Abstract
InkTag is a virtualization-based architecture that gives strong safety guarantees to high-assurance processes even in the presence of a malicious operating system. InkTag advances the state of the art in untrusted operating systems in both the design of its hypervisor and in the ability to run useful applications without trusting the operating system. We introduce paraverification, a technique that simplifies the InkTag hypervisor by forcing the untrusted operating system to participate in its own verification. Attribute-based access control allows trusted applications to create decentralized access control policies. InkTag is also the first system of its kind to ensure consistency between secure data and metadata, ensuring recoverability in the face of system crashes.
InkTag: secure applications on an untrusted operating system. ASPLOS '13: Proceedings of the eighteenth international conference on Architectural support for programming languages and operating systems.