O path from the end user to the application. A prototype of AppSec has been implemented, and it shows that AppSec is efficient and practical.
AppSec: A Safe Execution Environment for Security Sensitive Applications
VEE '15