Presentation is loading. Please wait.

Presentation is loading. Please wait.

Eternal Sunshine of the Spotless Machine: Protecting Privacy with Ephemeral Channels Alan M. Dunn, Michael Z. Lee, Suman Jana, Sangman Kim, Mark Silberstein,

Published byMelvyn Lucas Modified over 8 years ago

Similar presentations

Presentation on theme: "Eternal Sunshine of the Spotless Machine: Protecting Privacy with Ephemeral Channels Alan M. Dunn, Michael Z. Lee, Suman Jana, Sangman Kim, Mark Silberstein,"— Presentation transcript:

1 Eternal Sunshine of the Spotless Machine: Protecting Privacy with Ephemeral Channels Alan M. Dunn, Michael Z. Lee, Suman Jana, Sangman Kim, Mark Silberstein, Yuanzhong Xu, Vitaly Shmatikov, Emmett Witchel University of Texas at Austin OSDI 2012 October 8, 2012 1

2 Wanted: Application Privacy Goal: Run programs without leaving traces 2 Current state: Private browsing – Popular feature in web browsers – Ideal: When private browsing session terminates, all traces erased VoIP conversation with lawyer Biomedical researcher accessing data Website access

3 A Privacy Problem Private browsing unachieved – Evidence of site visits leaks into OS [Aggrawal, 2010] Problem: No system support – Applications interact with user and world – Data leaks into OS, system services – Applications cannot remove traces they leave 3

4 Example: Browsing a Website Network Audio What traces still remain on the computer? 4 X

5 Leaks From Browsing X server caches, graphics drivers PulseAudio server Memory contents: Complete packets, like: HTTP/1.1 200 OK Date: Mon, 17 Sep 2012 … Server: Apache/2.2.14 … … 5 Network Audio

6 Secure Deallocation Is Not Enough Secure deallocation: Zero memory when freed – Research implementation [Chow, 2005] – PaX: Security patch for Linux kernel Sensitive data remains allocated – X caches, PulseAudio buffers not freed 6

7 Resisting a Strong Adversary Goal: Provide forensic deniability – no evidence left for non-concurrent attacker Once program terminated, protection maintained under extreme circumstances Computer physically seizedRoot-level compromise (after program terminates) 7

8 Goals Provide privacy – Private sessions with forensic deniability Maintain usability – Simultaneous private/non-private applications – Support a wide variety of private applications – “Pay as you go” - costs only for private programs – Impose low overhead 8

9 Lacuna System to accomplish our privacy and usability goals Host OS (Linux), VMM (QEMU-KVM) modified Applications unmodified 9 la·cu·na [luh-kyoo-nuh] 1. a gap or missing part, as in a manuscript, series, or logical argument...

10 Outline Design – Erasable program container – Allow communication with peripherals Evaluation – Lacuna provides privacy – Lacuna maintains usability 10

11 Erasable Program Container Program 11 Process … VM contains Inter-Process Communication VM alone is insufficient

12 Communicating with Peripherals 12 - Sensitive data X App 1 App 2 Program Driver Dependencies on rest of OS Program must communicate with peripheral

13 Communicating with Peripherals 13 - Sensitive data X App 1 App 2 Driver Dependencies on rest of OS Program Code with potential data exposure Host OS X 0

14 Two Peripheral Types 14 - Sensitive data 1) Storage - Encrypted data Encrypt before data passes through OS Swap VM writes 2) All other peripherals Must ensure no traces left that are readable later Solve with ephemeral channels

15 Ensuring No Readable Traces 15 Program Strategy 1: Leave no trace Strategy 2: Make traces unreadable later

16 Ephemeral Channels Erase channel key 16 - Encrypted data - Sensitive data Encrypted ephemeral channel Hardware ephemeral channel Guest control of hardware (complex OS paths) 0 Traces now cryptographically erased

17 Channel Type Comparison 17 HardwareEncrypted Host drivers unmodified  Host code never sees unencrypted data  Hardware virtualization support unnecessary  (No graphics) Guest modification unnecessary  (Run Windows, Linux, unmodified programs)

18 Encrypted Graphics Channel No hardware virtualization support for graphics Solution: Encrypt VM output to GPU memory Emulated graphics card GPU memory CUDA Host OS Driver 18

19 Hardware USB Channel Switch into private mode USB host controller HW Controller under guest control 19 USB keyboard USB mouse Driver Controller: non-private Controller: private Encrypted USB, audio, network channels described in paper

20 Sanitizing Storage Encrypt VM writes to storage – VM image file unmodified – Diffs file contains VM writes to storage – Diffs file encrypted Leave no evidence of which storage locations read – Free buffer cache pages for VM image file only Encrypt swapped memory from private VM – Encrypt swapped pages for VMM process only Encryption keys erased on VM exit Techniques here “pay as you go” 20

21 Evaluation Lacuna provides privacy – Measure that Lacuna does not leak private data – Quantify size of code that handles sensitive data Lacuna maintains usability – Low switch time to private environment – Application performance near that of running program in VM More evaluation in paper 21

22 Lacuna Protects Privacy Experiment to locate leaks Inject random “tokens” into peripheral I/O paths, scan memory to locate [Chow, 2005] Tokens almost always found without Lacuna Tokens never found with Lacuna 22 Host OS 0x2a 0xbf 0x3c 0xb1 0x70 0xc6 0x6e 0x82 …

23 Little Code Handles Sensitive Data 23 SubsystemLines of Code Graphics725 (CUDA) Sound200 (out) 108 (in) USB414 Network208 Measurements are lines of code outside of QEMU that handle unencrypted data – Data within QEMU erased at VM exit

24 Time to Switch to Private Programs is Low Channel TypeSwitch Time (s) USB passthrough (encrypted) keyboard keyboard + mouse PCI assignment (hardware) keyboard keyboard + mouse USB driver disconnect significant (0.8-1.0 s) Switch time achieved by eliminating two extra disconnects in guest USB initialization 24

25 Impact on Full-System Workloads is Low Video (75 s) Browser (20 s) Office Suite (175 s) QEMU Lacuna Benchmarks – MPlayer: Watch video in across network – Firefox: Browse Alexa top 20 websites – LibreOffice: Create 2,994-character, 32-image document No execution slowdown, higher CPU utilization 25 Measurements are % CPU utilization CPU utilization lowered by hardware AES (AES-NI) Worst case: additional 20 percentage points

26 Conclusion Modern computer systems leak secrets Lacuna provides forensic deniability: secrets removed after program termination Ephemeral channels provide private peripheral I/O Lacuna runs full-system workloads efficiently 26

Download ppt "Eternal Sunshine of the Spotless Machine: Protecting Privacy with Ephemeral Channels Alan M. Dunn, Michael Z. Lee, Suman Jana, Sangman Kim, Mark Silberstein,"

Similar presentations

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
IO-Lite: A Unified Buffering and Caching System By Pai, Druschel, and Zwaenepoel (1999) Presented by Justin Kliger for CS780: Advanced Techniques in Caching.

IO-Lite: A Unified Buffering and Caching System By Pai, Druschel, and Zwaenepoel (1999) Presented by Justin Kliger for CS780: Advanced Techniques in Caching.
Virtual Machines What Why How Powerpoint?. What is a Virtual Machine? A Piece of software that emulates hardware.  Might emulate the I/O devices  Might.

Virtual Machines What Why How Powerpoint?. What is a Virtual Machine? A Piece of software that emulates hardware.  Might emulate the I/O devices  Might.
CS 345 Computer System Overview

CS 345 Computer System Overview
InkTag: Secure Applications on an Untrusted Operating system

InkTag: Secure Applications on an Untrusted Operating system
Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.

Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.
NoHype: Virtualized Cloud Infrastructure without the Virtualization Eric Keller, Jakub Szefer, Jennifer Rexford, Ruby Lee ISCA 2010 Princeton University.

NoHype: Virtualized Cloud Infrastructure without the Virtualization Eric Keller, Jakub Szefer, Jennifer Rexford, Ruby Lee ISCA 2010 Princeton University.
IT Infrastructure: Software September 18, 2014. LEARNING GOALS Identify the different types of systems software. Explain the main functions of operating.

IT Infrastructure: Software September 18, LEARNING GOALS Identify the different types of systems software. Explain the main functions of operating.
Network Implementation for Xen and KVM Class project for E6998-01: Network System Design and Implantation 12 Apr 2010 Kangkook Jee (kj2181)

Network Implementation for Xen and KVM Class project for E : Network System Design and Implantation 12 Apr 2010 Kangkook Jee (kj2181)
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
Cs238 Lecture 3 Operating System Structures Dr. Alan R. Davis.

Cs238 Lecture 3 Operating System Structures Dr. Alan R. Davis.
CS533 - Concepts of Operating Systems

CS533 - Concepts of Operating Systems
Towards Application Security On Untrusted OS

Towards Application Security On Untrusted OS
1 SOFTWARE TECHNOLOGIES BUS3500 - Abdou Illia, Spring 2007 (Week 2, Thursday 1/18/2007)

1 SOFTWARE TECHNOLOGIES BUS Abdou Illia, Spring 2007 (Week 2, Thursday 1/18/2007)
Operating Systems.

Operating Systems.
Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.

Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.
Virtualization for Cloud Computing

Virtualization for Cloud Computing
Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.

Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.
Week 6 Operating Systems.

Week 6 Operating Systems.
Tanenbaum 8.3 See references

Tanenbaum 8.3 See references

Similar presentations

Ads by Google