InkTag: Secure Applications on an Untrusted Operating System
Paper from The University of Texas at Austin by Owen S. Hofmann, Sangman Kim, Alan M. Dunn, Michael Z. Lee, and Emmett Witchel
Presented by Kyle May and Carson Boden
Outline
- Motivation
- Prior Work
- High-Level Overview
- Memory Isolation
- Paraverification
- Access Control
- Storage and Consistency
- Testing and Evaluation
- Conclusion
InkTag efficiently verifies untrusted OS behavior
- The operating system was once the root of trust
- Attacks against the OS render the system completely vulnerable
- Goal: for applications to remain safe, even on a compromised OS
Previous systems only ensure isolation
- High Assurance Processes (HAPs) were prohibited from using any OS resources
- Programs could run, but were useless without OS intervention
- InkTag focuses on allowing HAPs to interact with the OS safely
InkTag gives users flexible OS access control
- Resides between the OS and the hardware level
- Introduces paraverification, requiring the OS to verify its own behavior
- Allows applications to define access policies
- Provides crash consistency for secure metadata
(Figure from Hofmann et al.)
Memory isolation protects HAPs from the OS
- HAPs have separate trusted and OS contexts
- Files (objects) are identified by a 64-bit Object Identifier (OID)
- Objects are composed of secure pages (S-pages), which are encrypted and hashed
EPT protects cleartext S-pages from the OS
- Extended Page Tables (EPTs) are managed by the hypervisor
- Cleartext allows HAPs to freely access their data
- When the OS tries to access a cleartext S-page, the hypervisor intervenes
(Figure from Hofmann et al.)
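The two slides above describe the memory-isolation mechanism in a few bullets. The following is an added example, not code from the InkTag paper or prototype, that models what those bullets mean: a hypervisor that keeps a key the OS never sees, seals each S-page (encrypt, then authenticate together with its OID and page index) before the OS may hold it, verifies the page on the way back, and refuses OS access to a cleartext frame that the EPT marks as HAP-owned. The cipher is HMAC-SHA256 in counter mode as a stand-in PRF for a real block cipher, the frame ownership map stands in for the EPT, and the class and field names are my own assumptions.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

PAGE_SIZE = 4096


class EptViolation(Exception):
    """The OS touched a cleartext S-page; in InkTag the hypervisor intervenes."""


class IntegrityError(Exception):
    """A sealed S-page handed back by the OS does not verify."""


@dataclass
class SPage:
    oid: int          # 64-bit object identifier of the file the page belongs to
    index: int        # page index within that object
    cleartext: bytes  # visible only to the HAP's trusted context


@dataclass
class SealedPage:
    oid: int
    index: int
    nonce: bytes
    ciphertext: bytes
    tag: bytes


class Hypervisor:
    """Toy model (assumed names): a key kept out of the OS, an EPT owner map, seal/unseal."""

    def __init__(self):
        self.key = secrets.token_bytes(32)   # never leaves the hypervisor
        self.ept = {}                        # guest frame number -> "hap" or "os"

    # EPT: the OS may not read cleartext frames that belong to a HAP
    def map_frame(self, frame, owner):
        self.ept[frame] = owner

    def access(self, frame, actor):
        """Return True if `actor` may touch `frame`; raise if the OS hits a HAP frame."""
        if self.ept.get(frame) == "hap" and actor == "os":
            raise EptViolation(f"OS access to cleartext S-page in frame {frame:#x}")
        return True

    # Seal/unseal: what happens when a page leaves HAP-owned memory
    def _keystream(self, nonce, length):
        # HMAC-SHA256 in counter mode as a stand-in for a real block cipher (assumption).
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self.key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    @staticmethod
    def _header(oid, index, nonce):
        return oid.to_bytes(8, "big") + index.to_bytes(8, "big") + nonce

    def seal(self, page):
        nonce = os.urandom(16)
        ks = self._keystream(nonce, len(page.cleartext))
        ct = bytes(a ^ b for a, b in zip(page.cleartext, ks))
        # The tag binds the ciphertext to its (OID, index), so the OS cannot
        # move a valid sealed page into another object's or offset's slot.
        tag = hmac.new(self.key, self._header(page.oid, page.index, nonce) + ct, hashlib.sha256).digest()
        return SealedPage(page.oid, page.index, nonce, ct, tag)

    def unseal(self, sealed, expected_oid, expected_index):
        header = self._header(expected_oid, expected_index, sealed.nonce)
        expected = hmac.new(self.key, header + sealed.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sealed.tag):
            raise IntegrityError("S-page was modified or replayed while held by the OS")
        ks = self._keystream(sealed.nonce, len(sealed.ciphertext))
        return SPage(expected_oid, expected_index, bytes(a ^ b for a, b in zip(sealed.ciphertext, ks)))


def demo():
    """Constructed scenario: round trip, a flipped byte, a replayed slot, and an OS read."""
    hv = Hypervisor()
    page = SPage(oid=0x1122334455667788, index=3, cleartext=b"secret record".ljust(PAGE_SIZE, b"\0"))
    results = {}

    sealed = hv.seal(page)
    results["roundtrip_ok"] = hv.unseal(sealed, page.oid, page.index).cleartext == page.cleartext

    tampered = SealedPage(sealed.oid, sealed.index, sealed.nonce,
                          bytes([sealed.ciphertext[0] ^ 1]) + sealed.ciphertext[1:], sealed.tag)
    try:
        hv.unseal(tampered, page.oid, page.index)
        results["tamper_detected"] = False
    except IntegrityError:
        results["tamper_detected"] = True

    try:                                    # valid page presented at the wrong index
        hv.unseal(sealed, page.oid, 4)
        results["replay_detected"] = False
    except IntegrityError:
        results["replay_detected"] = True

    hv.map_frame(frame=0x40, owner="hap")   # cleartext frame belongs to the HAP
    results["hap_access_ok"] = hv.access(0x40, "hap")
    try:
        hv.access(0x40, "os")
        results["os_blocked"] = False
    except EptViolation:
        results["os_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from it is the binding in `seal`: hashing the page alone would let the OS substitute one validly sealed page for another, so the authentication tag must cover the page's identity (OID and index) as well as its contents.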
Paraverification monitors OS behavior
- InkTag intercepts low-level page table updates and determines their effects
- State is maintained to quickly determine the effects of changes
- HAPs provide the OS a token describing the intended memory mapping
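The slide lists the three ingredients of paraverification without showing how they fit together. The example below is added here and is not the paper's code: a HAP hands the OS a token stating which S-page (object, index) should appear at a virtual page; the hypervisor records which S-page it has placed in each physical frame (the "state maintained" bullet); and every intercepted page-table write is accepted only if the frame the OS chose really holds the S-page the token names. The `MappingToken`, `MappingVerifier` and `os_updates_pte` names are assumptions of this model.

```python
from dataclasses import dataclass, field


class ParaverificationError(Exception):
    """The OS proposed a mapping that does not realize what the HAP asked for."""


@dataclass(frozen=True)
class MappingToken:
    """Issued by a HAP: 'virtual page `vpn` must map page `index` of object `oid`'."""
    vpn: int
    oid: int
    index: int


@dataclass
class MappingVerifier:
    # Hypervisor state (assumed layout): frame -> (oid, index) of the S-page placed there
    frame_contents: dict = field(default_factory=dict)
    # Tokens the HAP handed to the OS, keyed by virtual page number
    tokens: dict = field(default_factory=dict)
    # Page-table state that has passed verification: vpn -> frame
    page_table: dict = field(default_factory=dict)

    def load_spage(self, frame, oid, index):
        """Hypervisor decrypts an S-page into a frame and remembers what is there."""
        self.frame_contents[frame] = (oid, index)

    def hap_issues_token(self, token):
        self.tokens[token.vpn] = token

    def os_updates_pte(self, vpn, frame):
        """Intercepted page-table write: accept only if it matches the HAP's token."""
        token = self.tokens.get(vpn)
        if token is None:
            raise ParaverificationError(f"OS mapped vpn {vpn:#x} without a HAP token")
        actual = self.frame_contents.get(frame)
        if actual != (token.oid, token.index):
            raise ParaverificationError(
                f"vpn {vpn:#x} -> frame {frame:#x} holds {actual}, "
                f"HAP asked for {(token.oid, token.index)}")
        self.page_table[vpn] = frame
        return True


def demo():
    """Constructed scenario: one honest update, one wrong frame, one untokened mapping."""
    hv = MappingVerifier()
    hv.load_spage(frame=0x10, oid=0xABCD, index=0)
    hv.load_spage(frame=0x11, oid=0xABCD, index=1)
    hv.load_spage(frame=0x12, oid=0xEEEE, index=0)   # a different object's page
    hv.hap_issues_token(MappingToken(vpn=0x7000, oid=0xABCD, index=0))
    hv.hap_issues_token(MappingToken(vpn=0x7001, oid=0xABCD, index=1))

    results = {"honest": hv.os_updates_pte(0x7000, 0x10)}
    for name, vpn, frame in [("wrong_frame", 0x7001, 0x12), ("no_token", 0x7002, 0x11)]:
        try:
            hv.os_updates_pte(vpn, frame)
            results[name] = "accepted"
        except ParaverificationError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Because the check is a dictionary lookup against state the hypervisor already holds, the verifier never has to walk guest page tables to work out what a write means, which is the efficiency argument the slide's second bullet is making.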
Decentralized access control enables HAPs to communicate
- Useful access control mechanisms allow for:
  - Easy implementation in the hypervisor
  - The use of familiar primitives
  - Creation of new policies in a decentralized way
InkTag achieves access control with attributes
- Each HAP has a string of attributes (e.g. .user.kyle)
- Events like fork() and exec() allow for inheritance
- Each object (OID) has a list of attributes with different permissions
Example: InkTag enables decentralized login
- Normally, all users would trust the single login binary
- In a decentralized system, each user can trust their own login binary
- Enabled by the passing of attributes between the system admin and the user
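To make the attribute model and the decentralized-login slide concrete, here is an added example (my own, not the paper's code). HAPs carry attribute strings, objects carry an ACL from attribute to permissions, fork() and exec() hand attributes down to children, and a HAP can delegate an attribute to another HAP. The delegation rule used here, that a holder of `.user` may grant `.user.kyle` but a holder of `.user.bob` may not, is an assumption made for this model, as are the `Hap`, `SecureObject` and `grant` names.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


@dataclass
class Hap:
    name: str
    attributes: frozenset = frozenset()

    def fork(self, name):
        # The child inherits the parent's attributes, as the slide says fork() allows.
        return Hap(name, self.attributes)

    def exec(self, name):
        # Modelled the same way: the new image keeps the attributes of the caller.
        return Hap(name, self.attributes)


@dataclass
class SecureObject:
    oid: int
    acl: dict = field(default_factory=dict)   # attribute -> set of permissions

    def permissions_for(self, hap):
        perms = set()
        for attr in hap.attributes:
            perms |= self.acl.get(attr, set())
        return perms

    def check(self, hap, perm):
        if perm not in self.permissions_for(hap):
            raise AccessDenied(f"{hap.name} lacks '{perm}' on OID {self.oid:#x}")
        return True


def grant(granter, target, attr):
    """Assumed hierarchical rule: a HAP may hand out an attribute only if it holds
    that attribute or one of its prefixes (".user" may grant ".user.kyle")."""
    if not any(attr == held or attr.startswith(held + ".") for held in granter.attributes):
        raise AccessDenied(f"{granter.name} cannot grant {attr}")
    target.attributes = target.attributes | {attr}
    return target


def demo():
    """Constructed scenario: the admin delegates per-user attributes to per-user login binaries."""
    admin = Hap("admin", frozenset({".user"}))
    kyle_login = Hap("kyle-login")
    bob_login = Hap("bob-login")
    grant(admin, kyle_login, ".user.kyle")   # admin passes the attribute to kyle's login binary
    grant(admin, bob_login, ".user.bob")

    # kyle's own login binary authenticates kyle and spawns a shell that inherits .user.kyle
    kyle_shell = kyle_login.fork("kyle-shell").exec("kyle-sh")
    bob_shell = bob_login.fork("bob-shell")

    kyle_home = SecureObject(oid=0x1001, acl={".user.kyle": {"read", "write"}, ".user": {"read"}})
    results = {
        "kyle_writes": kyle_home.check(kyle_shell, "write"),
        "admin_reads": kyle_home.check(admin, "read"),
    }
    try:
        kyle_home.check(bob_shell, "read")
        results["bob_reads"] = "allowed"
    except AccessDenied:
        results["bob_reads"] = "denied"
    try:
        grant(bob_login, bob_shell, ".user.kyle")   # bob cannot mint kyle's attribute
        results["bob_self_grant"] = "allowed"
    except AccessDenied:
        results["bob_self_grant"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

Nothing in the check consults a central login binary: each user's shell gets its rights from the attribute its own login binary passed down, and the only thing shared with the administrator is the delegation step.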
InkTag must maintain metadata for persistent security
- Metadata is required for the maintenance of the S-pages
- Metadata is stored near the data it describes
- Paraverification synchronizes OS actions
(Figure from Hofmann et al.)
Experiments run on an extension of the Linux kernel
- Prototype built from the KVM hypervisor
- Ran on actual hardware
- Benchmarked with LMBench, SPEC CPU2006, Apache, and DokuWiki
(Figure from Hofmann et al.)
Metadata placement decreases performance
(Figure from Hofmann et al.)
Application benchmarks indicate low overhead
(Figure from Hofmann et al.)
InkTag is only impressive at a glance
- The hypervisor offloads work to the OS
- Low complexity and overhead mean the codebase is easy to maintain
- InkTag is highly efficient, but the added security is relatively unknown
Discussion Points
- Does this solve the problem?
- Are devices considered more secure with a hypervisor?
- What type of vulnerabilities does InkTag introduce?
- Is the result of the InkTag implementation worthwhile?
- Are the performance and complexity overheads worth the variable increase in security?
References
- https://dl.acm.org/citation.cfm?id=2451146
- www.cs.kent.edu/~rothstei/...13/.../AnwarAlsulaimanSecureAppsonUntrustedOS.pptx