Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shielding applications from an untrusted cloud with Haven

Published byJaroslava Fišerová Modified over 5 years ago

Similar presentations

Presentation on theme: "Shielding applications from an untrusted cloud with Haven"— Presentation transcript:

1 Shielding applications from an untrusted cloud with Haven
Based on the paper ‘’ Shielding applications from an untrusted cloud with Haven’’ by Andrew Baumann, Marcus Peinado, and Galen Hunt, Microsoft Research.

2 Content Introduction System Limitations and Performance Future Work
Motivation Current Approaches Objective System Limitations and Performance Future Work Conclusion

3 Motivation Todays clouds use a security model that aims only to protect the privileged code (of the cloud provider) from untrusted code. (user’s VM) What does this mean to the user? The user must trust: Provider’s Software Provider’s Staff Law Enforcement Bodies

4 Current Approaches Trusted hypervisors Hardware Security Modules
Temper proof Hardware to protect secrets Support a range of cryptographic functions Expensive Do not usually run general-purpose applications Trusted hypervisors Protection of an application from malicious OS Cannot protect against a hypervisor controlled by malicious or comprimised cloud provider

5 Objective Secure execution of unmodified legacy applications on a commodity OS and commodity hardware ‘’… level of trust equivalent to user operating their own hardware in a locked cage at a colocation facility’’ What does that mean? Limiting the cloud provider to offering raw resources Just like the colocation provider Can deny service but cannot observe or modify any user data => Shielded Execution

6 Security overview Background Design Implementation
System Security overview Background Design Implementation

7 Security Overview Shielded execution Thread Model and Assumptions
Isolated execution Protecting specific code from rest of the system However naive isolated programs are vulnerable Guarantees Confidentiality (like a ‘’Black Box’’) and Integrity Thread Model and Assumptions Assuming CPU itself is implemented correctly Adversary has full control beyond the physical package of CPU and entire software stack Do not considering side-channel attacks

8 Background Intel SGX DrawBridge Memory protection Attestation
Enclave entry and exit Dynamic memory allocation DrawBridge Low-overhead Sandboxing Picoprocess and LibOS

9 Design Challenges Architecture Malicious host OS Unmodified Binaries
Iago Attacks Unmodified Binaries Architecture Enclave within Drawbridge picoprocess Contains entire application and LibOS Augmented with 2 layers Shield Module Untrusted runtime

10 Shield Module Trusted Computing base
Protecing LibOS and application from Iago attacks. Services Virtual memory Storage Threads and synchronisation

11 Untrusted interface ‘’the guest controls policy for virtual resources, while the host manages policy only for physical resources.’’ Mutual distrust between Host/Guest Limits host to only physical resource allocations Untrusted runtime Bootstrap and glue code Untrusted both ways Creating enclave, loading shield, forwarding calls

12 Implementation SGX support to host OS
by writing a driver and changes on kernel Modifications on host kernel to enable efficient mapping Support for debugging an enclave using SGX debug mechanism Minor modifications on LibOS

13 Deployment and attestation
Constructing a disk image and encrypting it Encrypted VHD and shield binary are sent to the cloud provider Cloud provider establishes a picoprocess and loads untrusted runtime After initialisation the shield generates a public/private key pair and uses it to establish a network connection with user If everything is loaded correctly the user encrypts the VHD key using the public key and sends it back to shield

14 Limitations and performance
SGX Limitations Performance evaluation

15 SGX limitations Dynamic memory allocation Exception handling
Not all exception causes are reported to the enclave Permitted instructions SGX dissalows in-enclave execution of instructions that are commonly encountered in LibOS and application boundaries effecting performance Thread-local storage

16 Performance Evaluation
Comparing Haven’s performance to alternative host environments (which do not provide shielded execution) Summary: Haven’s performance penalty vs. a VM is 31-54% Acceptable overheads, in return for not needing to trust the cloud

17 Future work Storage rollback Untrusted time Cloud management
Cannot prevent the attack: ‘’the enclave is terminated, and its in-memory state is lost Plan to communicate only on ‘’critical’’ writes Untrusted time Malicious host may lie about time or signal timeouts Plan to ensure the clock always runs forward And using cycle counter as an alternative clock Cloud management Haven prevents host’s ability to capture and recreate guest state Plan to implement checkpoints and resume by capturing state to an encrypted image

18 Conclusion Cloud platforms offer many advantages but the provider must be trusted with full access to user data. Implementing a shielded execution eliminates this risk Bringing us closer to ‘’utility computing’’ for the cloud Utility provies resources But has no acess to user data

19 Thank you Yanki Kurtcan

Download ppt "Shielding applications from an untrusted cloud with Haven"

Similar presentations

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
Virtualization Dr. Michael L. Collard

Virtualization Dr. Michael L. Collard
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Department of Computer Science and Engineering University of Washington Brian N. Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,

Department of Computer Science and Engineering University of Washington Brian N. Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.

Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.
1 Implementing an Untrusted Operating System on Trusted Hardware David Lie Chandramohan A. Thekkath Mark Horowitz University of Toronto, Microsoft Research,

1 Implementing an Untrusted Operating System on Trusted Hardware David Lie Chandramohan A. Thekkath Mark Horowitz University of Toronto, Microsoft Research,
Implementing an Untrusted Operating System on Trusted Hardware.

Implementing an Untrusted Operating System on Trusted Hardware.
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
Shielding Applications from an Untrusted Cloud Andrew Baumann, Marcus Peinado, and Galen Hunt. OSDI 2014. Fall 2014 Presenter: Kun Sun, Ph.D. Most slides.

Shielding Applications from an Untrusted Cloud Andrew Baumann, Marcus Peinado, and Galen Hunt. OSDI Fall 2014 Presenter: Kun Sun, Ph.D. Most slides.
Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.

Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.
Towards Application Security On Untrusted OS

Towards Application Security On Untrusted OS
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.

Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
Copyright Arshi Khan1 System Programming Instructor Arshi Khan.

Copyright Arshi Khan1 System Programming Instructor Arshi Khan.
Virtualization for Cloud Computing

Virtualization for Cloud Computing
Virtual Machine Security Summer 2013 Presented by: Rostislav Pogrebinsky.

Virtual Machine Security Summer 2013 Presented by: Rostislav Pogrebinsky.
Microkernels, virtualization, exokernels Tutorial 1 – CSC469.

Microkernels, virtualization, exokernels Tutorial 1 – CSC469.
Jakub Szefer, Eric Keller, Ruby B. Lee Jennifer Rexford Princeton University CCS October, 2011 報告人:張逸文.

Jakub Szefer, Eric Keller, Ruby B. Lee Jennifer Rexford Princeton University CCS October, 2011 報告人:張逸文.
Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.

Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.
Virtual Machine Security Systems Presented by Long Song 08/01/2013 Xin Zhao, Kevin Borders, Atul Prakash.

Virtual Machine Security Systems Presented by Long Song 08/01/2013 Xin Zhao, Kevin Borders, Atul Prakash.

Similar presentations

Ads by Google