research-article

InkTag: secure applications on an untrusted operating system

Published: 16 March 2013

Abstract

InkTag is a virtualization-based architecture that gives strong safety guarantees to high-assurance processes even in the presence of a malicious operating system. InkTag advances the state of the art in untrusted operating systems in both the design of its hypervisor and in the ability to run useful applications without trusting the operating system. We introduce paraverification, a technique that simplifies the InkTag hypervisor by forcing the untrusted operating system to participate in its own verification. Attribute-based access control allows trusted applications to create decentralized access control policies. InkTag is also the first system of its kind to ensure consistency between secure data and metadata, ensuring recoverability in the face of system crashes.


Published in

ACM SIGPLAN Notices, Volume 48, Issue 4 (ASPLOS '13), April 2013, 540 pages. ISSN: 0362-1340, EISSN: 1558-1160, DOI: 10.1145/2499368

ASPLOS '13: Proceedings of the Eighteenth International Conference on Architectural Support for Programming Languages and Operating Systems, March 2013, 574 pages. ISBN: 9781450318709, DOI: 10.1145/2451116

Copyright © 2013 ACM

Publisher: Association for Computing Machinery, New York, NY, United States
