InkTag: Secure Applications on an Untrusted Operating System Paper - - PowerPoint PPT Presentation



SLIDE 1

InkTag: Secure Applications on an Untrusted Operating System

Paper from The University of Texas at Austin by Owen S. Hofmann, Sangman Kim, Alan M. Dunn, Michael Z. Lee, and Emmett Witchel
Presented by Kyle May and Carson Boden

SLIDE 2

Outline

Motivation
Prior Work
High-Level Overview
Memory Isolation
Paraverification
Access Control
Storage and Consistency
Testing and Evaluation
Conclusion

SLIDE 3

InkTag efficiently verifies untrusted OS behavior

The operating system was once the root of trust
Attacks against the OS render the whole system vulnerable
Goal: applications remain safe even on a compromised OS

SLIDE 4

Outline

Motivation
Prior Work
High-Level Overview
Memory Isolation
Paraverification
Access Control
Storage and Consistency
Testing and Evaluation
Conclusion

SLIDE 5

Previous systems only ensure isolation

High Assurance Processes (HAPs) were prohibited from using any OS resources
Programs could run, but were useless without OS services
InkTag focuses on letting HAPs interact with the OS safely

SLIDE 6

Outline

Motivation
Prior Work
High-Level Overview
Memory Isolation
Paraverification
Access Control
Storage and Consistency
Testing and Evaluation
Conclusion

SLIDE 7

InkTag gives users flexible OS access control

Resides between the OS and the hardware, as a hypervisor
Introduces paraverification, which requires the untrusted OS to take part in verifying its own behavior
Allows applications to define their own access policies
Provides crash consistency between secure metadata and the data it describes

Figure from Hofmann et al.

SLIDE 8

Outline

Motivation
Prior Work
High-Level Overview
Memory Isolation
Paraverification
Access Control
Storage and Consistency
Testing and Evaluation
Conclusion

SLIDE 9

Memory isolation protects HAPs from OS

HAPs have separate trusted and OS contexts
Files (objects) are identified by a 64-bit Object Identifier (OID)
Objects are composed of secure pages (S-pages), which are encrypted and hashed

SLIDE 10

EPT protects cleartext S-pages from OS

Extended Page Tables (EPTs) are managed by the hypervisor
Cleartext S-pages let HAPs access their own data freely
When the OS tries to access a cleartext S-page, the hypervisor intervenes

Figure from Hofmann et al.

SLIDE 11

Outline

Motivation
Prior Work
High-Level Overview
Memory Isolation
Paraverification
Access Control
Storage and Consistency
Testing and Evaluation
Conclusion

SLIDE 12

Paraverification monitors OS behavior

InkTag intercepts low-level page table updates and determines their effects
State is maintained so the effects of changes can be determined quickly
HAPs provide the OS a token that describes the requested memory mapping

SLIDE 13

Outline

Motivation
Prior Work
High-Level Overview
Memory Isolation
Paraverification
Access Control
Storage and Consistency
Testing and Evaluation
Conclusion

SLIDE 14

Decentralized access control enables HAPs to communicate

Useful access control mechanisms allow for:
Easy implementation in the hypervisor
The use of familiar primitives
Creation of new policies in a decentralized way

SLIDE 15

InkTag achieves access control with attributes

Each HAP has a string of attributes (e.g. .user.kyle)
Events like fork() and exec() allow attributes to be inherited
Each object (OID) has a list of attributes, each with its own permissions

SLIDE 16

Example: InkTag enables decentralized login

Normally, all users would have to trust the single login binary
In a decentralized system, each user can trust their own login binary
Enabled by the passing of attributes between the system admin and the user

SLIDE 17

Outline

Motivation
Prior Work
High-Level Overview
Memory Isolation
Paraverification
Access Control
Storage and Consistency
Testing and Evaluation
Conclusion

SLIDE 18

InkTag must maintain metadata for persistent security

Metadata is required to maintain the S-pages
Metadata is stored near the data it describes
Paraverification synchronizes OS actions with the secure metadata

Figure from Hofmann et al.

SLIDE 19

Outline

Motivation
Prior Work
High-Level Overview
Memory Isolation
Paraverification
Access Control
Storage and Consistency
Testing and Evaluation
Conclusion

SLIDE 20

Experiments run on extension of Linux kernel

Prototype built from the KVM hypervisor
Ran on real hardware
Benchmarked with LMBench, SPEC CPU2006, Apache, and DokuWiki

Figure from Hofmann et al.

SLIDE 21

Metadata placement decreases performance

Figure from Hofmann et al.

SLIDE 22

Application benchmarks indicate low overhead

Figure from Hofmann et al.

SLIDE 23

Outline

Motivation
Prior Work
High-Level Overview
Memory Isolation
Paraverification
Access Control
Storage and Consistency
Testing and Evaluation
Conclusion

SLIDE 24

InkTag is only impressive at a glance

The hypervisor offloads work to the OS
Low complexity and overhead mean the codebase is easy to maintain
InkTag is highly efficient, but the security it adds is relatively unknown

SLIDE 25

Discussion Points

Does this solve the problem?
Are devices considered more secure with a hypervisor?
What types of vulnerabilities does InkTag introduce?
Is the result of the InkTag implementation worthwhile?
Are the performance and complexity overheads worth the variable increase in security?

SLIDE 26

References

https://dl.acm.org/citation.cfm?id=2451146
www.cs.kent.edu/~rothstei/...13/.../AnwarAlsulaimanSecureAppsonUntrustedOS.pptx
