Presentation transcript: "Towards Application Security On Untrusted OS"
1 Towards Application Security On Untrusted OS. Dan R. K. Ports (MIT CSAIL & VMware, Inc.) and Tal Garfinkel (VMware, Inc.). Presented by Khalid Aljohani.
2 Contents: Introduction; Isolation Architectures; Overshadow; Attacks and Mitigations: File System, Inter-Process Communication (IPC), Process Management, Time and Randomness, I/O and Trusted Paths, Identity Management.
3 Introduction. Rich functionality in commodity operating systems leads to complexity, and that complexity makes compromise inevitable. Many solutions have been proposed to enhance security in these systems, such as microkernels and virtual machine monitors (VMMs). These provide CPU and memory isolation, but applications still rely on operating system (OS) services, and those services can turn malicious.
4 Overshadow, a virtualization-based system, was developed by the paper's authors and others. It protects applications running in a VM from the guest OS of that VM. Overshadow maintains the integrity and confidentiality of an application even if the OS is completely compromised.
5 Isolation Architectures. Isolation architectures were proposed to limit the impact of an OS compromise. A separate layer is placed below the OS, between the OS and the CPU and memory, to enforce the isolation. Such architectures are built on a microkernel or a VMM. They prevent an application's code and data from being read or modified when the OS is compromised.
6 Overshadow. It is a virtualization-based system that protects applications running inside a VM from the guest OS of that VM. It protects an application by encrypting the application's memory pages whenever the OS accesses them, and it stores a secure hash of each page so that both the integrity and the confidentiality of the application are preserved. This lets the OS keep managing resources without compromising the application: for example, the OS can swap a memory page to disk, but it cannot read or modify the page's contents.
7 To adapt applications to this new execution environment without modifying either the applications or the OS, a shim is added to each application at load time. The shim manages the transitions between the application and the guest OS. It prevents the application from interacting directly with the guest OS. It uses an explicit hypercall interface, a secure channel that bypasses the OS, to interact with the VMM.
8 How does it work? [Diagram: inside the Virtual Machine, the Application and its Shim sit above the Guest OS; the Shim reaches the VMM through the secure communication channel (hypercall); the VMM runs on the Hardware. Steps are numbered 1 to 4.]
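To make the page-cloaking idea of slides 6 to 8 concrete, here is an added toy model (not the paper's or VMware's code). A VMM object holds the application's cloak key and a per-page hash outside the guest; the guest OS only ever receives the encrypted view of a page, and the application only ever sees plaintext. Everything below is assumed for illustration: the 64-byte page size, the HMAC-SHA256 counter-mode keystream standing in for a real block cipher, and the constructed key and page contents.

```python
"""Toy model of Overshadow-style memory cloaking (added example, not the
paper's or VMware's code).

Assumptions (mine, not the page's): a 64-byte toy page, an HMAC-SHA256
counter-mode keystream in place of the real cipher, and a VMM object that
keeps the cloak key and per-page integrity metadata where the guest cannot
reach them.  The guest OS handles only the cloaked view (nonce + ciphertext);
the application sees only plaintext.
"""
import hashlib
import hmac
import os

PAGE_SIZE = 64   # toy page; real hardware pages are 4 KiB
NONCE_LEN = 16


class IntegrityError(Exception):
    """Raised when a cloaked page fails its hash check on the OS -> app transition."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class VMM:
    """Holds the application's cloak key and per-page hashes; the guest cannot reach either."""

    def __init__(self, cloak_key: bytes):
        self._key = cloak_key
        self._page_hash = {}   # page number -> SHA-256(nonce || ciphertext) at the last cloak

    def cloak(self, page_no: int, plaintext: bytes) -> bytes:
        """Application -> OS transition: encrypt the page under a fresh nonce and record
        its hash.  The returned bytes are all the OS gets to see (e.g. to swap out)."""
        assert len(plaintext) == PAGE_SIZE
        nonce = os.urandom(NONCE_LEN)
        ciphertext = _xor(plaintext, _keystream(self._key, nonce, PAGE_SIZE))
        self._page_hash[page_no] = hashlib.sha256(nonce + ciphertext).digest()
        return nonce + ciphertext

    def uncloak(self, page_no: int, os_view: bytes) -> bytes:
        """OS -> application transition: verify the hash recorded at cloak time (this catches
        both modification and rollback to an older version of the page), then decrypt."""
        digest = hashlib.sha256(os_view).digest()
        if not hmac.compare_digest(digest, self._page_hash.get(page_no, b"")):
            raise IntegrityError(f"page {page_no}: contents altered while held by the OS")
        nonce, ciphertext = os_view[:NONCE_LEN], os_view[NONCE_LEN:]
        return _xor(ciphertext, _keystream(self._key, nonce, PAGE_SIZE))


def scenario() -> dict:
    """Walk one application page through an honest swap, a tampering OS and a rollback."""
    vmm = VMM(cloak_key=b"\x11" * 32)   # constructed key; a real VMM keeps its own
    secret = b"session-token=0xDEADBEEF".ljust(PAGE_SIZE, b"\0")   # constructed page

    # 1. The OS swaps the page out and back in untouched: the app gets its data back.
    on_disk = vmm.cloak(page_no=7, plaintext=secret)
    roundtrip_ok = vmm.uncloak(7, on_disk) == secret

    # 2. Confidentiality: the OS view carries no trace of the plaintext.
    os_sees_plaintext = b"session-token" in on_disk

    # 3. Integrity: the OS flips one byte before swapping the page back in.
    tampered = bytearray(on_disk)
    tampered[NONCE_LEN + 5] ^= 0x01
    try:
        vmm.uncloak(7, bytes(tampered))
        tamper_detected = False
    except IntegrityError:
        tamper_detected = True

    # 4. Freshness: the app updates the page and it is cloaked again; the OS then
    #    tries to hand back the stale (but genuine) earlier ciphertext.
    vmm.cloak(7, b"session-token=REVOKED".ljust(PAGE_SIZE, b"\0"))
    try:
        vmm.uncloak(7, on_disk)
        rollback_detected = False
    except IntegrityError:
        rollback_detected = True

    return {
        "roundtrip_ok": roundtrip_ok,
        "os_sees_plaintext": os_sees_plaintext,
        "tamper_detected": tamper_detected,
        "rollback_detected": rollback_detected,
    }


if __name__ == "__main__":
    print(scenario())
```

The hash is taken over nonce and ciphertext rather than the plaintext, so the VMM can reject a bad page before decrypting anything, and because the stored hash is replaced on every cloak, an old but genuine copy of the page is rejected as well. The real system uses a proper block cipher and keeps this metadata per application; the structure of the check is the same.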
9 Attacks and Mitigations. Applications use services provided by the OS, and a malicious OS can use those very services to attack applications. 1) File System: one of the most important services the OS provides, and closely tied to security because applications' data and code are stored on it. 1.1) File Contents. Potential attack: files are stored unprotected, so the OS can read any sensitive data they contain.
10 Proposed solution: in Overshadow, file contents are encrypted with a key known only to the VMM and stored securely outside the VM. 1.2) File Metadata. Potential attack: a malicious OS could resolve a pathname incorrectly and hand the application a different file from the one it asked for. Proposed solution: Overshadow keeps a protection metadata file containing hashes that let the shim verify that the data returned for a pathname is the expected file and has not been modified.
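An added example (not the paper's or VMware's code) of the metadata check on slide 10. The untrusted OS is modelled as a dict from pathname to bytes that it may answer dishonestly; the protection metadata is a dict the OS cannot reach. Each file gets a random identity and one SHA-256 hash per 32-byte block, with the identity and the block index mixed into every hash, so that a different file of the same size, a modified byte, or the genuine blocks in the wrong order all fail to verify. The block size, the sample files and the pathnames are all assumed for illustration, and the encryption of contents from slide 10 is left out so the check itself stays visible.

```python
"""Toy model of Overshadow's protection metadata for files (added example,
not the paper's or VMware's code).

Assumptions (mine, not the page's): the guest OS's file system is a dict
from pathname to bytes that it may answer dishonestly; the protection
metadata lives in a dict the OS cannot reach (in Overshadow the metadata
file is itself protected).  Each file gets a random identity and one
SHA-256 hash per 32-byte block, with the identity and block index mixed
into every hash.  Contents are left in the clear: the encryption of file
contents described on the page is a separate layer not shown here.
"""
import hashlib
import hmac
import os

BLOCK_SIZE = 32


class IntegrityError(Exception):
    """The OS returned data for a path that does not match its protection metadata."""


def _block_hash(file_id: bytes, index: int, block: bytes) -> bytes:
    return hashlib.sha256(file_id + index.to_bytes(8, "big") + block).digest()


def _split(data: bytes) -> list:
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def register_file(meta_store: dict, path: str, data: bytes) -> None:
    """Shim side: record size and per-block hashes for a file written through the OS."""
    file_id = os.urandom(16)   # random identity, bound to the pathname in the protected store
    meta_store[path] = {
        "file_id": file_id,
        "size": len(data),
        "block_hashes": [_block_hash(file_id, i, b) for i, b in enumerate(_split(data))],
    }


def verified_read(meta_store: dict, untrusted_fs: dict, path: str) -> bytes:
    """Shim side: read a path through the OS and accept the data only if every
    block matches the protection metadata recorded for that pathname."""
    meta = meta_store[path]   # KeyError if the shim never protected this path
    data = untrusted_fs.get(path)
    if data is None or len(data) != meta["size"]:
        raise IntegrityError(f"{path}: missing or wrong size")
    for i, (block, expected) in enumerate(zip(_split(data), meta["block_hashes"])):
        if not hmac.compare_digest(_block_hash(meta["file_id"], i, block), expected):
            raise IntegrityError(f"{path}: block {i} does not match protection metadata")
    return data


def _rejected(read) -> bool:
    try:
        read()
        return False
    except IntegrityError:
        return True


def scenario() -> dict:
    """Honest read, then three ways a malicious OS can answer the same read wrongly."""
    meta_store = {}   # protected: reachable only by the shim and the VMM
    fs = {}           # the guest OS's file system, entirely under its control
    secrets = b"db_password=hunter2\n".ljust(64, b"#")   # constructed sample files
    config = b"log_level=debug\n".ljust(64, b"#")
    for path, data in (("/app/secrets", secrets), ("/app/config", config)):
        fs[path] = data
        register_file(meta_store, path, data)

    honest_ok = verified_read(meta_store, fs, "/app/secrets") == secrets

    # Attack 1: the pathname lookup is answered with a different file of the same size.
    wrong_file = {**fs, "/app/secrets": config}
    # Attack 2: one byte of the genuine file is changed in place.
    modified = {**fs, "/app/secrets": secrets[:12] + b"X" + secrets[13:]}
    # Attack 3: the genuine file's blocks come back in swapped order.
    swapped = {**fs, "/app/secrets": secrets[BLOCK_SIZE:] + secrets[:BLOCK_SIZE]}

    return {
        "honest_ok": honest_ok,
        "wrong_file_detected": _rejected(lambda: verified_read(meta_store, wrong_file, "/app/secrets")),
        "modification_detected": _rejected(lambda: verified_read(meta_store, modified, "/app/secrets")),
        "block_swap_detected": _rejected(lambda: verified_read(meta_store, swapped, "/app/secrets")),
    }


if __name__ == "__main__":
    print(scenario())
```

Binding the file identity and the block index into each hash is what turns a plain content checksum into a defence against the pathname attack: a per-block hash alone would accept any block that exists somewhere in a protected file.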
11 2) Inter-Process Communication (IPC): securing IPC between applications is just as important. Potential attack: a malicious OS can spy on IPC messages between protected applications, or tamper with, drop, delay, reorder or spoof them. Proposed solution: since IPC data must pass through the OS, Overshadow treats IPC channels like protected files: the shim encrypts and integrity-protects messages before handing them to the OS, with keys that the VMM holds and the shim reaches over the hypercall interface, so the OS carries only data it can neither read nor alter undetected.
12 3) Process Management: The OS is responsible for managing processes, including their identities. Potential attack: a malicious OS might deliver a process's results, return value, or other information such as a signal to the wrong process. Proposed solution: Overshadow keeps its own protected table of each process's signal handlers and uses hypercalls to ensure that signals are delivered to the correct process and handler.
13 4) Time and Randomness: The OS maintains the system clock, so security-critical applications cannot rely on it. Potential attack: a malicious OS could speed up or slow down the clock, allowing it to defeat time-based authentication schemes (for example, by making an expired credential appear valid). Proposed solution: provide a trusted clock in the VMM. Randomness raises the same concern, since the OS supplies the entropy sources that applications normally draw on.
14 5) I/O and Trusted Paths: Potential attack: an application's input and output paths go through the OS, so a malicious OS can observe traffic on these paths and capture sensitive data (e.g. passwords). Proposed solution: Overshadow uses cryptography to build trusted paths, so that data is protected end to end and the OS only relays data it cannot read.
15 6) Identity Management: The OS manages many types of identities, such as user and group IDs and network endpoints (IP addresses, DNS names, port numbers). Potential attack: a malicious OS could let an attacker act as a trusted user. Proposed solution: Overshadow uses cryptography to encrypt and authenticate connections between local and remote users, so that identity no longer rests on OS-managed identifiers.
16 References. X. Chen, T. Garfinkel, E. C. Lewis, P. Subrahmanyam, C. A. Waldspurger, D. Boneh, J. Dwoskin, and D. R. K. Ports. Overshadow: A virtualization-based approach to retrofitting protection in commodity operating systems. In Proc. ASPLOS '08, Seattle, WA, March 2008. D. R. K. Ports (MIT CSAIL & VMware, Inc.) and T. Garfinkel (VMware, Inc.). Towards Application Security on Untrusted Operating Systems. In Proc. USENIX HotSec '08, San Jose, CA, July 2008.