towards application security on untrusted operating
play

Towards Application Security on Untrusted Operating Systems Dan R. - PowerPoint PPT Presentation

Feb 21, 2023 •458 likes •712 views

Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT CSAIL & VMware VMware Motivation Many applications handle sensitive data financial, medical, insurance, military... credit cards, medical

  1. Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT CSAIL & VMware VMware

  2. Motivation Many applications handle sensitive data financial, medical, insurance, military... credit cards, medical records, corporate IP... ...but run on commodity operating systems Complexity leads to poor assurance!

  3. Large TCB Sizes Theory: Other App App few small trusted parts; App Apps can be assumed correct OS Hardware

  4. Large TCB Sizes Theory: Other App App few small trusted parts; App Apps can be assumed correct Reality: OS has many trusted parts: OS - kernel - device drivers - system daemons - anything running as root Hardware

  5. This is a problem.

  6. This is a problem. (and it’s not likely to solve itself)

  7. Defense in Depth Approach

  8. Defense in Depth Approach Continue to use existing OS components, without fully trusting them Add security layer to protect sensitive data even if OS is compromised

  9. Defense in Depth Approach Continue to use existing OS components, without fully trusting them Add security layer to protect sensitive data even if OS is compromised Desired security property: apps always behave normally even if the OS behaves maliciously

  10. Defense in Depth Approach Continue to use existing OS components, without fully trusting them Add security layer to protect sensitive data even if OS is compromised Desired security property: apps always behave normally (or fail-stop) even if the OS behaves maliciously

  11. Problem: OS solely responsible for CPU / memory resource management ➡ can access application memory & control application execution Solution: isolated execution environment ➡ give app memory that OS can’t access

  12. Is CPU & memory isolation enough to run apps securely on an untrusted OS?

  13. Is CPU & memory an untrusted OS? No! isolation enough to run apps securely on Apps still explicitly rely on OS services, so semantic-level attacks are possible.

  14. Background: Isolation Architectures Other App App App Apps Legacy OS

  15. Background: Isolation Architectures Isolation can be enforced via: Other App App Apps • microkernel processes ( e.g. Nizza / L4) Legacy OS Legacy OS App Trusted Services Microkernel

  16. Background: Isolation Architectures Isolation can be enforced via: Other App App App Apps • microkernel processes ( e.g. Nizza / L4) • separate VMs Private Legacy OS Legacy OS ( e.g. Proxos, OS NGSCB) VMM

  17. Background: Isolation Architectures Isolation can be enforced via: Other App App App Apps • microkernel processes ( e.g. Nizza / L4) • separate VMs Legacy OS Legacy OS ( e.g. Proxos, NGSCB) • encrypted application state Crypto ( e.g. XOM, processor / VMM Overshadow)

  18. Isolation Properties • secrecy: resources can’t be read by the OS • integrity: resources can’t be modified (without being detected) • secure control transfer: OS can’t affect control flow, except via syscalls/signals No defense against semantic attacks!

  19. Malicious OS Example Thread 1 Thread 2 acquire_lock(l); acquire_lock(l); isEncrypted = true; if (isEncrypted) { encrypt(data); sendToNet(data); release_lock(l); } release_lock(l); OS grants lock to both threads, introducing a new race condition!

  20. More OS Misbehavior A malicious OS could: • read or modify file contents • even if encrypted, swap two files • snoop on keyboard/display I/O • change system clock (break time-based auth) • control /dev/random (break crypto) (more examples & solutions in paper)

  21. Towards Application Security Ensure that system call results are valid (safety properties only; no availability) Three approaches: • verify correctness of system call results • emulate system call in trusted layer • disallow system call / “use at own risk”

  22. Verifying Mutexes Create “lock-held?” flag in shared memory • update after lock acquired & before released • when acquiring lock, check if already held by another thread Isn’t this just re-implementing locking? No — OS still handles scheduling, fairness, etc.

  23. Verifying the File System Similar to other FSes with untrusted storage ( e.g. VPFS, TDB, Sirius) Approach: • encrypt and hash file contents • store file hashes, metadata in a hash tree • need to protect directory structure too!

  24. Emulating System Calls • Clock/randomness : implement in VMM; transform system calls to hypercalls • IPC : use trusted layer to send message content; use OS signals for message notification

  25. Conclusion Isolation is only the first step to protecting applications from a malicious OS Need to carefully consider implications of malicious behavior by “untrusted” components Verifying correct behavior often simpler than implementing it, so allows smaller TCB

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules or library untrusted

797 views • 46 slides
Deserialization of untrusted data in Java Analysis, current solutions & a new approach

Deserialization of untrusted data in Java Analysis, current solutions & a new approach

Deserialization of untrusted data in Java Analysis, current solutions & a new approach Apostolos Giannakidis OWASP London Meetup @apgiannakidis 18th May 2017 1 Whois Security Architect at Waratek Application security

587 views • 46 slides
Haven Shielding applications from an untrusted cloud Andrew Baumann Marcus Peinado Galen Hunt

Haven Shielding applications from an untrusted cloud Andrew Baumann Marcus Peinado Galen Hunt

Haven Shielding applications from an untrusted cloud Andrew Baumann Marcus Peinado Galen Hunt Microsoft Research In the old days Application Operating system 2 In the old days Application Operating system 2 In the old days

631 views • 34 slides
NIZKs with an untrusted CRS: Security in the face of parameter subversion Mihir Bellare

NIZKs with an untrusted CRS: Security in the face of parameter subversion Mihir Bellare

NIZKs with an untrusted CRS: Security in the face of parameter subversion Mihir Bellare Alessandra Scafuro Georg Fuchsbauer Asiacrypt 2016 Motivation 2013 compromised security not covered by standard model here: parameter

576 views • 43 slides
Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day David Harper Practice Principal Fortify on Demand #MicroFocusCyberSummit Agenda The Application Security Problem Security Gate Secure DevOps

37.39k views • 30 slides
InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas

InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas

InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas at Austin by: Owen S. Hofmann, Kim Sangmann, Alan M. Dunn, Michael Z. Lee, and Emmett Witchel Presented by: Kyle May and Carson Boden Outline

680 views • 26 slides
Computer Security environment, without compromising functionality or security? Three parts

Computer Security environment, without compromising functionality or security? Three parts

9/7/2013 Some topics Im working on Computing on encrypted data Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript Third party web tracking and other web security stories Practical web security

572 views • 21 slides
InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan

InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan

InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin You trust your OS... should you? The OS is the software root of trust on most systems The OS is a

1.06k views • 79 slides
Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

5/18/2016 Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B. Authentication 12C. Authorization Security and Privacy 12D. Trust 12E. At-Rest Encryption Mark Kampe (markk@cs.ucla.edu) Security and Privacy

116 views • 8 slides
Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1 Spring 2015 Outline Basic concepts in computer security Design principles for security Important security tools for operating systems

844 views • 56 slides
Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1 Fall 2015 Outline Basic concepts in computer security Design principles for security Important security tools for operating systems

1.15k views • 64 slides
Security in an Operating System Operating systems need to protect against two types of security

Security in an Operating System Operating systems need to protect against two types of security

H Security Security in an Operating System Operating systems need to protect against two types of security violations: Accidental security violations, e.g.: a program accidentally overwrites a file; a user issues rm -rf *,

6.18k views • 28 slides
Flexible Containment for Executing Untrusted Code Darrell Hyatt Introduction Standard

Flexible Containment for Executing Untrusted Code Darrell Hyatt Introduction Standard

Flexible Containment for Executing Untrusted Code Darrell Hyatt Introduction Standard security model is insufficient for security- critical applications Result sandboxing (among other things) Tailoring of policies to programs

221 views • 11 slides
Secure Coding Patterns @andhallberg TrueSec Trust Domain-Driven Security The Untrusted Pa7ern

Secure Coding Patterns @andhallberg TrueSec Trust Domain-Driven Security The Untrusted Pa7ern

Secure Coding Patterns @andhallberg TrueSec Trust Domain-Driven Security The Untrusted Pa7ern Immutability The Inverse Life Coach Pa7ern Trust The founda>on of so?ware security 1. Hello! Im Businessman Bob! 2. Hello! Im the bank!

877 views • 69 slides
Secure Coding Patterns Andreas Hallberg, TrueSec Trust Domain-Driven Security The Untrusted

Secure Coding Patterns Andreas Hallberg, TrueSec Trust Domain-Driven Security The Untrusted

Secure Coding Patterns Andreas Hallberg, TrueSec Trust Domain-Driven Security The Untrusted Pattern Immutability The Inverse Life Coach Pattern Trust The foundation of software security 1. Hello! Im Businessman Bob! 2. Hello! Im the

666 views • 66 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: http://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

981 views • 10 slides
Parallelism and operating systems M. Frans Kaashoek MIT CSAIL With input from Eddie Kohler,

Parallelism and operating systems M. Frans Kaashoek MIT CSAIL With input from Eddie Kohler,

Parallelism and operating systems M. Frans Kaashoek MIT CSAIL With input from Eddie Kohler, Butler Lampson, Robert Morris, Jerry Saltzer, and Joel Emer 1 / 33 Parallelism is a major theme at SOSP/OSDI Real problem in practice, from day 1

476 views • 35 slides
Operating Systems Operating Systems CMPSC 473 CMPSC 473 Operating Systems Structure Operating

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Operating Systems Structure Operating

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Operating Systems Structure Operating Systems Structure January 24, 2008 - Lecture January 24, 2008 - Lecture 3 3 Instructor: Trent Jaeger Instructor: Trent Jaeger Last class:

414 views • 26 slides
Operating Systems 2016 Michael OBoyle Overview 1 How to get the most of the course Read

Operating Systems 2016 Michael OBoyle Overview 1 How to get the most of the course Read

Operating Systems 2016 Michael OBoyle Overview 1 How to get the most of the course Read ahead and use lectures to ask questions Take notes Do the coursework well. Straightforward - schedule smartly Exam questions are a mix of

216 views • 10 slides
Changelog Changes made in this version not seen in fjrst lecture: 15 January: logistics

Changelog Changes made in this version not seen in fjrst lecture: 15 January: logistics

Changelog Changes made in this version not seen in fjrst lecture: 15 January: logistics correctly note that quiz will be after this week 0 introduction / what is an OS? 1 two sections there are two sections of Operating Systems sections

1.23k views • 89 slides
CS 423 Operating System Design: Overview and Basic Concepts Professor Adam Bates Fall

CS 423 Operating System Design: Overview and Basic Concepts Professor Adam Bates Fall

CS 423 Operating System Design: Overview and Basic Concepts Professor Adam Bates Fall 2018 CS423: Operating Systems Design Goals for Today Learning Objectives: Introduce OS definition, challenges, and history Announcements:

590 views • 27 slides
Reaching puberty: How Genode is becoming a general-purpose OS Norman Feske <

Reaching puberty: How Genode is becoming a general-purpose OS Norman Feske <

Reaching puberty: How Genode is becoming a general-purpose OS Norman Feske < norman.feske@genode-labs.com > Outline 1. Background 2. Noux runtime for Unix software 3. Challenges of dynamic system composition 4. Fundamental features 5.

618 views • 42 slides
Meet the OS Software that manages a computer s resources Introduction Makes it easier to

Meet the OS Software that manages a computer s resources Introduction Makes it easier to

Meet the OS Software that manages a computer s resources Introduction Makes it easier to write the applications you want to write CS 4410 Makes you want to use the applications you wrote by running them efficiently OS wears many hats

261 views • 11 slides
Chapter 1: Introduction What is an Operating System? Mainframe Systems Desktop

Chapter 1: Introduction What is an Operating System? Mainframe Systems Desktop

Chapter 1: Introduction What is an Operating System? Mainframe Systems Desktop Systems Multiprocessor Systems Distributed Systems Clustered System Real -Time Systems Handheld Systems Computing Environments

472 views • 12 slides

More recommend