eternal sunshine of the spotless
play

Eternal Sunshine of the Spotless Machine: Protecting Privacy with - PowerPoint PPT Presentation

Sep 19, 2022 •17 likes •277 views

Eternal Sunshine of the Spotless Machine: Protecting Privacy with Ephemeral Channels Alan M. Dunn , Michael Z. Lee, Suman Jana, Sangman Kim, Mark Silberstein, Yuanzhong Xu, Vitaly Shmatikov, Emmett Witchel University of Texas at Austin OSDI 2012

  1. Eternal Sunshine of the Spotless Machine: Protecting Privacy with Ephemeral Channels Alan M. Dunn , Michael Z. Lee, Suman Jana, Sangman Kim, Mark Silberstein, Yuanzhong Xu, Vitaly Shmatikov, Emmett Witchel University of Texas at Austin OSDI 2012 October 8, 2012 1

  2. Wanted: Application Privacy • Goal: Run programs without leaving traces VoIP conversation Biomedical researcher Website access accessing data with lawyer • Current state: Private browsing – Popular feature in web browsers – Ideal: When private browsing session terminates, all traces erased 2

  3. A Privacy Problem • Private browsing unachieved – Evidence of site visits leaks into OS [Aggrawal, 2010] • Problem: No system support – Applications interact with user and world – Data leaks into OS, system services – Applications cannot remove traces they leave 3

  4. Example: Browsing a Website X Network What traces still remain on the computer? Audio 4

  5. Leaks From Browsing Memory contents: Complete packets, like: HTTP/1.1 200 OK Network Date: Mon, 17 Sep 2012 … Server: Apache/2.2.14 … … PulseAudio server X server caches, graphics drivers Audio 5

  6. Secure Deallocation Is Not Enough • Secure deallocation : Zero memory when freed – Research implementation [Chow, 2005] – PaX: Security patch for Linux kernel • Sensitive data remains allocated – X caches, PulseAudio buffers not freed 6

  7. Resisting a Strong Adversary • Goal: Provide forensic deniability – no evidence left for non-concurrent attacker • Once program terminated, protection maintained under extreme circumstances Root-level compromise Computer physically seized (after program terminates) 7

  8. Goals • Provide privacy – Private sessions with forensic deniability • Maintain usability – Simultaneous private/non-private applications – Support a wide variety of private applications – “Pay as you go” - costs only for private programs – Impose low overhead 8

  9. Lacuna • System to accomplish our privacy and usability goals • Host OS (Linux), VMM (QEMU-KVM) modified • Applications unmodified la·cu·na [luh-kyoo-nuh] 1. a gap or missing part, as in a manuscript, series, or logical argument... 9

  10. Outline • Design – Erasable program container – Allow communication with peripherals • Evaluation – Lacuna provides privacy – Lacuna maintains usability 10

  11. Erasable Program Container Process Program Process Process … VM contains Inter-Process Communication VM alone is insufficient 11

  12. Communicating with Peripherals - Sensitive data Program App X App 1 2 Program must Host OS communicate with peripheral Driver Dependencies on rest of OS 12

  13. Communicating with Peripherals - Sensitive data Code with potential data exposure Program App X X App 1 2 Host OS Host OS Driver Dependencies on rest of OS 13

  14. Two Peripheral Types - Sensitive data - Encrypted data 1) Storage 2) All other peripherals Swap Solve with ephemeral channels Host OS VM writes Encrypt before data Must ensure no traces left passes through OS that are readable later 14

  15. Ensuring No Readable Traces Program Strategy 1: Leave no trace Host OS Strategy 2: Make traces unreadable later 15

  16. Ephemeral Channels - Sensitive data Hardware - Encrypted data ephemeral channel Guest control of hardware Traces now cryptographically erased Host OS Encrypted ephemeral Erase channel key (complex channel Proxy OS paths) 16

  17. Channel Type Comparison Hardware Encrypted   Host drivers unmodified   Host code never sees unencrypted data   Hardware virtualization support unnecessary (No graphics)   Guest modification unnecessary (Run Windows, Linux, unmodified programs) 17

  18. Encrypted Graphics Channel • No hardware virtualization support for graphics • Solution: Encrypt VM output to GPU memory GPU memory CUDA Host OS Emulated Driver graphics card 18

  19. Hardware USB Channel Controller: private Controller: non-private Controller under Switch into guest control private mode USB mouse USB keyboard Host OS Driver Encrypted USB, audio, network channels USB host described in paper controller HW 19

  20. Sanitizing Storage • Encrypt VM writes to storage – VM image file unmodified – Diffs file contains VM writes to storage – Diffs file encrypted • Leave no evidence of which storage locations read – Free buffer cache pages for VM image file only • Encrypt swapped memory from private VM – Encrypt swapped pages for VMM process only • Encryption keys erased on VM exit • Techniques here “pay as you go” 20

  21. Evaluation • Lacuna provides privacy – Measure that Lacuna does not leak private data – Quantify size of code that handles sensitive data • Lacuna maintains usability – Low switch time to private environment – Application performance near that of running program in VM • More evaluation in paper 21

  22. Lacuna Protects Privacy • Experiment to locate leaks • Inject random “tokens” into peripheral I/O paths, scan memory to locate [Chow, 2005] • Tokens almost always found without Lacuna • Tokens never found with Lacuna Host OS … 0x2a 0xbf 0x3c 0xb1 0x70 0xc6 0x6e 0x82 22

  23. Little Code Handles Sensitive Data Subsystem Lines of Code Graphics 725 (CUDA) Sound 200 (out) 108 (in) USB 414 Network 208 • Measurements are lines of code outside of QEMU that handle unencrypted data – Data within QEMU erased at VM exit 23

  24. Time to Switch to Private Programs is Low Channel Type Switch Time (s) USB passthrough (encrypted) 1.4 ± 0.2 keyboard 2 .3 ± 0.2 keyboard + mouse PCI assignment (hardware) 2.4 ± 0.2 keyboard 3.8 ± 0.2 keyboard + mouse • USB driver disconnect significant (0.8-1.0 s) • Switch time achieved by eliminating two extra disconnects in guest USB initialization 24

  25. Impact on Full-System Workloads is Low • Benchmarks – MPlayer: Watch video in across network – Firefox: Browse Alexa top 20 websites – LibreOffice: Create 2,994-character, 32-image document • No execution slowdown, higher CPU utilization Video Browser Office Suite (75 s) (20 s) (175 s) 32.2 ± 7.4 25.9 ± 1.3 8.1 ± 1.2 QEMU 49.7 ± 0.3 46.2 ± 1.5 21.1 ± 0.6 Lacuna (+ 17.5) (+ 20.3) (+ 13.0) Worst case: additional Measurements are % CPU utilization 20 percentage points • CPU utilization lowered by hardware AES (AES-NI) 25

  26. Conclusion • Modern computer systems leak secrets • Lacuna provides forensic deniability : secrets removed after program termination • Ephemeral channels provide private peripheral I/O • Lacuna runs full-system workloads efficiently 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SUNSHINE LAW Floridas Government in the Sunshine Law, s. 286.011, F.S., commonly referred

SUNSHINE LAW Floridas Government in the Sunshine Law, s. 286.011, F.S., commonly referred

GOVERNMENT IN THE SUNSHINE LAW Floridas Government in the Sunshine Law, s. 286.011, F.S., commonly referred to as the Sunshine Law, provides a right of access to governmental proceedings of public boards or commissions at both the state

703 views • 66 slides
AN ETERNALLY GREEN WHAT IS ETERNIS An ETERNAL Home having spread on 6 acres land An

AN ETERNALLY GREEN WHAT IS ETERNIS An ETERNAL Home having spread on 6 acres land An

A PLACE WHEREBY THE RESIDENCE RESIDE WITH AN ETERNALLY GREEN WHAT IS ETERNIS An ETERNAL Home having spread on 6 acres land An ETERNAL elevation of B+G+11 in 13 towers with Commercial Space An ETERNAL landscaped garden of 55000

969 views • 31 slides
OHIO OHIO SUNSHINE LAW SUNSHINE LAW Curt C. Hartm an The La w Firm of Curt C. Ha rtm a n

OHIO OHIO SUNSHINE LAW SUNSHINE LAW Curt C. Hartm an The La w Firm of Curt C. Ha rtm a n

OHIO OHIO SUNSHINE LAW SUNSHINE LAW Curt C. Hartm an The La w Firm of Curt C. Ha rtm a n 3749 Fox Point Court Am elia, OH 4510 2 (513) 752-8 8 0 0 ha rtm a nla w firm @fuse.net OHIO OHIO SUNSHINE LAW SUNSHINE LAW The Found ing

524 views • 16 slides
Is a little sunshine all we need? On the impact of sunshine regulation on profits, productivity

Is a little sunshine all we need? On the impact of sunshine regulation on profits, productivity

Is a little sunshine all we need? On the impact of sunshine regulation on profits, productivity and prices in the Dutch drinking water sector. Kristof De Witte University of Leuven, Belgium Maastricht University, the Netherlands David Saal

539 views • 37 slides
Missouri Sunshine Law Casey Lawrence Director of Sunshine Law Compliance Disclaimer: This

Missouri Sunshine Law Casey Lawrence Director of Sunshine Law Compliance Disclaimer: This

Missouri Sunshine Law Casey Lawrence Director of Sunshine Law Compliance Disclaimer: This presentation is meant as a summary of relevant provisions of the Sunshine Law; not an official opinion of the AGO. In providing this presentation, we

944 views • 51 slides
Jesus is the source of eternal Jesus is the source of eternal salvation for all who obey

Jesus is the source of eternal Jesus is the source of eternal salvation for all who obey

Hebrews 4.145.10 Jesus is the source of eternal Jesus is the source of eternal salvation for all who obey him Learning obedience through suffering salvation for all who Pastor Lyndon Drake 01 March 2015 Hebrews 5.9 1 2

309 views • 3 slides
Technical Advisory Committee Training January 30, 2019 Government in the Sunshine 2 Sunshine

Technical Advisory Committee Training January 30, 2019 Government in the Sunshine 2 Sunshine

NAPLES AI RPORT AUTHORI TY Technical Advisory Committee Training January 30, 2019 Government in the Sunshine 2 Sunshine Law Protects the public from closed door decision making and provides a right of access to governmental meetings.

764 views • 23 slides
Sunshine & Smiles World Down Syndrome Congress Sunshine & Smiles - What We Do and Why

Sunshine & Smiles World Down Syndrome Congress Sunshine & Smiles - What We Do and Why

Sunshine & Smiles World Down Syndrome Congress Sunshine & Smiles - What We Do and Why Parent led - started in 2011 Age specific social groups Activities - specific taught or coached activities - dance, swimming, football,

338 views • 15 slides
Corporate Presentation-2020 About Sunshine Sunshine Powertronics founded in August 2015 aiming to

Corporate Presentation-2020 About Sunshine Sunshine Powertronics founded in August 2015 aiming to

Corporate Presentation-2020 About Sunshine Sunshine Powertronics founded in August 2015 aiming to deliver high quality & reliable power conversion & Control solution for Indian & outside Market. Design & development are key

550 views • 20 slides
Sunshine Law W ork Session Orange County Board of County Com m issioners Orange County

Sunshine Law W ork Session Orange County Board of County Com m issioners Orange County

Sunshine Law W ork Session Orange County Board of County Com m issioners Orange County Attorneys Office February 7 , 2 0 1 7 Sunshine Law Overview of Sunshine Law Exceptions Potential Pit Falls Violations Enforcem ent 2

318 views • 27 slides
INVESTOR PRESENTATION INTRODUCTION Downers financial results for the 12 months to 30 June 2017

INVESTOR PRESENTATION INTRODUCTION Downers financial results for the 12 months to 30 June 2017

Downer Full Year Results | 29 August 2017 INVESTOR PRESENTATION INTRODUCTION Downers financial results for the 12 months to 30 June 2017 incorporate the financial statements of Spotless Group Holdings Limited (Spotless) as Downers interest

644 views • 28 slides
According to his eternal purpose that he accomplished in Christ Jesus our Lord. Ephesians 3.11

According to his eternal purpose that he accomplished in Christ Jesus our Lord. Ephesians 3.11

According to his eternal purpose that he accomplished in Christ Jesus our Lord. Ephesians 3.11 Through the ages one eternal purpose runs. AT Robertson 1) God has chosen the church to reveal His plan His intent was that

387 views • 34 slides
Storing Sunshine Where the Sun Never Shines An Underground Storage Solution to Intermittent

Storing Sunshine Where the Sun Never Shines An Underground Storage Solution to Intermittent

Storing Sunshine Where the Sun Never Shines An Underground Storage Solution to Intermittent Solar Power How do you store sunshine You convert it into hydrogen using an electrolyzer. Solar panel power Electrolysis Hydrogen Sunshine Is

907 views • 34 slides
Discover the Red Sea Riviera The Best Brexit Solution Under the Sun 365 Days of Sunshine

Discover the Red Sea Riviera The Best Brexit Solution Under the Sun 365 Days of Sunshine

Discover the Red Sea Riviera The Best Brexit Solution Under the Sun 365 Days of Sunshine Luxury living in the sunshine with a low cost of living in a safe and secure environment. Enjoy a Champagne lifestyle on a lemonade budget. Accessible

915 views • 60 slides
SUNSHINE COAST MINOR HOCKEY Return to Play SUNSHINE COAST MINOR HOCKEY RETURN TO PLAY PROTOCOL

SUNSHINE COAST MINOR HOCKEY Return to Play SUNSHINE COAST MINOR HOCKEY RETURN TO PLAY PROTOCOL

SUNSHINE COAST MINOR HOCKEY Return to Play SUNSHINE COAST MINOR HOCKEY RETURN TO PLAY PROTOCOL Sunshine Coast Minor Hockey Association continues to follow guidelines set forth by the Center for Disease Control and Prevention (CDC), as well as

414 views • 12 slides
RM of Edenwold No. 158 Development Process for Sunshine Community Developments May 22, 2019

RM of Edenwold No. 158 Development Process for Sunshine Community Developments May 22, 2019

RM of Edenwold No. 158 Development Process for Sunshine Community Developments May 22, 2019 Objective Provide the Town of Pilot Butte Council with accurate and up-to-date information regarding the Sunshine Communities Development proposal

303 views • 16 slides
Boolean Analysis Unveils Universal Rules in the Microbiome Data Daniella Vo, Shayal Singh, Sara

Boolean Analysis Unveils Universal Rules in the Microbiome Data Daniella Vo, Shayal Singh, Sara

Boolean Analysis Unveils Universal Rules in the Microbiome Data Daniella Vo, Shayal Singh, Sara Safa Advisor: Dr. Debashis Sahoo Microbial Cells Microbiome ~100 Trillion (~70-90%) Consists of microorganisms such as bacteria, yeast, and

333 views • 4 slides
Agenda Dairy Cattle Milk Recording WG Aarhus, May 28, 2013 Agenda Opening, Kai, Pavel, Franz,

Agenda Dairy Cattle Milk Recording WG Aarhus, May 28, 2013 Agenda Opening, Kai, Pavel, Franz,

Agenda Dairy Cattle Milk Recording WG Aarhus, May 28, 2013 Agenda Opening, Kai, Pavel, Franz, Kevin first time; apologizes from Carlos Minutes Presentations: 15 minutes per presentation 16:00 h: What next.. 17:00 h end meeting

308 views • 7 slides
Day 3 ! " 5 slide synopsis of last lecture A: Sequence + structure " Covariance Models

Day 3 ! " 5 slide synopsis of last lecture A: Sequence + structure " Covariance Models

Day 3 ! " 5 slide synopsis of last lecture A: Sequence + structure " Covariance Models (CMs) represent conserved RNA sequence/structure motifs " B: the CM guide tree " They allow accurate search " C: probabilities

393 views • 10 slides
Markov Decision Processes: Biosens II E. Jrgensen & Lars R. Nielsen Department of Genetics

Markov Decision Processes: Biosens II E. Jrgensen & Lars R. Nielsen Department of Genetics

Markov Decision Processes: Biosens II E. Jrgensen & Lars R. Nielsen Department of Genetics and Biotechnology Faculty of Agricultural Sciences, University of rhus 10/10 2008 Background: Markov Decision Processes Background: Biosens

334 views • 12 slides
Introduction to the Dictionary of Medieval Names from European Sources Dr. Sara L. Uckelman

Introduction to the Dictionary of Medieval Names from European Sources Dr. Sara L. Uckelman

Introduction to the Dictionary of Medieval Names from European Sources Dr. Sara L. Uckelman eic@dmnes.org @SaraLUckelman , @theDMNES 29 Aug 2017 Dr. Sara L. Uckelman Intro to The DMNES 29 Aug 2017 1 / 15 What? A Dictionary of given names

721 views • 16 slides
Digital Humanities and Big Data: Introduction to the Dictionary of Medieval Names from European

Digital Humanities and Big Data: Introduction to the Dictionary of Medieval Names from European

Digital Humanities and Big Data: Introduction to the Dictionary of Medieval Names from European Sources Dr. Sara L. Uckelman IMEMS/Philosophy, Durham University s.l.uckelman@durham.ac.uk @SaraLUckelman , @theDMNES 9 May 2018 Innovative

953 views • 15 slides
Definition Definition A lattice-ordered pregroup , or just -pregroup , is a structure of

Definition Definition A lattice-ordered pregroup , or just -pregroup , is a structure of

Distributive -Pregroups R. Ball, N. Galatos, and P. Jipsen 5 August 2013 Definition Definition A lattice-ordered pregroup , or just -pregroup , is a structure of the form L , , 1, l , r , , , , where L ,

1.19k views • 86 slides
Gone, But Not Forgotten: The Current State of Private Computing Aseem Rastogi Jun Yuan Rob

Gone, But Not Forgotten: The Current State of Private Computing Aseem Rastogi Jun Yuan Rob

Gone, But Not Forgotten: The Current State of Private Computing Aseem Rastogi Jun Yuan Rob Johnson University of Maryland, College Park Stony Brook University Web browser private mode Web browser private mode Why is the

399 views • 28 slides

More recommend