ABSTRACT
Commodity operating systems entrusted with securing sensitive data are remarkably large and complex, and consequently, frequently prone to compromise. To address this limitation, we introduce a virtual-machine-based system called Overshadow that protects the privacy and integrity of application data, even in the event of a total OS compromise. Overshadow presents an application with a normal view of its resources, but the OS with an encrypted view. This allows the operating system to carry out the complex task of managing an application's resources, without allowing it to read or modify them. Thus, Overshadow offers a last line of defense for application data.
Overshadow builds on multi-shadowing, a novel mechanism that presents different views of "physical" memory, depending on the context performing the access. This primitive offers an additional dimension of protection beyond the hierarchical protection domains implemented by traditional operating systems and processor architectures.
We present the design and implementation of Overshadow and show how its new protection semantics can be integrated with existing systems. Our design has been fully implemented and used to protect a wide range of unmodified legacy applications running on an unmodified Linux operating system. We evaluate the performance of our implementation, demonstrating that this approach is practical.
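The multi-shadowing mechanism described in the abstract, modelled as an added toy example (not the paper's code): a VMM keeps one "physical" page per page number and re-encodes it on context switches, so the application context sees cleartext while the OS context sees only ciphertext plus a MAC it cannot forge. The SHA-256 keystream, HMAC, page size and `app`/`os` context labels are assumptions of this illustration, not the paper's design.

```python
"""Toy model of multi-shadowing (added illustration, not code from the paper).
One "physical" page changes representation on context switch: the app context
sees cleartext, the OS context sees ciphertext plus a MAC it cannot forge.
A SHA-256 keystream and HMAC stand in for the paper's ciphers (assumption)."""
import hashlib, hmac, os

PAGE = 64  # constructed page size for the demo

class IntegrityError(Exception): pass   # OS view modified while encrypted

class MultiShadowVMM:
    def __init__(self):
        self.key = os.urandom(32)   # known only to the VMM, never to the guest OS
        self.pages = {}             # page number -> [state, data, nonce, mac]

    def _keystream(self, pn, nonce):
        blocks = [hashlib.sha256(self.key + nonce + pn.to_bytes(8, "big") + bytes([i])).digest()
                  for i in range(PAGE // 32 + 1)]
        return b"".join(blocks)[:PAGE]

    def _mac(self, pn, nonce, ct):
        return hmac.new(self.key, pn.to_bytes(8, "big") + nonce + ct, hashlib.sha256).digest()

    def _view(self, ctx, pn):
        # Return the page in the representation the accessing context may see.
        pg = self.pages.setdefault(pn, ["clear", bytes(PAGE), None, None])
        state, data, nonce, mac = pg
        if ctx == "os" and state == "clear":          # app -> OS: encrypt and MAC
            nonce = os.urandom(16)
            ct = bytes(a ^ b for a, b in zip(data, self._keystream(pn, nonce)))
            pg[:] = ["encrypted", ct, nonce, self._mac(pn, nonce, ct)]
        elif ctx == "app" and state == "encrypted":   # OS -> app: verify, then decrypt
            if not hmac.compare_digest(mac, self._mac(pn, nonce, data)):
                raise IntegrityError(f"page {pn} modified while owned by the OS")
            pt = bytes(a ^ b for a, b in zip(data, self._keystream(pn, nonce)))
            pg[:] = ["clear", pt, None, None]
        return pg

    def read(self, ctx, pn):
        return self._view(ctx, pn)[1]

    def write(self, ctx, pn, data):
        self._view(ctx, pn)[1] = data               # OS writes only ever touch ciphertext

def demo():
    # Constructed scenario: (os_sees_ciphertext, app_sees_cleartext, tamper_detected)
    vmm = MultiShadowVMM()
    secret = b"account=4242 pin=0000".ljust(PAGE, b"\0")
    vmm.write("app", 0, secret)
    os_sees, app_sees = vmm.read("os", 0), vmm.read("app", 0)
    vmm.write("os", 0, b"\xff" * PAGE)              # OS corrupts the encrypted page
    try:
        vmm.read("app", 0); tampered = False
    except IntegrityError:
        tampered = True
    return os_sees != secret, app_sees == secret, tampered
```

The OS can still swap, copy or zero the page, which is exactly the resource management the abstract leaves to it; what it cannot do is read the cleartext or alter it without the application's next access failing the integrity check.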