DriverGuard: Virtualization-Based Fine-Grained Protection on I/O Flows

Most commodity peripheral devices and their drivers are geared toward high performance, with security functions left out. The absence of strong security measures invites attacks on I/O data and consequently poses threats to the services that consume it, such as fingerprint-based biometric authentication. In this article, we present a generic solution called DriverGuard, which dynamically protects the secrecy of I/O flows so that I/O data are not exposed to a malicious kernel. Our design combines cryptographic and virtualization techniques to achieve fine-grained protection without extra devices or modifications to user applications. We implement the DriverGuard prototype on Xen by adding around 1.7K SLOC. DriverGuard is lightweight because it only needs to protect around 2% of the driver code's execution. We measure the performance and evaluate the security of DriverGuard with three input devices (keyboard, fingerprint reader, and camera) and three output devices (printer, graphics card, and sound card). The experimental results show that DriverGuard induces negligible overhead on the applications.
