ABSTRACT
Applications that process sensitive data can be carefully designed and validated to be difficult to attack, but they are usually run on monolithic, commodity operating systems, which may be less secure. An OS compromise gives the attacker complete access to all of an application's data, regardless of how well the application is built. We propose a new system, Virtual Ghost, that protects applications from a compromised or even hostile OS. Virtual Ghost is the first system to do so by combining compiler instrumentation and run-time checks on operating system code, which it uses to create ghost memory that the operating system cannot read or write. Virtual Ghost interposes a thin hardware abstraction layer between the kernel and the hardware that provides a set of operations that the kernel must use to manipulate hardware, and provides a few trusted services for secure applications such as ghost memory management, encryption and signing services, and key management. Unlike previous solutions, Virtual Ghost does not use a higher privilege level than the kernel.
Virtual Ghost performs well compared to previous approaches; it outperforms InkTag on five of the seven LMBench microbenchmarks, with improvements between 1.3x and 14.3x. For network downloads, Virtual Ghost experiences at most a 45% reduction in bandwidth for small files and nearly no reduction in bandwidth for large files and web traffic. An application we modified to use ghost memory shows a maximum additional overhead of 5% due to the Virtual Ghost protections. We also demonstrate Virtual Ghost's efficacy by showing how it defeats sophisticated rootkit attacks.
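As an added illustration that is not code from the paper or its authors, the following C model sketches the three mechanisms the abstract names: compiler-inserted checks on kernel loads and stores, a hardware-abstraction operation the kernel must use to change mappings, and a trusted ghost-memory allocation service. The page layout, sizes and function names are constructed assumptions, not Virtual Ghost's real x86-64 design.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed toy machine (not Virtual Ghost's real layout): 8 frames of 64 bytes,
 * 16 virtual pages, pages 8..15 form the ghost range. Only the checks are modelled. */
#define PAGE 64u
#define NFRAMES 8
#define NVPAGES 16
#define GHOST_FIRST_PAGE 8u
enum ftype { FREE, KERNEL, GHOST };
static uint8_t frames[NFRAMES][PAGE];
static enum ftype ftype_of[NFRAMES];   /* zero-initialised: every frame starts FREE */
static int pt[NVPAGES];                /* virtual page -> frame index + 1; 0 = unmapped */

/* Translate a virtual address to its backing byte, or NULL if the page is unmapped. */
static uint8_t *translate(uint64_t va) {
    uint64_t vp = va / PAGE;
    return (vp < NVPAGES && pt[vp]) ? &frames[pt[vp] - 1][va % PAGE] : NULL;
}
static bool in_ghost(uint64_t va) { return va / PAGE >= GHOST_FIRST_PAGE; }

/* HAL operation: the only way kernel code may change a mapping. It rejects any frame that
 * holds ghost data (no aliasing into kernel-visible pages) and any page in the ghost range. */
int vg_update_mapping(unsigned vpage, int frame) {
    if (vpage >= GHOST_FIRST_PAGE || frame < 0 || frame >= NFRAMES || ftype_of[frame] == GHOST)
        return -1;
    ftype_of[frame] = KERNEL;
    pt[vpage] = frame + 1;
    return 0;
}

/* Trusted service: give the application a zeroed ghost page. The frame is marked GHOST so
 * vg_update_mapping can never later expose it to the kernel. Returns the frame index or -1. */
int vg_ghost_alloc(unsigned vpage) {
    if (vpage < GHOST_FIRST_PAGE || vpage >= NVPAGES || pt[vpage]) return -1;
    for (int f = 0; f < NFRAMES; f++)
        if (ftype_of[f] == FREE) {
            memset(frames[f], 0, PAGE); ftype_of[f] = GHOST; pt[vpage] = f + 1; return f;
        }
    return -1;
}

/* Instrumented kernel accesses: the compiler inserts the ghost-range check before each one,
 * so even a compromised kernel cannot read or write ghost memory through its own code. */
int kernel_store(uint64_t va, uint8_t v) {
    uint8_t *p = in_ghost(va) ? NULL : translate(va);
    return p ? (*p = v, 0) : -1;
}
int kernel_load(uint64_t va) { uint8_t *p = in_ghost(va) ? NULL : translate(va); return p ? *p : -1; }

/* Application code is not instrumented and uses its ghost pages directly. */
int app_store(uint64_t va, uint8_t v) { uint8_t *p = translate(va); return p ? (*p = v, 0) : -1; }
int app_load(uint64_t va) { uint8_t *p = translate(va); return p ? *p : -1; }
```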