Towards Application Security on Untrusted Operating Systems
Dan R. K. Ports, MIT CSAIL & VMware, Inc.
Tal Garfinkel, VMware, Inc.
Presented by Khalid Aljohani

Contents
- Introduction
- Isolation Architectures
- Overshadow
- Attacks and Mitigations:
  - File System
  - Inter-Process Communication (IPC)
  - Process Management
  - Time and Randomness
  - I/O and Trusted Paths
  - Identity Management

Introduction
Rich functionality in commodity operating systems leads to complexity, which makes compromise inevitable. Many solutions have been proposed for enhancing security in these systems, such as microkernels and virtual machine monitors (VMMs). These solutions provide CPU and memory isolation, but applications still rely on operating system (OS) services, which can turn malicious. Overshadow, a virtualization-based system, was developed by the paper's authors and others. It protects applications in a VM from the guest OS in that VM. Overshadow maintains the integrity and confidentiality of applications even if the OS is completely compromised.

Isolation Architectures
Isolation architectures were proposed to decrease the impact of an OS compromise. A separate layer is placed below the OS, between the OS and the CPU or memory, to implement the isolation. These architectures are built using a microkernel or a VMM. They prevent an application's memory from being read or modified when the OS is compromised.

Overshadow
Overshadow is a virtualization-based system that protects applications running inside a VM from the guest OS in that VM. It protects an application by encrypting the application's memory pages whenever the OS accesses them, and it records a secure hash of each page so that both the integrity and the confidentiality of the application are protected. This allows the OS to carry out its management functions without compromising the application's integrity or confidentiality. For example, the OS can swap memory pages, but it cannot read or modify the application's contents.
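The cloaking mechanism just described, as an added example that is not code from the Overshadow project: a stand-in VMM encrypts a page with a key the guest OS never sees, records the page's hash in a table assumed to be VMM-private, and refuses to hand the page back to the application if the hash no longer matches. The class and function names are hypothetical, the page contents are constructed, and an HMAC-SHA256 counter-mode keystream stands in for the AES used by the real system.

```python
import hashlib
import hmac
import secrets

PAGE_SIZE = 64  # constructed toy page size for the demo; real pages are 4 KiB


class TamperedPage(Exception):
    """Raised when a page's hash does not match the VMM's protection metadata."""


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (a stand-in for Overshadow's AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class Vmm:
    """Cloaking logic that lives below the guest OS; key and hash table never leave it."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # known only to the VMM, held outside the VM
        self._meta = {}  # page id -> (iv, sha256(ciphertext)); the protection metadata

    def cloak(self, page_id: int, plaintext: bytes) -> bytes:
        """Guest OS is about to touch the page (e.g. swap-out): encrypt it and record its hash."""
        iv = secrets.token_bytes(16)  # fresh IV per cloaking, so re-encryptions never repeat
        ct = bytes(p ^ k for p, k in zip(plaintext, keystream(self._key, iv, len(plaintext))))
        self._meta[page_id] = (iv, hashlib.sha256(ct).digest())  # also rejects replay of old copies
        return ct  # this ciphertext is all the guest OS ever sees

    def uncloak(self, page_id: int, ciphertext: bytes) -> bytes:
        """Application regains the page: verify the hash first, then decrypt."""
        iv, expected = self._meta[page_id]
        if not hmac.compare_digest(hashlib.sha256(ciphertext).digest(), expected):
            raise TamperedPage(page_id)
        return bytes(c ^ k for c, k in zip(ciphertext, keystream(self._key, iv, len(ciphertext))))


def demo():
    """Returns (os_can_read_secret, honest_swap_round_trips, tampering_detected)."""
    vmm = Vmm()
    secret = b"session-key=0xDEADBEEF".ljust(PAGE_SIZE, b"\0")  # constructed page contents
    ct = vmm.cloak(7, secret)
    os_can_read = b"session-key" in ct          # OS inspects the swapped-out page: ciphertext only
    round_trips = vmm.uncloak(7, ct) == secret  # honest swap-in restores the page unchanged
    forged = bytearray(ct)
    forged[0] ^= 0x01                           # OS flips one bit of the page before swap-in
    try:
        vmm.uncloak(7, bytes(forged))
        detected = False
    except TamperedPage:
        detected = True
    return os_can_read, round_trips, detected
```

The same verify-then-decrypt discipline is what the protection metadata file does for file contents later in the talk; a page whose hash table entry has been overwritten by a fresh cloak also rejects an older ciphertext the OS might try to replay.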
To adapt applications to this new execution environment without modifying the applications or the OS, a shim is added to each application at load time. The shim manages transitions between the application and the guest OS and prevents the application from interacting with the guest OS directly. It uses an explicit hypercall interface, a secure communication channel, to interact with the VMM.

How does it work?
[Figure: a Virtual Machine containing the Application and its Shim; the shim communicates with the Guest OS and, over secure communication (hypercalls), with the VMM, which sits above the Hardware. The original slide numbers the steps of a transition 1 to 4.]

Attacks and Mitigations
Applications use services provided by the OS, and a malicious OS can use those same services to attack applications.

1) File System:
- One of the most important services provided by the OS.
- Strongly related to security, because applications' data and code are stored on the file system.

1.1) File Contents:
- Potential attack: files are stored unprotected, so the OS can read their sensitive data.
- Proposed solution: in Overshadow, application files are encrypted with the same key, which is known only to the VMM and stored securely outside the VM.

1.2) File Metadata:
- Potential attack: a malicious OS could perform a pathname lookup incorrectly, resolving the name to a different file.
- Proposed solution: Overshadow creates a protection metadata file that contains the hashes used to verify the file.

2) Inter-Process Communication (IPC):
It is very important to secure IPC and communication between applications.
- Potential attack: a malicious OS can spy on IPC messages between protected applications, or it can tamper with, drop, delay, reorder, or spoof messages.
- Proposed solution: Overshadow uses hypercall communication, a secure channel between applications and the guest OS that passes through the VMM.

3) Process Management:
The OS is responsible for managing processes, including process identities.
- Potential attack: a malicious OS might redirect the results of a process (its return value or other information) to the wrong process.
- Proposed solution: Overshadow keeps its own protected table of each process's signal handlers and uses hypercalls to ensure that signals are delivered to the correct process.

4) Time and Randomness:
The OS maintains the system clock, so security-critical applications cannot rely on it.
- Potential attack: a malicious OS could speed up or slow down the clock, which could allow it to corrupt a time-based authentication scheme.
- Proposed solution: create a trusted clock in the VMM.

5) I/O and Trusted Paths:
- Potential attack: an application's input and output paths go through the OS, so a malicious OS can observe traffic on these paths and capture sensitive data (e.g. passwords).
- Proposed solution: to address this problem, Overshadow uses cryptography to create trusted paths.

6) Identity Management:
The OS manages many types of identities, such as user and group IDs, and network endpoints such as IP addresses, DNS names and port numbers.
- Potential attack: a malicious OS could allow an attacker to act as a trusted user.
- Proposed solution: to address this problem, Overshadow uses cryptography to encrypt connections between local and remote users.

References
X. Chen, T. Garfinkel, E. C. Lewis, P. Subrahmanyam, C. A. Waldspurger, D. Boneh, J. Dwoskin, and D. R. K. Ports. Overshadow: A virtualization-based approach to retrofitting protection in commodity operating systems. In Proc. ASPLOS '08, Seattle, WA, Mar. 2008.
D. R. K. Ports (MIT CSAIL & VMware, Inc.) and T. Garfinkel (VMware, Inc.). Towards Application Security on Untrusted Operating Systems. San Jose, CA, July 2008.