DOI: 10.1145/2541940.2541986
research-article

Virtual ghost: protecting applications from hostile operating systems

Published: 24 February 2014

Abstract

Applications that process sensitive data can be carefully designed and validated to be difficult to attack, but they are usually run on monolithic, commodity operating systems, which may be less secure. An OS compromise gives the attacker complete access to all of an application's data, regardless of how well the application is built. We propose a new system, Virtual Ghost, that protects applications from a compromised or even hostile OS. Virtual Ghost is the first system to do so by combining compiler instrumentation and run-time checks on operating system code, which it uses to create ghost memory that the operating system cannot read or write. Virtual Ghost interposes a thin hardware abstraction layer between the kernel and the hardware that provides a set of operations that the kernel must use to manipulate hardware, and provides a few trusted services for secure applications such as ghost memory management, encryption and signing services, and key management. Unlike previous solutions, Virtual Ghost does not use a higher privilege level than the kernel.
Virtual Ghost performs well compared to previous approaches; it outperforms InkTag on five out of seven of the LMBench microbenchmarks with improvements between 1.3x and 14.3x. For network downloads, Virtual Ghost experiences a 45% reduction in bandwidth at most for small files and nearly no reduction in bandwidth for large files and web traffic. An application we modified to use ghost memory shows a maximum additional overhead of 5% due to the Virtual Ghost protections. We also demonstrate Virtual Ghost's efficacy by showing how it defeats sophisticated rootkit attacks.

    Reviews

    Eduardo B. Fernandez

    Operating systems are very complex, with millions of lines of code; in general, they cannot be proven secure. They may contain malware, or they may have been compromised by attackers. This means that, in many cases, they cannot be trusted. Protecting applications against attacks coming from the operating system requires elaborate solutions, and several approaches have been presented. Virtual Ghost, the new system presented in this paper, is based on compiler instrumentation and runtime checks. This approach effectively inserts a small hardware abstraction layer between the kernel and the hardware providing operations to be used by the kernel to manipulate hardware, and provides some trusted services for secure applications. Virtual Ghost runs as a regular library at the same privilege level as the kernel. The paper discusses the architectural aspects of Virtual Ghost and shows how it can handle all types of attacks by an operating system on applications. The performance analysis of a prototype shows reasonable overhead for providing this level of security to applications and to the kernel itself. The paper is clear and well organized, and puts this work into context with other similar approaches. This paper should be very useful reading for anybody working on application security.

    Online Computing Reviews Service

    Published In

    ASPLOS '14: Proceedings of the 19th international conference on Architectural support for programming languages and operating systems
    February 2014
    780 pages
    ISBN:9781450323055
    DOI:10.1145/2541940

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. control-flow integrity
    2. inlined reference monitors
    3. malicious operating systems
    4. software fault isolation
    5. software security

    Qualifiers

    • Research-article

    Conference

    ASPLOS '14

    Acceptance Rates

    ASPLOS '14 Paper Acceptance Rate 49 of 217 submissions, 23%;
    Overall Acceptance Rate 535 of 2,713 submissions, 20%

    Cited By

    • (2023) Veil: A Protected Services Framework for Confidential Virtual Machines. Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 4, pages 378-393. DOI: 10.1145/3623278.3624763. Online publication date: 25-Mar-2023
    • (2023) ISA-Grid: Architecture of Fine-grained Privilege Control for Instructions and Registers. Proceedings of the 50th Annual International Symposium on Computer Architecture, pages 1-15. DOI: 10.1145/3579371.3589050. Online publication date: 17-Jun-2023
    • (2022) Efficient Application Protection against Untrusted Operating Systems. VFAST Transactions on Software Engineering, 10:4, pages 123-130. DOI: 10.21015/vtse.v10i4.1197. Online publication date: 31-Dec-2022
    • (2022) AppBastion: Protection from Untrusted Apps and OSes on ARM. Computer Security – ESORICS 2022, pages 692-715. DOI: 10.1007/978-3-031-17146-8_34. Online publication date: 26-Sep-2022
    • (2021) Architectural Protection of Trusted System Services for SGX Enclaves in Cloud Computing. IEEE Transactions on Cloud Computing, 9:3, pages 910-922. DOI: 10.1109/TCC.2019.2892449. Online publication date: 1-Jul-2021
    • (2020) SelMon. Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services, pages 135-147. DOI: 10.1145/3386901.3389023. Online publication date: 15-Jun-2020
    • (2020) Keystone. Proceedings of the Fifteenth European Conference on Computer Systems, pages 1-16. DOI: 10.1145/3342195.3387532. Online publication date: 15-Apr-2020
    • (2020) Enclavisor: A Hardware-software Co-design for Enclaves on Untrusted Cloud. IEEE Transactions on Computers, pages 1-1. DOI: 10.1109/TC.2020.3019704. Online publication date: 2020
    • (2020) SofTEE: Software-Based Trusted Execution Environment for User Applications. IEEE Access, 8, pages 121874-121888. DOI: 10.1109/ACCESS.2020.3006703. Online publication date: 2020
    • (2020) From virtualization security issues to cloud protection opportunities: An in-depth analysis of system virtualization models. Computers & Security, 97, article 101905. DOI: 10.1016/j.cose.2020.101905. Online publication date: Oct-2020
