towards application security on untrusted operating
play

Towards Application Security on Untrusted Operating Systems Dan R. - PowerPoint PPT Presentation

Feb 21, 2023 •458 likes •712 views

Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT CSAIL & VMware VMware Motivation Many applications handle sensitive data financial, medical, insurance, military... credit cards, medical

  1. Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT CSAIL & VMware VMware

  2. Motivation Many applications handle sensitive data financial, medical, insurance, military... credit cards, medical records, corporate IP... ...but run on commodity operating systems Complexity leads to poor assurance!

  3. Large TCB Sizes Theory: Other App App few small trusted parts; App Apps can be assumed correct OS Hardware

  4. Large TCB Sizes Theory: Other App App few small trusted parts; App Apps can be assumed correct Reality: OS has many trusted parts: OS - kernel - device drivers - system daemons - anything running as root Hardware

  5. This is a problem.

  6. This is a problem. (and it’s not likely to solve itself)

  7. Defense in Depth Approach

  8. Defense in Depth Approach Continue to use existing OS components, without fully trusting them Add security layer to protect sensitive data even if OS is compromised

  9. Defense in Depth Approach Continue to use existing OS components, without fully trusting them Add security layer to protect sensitive data even if OS is compromised Desired security property: apps always behave normally even if the OS behaves maliciously

  10. Defense in Depth Approach Continue to use existing OS components, without fully trusting them Add security layer to protect sensitive data even if OS is compromised Desired security property: apps always behave normally (or fail-stop) even if the OS behaves maliciously

  11. Problem: OS solely responsible for CPU / memory resource management ➡ can access application memory & control application execution Solution: isolated execution environment ➡ give app memory that OS can’t access

  12. Is CPU & memory isolation enough to run apps securely on an untrusted OS?

  13. Is CPU & memory an untrusted OS? No! isolation enough to run apps securely on Apps still explicitly rely on OS services, so semantic-level attacks are possible.

  14. Background: Isolation Architectures Other App App App Apps Legacy OS

  15. Background: Isolation Architectures Isolation can be enforced via: Other App App Apps • microkernel processes ( e.g. Nizza / L4) Legacy OS Legacy OS App Trusted Services Microkernel

  16. Background: Isolation Architectures Isolation can be enforced via: Other App App App Apps • microkernel processes ( e.g. Nizza / L4) • separate VMs Private Legacy OS Legacy OS ( e.g. Proxos, OS NGSCB) VMM

  17. Background: Isolation Architectures Isolation can be enforced via: Other App App App Apps • microkernel processes ( e.g. Nizza / L4) • separate VMs Legacy OS Legacy OS ( e.g. Proxos, NGSCB) • encrypted application state Crypto ( e.g. XOM, processor / VMM Overshadow)

  18. Isolation Properties • secrecy: resources can’t be read by the OS • integrity: resources can’t be modified (without being detected) • secure control transfer: OS can’t affect control flow, except via syscalls/signals No defense against semantic attacks!

  19. Malicious OS Example Thread 1 Thread 2 acquire_lock(l); acquire_lock(l); isEncrypted = true; if (isEncrypted) { encrypt(data); sendToNet(data); release_lock(l); } release_lock(l); OS grants lock to both threads, introducing a new race condition!

  20. More OS Misbehavior A malicious OS could: • read or modify file contents • even if encrypted, swap two files • snoop on keyboard/display I/O • change system clock (break time-based auth) • control /dev/random (break crypto) (more examples & solutions in paper)

  21. Towards Application Security Ensure that system call results are valid (safety properties only; no availability) Three approaches: • verify correctness of system call results • emulate system call in trusted layer • disallow system call / “use at own risk”

  22. Verifying Mutexes Create “lock-held?” flag in shared memory • update after lock acquired & before released • when acquiring lock, check if already held by another thread Isn’t this just re-implementing locking? No — OS still handles scheduling, fairness, etc.

  23. Verifying the File System Similar to other FSes with untrusted storage ( e.g. VPFS, TDB, Sirius) Approach: • encrypt and hash file contents • store file hashes, metadata in a hash tree • need to protect directory structure too!

  24. Emulating System Calls • Clock/randomness : implement in VMM; transform system calls to hypercalls • IPC : use trusted layer to send message content; use OS signals for message notification

  25. Conclusion Isolation is only the first step to protecting applications from a malicious OS Need to carefully consider implications of malicious behavior by “untrusted” components Verifying correct behavior often simpler than implementing it, so allows smaller TCB

Recommend

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules or library untrusted

797 views • 46 slides
Deserialization of untrusted data in Java Analysis, current solutions & a new approach

Deserialization of untrusted data in Java Analysis, current solutions & a new approach

Deserialization of untrusted data in Java Analysis, current solutions & a new approach Apostolos Giannakidis OWASP London Meetup @apgiannakidis 18th May 2017 1 Whois Security Architect at Waratek Application security

587 views • 46 slides
Haven Shielding applications from an untrusted cloud Andrew Baumann Marcus Peinado Galen Hunt

Haven Shielding applications from an untrusted cloud Andrew Baumann Marcus Peinado Galen Hunt

Haven Shielding applications from an untrusted cloud Andrew Baumann Marcus Peinado Galen Hunt Microsoft Research In the old days Application Operating system 2 In the old days Application Operating system 2 In the old days

631 views • 34 slides
NIZKs with an untrusted CRS: Security in the face of parameter subversion Mihir Bellare

NIZKs with an untrusted CRS: Security in the face of parameter subversion Mihir Bellare

NIZKs with an untrusted CRS: Security in the face of parameter subversion Mihir Bellare Alessandra Scafuro Georg Fuchsbauer Asiacrypt 2016 Motivation 2013 compromised security not covered by standard model here: parameter

576 views • 43 slides
Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day David Harper Practice Principal Fortify on Demand #MicroFocusCyberSummit Agenda The Application Security Problem Security Gate Secure DevOps

37.39k views • 30 slides
InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas

InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas

InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas at Austin by: Owen S. Hofmann, Kim Sangmann, Alan M. Dunn, Michael Z. Lee, and Emmett Witchel Presented by: Kyle May and Carson Boden Outline

680 views • 26 slides
Computer Security environment, without compromising functionality or security? Three parts

Computer Security environment, without compromising functionality or security? Three parts

9/7/2013 Some topics Im working on Computing on encrypted data Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript Third party web tracking and other web security stories Practical web security

572 views • 21 slides
InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan

InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan

InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin You trust your OS... should you? The OS is the software root of trust on most systems The OS is a

1.06k views • 79 slides
Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

5/18/2016 Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B. Authentication 12C. Authorization Security and Privacy 12D. Trust 12E. At-Rest Encryption Mark Kampe (markk@cs.ucla.edu) Security and Privacy

116 views • 8 slides
Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1 Spring 2015 Outline Basic concepts in computer security Design principles for security Important security tools for operating systems

844 views • 56 slides
Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1 Fall 2015 Outline Basic concepts in computer security Design principles for security Important security tools for operating systems

1.15k views • 64 slides
Security in an Operating System Operating systems need to protect against two types of security

Security in an Operating System Operating systems need to protect against two types of security

H Security Security in an Operating System Operating systems need to protect against two types of security violations: Accidental security violations, e.g.: a program accidentally overwrites a file; a user issues rm -rf *,

6.18k views • 28 slides
Flexible Containment for Executing Untrusted Code Darrell Hyatt Introduction Standard

Flexible Containment for Executing Untrusted Code Darrell Hyatt Introduction Standard

Flexible Containment for Executing Untrusted Code Darrell Hyatt Introduction Standard security model is insufficient for security- critical applications Result sandboxing (among other things) Tailoring of policies to programs

221 views • 11 slides
Secure Coding Patterns @andhallberg TrueSec Trust Domain-Driven Security The Untrusted Pa7ern

Secure Coding Patterns @andhallberg TrueSec Trust Domain-Driven Security The Untrusted Pa7ern

Secure Coding Patterns @andhallberg TrueSec Trust Domain-Driven Security The Untrusted Pa7ern Immutability The Inverse Life Coach Pa7ern Trust The founda>on of so?ware security 1. Hello! Im Businessman Bob! 2. Hello! Im the bank!

877 views • 69 slides
Secure Coding Patterns Andreas Hallberg, TrueSec Trust Domain-Driven Security The Untrusted

Secure Coding Patterns Andreas Hallberg, TrueSec Trust Domain-Driven Security The Untrusted

Secure Coding Patterns Andreas Hallberg, TrueSec Trust Domain-Driven Security The Untrusted Pattern Immutability The Inverse Life Coach Pattern Trust The foundation of software security 1. Hello! Im Businessman Bob! 2. Hello! Im the

666 views • 66 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: http://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

981 views • 10 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: https://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

1.31k views • 11 slides
Hardening Application Security using Intel SGX Max Plauth, Frederik T eschke, Daniel Richter,

Hardening Application Security using Intel SGX Max Plauth, Frederik T eschke, Daniel Richter,

Hardening Application Security using Intel SGX Max Plauth, Frederik T eschke, Daniel Richter, and Andreas Polze Operating Systems & Middleware Group Hasso Plattner Institute at University of Potsdam, Germany Motivation data security:

423 views • 31 slides
Safe Loading A Foundation for Secure Execution of Untrusted Programs Mathias Payer, Tobias

Safe Loading A Foundation for Secure Execution of Untrusted Programs Mathias Payer, Tobias

Safe Loading A Foundation for Secure Execution of Untrusted Programs Mathias Payer, Tobias Hartmann, Thomas R. Gross Department of Computer Science ETH Zurich, Switzerland Motivation Application code Kernel 2 Motivation Application code

483 views • 30 slides
Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

IN3210 Network Security Web Application Security Attacks on the Web Attacker Web User Application Web Database Web Server Application 2 The OWASP Foundation The Open Web Application Security Project (OWASP) is a 501(c)(3)

1.21k views • 60 slides
Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

5/18/2018 Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity of our software and systems 12B. Authentication millions of lines of code, thousands of developers rich and powerful protocols

374 views • 9 slides
Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

5/24/2017 Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity of our software and systems 12B. Authentication millions of lines of code, thousands of developers rich and powerful protocols

533 views • 14 slides
Why secure the OS? Works directly on the hardware but can be adapted during runtime Operating

Why secure the OS? Works directly on the hardware but can be adapted during runtime Operating

Why secure the OS? Works directly on the hardware but can be adapted during runtime Operating System Security Data and process are directly visible Application security can be circumvented from lower layers = > good scope

103 views • 8 slides
OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of Session: - Provide Overview Web Application Security Threats and Defense Using the Open Web Application Security Project (OWASP) Top List, we

830 views • 39 slides

More recommend