
InkTag: secure applications on an untrusted operating system

Published: 16 March 2013

Abstract

InkTag is a virtualization-based architecture that gives strong safety guarantees to high-assurance processes even in the presence of a malicious operating system. InkTag advances the state of the art in untrusted operating systems in both the design of its hypervisor and in the ability to run useful applications without trusting the operating system. We introduce paraverification, a technique that simplifies the InkTag hypervisor by forcing the untrusted operating system to participate in its own verification. Attribute-based access control allows trusted applications to create decentralized access control policies. InkTag is also the first system of its kind to ensure consistency between secure data and metadata, ensuring recoverability in the face of system crashes.



Published In

ACM SIGARCH Computer Architecture News, Volume 41, Issue 1
ASPLOS '13
March 2013
540 pages
ISSN: 0163-5964
DOI: 10.1145/2490301

ASPLOS '13: Proceedings of the eighteenth international conference on Architectural support for programming languages and operating systems
March 2013
574 pages
ISBN: 9781450318709
DOI: 10.1145/2451116

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 16 March 2013
Published in SIGARCH Volume 41, Issue 1


Author Tags

  1. application protection
  2. paraverification
  3. virtualization-based security

Qualifiers

  • Research-article
