1 Implementing an Untrusted Operating System on Trusted Hardware David Lie Chandramohan A. Thekkath Mark Horowitz University of Toronto, Microsoft Research,

Slides:



Advertisements
Similar presentations
Operating Systems Components of OS
Advertisements

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Overcoming an UNTRUSTED COMPUTING BASE: Detecting and Removing Malicious Hardware Automatically Matthew Hicks Murph Finnicum Samuel T. King University.
CPU Review and Programming Models CT101 – Computing Systems.
Using Instruction Block Signatures to Counter Code Injection Attacks Milena Milenković, Aleksandar Milenković, Emil Jovanov The University of Alabama in.
TIE Extensions for Cryptographic Acceleration Charles-Henri Gros Alan Keefer Ankur Singla.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
1 Specifying and Verifying Hardware Support for Copy and Tamper-Resistant Software David Lie, John Mitchell, Chandramohan Thekkath and Mark Horowitz Computer.
1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University.
Implementing an Untrusted Operating System on Trusted Hardware.
Architectures for Secure Processing Matt DeVuyst.
Presented By Srinivas Sundaravaradan. MACH µ-Kernel system based on message passing Over 5000 cycles to transfer a short message Buffering IPC L3 Similar.
Architectural Support for Operating Systems. Announcements Most office hours are finalized Assignments up every Wednesday, due next week CS 415 section.
Introduction to Kernel
Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.
Virtual Memory and Paging J. Nelson Amaral. Large Data Sets Size of address space: – 32-bit machines: 2 32 = 4 GB – 64-bit machines: 2 64 = a huge number.
Architectural Support for Copy and Tamper Resistant Software David Lie, Chandu Thekkath, Mark Mitchell, Patrick Lincoln, Dan Boneh, John Mitchell and Mark.
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.
Protection and the Kernel: Mode, Space, and Context.
Review of Memory Management, Virtual Memory CS448.
Architecture for Protecting Critical Secrets in Microprocessors Ruby Lee Peter Kwan Patrick McGregor Jeffrey Dwoskin Zhenghong Wang Princeton Architecture.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
1 Architectural Support for Copy and Tamper Resistant Software David Lie, Chandu Thekkath, Mark Mitchell, Patrick Lincoln, Dan Boneh, John Mitchell and.
Trusted Computing Or How I Learned to Stop Worrying and Love the MPAA.
IVEC: Off-Chip Memory Integrity Protection for Both Security and Reliability Ruirui Huang, G. Edward Suh Cornell University.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.
Virtual Memory Expanding Memory Multiple Concurrent Processes.
Hardware process When the computer is powered up, it begins to execute fetch-execute cycle for the program that is stored in memory at the boot strap entry.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3.
SOCSAMS e-learning Dept. of Computer Applications, MES College Marampally VIRTUALMEMORY.
G53SEC 1 Reference Monitors Enforcement of Access Control.
 Virtual machine systems: simulators for multiple copies of a machine on itself.  Virtual machine (VM): the simulated machine.  Virtual machine monitor.
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 9: Virtual Memory.
Joonwon Lee Process and Address Space.
Silberschatz, Galvin and Gagne  Operating System Concepts Process Concept An operating system executes a variety of programs:  Batch system.
1 Computer Systems II Introduction to Processes. 2 First Two Major Computer System Evolution Steps Led to the idea of multiprogramming (multiple concurrent.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Virtual Memory Hardware.
Processes and Virtual Memory
Hardware process When the computer is powered up, it begins to execute fetch-execute cycle for the program that is stored in memory at the boot strap entry.
Exploiting Instruction Streams To Prevent Intrusion Milena Milenkovic.
Creating Security using Software and Hardware Bradley Herrup CS297- Security and Programming Languages.
What is a Process ? A program in execution.
Chapter 4: Threads 羅習五. Chapter 4: Threads Motivation and Overview Multithreading Models Threading Issues Examples – Pthreads – Windows XP Threads – Linux.
Running Commodity Operating Systems on Scalable Multiprocessors Edouard Bugnion, Scott Devine and Mendel Rosenblum Presentation by Mark Smith.
Architecture Support for Secure Computing Mikel Bezdek Chun Yee Yu CprE 585 Survey Project 12/10/04.
A Framework For Trusted Instruction Execution Via Basic Block Signature Verification Milena Milenković, Aleksandar Milenković, and Emil Jovanov Electrical.
1 Module 3: Processes Reading: Chapter Next Module: –Inter-process Communication –Process Scheduling –Reading: Chapter 4.5, 6.1 – 6.3.
Introduction to Kernel
Trusted Computing and the Trusted Platform Module
CS 6560: Operating Systems Design
Virtual Memory - Part II
Protection of System Resources
Chapter 4: Threads 羅習五.
KERNEL ARCHITECTURE.
Hardware Support for Embedded Operating System Security
Chapter 4: Threads.
AEGIS: Secure Processor for Certified Execution
User-mode Secret Protection (SP) architecture
Process & its States Lecture 5.
CSE 451: Operating Systems Autumn 2003 Lecture 10 Paging & TLBs
Embedded Computer Architecture 5SAI0 Chip Multi-Processors (ch 8)
LINUX System : Lecture 7 Lecture notes acknowledgement : The design of UNIX Operating System.
Sai Krishna Deepak Maram, CS 6410
SCONE: Secure Linux Containers Environments with Intel SGX
CSE 451: Operating Systems Autumn 2003 Lecture 10 Paging & TLBs
Shielding applications from an untrusted cloud with Haven
CS510 Operating System Foundations
Outline Operating System Organization Operating System Examples
Virtual Memory Use main memory as a “cache” for secondary (disk) storage Managed jointly by CPU hardware and the operating system (OS) Programs share main.
Virtual machine monitors & Secure operation
Presentation transcript:

1 Implementing an Untrusted Operating System on Trusted Hardware David Lie Chandramohan A. Thekkath Mark Horowitz University of Toronto, Microsoft Research, and Stanford University

2 Implementing an Untrusted Operating System on Trusted HardwareDavid Lie SOSP 2003 Protection in Systems: Hardware Approach Many platforms exist where trust is placed in hardware: –Trust Computing Platform Alliance (TCPA) –Microsoft’s Palladium (NGSCB) –Intel LaGrande Architecture Advantages of hardware approach –Better tamper-resistance –Less dependent on OS correctness for security Trust in hardware means less trust (or no) in OS –We need to rethink operating system design

3 Implementing an Untrusted Operating System on Trusted HardwareDavid Lie SOSP 2003 Rethinking the Role of the OS A traditional OS performs both resource management and protection for applications –But now applications and OS are mutually suspicious –But applications don’t trust OS to access their code and data –OS must be able to interrupt applications Use XOM (eXecute Only Memory) as an example platform –New operating system is called XOMOS XOMOS is UNIX-like, port of IRIX 6.5 –Should support most standard UNIX applications

4 Implementing an Untrusted Operating System on Trusted HardwareDavid Lie SOSP 2003 XOM Hardware Architecture XOM is implemented as a set of ISA extensions XOM Processor implements compartments for protection –Each compartment has a unique XOM ID –Architectural tags to control access to data on-chip –Cryptographic mechanisms protect data off-chip XOM Processor executes encrypted code –Combination of asymmetric/symmetric ciphers –Private key embedded on-chip hardware

5 Implementing an Untrusted Operating System on Trusted HardwareDavid Lie SOSP 2003 Entering Secure Execution Applications Enter and Exit secure execution via instructions Encrypted Symmetric Key Encrypted Code (sym) Executable Code Symmetric Decryption Module XOM Processor Main Memory Unencrypted Code Enter XOMExit XOM Private Key XOM Key Table Asymmetric Decryption Module Currently executing XOM ID and Key

6 Implementing an Untrusted Operating System on Trusted HardwareDavid Lie SOSP 2003 Implementing Compartments XOM Processor OS ???Data Register 3 Program TagData Register 1 TagData Register 3 Program TagData Register 1 Problem: How does OS save registers during a trap or interrupt? ! TagData Register 3 Program TagData Register 1 !

7 Implementing an Untrusted Operating System on Trusted HardwareDavid Lie SOSP 2003 XOMOS Overview Implement XOM CPU in SimOS hardware simulator –MIPS-based architecture with XOM ISA extensions Ported the IRIX 6.5 Operating System to run on XOM processor Main areas that need modification: –Resource management of secure data Saving Registers on Interrupt, Memory Management –Need support for XOM Key Table Loading/Unloading, Management –Compatibility with original system Fork, Signal Handling, Shared Libraries/System Calls

8 Implementing an Untrusted Operating System on Trusted HardwareDavid Lie SOSP 2003 Saving Registers OS uses save register instruction DataTag OS XOM ID Look up program key based on Tag XOM Key Table Encrypt Data Data Store encrypted data and hash to memory Hash Enlarge the exception frame to store hash and XOM ID

9 Implementing an Untrusted Operating System on Trusted HardwareDavid Lie SOSP 2003 Protecting and Managing Memory Applications use secure store instruction DataTag RegistersCaches Memory DataTag Secure Store: Tag is copied from register to cache XOM Key Table Writeback: Look up Tag, Encrypt and Hash Data Hash Relocate data and hashes together

10 Implementing an Untrusted Operating System on Trusted HardwareDavid Lie SOSP 2003 An OS Fork must be differentiated from a Replay Attack –Replay Attack: OS duplicates registers and replays them –Fork: OS must duplicate register set and restore them Revoke and regenerate register keys on every interrupt This hardware defense breaks traditional fork code Replay Attacks and Fork Reg B Reg A OS saves registers Reg A Replay register value Time 1 Time 2 (Same Register) Reg A OS restores registers

11 Implementing an Untrusted Operating System on Trusted HardwareDavid Lie SOSP 2003 Naïve Fork Implementation Parent and Child are exactly the same, have the same XOM ID Problem: Both threads use the same register key XOM Processor Process Parent Register Key ! ChildParent Fork

12 Implementing an Untrusted Operating System on Trusted HardwareDavid Lie SOSP 2003 Fork Solution OS must allocate a new XOM ID for child process –Child has a separate XOM ID and register key Process XOM ID Process Pre-fork: Allocate a new XOM Key Table Entry XOM ID Child Parent Fork: Child uses one XOM ID, the Parent uses other XOM ID

13 Implementing an Untrusted Operating System on Trusted HardwareDavid Lie SOSP 2003 XOM Performance Simulation The SimOS Simulator: –Performance modeling processor, caches, memory and disk Simulation Parameters –Memory latency increases 10% due to encryption Based on AES (Rijndael) cipher implementation –Public key decryption: 400,000 cycles Once per process creation

14 Implementing an Untrusted Operating System on Trusted HardwareDavid Lie SOSP 2003 Operating System Overhead OS overhead due to poor cache behavior: –More cache misses due to bigger code/data footprint –Should check to see if OS needs to do extra work Work is only needed if application is in compartment Total CyclesCache Misses IRIXXOMOVIRIXXOMOV System Call5.7K6.3K11% % Signal Handling31K40K27% % Fork138K126K-9% %

15 Implementing an Untrusted Operating System on Trusted HardwareDavid Lie SOSP 2003 End-to-end Application Overhead Applications use Enter/Exit XOM to execute sections securely –How large to make secure sections? –Executing in compartment has memory access overhead –Entering/leaving compartment can cause cache misses Different compartment sizes: granularities –3 levels: Coarse, Fine, Super-Fine –Applications are MPEG Decode and RSA Encryption

16 Implementing an Untrusted Operating System on Trusted HardwareDavid Lie SOSP 2003 Application Overhead Turns out that granularity has little impact on performance overhead! Overheads for most applications turn out to be less than 5% –If cache behavior is similar Coarse application has smallest effect on cache behavior

17 Implementing an Untrusted Operating System on Trusted HardwareDavid Lie SOSP 2003 Conclusions Possible to construct an Untrusted Operating System –Modest modifications Port required 1900 lines of low level code –Modifications limited to low level interface to the hardware Able to support most traditional OS mechanisms Performance hit is modest (< 5%) –Can run applications completely inside compartment As long as cache behavior is unaffected –This is because of hardware acceleration

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.