1 / 22

InkTag : Secure Applications on an Untrusted Operating system

InkTag : Secure Applications on an Untrusted Operating system. Paper from The University of Texas at Austin By: Hofmann, Owns S. Kim, Sangman Dunn, Alan M. Lee, Michael Z. Witchel , Emmett Presented b y : Anwaar Alsulaiman. Outline. Introduction

ishi
Download Presentation

InkTag : Secure Applications on an Untrusted Operating system

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. InkTag: Secure Applications on an Untrusted Operating system Paper from The University of Texas at Austin By: Hofmann, Owns S. Kim, Sangman Dunn, Alan M. Lee, Michael Z. Witchel, Emmett Presented by: Anwaar Alsulaiman

  2. Outline • Introduction • InkTag: secure applications on an untrusted OS • Verifying OS behavior • InkTagsecurity guarantees • Basic memory isolation mechanisms • Paraverification • Implementation & Evaluation • Conclusion

  3. Introduction

  4. Do you trust your OS? • The OS is the software root of trust on most systems. • The OS is a shared vulnerability. • Root often has OS-level privilege.

  5. What about the hypervisor? • Hypervisors have become a common part of the software stack. • Hypervisors can be more trustworthy.

  6. Why OS is still a problem? • Users want trustworthy applications. • Applications still must trust the OS. • However, OS still provides all essential services.

  7. Can the hypervisor improve this situation?

  8. InkTag: secure applications on an untrusted OS • A system in which secure, trust-worthy programs can efficiently verify an untrusted, commodity OS’ behavior with a small degree of assistance from a small trusted hypervisor.

  9. Verifying OS behavior • Application and hypervisor communicate. • Hypervisor interposes on low-level updates. • Hypervisor requires deep OS visibility into OSapplication.

  10. InkTag security guarantees • Control flow integrity: OS cannot change program counter, registers. • Address space integrity: OS cannot read, modify application data. • File I/O: applications access the desired files, privacy and integrity for file data, Built on address space integrity. • Process control: applications can fork(), exec(). • Access control and naming: Applications can defined access control policies, use string filename. • Consistency: OS-managed data and hypervisor-managed metadata remain in sync.

  11. Basic memory isolation mechanisms • Position of data in address space must match application requests [mmap()]. • Ensure OS constructs the correct address space. • Application maps file F at addrV. • Interpose on page table updates. • Match page table updates to application requests.

  12. Challenges: why is this difficult? • Interpreting low-level page table updates that OS can construct valid, but confusing page tables, and order in which updates are seen matters. • Matching page table updates to application requests that application and hypervisor must communicate complete memory map. • Application must validate pointer results returned from kernel.

  13. How can the untrusted OS help?

  14. Paraverification • Paraverification: an untrusted OS helping to verify its own behavior: take inspiration from paravirtualization, extensive use of existing parvirtual interface. • OS must participate, but information cannot be trusted.

  15. Paraverification: validating PTE updates • Untrusted OS notifies hypervisor on page table updates. • Application maintains memory mappings in an array of descriptors. • Generate a token for each mapping: identifier describing requested mapping,(HMAC(add,file,offset)), in implementation (integer index). • Application memory listing protected from OS. • Entries always allocated in defined virtual address range. • Invalid entries marked.

  16. Paraverification: validating syscall results • OS returns tokens to application to assist validation: application maintains linked list of mapping, OS specifies previous entry, application checks for overlap, and updates list.

  17. How can the untrusted OS help? • Guarantee sane address space updates. • Expose internal OS information to hypervisor and application.

  18. Implementation & Evaluation • Prototype built with KVM, qemu, uClibc -~3500 hypervisor LOC - Modify libc to validate syscall results • OS microbenchmarks -LMBench • Applications - SPEC - Apache - DokuWiki

  19. DokuWiki • PHP CGI binary with InkTagextensions. • InkTag authentication module: use InkTag access control on wiki page. • Result: hypervisor-enforced security for a PHP application: Integrity for all script files, Privacy and integrity for application data. • InkTag overhead: many short-lived processes, frequentmemory mapping, and 1.54x throughput slowdown.

  20. Other InkTag applications’ overheads LMBench• Low-level OS microbenchmarks.• 5x - 55x slowdown (for μs operations) • High context switch latency. SPEC• CPU-bound applications.• Most applications <= 1.03x.• gcc - 1.14x; perlbench, h264href - 1.10x. Apache• Long-lived processes, infrequent MM activity. • 1.02x throughput slowdown, 1.13x latency.

  21. Conclusion • We can enforce trustworthy services from an untrustworthy OS. • Paraverification simplifies crucial isolation mechanisms.

  22. Reference: • http://www.cs.utexas.edu/~adunn/pubs/hofmann13asplos-inktag.pdf

More Related