Research article, ASPLOS Conference Proceedings. DOI: 10.1145/2541940.2541986

Virtual ghost: protecting applications from hostile operating systems

Published: 24 February 2014

ABSTRACT

Applications that process sensitive data can be carefully designed and validated to be difficult to attack, but they are usually run on monolithic, commodity operating systems, which may be less secure. An OS compromise gives the attacker complete access to all of an application's data, regardless of how well the application is built. We propose a new system, Virtual Ghost, that protects applications from a compromised or even hostile OS. Virtual Ghost is the first system to do so by combining compiler instrumentation and run-time checks on operating system code; it uses these to create ghost memory that the operating system cannot read or write. Virtual Ghost interposes a thin hardware abstraction layer between the kernel and the hardware that provides a set of operations the kernel must use to manipulate hardware, and it provides a few trusted services for secure applications, such as ghost memory management, encryption and signing services, and key management. Unlike previous solutions, Virtual Ghost does not use a higher privilege level than the kernel.

Virtual Ghost performs well compared to previous approaches: it outperforms InkTag on five of the seven LMBench microbenchmarks, with improvements between 1.3x and 14.3x. For network downloads, Virtual Ghost experiences at most a 45% reduction in bandwidth for small files and nearly no reduction for large files and web traffic. An application we modified to use ghost memory shows a maximum additional overhead of 5% due to the Virtual Ghost protections. We also demonstrate Virtual Ghost's efficacy by showing how it defeats sophisticated rootkit attacks.

References

  1. ApacheBench: A complete benchmarking and regression testing suite. http://freshmeat.net/projects/apachebench/, July 2003.
  2. Intel 64 and IA-32 architectures software developer's manual, volume 3. Intel, 2012.
  3. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity principles, implementations, and applications. ACM Trans. Inf. Syst. Secur., 13:4:1--4:40, November 2009.
  4. Advanced Micro Devices. AMD64 architecture programmer's manual volume 2: System programming, September 2006.
  5. I. Anati, S. Gueron, S. Johnson, and V. Scarlata. Innovative technology for CPU based attestation and sealing. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, page 10. ACM, 2013.
  6. ARM Limited. ARM security technology: Building a secure system using TrustZone technology. http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29-GENC-009492Ctrustzonesecuritywhitepaper.pdf, 2009.
  7. A. M. Azab, P. Ning, Z. Wang, X. Jiang, X. Zhang, and N. C. Skalsky. HyperSentry: enabling stealthy in-context measurement of hypervisor integrity. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS '10, pages 38--49, New York, NY, USA, 2010. ACM.
  8. B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers, and S. Eggers. Extensibility, safety and performance in the SPIN operating system. In Proc. ACM SIGOPS Symp. on Op. Sys. Principles, pages 267--284, Copper Mountain, CO, USA, 1995.
  9. D. P. Bovet and M. Cesati. Understanding the Linux Kernel. O'Reilly, Sebastopol, CA, 2nd edition, 2003.
  10. S. Checkoway and H. Shacham. Iago attacks: why the system call API is a bad untrusted RPC interface. In Proceedings of the Eighteenth International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS '13, pages 253--264, New York, NY, USA, 2013. ACM.
  11. X. Chen, T. Garfinkel, E. C. Lewis, P. Subrahmanyam, C. A. Waldspurger, D. Boneh, J. Dwoskin, and D. R. Ports. Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems. In Proceedings of the 13th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS XIII, pages 2--13, New York, NY, USA, 2008. ACM.
  12. J. Criswell, N. Geoffray, and V. Adve. Memory safety for low-level software/hardware interactions. In Proceedings of the Eighteenth USENIX Security Symposium, August 2009.
  13. J. Criswell, A. Lenharth, D. Dhurjati, and V. Adve. Secure Virtual Architecture: A safe execution environment for commodity operating systems. In Proc. ACM SIGOPS Symp. on Op. Sys. Principles, pages 351--366, Stevenson, WA, USA, October 2007.
  14. J. Criswell, B. Monroe, and V. Adve. A virtual instruction set interface for operating system kernels. In Workshop on the Interaction between Operating Systems and Computer Architecture, pages 26--33, Boston, MA, USA, June 2006.
  15. M. Fahndrich, M. Aiken, C. Hawblitzel, O. Hodson, G. C. Hunt, J. R. Larus, and S. Levi. Language support for fast and reliable message-based communication in Singularity OS. In Proceedings of EuroSys, 2006.
  16. O. S. Hofmann, S. Kim, A. M. Dunn, M. Z. Lee, and E. Witchel. InkTag: secure applications on an untrusted operating system. In Proceedings of the Eighteenth International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS '13, pages 265--278, New York, NY, USA, 2013. ACM.
  17. G. C. Hunt and J. R. Larus. Singularity design motivation (Singularity Technical Report 1). Technical Report MSR-TR-2004-105, Microsoft Research, December 2004.
  18. J. Kong. Designing BSD Rootkits. No Starch Press, San Francisco, CA, USA, 2007.
  19. C. Lattner and V. Adve. LLVM: A compilation framework for lifelong program analysis and transformation. In Proc. Conf. on Code Generation and Optimization, pages 75--88, San Jose, CA, USA, March 2004.
  20. D. Lie, C. A. Thekkath, and M. Horowitz. Implementing an untrusted operating system on trusted hardware. In Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, SOSP '03, pages 178--192, New York, NY, USA, 2003. ACM.
  21. LMH. Month of kernel bugs (MoKB) archive, 2006. http://projects.info-pull.com/mokb/.
  22. J. M. McCune, Y. Li, N. Qu, Z. Zhou, A. Datta, V. Gligor, and A. Perrig. TrustVisor: Efficient TCB reduction and attestation. In Proceedings of the 2010 IEEE Symposium on Security and Privacy, SP '10, pages 143--158, Washington, DC, USA, 2010. IEEE Computer Society.
  23. J. M. McCune, B. J. Parno, A. Perrig, M. K. Reiter, and H. Isozaki. Flicker: an execution infrastructure for TCB minimization. In Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008, EuroSys '08, pages 315--328, New York, NY, USA, 2008. ACM.
  24. F. McKeen, I. Alexandrovich, A. Berenzon, C. V. Rozas, H. Shafi, V. Shanbhogue, and U. R. Savagaonkar. Innovative instructions and software model for isolated execution. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, page 10. ACM, 2013.
  25. M. K. McKusick, K. Bostic, M. J. Karels, and J. S. Quarterman. The Design and Implementation of the 4.4 BSD Operating System. Addison-Wesley Publishing Company, Inc., Redwood City, CA, 1996.
  26. L. McVoy and C. Staelin. lmbench: portable tools for performance analysis. In Proceedings of the 1996 USENIX Annual Technical Conference, ATEC '96, pages 23--23, Berkeley, CA, USA, 1996. USENIX Association.
  27. B. Parno, J. R. Lorch, J. R. Douceur, J. Mickens, and J. M. McCune. Memoir: Practical state continuity for protected modules. In Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP '11, pages 379--394, Washington, DC, USA, 2011. IEEE Computer Society.
  28. D. R. K. Ports and T. Garfinkel. Towards application security on untrusted operating systems. In Proceedings of the 3rd Conference on Hot Topics in Security, HOTSEC '08, pages 1:1--1:7, Berkeley, CA, USA, 2008. USENIX Association.
  29. J. Poskanzer. thttpd - tiny/turbo/throttling HTTP server, 2000. http://www.acme.com/software/thttpd.
  30. Postmark. Email delivery for web apps, July 2013.
  31. R. Roemer, E. Buchanan, H. Shacham, and S. Savage. Return-oriented programming: Systems, languages, and applications. ACM Trans. Inf. Syst. Secur., 15(1):2:1--2:34, March 2012.
  32. M. E. Russinovich and D. A. Solomon. Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server 2003, Windows XP, and Windows 2000 (Pro-Developer). Microsoft Press, Redmond, WA, USA, 2004.
  33. T. Saulpaugh and C. Mirho. Inside the JavaOS Operating System. Addison-Wesley, Reading, MA, USA, 1999.
  34. A. Singh. Mac OS X Internals. Addison-Wesley Professional, 2006.
  35. Solar Designer. return-to-libc attack, August 1997. http://www.securityfocus.com/archive/1/7480.
  36. The OpenBSD Project. OpenSSH, 2006. http://www.openssh.com.
  37. J. Yang and K. G. Shin. Using hypervisor to provide data secrecy for user applications on a per-page basis. In Proceedings of the Fourth ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, VEE '08, pages 71--80, New York, NY, USA, 2008. ACM.
  38. B. Zeng, G. Tan, and G. Morrisett. Combining control-flow integrity and static analysis for efficient and validated data sandboxing. In Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS '11, pages 29--40, New York, NY, USA, 2011. ACM.

    Reviews

    Eduardo B. Fernandez

    Operating systems are very complex, with millions of lines of code; in general, they cannot be proven secure. They may contain malware, or they may have been compromised by attackers. This means that, in many cases, they cannot be trusted. Protecting applications against attacks coming from the operating system requires elaborate solutions, and several approaches have been presented. Virtual Ghost, the new system presented in this paper, is based on compiler instrumentation and runtime checks. This approach effectively inserts a small hardware abstraction layer between the kernel and the hardware, providing operations to be used by the kernel to manipulate hardware, and provides some trusted services for secure applications. Virtual Ghost runs as a regular library at the same privilege level as the kernel. The paper discusses the architectural aspects of Virtual Ghost and shows how it can handle all types of attacks by an operating system on applications. The performance analysis of a prototype shows reasonable overhead for providing this level of security to applications and to the kernel itself. The paper is clear and well organized, and puts this work into context with other similar approaches. This paper should be very useful reading for anybody working on application security.

    Online Computing Reviews Service

    • Published in

      ASPLOS '14: Proceedings of the 19th international conference on Architectural support for programming languages and operating systems
      February 2014
      780 pages
      ISBN:9781450323055
      DOI:10.1145/2541940

      Copyright © 2014 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 24 February 2014


      Qualifiers

      • research-article

      Acceptance Rates

      ASPLOS '14 paper acceptance rate: 49 of 217 submissions (23%). Overall acceptance rate: 535 of 2,713 submissions (20%).
