InkTag: secure applications on an untrusted operating system

InkTag is a virtualization-based architecture that gives strong safety guarantees to high-assurance processes even in the presence of a malicious operating system. InkTag advances the state of the art in untrusted operating systems in both the design of its hypervisor and in the ability to run useful applications without trusting the operating system. We introduce paraverification, a technique that simplifies the InkTag hypervisor by forcing the untrusted operating system to participate in its own verification. Attribute-based access control allows trusted applications to create decentralized access control policies. InkTag is also the first system of its kind to ensure consistency between secure data and metadata, ensuring recoverability in the face of system crashes.

[1]  Arati Baliga,et al.  Automatic Inference and Enforcement of Kernel Data Structure Invariants , 2008, 2008 Annual Computer Security Applications Conference (ACSAC).

[2]  Tal Garfinkel,et al.  Towards Application Security on Untrusted Operating Systems , 2008, HotSec.

[3]  Brian D. Noble,et al.  When Virtual Is Better Than Real , 2001 .

[4]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[5]  Wenke Lee,et al.  Secure and Flexible Monitoring of Virtual Machines , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[6]  Haibo Chen,et al.  CloudVisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization , 2011, SOSP.

[7]  Воробьев Антон Александрович Анализ уязвимостей вычислительных систем на основе алгебраических структур и потоков данных National Vulnerability Database , 2013 .

[8]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[9]  John L. Henning SPEC CPU2006 benchmark descriptions , 2006, CARN.

[10]  Martim Carbone Semantic view re-creation for the secure monitoring of virtual machines , 2012 .

[11]  David Lie,et al.  Splitting interfaces: making trust between applications and operating systems configurable , 2006, OSDI '06.

[12]  Roberto Tamassia,et al.  A Role and Attribute Based Access Control System Using Semantic Web Technologies , 2007, OTM Workshops.

[13]  Hovav Shacham,et al.  Iago attacks: why the system call API is a bad untrusted RPC interface , 2013, ASPLOS '13.

[14]  Massimo Bernaschi,et al.  Remus: a security-enhanced operating system , 2002, TSEC.

[15]  Nickolai Zeldovich,et al.  Making Linux Protection Mechanisms Egalitarian with UserFS , 2010, USENIX Security Symposium.

[16]  Adrian Perrig,et al.  SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes , 2007, SOSP.

[17]  Jason Nieh,et al.  Apiary: Easy-to-Use Desktop Application Fault Containment on Commodity Operating Systems , 2010, USENIX Annual Technical Conference.

[18]  Yoshiyasu Takefuji,et al.  Towards a tamper-resistant kernel rootkit detector , 2007, SAC '07.

[19]  Adrian Perrig,et al.  TrustVisor: Efficient TCB Reduction and Attestation , 2010, 2010 IEEE Symposium on Security and Privacy.

[20]  Xuxian Jiang,et al.  Towards a VMM-based usage control framework for OS kernel integrity protection , 2007, SACMAT '07.

[21]  Andrea C. Arpaci-Dusseau,et al.  Antfarm: Tracking Processes in a Virtual Machine Environment , 2006, USENIX Annual Technical Conference, General Track.

[22]  Emmett Witchel,et al.  Ensuring operating system kernel integrity with OSck , 2011, ASPLOS XVI.

[23]  Anurag Acharya,et al.  MAPbox: Using Parameterized Behavior Classes to Confine Untrusted Applications , 2000, USENIX Security Symposium.

[24]  Neha Narula,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, IEEE Symposium on Security and Privacy.

[25]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008, RFC.

[26]  Kang G. Shin,et al.  Using hypervisor to provide data secrecy for user applications on a per-page basis , 2008, VEE '08.

[27]  Xuxian Jiang,et al.  Defeating Dynamic Data Kernel Rootkit Attacks via VMM-Based Guest-Transparent Monitoring , 2009, 2009 International Conference on Availability, Reliability and Security.

[28]  Dongyan Xu,et al.  LiveDM : Temporal Mapping of Dynamic Kernel Memory for Dynamic Kernel Malware Analysis and Debugging , 2009 .

[29]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[30]  Michael K. Reiter,et al.  Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.

[31]  Xuxian Jiang,et al.  Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction , 2007, CCS '07.

[32]  Jonathan M. McCune,et al.  Memoir: Practical State Continuity for Protected Modules , 2011, 2011 IEEE Symposium on Security and Privacy.

[33]  A. Acharya,et al.  MAPbox: Using Parameterized Behavior Classes to Confine Applications , 1999 .

[34]  Xuxian Jiang,et al.  Countering kernel rootkits with lightweight hook protection , 2009, CCS.

[35]  Felix C. Freiling,et al.  Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms , 2009, USENIX Security Symposium.

[36]  Timothy Fraser,et al.  Hardening COTS software with generic software wrappers , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[37]  Xiaoxin Chen,et al.  Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems , 2008, ASPLOS.

[38]  J. Aaron Pendergrass,et al.  Linux kernel integrity measurement using contextual inspection , 2007, STC '07.

[39]  Mark Horowitz,et al.  Implementing an untrusted operating system on trusted hardware , 2003, SOSP '03.

[40]  Jon Howell,et al.  Leveraging Legacy Code to Deploy Desktop Applications on the Web , 2008, OSDI.

[41]  Tal Garfinkel,et al.  Terra: a virtual machine-based platform for trusted computing , 2003, SOSP '03.

[42]  Jonathon T. Giffin,et al.  2011 IEEE Symposium on Security and Privacy Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection , 2022 .

[43]  R. Sekar,et al.  User-Level Infrastructure for System Call Interposition: A Platform for Intrusion Detection and Confinement , 2000, NDSS.

[44]  Rakesh Bobba,et al.  Using Attribute-Based Access Control to Enable Attribute-Based Messaging , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[45]  Carl Staelin,et al.  lmbench: Portable Tools for Performance Analysis , 1996, USENIX Annual Technical Conference.

[46]  William A. Arbaugh,et al.  VICI Virtual Machine Introspection for Cognitive Immunity , 2008, 2008 Annual Computer Security Applications Conference (ACSAC).

[47]  Niels Provos,et al.  Improving Host Security with System Call Policies , 2003, USENIX Security Symposium.