inktag secure applications on an untrusted operating
play

InkTag: Secure Applications on an Untrusted Operating System Owen - PowerPoint PPT Presentation

Jan 20, 2024 •261 likes •1.06k views

InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin You trust your OS... should you? The OS is the software root of trust on most systems The OS is a

  1. InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin

  2. You trust your OS... should you? • The OS is the software root of trust on most systems • The OS is a shared vulnerability App App App App • OS compromise infects all • The OS is a vulnerable vulnerability OS • Syscall interface a complex attack surface • ioctl() • Root often has OS-level privilege 2

  3. You trust your OS... should you? • The OS is the software root of trust on most systems • The OS is a shared vulnerability App App App App App • OS compromise infects all • The OS is a vulnerable vulnerability OS • Syscall interface a complex attack surface • ioctl() • Root often has OS-level privilege 2

  4. You trust your OS... should you? • The OS is the software root of trust on most systems • The OS is a shared vulnerability App App App App App • OS compromise infects all • The OS is a vulnerable vulnerability OS OS • Syscall interface a complex attack surface • ioctl() • Root often has OS-level privilege 2

  5. You trust your OS... should you? • The OS is the software root of trust on most systems • The OS is a shared vulnerability App App App App App App App App • OS compromise infects all • The OS is a vulnerable vulnerability OS OS • Syscall interface a complex attack surface • ioctl() • Root often has OS-level privilege 2

  6. You should trust the hypervisor • Hypervisors have become a common part of the software stack • Provide a layer of indirection App App App App under the OS • Hypervisors can be more trustworthy OS • Fewer lines of code • Thinner interface • Fewer vulnerabilities Hypervisor 3

  7. But the OS is still a problem • Users want trustworthy App App App App applications • Applications still must trust OS the OS Hypervisor 4

  8. But the OS is still a problem • Users want trustworthy App App App App applications • Applications still must trust OS OS the OS Hypervisor 4

  9. But the OS is still a problem • Users want trustworthy App App App App App App App App applications • Applications still must trust OS OS the OS Hypervisor 4

  10. Removing OS trust • Why can the kernel compromise applications? App App App App • No isolation • OS still provides all essential services OS • File I/O • Memory mapping Hypervisor 5

  11. Isolate and verify • Can the hypervisor improve this situation? • Previous systems have App App App App examined this problem • Overshadow [ASPLOS ’08] • Trusted hypervisor isolates an OS application from an untrusted kernel • Ensure that the OS follows its Hypervisor contract with the application 6

  12. Verifying OS behavior 1. Application asks OS to update high-level state App • V = mmap(NULL, ..., F, offset); • Application expects pages from file F page table at address V 2. OS updates low-level state • Immediately • On-demand (e.g. paging) 3. Do OS updates match application OS requests? • Did the OS map a frame containing data from F at the correct offset? Hypervisor 7

  13. Verifying OS behavior 1. Application asks OS to update high-level state App • V = mmap(NULL, ..., F, offset); • Application expects pages from file F mmap() page table at address V 2. OS updates low-level state • Immediately 0x7FFCB... • On-demand (e.g. paging) 3. Do OS updates match application OS requests? • Did the OS map a frame containing data from F at the correct offset? Hypervisor 7

  14. Verifying OS behavior 1. Application asks OS to update high-level state App • V = mmap(file=F, offset=O); • Application expects pages from file F mmap() page table at address V 2. OS updates low-level state • Immediately 0x7FFCB... • On-demand (e.g. paging) 3. Do OS updates match application OS requests? • Did the OS map a frame containing data from F at the correct offset? Hypervisor 8

  15. Verifying OS behavior 1. Application asks OS to update high-level state App • V = mmap(file=F, offset=O); • Application expects pages from file F page table at address V 2. OS updates low-level state • Immediately • On-demand (e.g. paging) 3. Do OS updates match application OS requests? • Did the OS map a frame containing data from F at the correct offset? Hypervisor 9

  16. Verifying OS behavior 1. Application asks OS to update high-level state App • V = mmap(file=F, offset=O); • Application expects pages from file F page table page fault at address V 2. OS updates low-level state • Immediately • On-demand (e.g. paging) 3. Do OS updates match application OS requests? • Did the OS map a frame containing data from F at the correct offset? Hypervisor 9

  17. Verifying OS behavior 1. Application asks OS to update high-level state App • V = mmap(file=F, offset=O); • Application expects pages from file F page table page fault at address V 2. OS updates low-level state • Immediately set_pte() • On-demand (e.g. paging) 3. Do OS updates match application OS requests? • Did the OS map a frame containing data from F at the correct offset? Hypervisor 9

  18. Verifying OS behavior 1. Application asks OS to update high-level state App • V = mmap(file=F, offset=O); • Application expects pages from file F page table page fault at address V 2. OS updates low-level state • Immediately • On-demand (e.g. paging) 3. Do OS updates match application OS requests? • Did the OS map a frame containing data from F at the correct offset? Hypervisor 9

  19. Verifying OS behavior 1. Application asks OS to update high-level state App • V = mmap(file=F, offset=O); • Application expects pages from file F page table page fault at address V 2. OS updates low-level state • Immediately • On-demand (e.g. paging) 3. Do OS updates match application OS requests? • Did the OS map a frame containing data from F at the correct offset? Hypervisor 10

  20. Verifying OS behavior • Application and hypervisor App communicate • Synchronize on high-level page table application state • Hypervisor interposes on low-level updates • Validate updates against expected state • Hypervisor requires deep OS visibility into OS, application (semantic gap) Hypervisor 11

  21. Verifying OS behavior • Application and hypervisor App communicate • Synchronize on high-level page table application state • Hypervisor interposes on low-level updates set_pte() • Validate updates against expected state • Hypervisor requires deep OS visibility into OS, application (semantic gap) Hypervisor 11

  22. • InkTag: secure applications on an untrusted OS • Paraverification: require active participation from the untrusted OS for simpler, more efficient hypervisor design 12

  23. InkTag security guarantees • Control flow integrity • OS cannot change program counter, registers • Address space integrity • OS cannot read or modify application data • File I/O • Applications access the desired files • Privacy and integrity for file data • Built on address space integrity • Process control • Applications can fork(), exec() • Access control and naming • Applications can define access control policies, use string filenames • Consistency • OS-managed data and hypervisor-managed metadata remain in sync 13

  24. InkTag security guarantees • Control flow integrity • OS cannot change program counter, registers • Address space integrity • OS cannot read or modify application data • File I/O • Applications access the desired files • Privacy and integrity for file data • Built on address space integrity • Process control • Applications can fork(), exec() • Access control and naming • Applications can define access control policies, use string filenames • Consistency • OS-managed data and hypervisor-managed metadata remain in sync 14

  25. InkTag security guarantees • Control flow integrity • OS cannot change program counter, registers • Address space integrity • OS cannot read or modify application data • File I/O • Applications access the desired files • Privacy and integrity for file data • Built on address space integrity • Process control • Applications can fork(), exec() • Access control and naming • Applications can define access control policies, use string filenames • Consistency • OS-managed data and hypervisor-managed metadata remain in sync 15

  26. InkTag security guarantees • Control flow integrity • OS cannot change program counter, registers • Address space integrity • OS cannot read or modify application data • File I/O • Applications access the desired files • Privacy and integrity for file data • Basic memory isolation mechanisms • Built on address space integrity • Challenges: why is this difficult? • Process control • • Paraverification: how can the untrusted OS help? Applications can fork(), exec() • Access control and naming • Applications can define access control policies, use string filenames • Consistency • OS-managed data and hypervisor-managed metadata remain in sync 16

Recommend

InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas

InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas

InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas at Austin by: Owen S. Hofmann, Kim Sangmann, Alan M. Dunn, Michael Z. Lee, and Emmett Witchel Presented by: Kyle May and Carson Boden Outline

680 views • 26 slides
jVPFS: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components

jVPFS: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components

Department of Computer Science Institute of Systems Architecture, Operating Systems Group jVPFS: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components Carsten Weinhold, Hermann Hrtig INTRODUCTION

429 views • 21 slides
Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT

Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT

Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT CSAIL & VMware VMware Motivation Many applications handle sensitive data financial, medical, insurance, military... credit cards, medical

712 views • 25 slides
Haven Shielding applications from an untrusted cloud Andrew Baumann Marcus Peinado Galen Hunt

Haven Shielding applications from an untrusted cloud Andrew Baumann Marcus Peinado Galen Hunt

Haven Shielding applications from an untrusted cloud Andrew Baumann Marcus Peinado Galen Hunt Microsoft Research In the old days Application Operating system 2 In the old days Application Operating system 2 In the old days

631 views • 34 slides
Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work

Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work

Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work with Alessandro Chiesa Eli Ben-Sasson Daniel Genkin 1 Technion Cryptoday June 16, 2011 Motivation 3 Motivation INTEGRITY CONFIDENTIALITY

725 views • 50 slides
Plutus: scalable secure file sharing on untrusted storage Mahesh Kallahalla HP Labs Joint work

Plutus: scalable secure file sharing on untrusted storage Mahesh Kallahalla HP Labs Joint work

Plutus: scalable secure file sharing on untrusted storage Mahesh Kallahalla HP Labs Joint work with Erik Riedel (Seagate Research), Ram Swaminathan (HP Labs), Qian Wang (Penn State), Kevin Fu (MIT) March 31 2003 Why care about storage

399 views • 27 slides
Safe Loading A Foundation for Secure Execution of Untrusted Programs Mathias Payer, Tobias

Safe Loading A Foundation for Secure Execution of Untrusted Programs Mathias Payer, Tobias

Safe Loading A Foundation for Secure Execution of Untrusted Programs Mathias Payer, Tobias Hartmann, Thomas R. Gross Department of Computer Science ETH Zurich, Switzerland Motivation Application code Kernel 2 Motivation Application code

483 views • 30 slides
and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

CS 1655 / Spring 2010 Secure Data Management and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure Coding From: Secure Coding: Principles and Practices by Mark G. Graff & Kenneth R. Van Wyk

753 views • 17 slides
Secure Coding Patterns @andhallberg TrueSec Trust Domain-Driven Security The Untrusted Pa7ern

Secure Coding Patterns @andhallberg TrueSec Trust Domain-Driven Security The Untrusted Pa7ern

Secure Coding Patterns @andhallberg TrueSec Trust Domain-Driven Security The Untrusted Pa7ern Immutability The Inverse Life Coach Pa7ern Trust The founda>on of so?ware security 1. Hello! Im Businessman Bob! 2. Hello! Im the bank!

877 views • 69 slides
Secure Coding Patterns Andreas Hallberg, TrueSec Trust Domain-Driven Security The Untrusted

Secure Coding Patterns Andreas Hallberg, TrueSec Trust Domain-Driven Security The Untrusted

Secure Coding Patterns Andreas Hallberg, TrueSec Trust Domain-Driven Security The Untrusted Pattern Immutability The Inverse Life Coach Pattern Trust The foundation of software security 1. Hello! Im Businessman Bob! 2. Hello! Im the

666 views • 66 slides
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules or library untrusted

797 views • 46 slides
Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of

Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of

Networking Secure apps Aims Crypto Basics Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 26 June 2014

389 views • 26 slides
Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer

Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer

Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer Science, Stanford

1.01k views • 43 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Many acting parties on a site

867 views • 62 slides
Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian

Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian

Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian Stefan, David Terei, John Mitchell, David Mazires, and Alejandro Russo Web platforms are great ! They allow third-party developers to build apps

714 views • 54 slides
A Secure Architecture for Untrusted Web Browser Plugins Achim Weimert SECT/TU-Berlin March 18,

A Secure Architecture for Untrusted Web Browser Plugins Achim Weimert SECT/TU-Berlin March 18,

A Secure Architecture for Untrusted Web Browser Plugins Achim Weimert SECT/TU-Berlin March 18, 2011 Achim Weimert (SECT/TU-Berlin) Web Browser Plugin Architecture March 18, 2011 1 / 21 Outline Introduction 1 Design 2 3 Implementation

424 views • 24 slides
1 The OS and User Applications The OS and User Applications Overview of OS Services Overview of

1 The OS and User Applications The OS and User Applications Overview of OS Services Overview of

Operating Systems: The Big Picture Operating Systems: The Big Picture The operating system (OS) is the interface between user applications and the hardware. CPS 210: Operating Systems CPS 210: Operating Systems User Applications virtual

274 views • 4 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Modern web sites are

709 views • 57 slides
Native Client: A sandbox for portable, untrusted x86 native code Bennet Yee, David Sehr, Gregory

Native Client: A sandbox for portable, untrusted x86 native code Bennet Yee, David Sehr, Gregory

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Native Client: A sandbox for portable, untrusted x86 native code Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki

170 views • 13 slides
Secure Outsourcing of Computation Ron Rothblum MIT Outsourcing Computation Motivation: allow a

Secure Outsourcing of Computation Ron Rothblum MIT Outsourcing Computation Motivation: allow a

Secure Outsourcing of Computation Ron Rothblum MIT Outsourcing Computation Motivation: allow a computationally weak client to outsource its computation to an untrusted server. = () Main security concerns: 1. Correctness:

377 views • 4 slides
Practical Secure Two-Party Computation and Applications Lecture 3: Tools and Applications

Practical Secure Two-Party Computation and Applications Lecture 3: Tools and Applications

Practical Secure Two-Party Computation and Applications Lecture 3: Tools and Applications Estonian Winter School in Computer Science 2016 Overview of this lecture Part 2: ABY Part 3: GSHADE Special Purpose Protocols Generic Protocols

819 views • 52 slides
CPS 210: Operating Systems CPS 210: Operating Systems Operating Systems: The Big Picture

CPS 210: Operating Systems CPS 210: Operating Systems Operating Systems: The Big Picture

CPS 210: Operating Systems CPS 210: Operating Systems Operating Systems: The Big Picture Operating Systems: The Big Picture The operating system (OS) is the interface between user applications and the hardware. User Applications virtual

245 views • 24 slides
Flexible Containment for Executing Untrusted Code Darrell Hyatt Introduction Standard

Flexible Containment for Executing Untrusted Code Darrell Hyatt Introduction Standard

Flexible Containment for Executing Untrusted Code Darrell Hyatt Introduction Standard security model is insufficient for security- critical applications Result sandboxing (among other things) Tailoring of policies to programs

221 views • 11 slides
Secure Income REIT Plc 9 March 2018 www.SecureIncomeREIT.co.uk Secure Income REIT Plc is a

Secure Income REIT Plc 9 March 2018 www.SecureIncomeREIT.co.uk Secure Income REIT Plc is a

Secure Income REIT Plc 9 March 2018 www.SecureIncomeREIT.co.uk Secure Income REIT Plc is a specialist UK REIT, selectively investing in key operating real estate assets in defensive sectors that provide long term rental income with inflation

822 views • 60 slides

More recommend