inktag secure applications on an untrusted operating
play

InkTag: Secure Applications on an Untrusted Operating System Owen - PowerPoint PPT Presentation

Jan 20, 2024 •261 likes •1.06k views

InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin You trust your OS... should you? The OS is the software root of trust on most systems The OS is a

  1. InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin

  2. You trust your OS... should you? • The OS is the software root of trust on most systems • The OS is a shared vulnerability App App App App • OS compromise infects all • The OS is a vulnerable vulnerability OS • Syscall interface a complex attack surface • ioctl() • Root often has OS-level privilege 2

  3. You trust your OS... should you? • The OS is the software root of trust on most systems • The OS is a shared vulnerability App App App App App • OS compromise infects all • The OS is a vulnerable vulnerability OS • Syscall interface a complex attack surface • ioctl() • Root often has OS-level privilege 2

  4. You trust your OS... should you? • The OS is the software root of trust on most systems • The OS is a shared vulnerability App App App App App • OS compromise infects all • The OS is a vulnerable vulnerability OS OS • Syscall interface a complex attack surface • ioctl() • Root often has OS-level privilege 2

  5. You trust your OS... should you? • The OS is the software root of trust on most systems • The OS is a shared vulnerability App App App App App App App App • OS compromise infects all • The OS is a vulnerable vulnerability OS OS • Syscall interface a complex attack surface • ioctl() • Root often has OS-level privilege 2

  6. You should trust the hypervisor • Hypervisors have become a common part of the software stack • Provide a layer of indirection App App App App under the OS • Hypervisors can be more trustworthy OS • Fewer lines of code • Thinner interface • Fewer vulnerabilities Hypervisor 3

  7. But the OS is still a problem • Users want trustworthy App App App App applications • Applications still must trust OS the OS Hypervisor 4

  8. But the OS is still a problem • Users want trustworthy App App App App applications • Applications still must trust OS OS the OS Hypervisor 4

  9. But the OS is still a problem • Users want trustworthy App App App App App App App App applications • Applications still must trust OS OS the OS Hypervisor 4

  10. Removing OS trust • Why can the kernel compromise applications? App App App App • No isolation • OS still provides all essential services OS • File I/O • Memory mapping Hypervisor 5

  11. Isolate and verify • Can the hypervisor improve this situation? • Previous systems have App App App App examined this problem • Overshadow [ASPLOS ’08] • Trusted hypervisor isolates an OS application from an untrusted kernel • Ensure that the OS follows its Hypervisor contract with the application 6

  12. Verifying OS behavior 1. Application asks OS to update high-level state App • V = mmap(NULL, ..., F, offset); • Application expects pages from file F page table at address V 2. OS updates low-level state • Immediately • On-demand (e.g. paging) 3. Do OS updates match application OS requests? • Did the OS map a frame containing data from F at the correct offset? Hypervisor 7

  13. Verifying OS behavior 1. Application asks OS to update high-level state App • V = mmap(NULL, ..., F, offset); • Application expects pages from file F mmap() page table at address V 2. OS updates low-level state • Immediately 0x7FFCB... • On-demand (e.g. paging) 3. Do OS updates match application OS requests? • Did the OS map a frame containing data from F at the correct offset? Hypervisor 7

  14. Verifying OS behavior 1. Application asks OS to update high-level state App • V = mmap(file=F, offset=O); • Application expects pages from file F mmap() page table at address V 2. OS updates low-level state • Immediately 0x7FFCB... • On-demand (e.g. paging) 3. Do OS updates match application OS requests? • Did the OS map a frame containing data from F at the correct offset? Hypervisor 8

  15. Verifying OS behavior 1. Application asks OS to update high-level state App • V = mmap(file=F, offset=O); • Application expects pages from file F page table at address V 2. OS updates low-level state • Immediately • On-demand (e.g. paging) 3. Do OS updates match application OS requests? • Did the OS map a frame containing data from F at the correct offset? Hypervisor 9

  16. Verifying OS behavior 1. Application asks OS to update high-level state App • V = mmap(file=F, offset=O); • Application expects pages from file F page table page fault at address V 2. OS updates low-level state • Immediately • On-demand (e.g. paging) 3. Do OS updates match application OS requests? • Did the OS map a frame containing data from F at the correct offset? Hypervisor 9

  17. Verifying OS behavior 1. Application asks OS to update high-level state App • V = mmap(file=F, offset=O); • Application expects pages from file F page table page fault at address V 2. OS updates low-level state • Immediately set_pte() • On-demand (e.g. paging) 3. Do OS updates match application OS requests? • Did the OS map a frame containing data from F at the correct offset? Hypervisor 9

  18. Verifying OS behavior 1. Application asks OS to update high-level state App • V = mmap(file=F, offset=O); • Application expects pages from file F page table page fault at address V 2. OS updates low-level state • Immediately • On-demand (e.g. paging) 3. Do OS updates match application OS requests? • Did the OS map a frame containing data from F at the correct offset? Hypervisor 9

  19. Verifying OS behavior 1. Application asks OS to update high-level state App • V = mmap(file=F, offset=O); • Application expects pages from file F page table page fault at address V 2. OS updates low-level state • Immediately • On-demand (e.g. paging) 3. Do OS updates match application OS requests? • Did the OS map a frame containing data from F at the correct offset? Hypervisor 10

  20. Verifying OS behavior • Application and hypervisor App communicate • Synchronize on high-level page table application state • Hypervisor interposes on low-level updates • Validate updates against expected state • Hypervisor requires deep OS visibility into OS, application (semantic gap) Hypervisor 11

  21. Verifying OS behavior • Application and hypervisor App communicate • Synchronize on high-level page table application state • Hypervisor interposes on low-level updates set_pte() • Validate updates against expected state • Hypervisor requires deep OS visibility into OS, application (semantic gap) Hypervisor 11

  22. • InkTag: secure applications on an untrusted OS • Paraverification: require active participation from the untrusted OS for simpler, more efficient hypervisor design 12

  23. InkTag security guarantees • Control flow integrity • OS cannot change program counter, registers • Address space integrity • OS cannot read or modify application data • File I/O • Applications access the desired files • Privacy and integrity for file data • Built on address space integrity • Process control • Applications can fork(), exec() • Access control and naming • Applications can define access control policies, use string filenames • Consistency • OS-managed data and hypervisor-managed metadata remain in sync 13

  24. InkTag security guarantees • Control flow integrity • OS cannot change program counter, registers • Address space integrity • OS cannot read or modify application data • File I/O • Applications access the desired files • Privacy and integrity for file data • Built on address space integrity • Process control • Applications can fork(), exec() • Access control and naming • Applications can define access control policies, use string filenames • Consistency • OS-managed data and hypervisor-managed metadata remain in sync 14

  25. InkTag security guarantees • Control flow integrity • OS cannot change program counter, registers • Address space integrity • OS cannot read or modify application data • File I/O • Applications access the desired files • Privacy and integrity for file data • Built on address space integrity • Process control • Applications can fork(), exec() • Access control and naming • Applications can define access control policies, use string filenames • Consistency • OS-managed data and hypervisor-managed metadata remain in sync 15

  26. InkTag security guarantees • Control flow integrity • OS cannot change program counter, registers • Address space integrity • OS cannot read or modify application data • File I/O • Applications access the desired files • Privacy and integrity for file data • Basic memory isolation mechanisms • Built on address space integrity • Challenges: why is this difficult? • Process control • • Paraverification: how can the untrusted OS help? Applications can fork(), exec() • Access control and naming • Applications can define access control policies, use string filenames • Consistency • OS-managed data and hypervisor-managed metadata remain in sync 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas

InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas

InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas at Austin by: Owen S. Hofmann, Kim Sangmann, Alan M. Dunn, Michael Z. Lee, and Emmett Witchel Presented by: Kyle May and Carson Boden Outline

680 views • 26 slides
jVPFS: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components

jVPFS: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components

Department of Computer Science Institute of Systems Architecture, Operating Systems Group jVPFS: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components Carsten Weinhold, Hermann Hrtig INTRODUCTION

429 views • 21 slides
Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT

Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT

Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT CSAIL & VMware VMware Motivation Many applications handle sensitive data financial, medical, insurance, military... credit cards, medical

712 views • 25 slides
Haven Shielding applications from an untrusted cloud Andrew Baumann Marcus Peinado Galen Hunt

Haven Shielding applications from an untrusted cloud Andrew Baumann Marcus Peinado Galen Hunt

Haven Shielding applications from an untrusted cloud Andrew Baumann Marcus Peinado Galen Hunt Microsoft Research In the old days Application Operating system 2 In the old days Application Operating system 2 In the old days

631 views • 34 slides
Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work

Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work

Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work with Alessandro Chiesa Eli Ben-Sasson Daniel Genkin 1 Technion Cryptoday June 16, 2011 Motivation 3 Motivation INTEGRITY CONFIDENTIALITY

725 views • 50 slides
Plutus: scalable secure file sharing on untrusted storage Mahesh Kallahalla HP Labs Joint work

Plutus: scalable secure file sharing on untrusted storage Mahesh Kallahalla HP Labs Joint work

Plutus: scalable secure file sharing on untrusted storage Mahesh Kallahalla HP Labs Joint work with Erik Riedel (Seagate Research), Ram Swaminathan (HP Labs), Qian Wang (Penn State), Kevin Fu (MIT) March 31 2003 Why care about storage

399 views • 27 slides
Safe Loading A Foundation for Secure Execution of Untrusted Programs Mathias Payer, Tobias

Safe Loading A Foundation for Secure Execution of Untrusted Programs Mathias Payer, Tobias

Safe Loading A Foundation for Secure Execution of Untrusted Programs Mathias Payer, Tobias Hartmann, Thomas R. Gross Department of Computer Science ETH Zurich, Switzerland Motivation Application code Kernel 2 Motivation Application code

483 views • 30 slides
and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

CS 1655 / Spring 2010 Secure Data Management and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure Coding From: Secure Coding: Principles and Practices by Mark G. Graff & Kenneth R. Van Wyk

753 views • 17 slides
Secure Coding Patterns @andhallberg TrueSec Trust Domain-Driven Security The Untrusted Pa7ern

Secure Coding Patterns @andhallberg TrueSec Trust Domain-Driven Security The Untrusted Pa7ern

Secure Coding Patterns @andhallberg TrueSec Trust Domain-Driven Security The Untrusted Pa7ern Immutability The Inverse Life Coach Pa7ern Trust The founda>on of so?ware security 1. Hello! Im Businessman Bob! 2. Hello! Im the bank!

877 views • 69 slides
Secure Coding Patterns Andreas Hallberg, TrueSec Trust Domain-Driven Security The Untrusted

Secure Coding Patterns Andreas Hallberg, TrueSec Trust Domain-Driven Security The Untrusted

Secure Coding Patterns Andreas Hallberg, TrueSec Trust Domain-Driven Security The Untrusted Pattern Immutability The Inverse Life Coach Pattern Trust The foundation of software security 1. Hello! Im Businessman Bob! 2. Hello! Im the

666 views • 66 slides
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules or library untrusted

797 views • 46 slides
Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of

Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of

Networking Secure apps Aims Crypto Basics Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 26 June 2014

389 views • 26 slides
Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer

Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer

Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer Science, Stanford

1.01k views • 43 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Many acting parties on a site

867 views • 62 slides
Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian

Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian

Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian Stefan, David Terei, John Mitchell, David Mazires, and Alejandro Russo Web platforms are great ! They allow third-party developers to build apps

714 views • 54 slides
A Secure Architecture for Untrusted Web Browser Plugins Achim Weimert SECT/TU-Berlin March 18,

A Secure Architecture for Untrusted Web Browser Plugins Achim Weimert SECT/TU-Berlin March 18,

A Secure Architecture for Untrusted Web Browser Plugins Achim Weimert SECT/TU-Berlin March 18, 2011 Achim Weimert (SECT/TU-Berlin) Web Browser Plugin Architecture March 18, 2011 1 / 21 Outline Introduction 1 Design 2 3 Implementation

424 views • 24 slides
Shared Memory OS Lecture 9 UdS/TUKL WS 2015 MPI-SWS 1 Review: Virtual Memory How is virtual

Shared Memory OS Lecture 9 UdS/TUKL WS 2015 MPI-SWS 1 Review: Virtual Memory How is virtual

Shared Memory OS Lecture 9 UdS/TUKL WS 2015 MPI-SWS 1 Review: Virtual Memory How is virtual memory realized? 1. Segmentation : linear virtual physical address translation with base & bounds registers 2. Paging : arbitrary virtual

733 views • 30 slides
Linux kernel synchronization Don Porter CSE 506 The old days Early/simple OSes (like

Linux kernel synchronization Don Porter CSE 506 The old days Early/simple OSes (like

Linux kernel synchronization Don Porter CSE 506 The old days Early/simple OSes (like JOS): No need for synchronization All kernel requests wait until completion even disk requests Heavily restrict when interrupts can be

331 views • 30 slides
Virtualizing Memory: Smaller Page TAbles Questions answered in this lecture: Review: What are

Virtualizing Memory: Smaller Page TAbles Questions answered in this lecture: Review: What are

9/27/16 UNIVERSITY of WISCONSIN-MADISON Computer Sciences Department CS 537 Andrea C. Arpaci-Dusseau Introduction to Operating Systems Remzi H. Arpaci-Dusseau Virtualizing Memory: Smaller Page TAbles Questions answered in this lecture:

366 views • 14 slides
Characterizing the Performance of Big Memory on Blue Gene Linux Kazutomo Yoshii

Characterizing the Performance of Big Memory on Blue Gene Linux Kazutomo Yoshii

Characterizing the Performance of Big Memory on Blue Gene Linux Kazutomo Yoshii Mathematics and Computer Science Division Argonne National Laboratory Kamil Iskra P. Chris Broekema (ASTRON) Harish Naik Pete Beckman ZeptoOS Project

601 views • 27 slides
DataCentre One Pte. Ltd. Extraordinary General Meeting 23 October 2019 Important Notice The

DataCentre One Pte. Ltd. Extraordinary General Meeting 23 October 2019 Important Notice The

Proposed Divestment of 51% Interest in DataCentre One Pte. Ltd. Extraordinary General Meeting 23 October 2019 Important Notice The information contained in this presentation is for information purposes only and does not constitute or form part

230 views • 6 slides
Active measurements to Root DNS servers especially from Asian countries Yuji Sekiya

Active measurements to Root DNS servers especially from Asian countries Yuji Sekiya

Active measurements to Root DNS servers especially from Asian countries Yuji Sekiya sekiya@wide.ad.jp Probing Use dnsprobe with dialup connection 1 probe 30 min Running three dnsprobe processes Probed between 25 th Feb. and

605 views • 27 slides
On a New Approach for Analyzing and Managing Macrofinancial Risks Robert C. Merton, PhD, School

On a New Approach for Analyzing and Managing Macrofinancial Risks Robert C. Merton, PhD, School

On a New Approach for Analyzing and Managing Macrofinancial Risks Robert C. Merton, PhD, School of Management Distinguished Professor of Finance, Massachusetts Institute of Technology, and Resident Scientist, Dimensional Holdings, Inc.

568 views • 22 slides
Formal Virtualization Reqs. Def: Machine State: S = <E, M, P, R> E executable

Formal Virtualization Reqs. Def: Machine State: S = <E, M, P, R> E executable

CPSC 410/611 : Operating Systems Formal Virtualization Reqs. Def: Machine State: S = <E, M, P, R> E executable storage M processor mode P program counter R relocation-bounds register Def:

361 views • 3 slides

More recommend