Towards Application Security on Untrusted Operating Systems Dan R. - - PowerPoint PPT Presentation

towards application security on untrusted operating
SMART_READER_LITE
LIVE PREVIEW

Towards Application Security on Untrusted Operating Systems Dan R. - - PowerPoint PPT Presentation

Feb 21, 2023 458 likes •723 views

Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT CSAIL & VMware VMware Motivation Many applications handle sensitive data financial, medical, insurance, military... credit cards, medical

slide-1
SLIDE 1

Towards Application Security on Untrusted Operating Systems

Dan R. K. Ports MIT CSAIL & VMware Tal Garfinkel VMware

slide-2
SLIDE 2

Many applications handle sensitive data

financial, medical, insurance, military... credit cards, medical records, corporate IP...

...but run on commodity operating systems Complexity leads to poor assurance!

Motivation

slide-3
SLIDE 3

Large TCB Sizes

Hardware OS App App App Other Apps

Theory: few small trusted parts; can be assumed correct

slide-4
SLIDE 4

Large TCB Sizes

Hardware OS App App App Other Apps

Theory: few small trusted parts; can be assumed correct

Reality: OS has many trusted parts:

  • kernel
  • device drivers
  • system daemons
  • anything running as root
slide-5
SLIDE 5

This is a problem.

slide-6
SLIDE 6

This is a problem.

(and it’s not likely to solve itself)

slide-7
SLIDE 7

Defense in Depth Approach

slide-8
SLIDE 8

Defense in Depth Approach

Continue to use existing OS components, without fully trusting them Add security layer to protect sensitive data even if OS is compromised

slide-9
SLIDE 9

Defense in Depth Approach

Continue to use existing OS components, without fully trusting them Add security layer to protect sensitive data even if OS is compromised Desired security property: apps always behave normally

even if the OS behaves maliciously

slide-10
SLIDE 10

Defense in Depth Approach

Continue to use existing OS components, without fully trusting them Add security layer to protect sensitive data even if OS is compromised Desired security property: apps always behave normally

even if the OS behaves maliciously

(or fail-stop)

slide-11
SLIDE 11

Problem: OS solely responsible for CPU / memory resource management

➡ can access application memory & control application execution

Solution: isolated execution environment

➡ give app memory that OS can’t access

slide-12
SLIDE 12

Is CPU & memory isolation enough to run apps securely on an untrusted OS?

slide-13
SLIDE 13

Is CPU & memory isolation enough to run apps securely on an untrusted OS? No!

Apps still explicitly rely on OS services, so semantic-level attacks are possible.

slide-14
SLIDE 14

Background: Isolation Architectures

Legacy OS App App App Other Apps

slide-15
SLIDE 15

Background: Isolation Architectures

Legacy OS App App App Other Apps Microkernel Trusted Services Legacy OS

Isolation can be enforced via:

  • microkernel

processes (e.g. Nizza / L4)

slide-16
SLIDE 16

Background: Isolation Architectures

Legacy OS App App App Other Apps Legacy OS Private OS VMM

Isolation can be enforced via:

  • microkernel

processes (e.g. Nizza / L4)

  • separate VMs

(e.g. Proxos, NGSCB)

slide-17
SLIDE 17

Background: Isolation Architectures

Legacy OS App App App Other Apps Legacy OS Crypto processor / VMM

Isolation can be enforced via:

  • microkernel

processes (e.g. Nizza / L4)

  • separate VMs

(e.g. Proxos, NGSCB)

  • encrypted

application state (e.g. XOM, Overshadow)

slide-18
SLIDE 18

Isolation Properties

  • secrecy: resources can’t be read by the OS
  • integrity: resources can’t be modified

(without being detected)

  • secure control transfer: OS can’t affect

control flow, except via syscalls/signals No defense against semantic attacks!

slide-19
SLIDE 19

Malicious OS Example

acquire_lock(l); isEncrypted = true; encrypt(data); release_lock(l); acquire_lock(l); if (isEncrypted) { sendToNet(data); } release_lock(l);

Thread 1 Thread 2 OS grants lock to both threads, introducing a new race condition!

slide-20
SLIDE 20

More OS Misbehavior

A malicious OS could:

  • read or modify file contents
  • even if encrypted, swap two files
  • snoop on keyboard/display I/O
  • change system clock (break time-based auth)
  • control /dev/random (break crypto)

(more examples & solutions in paper)

slide-21
SLIDE 21

Towards Application Security

Ensure that system call results are valid (safety properties only; no availability) Three approaches:

  • verify correctness of system call results
  • emulate system call in trusted layer
  • disallow system call / “use at own risk”
slide-22
SLIDE 22

Verifying Mutexes

Create “lock-held?” flag in shared memory

  • update after lock acquired & before released
  • when acquiring lock, check if already held

by another thread Isn’t this just re-implementing locking? No — OS still handles scheduling, fairness, etc.

slide-23
SLIDE 23

Verifying the File System

Similar to other FSes with untrusted storage (e.g. VPFS, TDB, Sirius) Approach:

  • encrypt and hash file contents
  • store file hashes, metadata in a hash tree
  • need to protect directory structure too!
slide-24
SLIDE 24

Emulating System Calls

  • Clock/randomness: implement in VMM;

transform system calls to hypercalls

  • IPC: use trusted layer to send message content;

use OS signals for message notification

slide-25
SLIDE 25

Conclusion

Isolation is only the first step to protecting applications from a malicious OS Need to carefully consider implications of malicious behavior by “untrusted” components Verifying correct behavior often simpler than implementing it, so allows smaller TCB