DOI: 10.1145/1294261.1294295 (ACM SOSP conference proceedings article)

Secure virtual architecture: a safe execution environment for commodity operating systems

Published: 14 October 2007

ABSTRACT

This paper describes an efficient and robust approach to provide a safe execution environment for an entire operating system, such as Linux, and all its applications. The approach, which we call Secure Virtual Architecture (SVA), defines a virtual, low-level, typed instruction set suitable for executing all code on a system, including kernel and application code. SVA code is translated for execution by a virtual machine transparently, offline or online. SVA aims to enforce fine-grained (object level) memory safety, control-flow integrity, type safety for a subset of objects, and sound analysis. A virtual machine implementing SVA achieves these goals by using a novel approach that exploits properties of existing memory pools in the kernel and by preserving the kernel's explicit control over memory, including custom allocators and explicit deallocation. Furthermore, the safety properties can be encoded compactly as extensions to the SVA type system, allowing the (complex) safety checking compiler to be outside the trusted computing base. SVA also defines a set of OS interface operations that abstract all privileged hardware instructions, allowing the virtual machine to monitor all privileged operations and control the physical resources on a given hardware platform. We have ported the Linux kernel to SVA, treating it as a new architecture, and made only minimal code changes (less than 300 lines of code) to the machine-independent parts of the kernel and device drivers. SVA is able to prevent 4 out of 5 memory safety exploits previously reported for the Linux 2.4.22 kernel for which exploit code is available, and would prevent the fifth one simply by compiling an additional kernel library.


