Improving Flask Implementation Using Hardware Assisted In-VM Isolation
Authors
Abstract
The Flask architecture, which mainly consists of an object manager (OM) and a security server (SS), is widely used to support flexible security policies in operating systems. By nature, the OM and the SS should be isolated from each other to separate decision from enforcement. However, current implementations of Flask, such as SELinux and SEBSD, put both the OM and the SS in the same address space. If one component is subverted, the whole system is exposed to the attacker. In this paper, we present hardware assisted in-VM isolation to improve the security of the Flask implementation. The key to our approach is the separation of the SS from the other parts of the guest OS by constructing hardware assisted page tables at the hypervisor level. In this way the SS can execute in a strongly isolated address space with respect to its associated guest OS, and can therefore provide a trustworthy and centralized repository for policy and decision-making. Our experiment shows that our method introduces moderate performance overhead.
Similar resources
Hardware Assisted OS Virtualization
Operating System-level virtualization, also known as a container, is an increasingly popular approach to isolating applications that use the same underlying OS kernel [2, 5–7]. Containers have recently gained popularity as the default back-end for Docker, an application packaging and distribution system used by companies including Google [3]. The purported reason to use containers over a hardwa...
A Simulation Analysis of Shared TLBs with Tag Based Partitioning in Multicore Virtualized Environments
The current paradigm of computing in the server industry is undergoing rapid changes. Two of the most important changes are the emergence of multicore architectures with an increasing number of processors on a single die and the use of virtual machines (VMs) to efficiently partition and allocate these processors. As a result, the emphasis in microarchitecture design has shifted towards increasi...
Safe Transient Use of Local Storage for VM-based Mobility
This paper investigates the transient use of free local storage for improving performance in VM-based mobile computing systems. Many such systems boot from a portable storage device to create a “zero-install” environment on a computer that is borrowed for temporary use. Unfortunately, consumer-grade portable storage devices are optimized for capacity and cost rather than performance, which has b...
DoS Attacks on Your Memory in the Cloud
In cloud computing, network Denial of Service (DoS) attacks are well studied and defenses have been implemented, but severe DoS attacks on a victim’s working memory by a single hostile VM are not well understood. Memory DoS attacks are Denial of Service (or Degradation of Service) attacks caused by contention for hardware memory resources on a cloud server. Despite the strong memory isolation t...
Kernel Plugins: When a VM Is Too Much
This paper presents kernel plugins, a framework for dynamic kernel specialization inspired by ideas borrowed from virtualization research. Plugins can be created and updated inexpensively on-the-fly and they can execute arbitrary user-supplied functions such that neither safety nor performance are compromised. Three key techniques are used to implement kernel plugins: (1) hardware fault isolati...