Tamper-Resistant Execution in an Untrusted Operating System Using A Virtual Machine Monitor

نویسندگان

  • Haibo Chen
  • Fengzhe Zhang
  • Cheng Chen
  • Ziye Yang
  • Rong Chen
  • Binyu Zang
  • Wenbo Mao
چکیده

Software applications today face constant threat of tampering because of the vulnerability in operating systems and their permissive interface. Unfortunately, existing tamper-resistance approaches often require non-trivial amount of changes to core CPU architectures, operating systems and/or applications. In this paper, we propose an approach that requires only minimal changes to existing commodity operating systems running on commodity hardware without compromising their functionality and compatibility. The key idea is to use a trustworthy virtual machine monitor (VMM) to monitor and regulate the behavior of other untrustworthy processes including the underlying operating system that might have been compromised. We use the trusted VMM to compartmentalize a process that demands tamper resistant protection from OS kernels and other processes, by interposing security-sensitive operations (e.g. system calls) and isolating (and sealing) security-sensitive information (e.g. registers and memory). We have implemented a working prototype, CHAOS , that supports tamper-resistant applications running on Linux and Xen VMM. Our prototype shows that it only requires minor changes (about 230 LOCs) to Linux and a small amount of code expansion to Xen (about 4200 LOCs). Performance measurements also show that CHAOS incurs a little performance degradation to the application software: about 3% for SPECINT-2000 and less than 15% for apache httpd and vsftpd.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Secure Execution of Mutually Mistrusting Software

Commodity operating systems, e.g. Linux and Android, running on PC or smartphone, are ubiquitous in home, commercial, government, and military settings. The booming popularity of PC and smartphone makes the commodity operating system an attractive target for attacks. These systems are tasked with a variety of applications, e.g. from secure software provided by trusted enterprises to regular app...

متن کامل

Ensuring System Integrity using Limited Local Memory

System integrity monitors, such as rootkit detectors, rely critically on the ability to fetch and inspect pages containing code and data of a target system under study. To avoid being infected by malicious or compromised targets, state of the art system integrity monitors rely on virtualization technology to set up a tamper-proof execution environment. Consequently, the virtualization infrastru...

متن کامل

Using Memory Errors to Attack a Virtual Machine

We present an experimental study showing that soft memory errors can lead to serious security vulnerabilities in Java and .NET virtual machines, or in any system that relies on type-checking of untrusted programs as a protection mechanism. Our attack works by sending to the JVM a Java program that is designed so that almost any memory error in its address space will allow it to take control of ...

متن کامل

Janos: A Java-Oriented OS for Active Network Nodes

Janos is an operating system for active network nodes whose primary focus is strong resource management and control of untrusted active applications written in Java. Janos includes the three major components of a Javabased active network operating system: the low-level NodeOS, a resource-aware Java Virtual Machine, and an active network protocol execution environment. Each of these components i...

متن کامل

Extending Tamper-Proof Hardware Security to Untrusted Execution Environments

This paper addresses mobile code protection with respect to potential integrity and confidentiality violations originating from the untrusted runtime environment where the code execution takes place. Both security properties are defined in a framework where code is modeled using Boolean circuits. Two protection schemes are presented. The first scheme addresses the protection of a function that ...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2007