Improving system security through TCB reduction

The OS (operating system) is the primary target of today's attacks. A single exploitable defect can be sufficient to break the security of the system and give full control over all the software on the machine. Because current operating systems are too large to be defect-free, the best approach to improving system security is to reduce their code to more manageable levels. This work shows how the security-critical part of the OS, the so-called TCB (Trusted Computing Base), can be reduced from millions to fewer than a hundred thousand lines of code to achieve these security goals. Shrinking the software stack by more than an order of magnitude is an open challenge, since no single technique can currently achieve this. We therefore followed a holistic approach and improved the design as well as the implementation of several system layers, starting with a new OS called NOVA. NOVA provides a small TCB both for newly written applications and for legacy code running inside virtual machines. Virtualization is thereby the key technique to ensure that compatibility requirements will not increase the minimal TCB of our system. The main contribution of this work is to show how the virtual machine monitor for NOVA was implemented with significantly fewer lines of code without affecting the performance of its guest OS. To reduce the overall TCB of our system, other parts had to be improved as well. Additional contributions are the simplification of the OS debugging interface, the reduction of the boot stack, and a new programming language called B1 that can be compiled more easily.
