Protecting Legacy Applications with a Purely Hardware TCB

Secure execution of applications on untrusted operating systems is a fundamental security primitive that has been challenging to achieve. In this paper, we propose a new architecture feature called PODARCH, which makes it easy to import executables on an OS without risking the target system’s security or the execution of the imported application. PODARCH can be implemented as a backwards-compatible extension to the Intel x86 ISA, and overall, offers strong compatibility with existing applications and OSes beyond those offered by several existing architectural primitives (e.g., Intel SGX). We present a complete system implementation of a PODARCH CPU, the associated toolchain and a modified Linux OS and find that the adaption effort requires 415 lines of code change to the Linux kernel. Thus, PODARCH offers a new design point in the space of architectural primitives that commodity CPU designers can consider in the emerging security extensions to their ISA.

[1]  Margo I. Seltzer,et al.  Operating system benchmarking in the wake of lmbench: a case study of the performance of NetBSD on the Intel x86 architecture , 1997, SIGMETRICS '97.

[2]  Aaron B. Brown,et al.  A Decompositional Approach to Computer System Performance Evaluation , 1997 .

[3]  Dan Boneh,et al.  Architectural support for copy and tamper resistant software , 2000, SIGP.

[4]  Tal Garfinkel,et al.  Terra: a virtual machine-based platform for trusted computing , 2003, SOSP '03.

[5]  Mark Horowitz,et al.  Implementing an untrusted operating system on trusted hardware , 2003, SOSP '03.

[6]  Hovav Shacham,et al.  SiRiUS: Securing Remote Untrusted Storage , 2003, NDSS.

[7]  Tal Garfinkel,et al.  Ostia: A Delegating Architecture for Secure System Call Interposition , 2004, NDSS.

[8]  G. Edward Suh,et al.  Design and implementation of the AEGIS single-chip secure processor using physical random functions , 2005, 32nd International Symposium on Computer Architecture (ISCA'05).

[9]  John L. Henning SPEC CPU2006 benchmark descriptions , 2006, CARN.

[10]  Helen J. Wang,et al.  SubVirt: implementing malware with virtual machines , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[11]  David Lie,et al.  Splitting interfaces: making trust between applications and operating systems configurable , 2006, OSDI '06.

[12]  Ruby B. Lee,et al.  New cache designs for thwarting software cache-based side channel attacks , 2007, ISCA '07.

[13]  Cheng Chen,et al.  Tamper-Resistant Execution in an Untrusted Operating System Using A Virtual Machine Monitor , 2007 .

[14]  Brian Rogers,et al.  Using Address Independent Seed Encryption and Bonsai Merkle Trees to Make Secure Processors OS- and Performance-Friendly , 2007, 40th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO 2007).

[15]  Kang G. Shin,et al.  Using hypervisor to provide data secrecy for user applications on a per-page basis , 2008, VEE '08.

[16]  Tal Garfinkel,et al.  Towards Application Security on Untrusted Operating Systems , 2008, HotSec.

[17]  Michael K. Reiter,et al.  Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.

[18]  Xiaoxin Chen,et al.  Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems , 2008, ASPLOS.

[19]  Ariel J. Feldman,et al.  Lest we remember: cold-boot attacks on encryption keys , 2008, CACM.

[20]  Adrian Perrig,et al.  TrustVisor: Efficient TCB Reduction and Attestation , 2010, 2010 IEEE Symposium on Security and Privacy.

[21]  Ruby B. Lee,et al.  Scalable architectural support for trusted software , 2010, HPCA - 16 2010 The Sixteenth International Symposium on High-Performance Computer Architecture.

[22]  Jennifer Rexford,et al.  NoHype: virtualized cloud infrastructure without the virtualization , 2010, ISCA.

[23]  Zhi Wang,et al.  HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity , 2010, 2010 IEEE Symposium on Security and Privacy.

[24]  Brian Rogers,et al.  SecureME: a hardware-software approach to full system security , 2011, ICS '11.

[25]  Donald E. Porter,et al.  Rethinking the library OS from the top down , 2011, ASPLOS XVI.

[26]  Haibo Chen,et al.  CloudVisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization , 2011, SOSP.

[27]  Rick Boivie,et al.  SecureBlue + + : CPU Support for Secure Execution , 2011 .

[28]  Ruby B. Lee,et al.  Architectural support for hypervisor-secure virtualization , 2012, ASPLOS XVII.

[29]  James Newsome,et al.  Building Verifiable Trusted Path on Commodity x86 Computers , 2012, 2012 IEEE Symposium on Security and Privacy.

[30]  Emmett Witchel,et al.  InkTag: secure applications on an untrusted operating system , 2013, ASPLOS '13.

[31]  Jonathan M. McCune,et al.  OASIS: on achieving a sanctuary for integrity and secrecy on untrusted platforms , 2013, CCS.

[32]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[33]  Hovav Shacham,et al.  Iago attacks: why the system call API is a bad untrusted RPC interface , 2013, ASPLOS '13.

[34]  Galen C. Hunt,et al.  Shielding Applications from an Untrusted Cloud with Haven , 2014, OSDI.

[35]  Donald E. Porter,et al.  Cooperation and security isolation of library OSes for multi-process applications , 2014, EuroSys '14.

[36]  Mathias Payer,et al.  Control-Flow Integrity , 2017, ACM Comput. Surv..