Transcript Shim

Towards Application Security On Untrusted OS
Dan R. K. Ports
MIT CSAIL & VMware, Inc.
Tal Garfinkel
VMware, Inc.
Presented by Khalid Aljohani
Contents
Introduction
Isolation Architecture
Overshadow
Attacks and Mitigations:
- File System
- Inter-Process Communication (IPC)
- Process Management
- Time and Randomness
- I/O and Trusted paths
- Identity Management
Introduction
Rich functionality in commodity operating systems lead to
complexity which makes compromise inevitable.
There are many solutions that have been proposed for enhancing
security in these systems such as microkernel and virtual machine
monitors (VMM).
These solutions provide CPU and memory isolation, but
applications still rely on operating system (OS) services which
can turn malicious.
Overshadow, a virtualization-based system, was developed by the
papers’ authors and others. It protects applications in a VM from
the guest OS in that VM.
Overshadow maintains integrity and confidentiality of
applications even if the OS is completely compromised.
Isolation Architectures
Isolation architecture was proposed to decrease the impact of an
OS compromise.
A separate layer is used below the OS, between OS and CPU or
memory, in order to implement the isolation architecture.
These architectures are implemented using microkernel or VMM.
These architectures prevent applications to be modified or read
when there is an OS compromise.
Overshadow
It is a virtualization-based system that protects applications which
run inside a VM from the guest OS in that VM.
It protects applications by encrypting the application’s memory
page. Then this system saves a secure hash to protect the integrity
and confidentiality for that application.
This allows OS to manage functions, but without compromising
the application’s integrity and confidentiality. For example, the
OS can swap memory pages, but cannot read or modify the
application’s contents.
To adapt applications to this new execution environment without
any modifications to the applications or OS, a shim is added to
each application at load time.
The shim manages transition between the application and the
guest OS.
It prevents the application from directly interacting with the guest
OS.
It uses an explicit hypercall interfaces, which is a secure
communication, for interacting with VMM.
How does it
work?
Virtual Machine
Application
Shim
1
Secure
communica
tion
(Hypercall)
4
Guest OS
2
VMM
Hardware
3
Attacks and Mitigations
Applications use services which are provided by OS. OS
sometimes use its services to attack applications.
1) File System:
- One of the most important services provided by OS.
- It is strongly related to security because applications’
data and code are stored on the file system.
1.1) File Contents:
- potential attack: files are stored unprotected, so OS can
read its sensitive data.
- Proposed solution: in Overshadow, applications are
encrypted with the same key which is known only
to VMM and stored securely outside the VM.
1.2) File Metadata:
- Potential attack: OS could turn malicious by performing
a pathname lookup incorrectly to another file.
- Proposed solution: Overshadow creates a protection
metadata file that contains the hashes to verify the file.
2) Inter-Process Communication (IPC):
Its very important to secure IPC and communications
between applications.
- Potential attack: A malicious OS can spy on IPC messages
between protected applications, or a malicious OS can
tamper with, drop, delay, reorder , or spoof messages.
- Proposed solution: Overshadow uses hypercall
communications which are secure communications
between applications and the guest OS through VMM.
3) Process Management:
The OS is responsible for the management of processes,
and it manages process identities.
Potential attack: A malicious OS might try to redirect
the results of a process, the process return value or other
information, to a wrong process.
Proposed solution: Overshadow uses its own protected
table for the process’s signal handlers and hypercall to
ensure that signals are delivered to the correct process.
4) Time and Randomness:
The OS maintains the system clock, so Security-critical
applications cannot rely on it.
Potential attack: A malicious OS could speed up or
slow down the clock. That could allow it to corrupt
time-based authentication scheme.
Proposed solution: create a trusted clock in the
VMM.
5) I/O and Trusted paths:
Potential attack: An application’s input and output paths
go through the OS, so a malicious OS can observe traffic
across these paths capturing sensitive data (e.g. passwords).
Proposed solution: In order to address this problem,
Overshadow uses cryptography to create trusted paths.
6) Identity Management:
The OS manages many types of identities such as user
and group IDs and network endpoints such as IP address,
DNS names and port numbers.
Potential attack: A malicious OS could allow an attacker
act as a trusted user.
Proposed solution: To address this problem, Overshadow
uses cryptography to encrypt connections between
local and remote users
References
X. Chen, T. Garfinkel, E. C. Lewis, P. Subrahmanyam, C. A.Waldspurger, D.
Boneh, J. Dwoskin, and D. R. K. Ports. Overshadow:A virtualization-based
approach to retrofitting protection in commodity operating systems. In Proc.
ASPLOS ’08, Seattle,WA, Mar. 2008.
Towards Application Security on Untrusted Operating Systems, Dan R. K.
Ports, MIT CSAIL & Vmware and Tal Garfinkel ,VMware, Inc. San Jose, CA,
July 2008.