Sego: Pervasive Trusted Metadata for Efficiently Verified Untrusted System Services (presentation slides)


  1. Sego: Pervasive Trusted Metadata for Efficiently Verified Untrusted System Services. Youngjin Kwon, Alan Dunn, Michael Lee, Owen Hofmann, Yuanzhong Xu, Emmett Witchel

  2. Securing OS is difficult
     • Large attack surfaces: system calls, ioctl interface, 3rd-party device drivers
     [Chart: OS vulnerabilities in 2014 from the National Vulnerability Database (NVD); bars for Mac OS, iOS, Linux kernel, Windows 8.1 and Windows Server 2012 showing the number of vulnerabilities and the number of high-ranked vulnerabilities; y-axis 0 to 160]

  3. Securing OS is not enough
     • Getting root leads to control of the OS
     • Privilege escalation vulnerabilities
     • Many apps run with root permission
     [Pie chart: vulnerability distribution in 2014 from NVD; slices labelled 4%, 13% and 83%; categories Application, OS, Hardware]

  4. Protecting application from malicious OS
     • With trusted hypervisor: Overshadow (ASPLOS 2008), TrustVisor (IEEE S&P 2010), InkTag (ASPLOS 2013), Sego (ASPLOS 2016)
     • With compiler instrumentation: VirtualGhost (ASPLOS 2014)
     • With hardware (SGX) support: Haven (OSDI 2014)
     [Figure: the operating system reads or modifies application code or data]

  5. Outline
     • Previous systems
     • Sego eliminates encryption and hashing
     • Sego provides crash consistency and recovery
     • Conclusion

  6. How do previous systems work?

  7. Trust model / system overview
     • APP cooperates with hypervisor
     • Sego library interposes syscalls and issues hypercalls
     [Figure: secure APP with Sego library on top of the guest operating system, hypervisor and hardware; legend marks trusted and untrusted components]

  8-13. Hypervisor encrypts memory for secrecy (one slide built up over six animation steps)
     1. APP reads/writes memory page
     2. OS wants to swap page
     3. Hypervisor blocks OS: a) encrypts page
     4. OS swaps encrypted page
     [Figure: APP with pages A, B, C; OS; hypervisor; storage; legend: plaintext, ciphertext (drawn as 0110 1010), RAM, software]

  14-24. Hypervisor hashes memory for integrity (one slide built up over eleven animation steps)
     1. APP reads/writes memory page: a) HYP maintains metadata
     2. OS wants to swap page
     3. Hypervisor blocks OS: a) encrypts page, b) hashes page
     4. OS swaps the encrypted page
     5. APP accesses page: a) OS swaps in, b) HYP checks hash, c) HYP decrypts page
     [Figure: APP with pages A, B, C; OS; hypervisor holding metadata mA, mB, mC with hash H in hypervisor memory; storage; legend: plaintext, ciphertext, hash H, hypervisor memory, RAM, software]
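The swap path of slides 8 to 24 (encrypt and hash on swap-out, check the hash and decrypt on swap-in), as an added example that is not from the slides, the paper or the InkTag/Overshadow code. It assumes the hypervisor keeps a per-page (nonce, tag) record as its trusted metadata and, to stay within the Python standard library, stands in an HMAC-SHA256 keystream for the AES-NI GCM the talk names; class and method names are invented for the model. The scenario shows the two failure modes the hash check exists for: a page the OS altered while it was swapped out, and a stale copy of a page presented after the app changed it.

```python
"""Previous-system swap path: the hypervisor encrypts and hashes a page before the
OS may swap it out, and checks the hash and decrypts when the page comes back."""
import hashlib
import hmac
import secrets

PAGE_SIZE = 4096


class IntegrityError(Exception):
    """Raised when a swapped-in page fails the hypervisor's hash check."""


class EncryptingHypervisor:
    """Hypothetical model of the Overshadow/InkTag-style hypervisor in the slides."""

    def __init__(self):
        # Keys live in hypervisor memory; the untrusted OS never sees them.
        self.enc_key = secrets.token_bytes(32)
        self.mac_key = secrets.token_bytes(32)
        self.ram = {}       # page id -> plaintext page resident in app-visible RAM
        self.metadata = {}  # page id -> (nonce, tag): trusted metadata mA, mB, ...

    def _keystream(self, nonce, length):
        # Stand-in for AES-NI GCM (assumption of this example, not the paper's
        # cipher): a CTR-style keystream derived with HMAC-SHA256.
        out = bytearray()
        counter = 0
        while len(out) < length:
            block = nonce + counter.to_bytes(8, "big")
            out += hmac.new(self.enc_key, block, hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    @staticmethod
    def _xor(a, b):
        return bytes(x ^ y for x, y in zip(a, b))

    def app_write(self, page_id, data):
        """Step 1: the app reads/writes its page in plaintext RAM."""
        if len(data) != PAGE_SIZE:
            raise ValueError("page must be exactly PAGE_SIZE bytes")
        self.ram[page_id] = data

    def swap_out(self, page_id):
        """Steps 2-4: OS wants to swap; hypervisor encrypts and hashes the page,
        records (nonce, tag) as metadata, and hands the OS only ciphertext."""
        plaintext = self.ram.pop(page_id)
        nonce = secrets.token_bytes(16)
        ciphertext = self._xor(plaintext, self._keystream(nonce, PAGE_SIZE))
        tag = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        self.metadata[page_id] = (nonce, tag)
        return ciphertext

    def swap_in(self, page_id, ciphertext):
        """Step 5: OS swaps the page back; hypervisor checks the hash before
        decrypting, so a tampered or stale page never reaches the app."""
        nonce, tag = self.metadata[page_id]
        expected = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise IntegrityError(f"page {page_id}: hash mismatch on swap-in")
        self.ram[page_id] = self._xor(ciphertext, self._keystream(nonce, PAGE_SIZE))
        del self.metadata[page_id]
        return self.ram[page_id]


def run_scenario():
    """Exercise the path with a constructed page and a misbehaving OS."""
    hv = EncryptingHypervisor()
    page_v1 = b"A" * PAGE_SIZE            # constructed page contents, version 1
    hv.app_write("A", page_v1)

    ct_v1 = hv.swap_out("A")              # the OS only ever holds ciphertext
    results = {"os_sees_plaintext": ct_v1 == page_v1}

    # OS flips one byte of the swapped page: the hash check must reject it.
    corrupted = ct_v1[:100] + bytes([ct_v1[100] ^ 0xFF]) + ct_v1[101:]
    try:
        hv.swap_in("A", corrupted)
        results["tamper_detected"] = False
    except IntegrityError:
        results["tamper_detected"] = True

    # Honest swap-in restores the exact plaintext.
    results["restored"] = hv.swap_in("A", ct_v1) == page_v1

    # App updates the page; the OS later presents the old ciphertext instead of
    # the current one. Per-version metadata turns this into a hash mismatch.
    page_v2 = b"B" * PAGE_SIZE            # constructed page contents, version 2
    hv.app_write("A", page_v2)
    ct_v2 = hv.swap_out("A")
    try:
        hv.swap_in("A", ct_v1)
        results["stale_page_detected"] = False
    except IntegrityError:
        results["stale_page_detected"] = True
    results["restored_v2"] = hv.swap_in("A", ct_v2) == page_v2
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Every page crossing the OS boundary costs one pass of encryption plus one of hashing in each direction, which is the per-page cost slide 25 measures against IO bandwidth.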

  25. Performance cost of encryption and hashing
     • Performance of encryption and hashing: AES-NI (GCM) supported in processor, 800 MB/s to 1.2 GB/s
     • Performance of a single IO device: commodity SSD 520 MB/s; Fusion-io ioDrive 1 GB/s to 1.5 GB/s
     • IO bandwidth can overwhelm encryption bandwidth!

  26. OS memory services
     • Modern services require the OS to touch memory
       • Transparent page sharing: multiple virtual machines consume less memory; Overshadow/InkTag cannot support it
       • Memory compaction: OS defragments memory for large pages; better TLB utilization
     • We must make OS access to APP pages more efficient

  27. Sego eliminates encryption and hashing by using trusted metadata

  28-33. Replace encryption and hashing with hypercalls (one slide built up over six animation steps)
     1. APP reads/writes memory page: a) HYP maintains metadata
     2. OS is not allowed to access protected memory pages
     3. OS sends hypercall to move memory pages
     4. Hypervisor moves the memory page
     [Figure: APP with pages A, B, C; OS; Sego hypervisor holding metadata mA, mB, mC; legend: protected data, hypervisor memory, software]

  34-35. Sego persists data with metadata
     • Virtualized block device: virtual hard disk/SSD; sees/controls all I/O; buffers guest IO in host memory
     • Hypervisor storage: invisible to OS; holds trusted metadata
     [Figure: APP with pages A, B, C; OS; Sego hypervisor with IO buffer and metadata mA, mB, mC; virtualized block device; page C read from OS storage while its metadata mC sits in hypervisor storage; legend: protected data, hypervisor memory, software]
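The hypercall-mediated page movement of slides 28 to 33 and the metadata-tracked persistence of slides 34 and 35, as an added example that is not from the slides or the Sego code. It assumes the trusted metadata for a page is the pair (owning app, virtual address) and that the virtualized block device lets the hypervisor buffer every guest I/O in host memory and file the page's metadata in its own storage keyed by block; class, method and field names are invented for the model. No encryption or hashing appears anywhere: the OS is refused direct access to protected frames, and a block brought back into the wrong app's frame is caught because its metadata, which the OS cannot see or forge, does not match the app's.

```python
"""Model of Sego: the OS never touches protected pages directly. It asks the
hypervisor by hypercall to move them, and the hypervisor keeps per-page
metadata that travels with the data, in memory and through the block device."""


class AccessDenied(Exception):
    """The OS tried to touch a protected page without a hypercall."""


class MetadataMismatch(Exception):
    """Data presented to an app does not carry that app's trusted metadata."""


class SegoHypervisor:
    """Hypothetical model; the exact metadata and names are assumptions."""

    def __init__(self):
        self.frames = {}      # physical frame -> page contents (guest RAM)
        self.meta = {}        # frame -> (owner, vaddr) for protected frames (mA, mB, ...)
        self.io_buffer = {}   # block -> page contents: guest IO buffered in host memory
        self.hv_storage = {}  # block -> (owner, vaddr): trusted metadata, invisible to the OS

    # ---- application path (through the Sego library) ----
    def app_write(self, owner, vaddr, frame, data):
        """Step 1: app writes its page; hypervisor records the metadata."""
        if frame in self.meta and self.meta[frame] != (owner, vaddr):
            raise AccessDenied(f"frame {frame} belongs to another protected page")
        self.frames[frame] = data
        self.meta[frame] = (owner, vaddr)

    def app_read(self, owner, vaddr, frame):
        """App access succeeds only if the frame still carries this app's metadata."""
        if self.meta.get(frame) != (owner, vaddr):
            raise MetadataMismatch(f"frame {frame} does not hold {owner}:{hex(vaddr)}")
        return self.frames[frame]

    # ---- OS path ----
    def os_direct_access(self, frame):
        """Step 2: the OS may not read or write protected frames itself."""
        if frame in self.meta:
            raise AccessDenied(f"frame {frame} is protected")
        return self.frames.get(frame)

    def hypercall_move_page(self, src, dst):
        """Steps 3-4: OS asks; hypervisor moves contents and metadata together."""
        if src not in self.meta:
            raise AccessDenied(f"frame {src} is not a protected page")
        if dst in self.meta:
            raise AccessDenied(f"frame {dst} already holds protected data")
        self.frames[dst] = self.frames.pop(src)
        self.meta[dst] = self.meta.pop(src)

    def hypercall_swap_out(self, frame, block):
        """OS evicts a protected page to the virtualized block device: the
        hypervisor sees the I/O, buffers the data, and files the metadata."""
        if frame not in self.meta:
            raise AccessDenied(f"frame {frame} is not a protected page")
        self.io_buffer[block] = self.frames.pop(frame)
        self.hv_storage[block] = self.meta.pop(frame)

    def hypercall_swap_in(self, block, frame):
        """OS brings a block back into a frame; data and metadata return together."""
        if block not in self.hv_storage:
            raise MetadataMismatch(f"block {block} holds no protected page")
        if frame in self.meta:
            raise AccessDenied(f"frame {frame} already holds protected data")
        self.frames[frame] = self.io_buffer.pop(block)
        self.meta[frame] = self.hv_storage.pop(block)


def run_scenario():
    """Constructed scenario: two apps, an honest OS, then a substituting OS."""
    hv = SegoHypervisor()
    page = b"app1 secret" * 4           # constructed page contents of app1
    other = b"app2 secret" * 4          # constructed page contents of app2
    hv.app_write("app1", 0x1000, frame=7, data=page)
    hv.app_write("app2", 0x1000, frame=8, data=other)
    results = {}

    try:                                # OS touches a protected page directly
        hv.os_direct_access(7)
        results["direct_access_blocked"] = False
    except AccessDenied:
        results["direct_access_blocked"] = True

    hv.hypercall_move_page(7, 20)       # compaction: relocate via hypercall
    results["moved_page_intact"] = hv.app_read("app1", 0x1000, 20) == page

    hv.hypercall_swap_out(20, block=5)  # evict both pages to the block device
    hv.hypercall_swap_out(8, block=6)
    hv.hypercall_swap_in(6, frame=20)   # OS brings app2's block into app1's frame
    try:
        hv.app_read("app1", 0x1000, 20)
        results["substitution_detected"] = False
    except MetadataMismatch:
        results["substitution_detected"] = True

    hv.hypercall_swap_in(5, frame=21)   # the right block restores data and metadata
    results["round_trip_intact"] = hv.app_read("app1", 0x1000, 21) == page
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The move hypercall is what lets the OS keep running memory services such as compaction and page sharing on protected pages: the hypervisor does the copy and carries the metadata along, so the OS never needs to read the data and nothing has to be encrypted or hashed on the way.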
