ABSTRACT
This paper describes an efficient and robust approach to provide a safe execution environment for an entire operating system, such as Linux, and all its applications. The approach, which we call Secure Virtual Architecture (SVA), defines a virtual, low-level, typed instruction set suitable for executing all code on a system, including kernel and application code. SVA code is translated for execution by a virtual machine transparently, offline or online. SVA aims to enforce fine-grained (object level) memory safety, control-flow integrity, type safety for a subset of objects, and sound analysis. A virtual machine implementing SVA achieves these goals by using a novel approach that exploits properties of existing memory pools in the kernel and by preserving the kernel's explicit control over memory, including custom allocators and explicit deallocation. Furthermore, the safety properties can be encoded compactly as extensions to the SVA type system, allowing the (complex) safety checking compiler to be outside the trusted computing base. SVA also defines a set of OS interface operations that abstract all privileged hardware instructions, allowing the virtual machine to monitor all privileged operations and control the physical resources on a given hardware platform. We have ported the Linux kernel to SVA, treating it as a new architecture, and made only minimal code changes (less than 300 lines of code) to the machine-independent parts of the kernel and device drivers. SVA is able to prevent 4 out of 5 memory safety exploits previously reported for the Linux 2.4.22 kernel for which exploit code is available, and would prevent the fifth one simply by compiling an additional kernel library.
Secure virtual architecture: a safe execution environment for commodity operating systems. SOSP '07.