FIMCE: A Fully Isolated Micro-Computing Environment for Multicore Systems

Published: 21 May 2018

Abstract

Virtualization-based memory isolation has been widely used as a security primitive in various security systems to counter kernel-level attacks. In this article, our in-depth analysis of this primitive shows that its security is significantly undermined in the multicore setting when the other hardware resources used for computation are not enclosed within the isolation boundary. We thus propose to construct a fully isolated micro-computing environment (FIMCE) as a new primitive. By virtue of its architectural niche, FIMCE not only offers stronger security assurance than its predecessor but also features a flexible and composable environment with support for peripheral device isolation, thus greatly expanding the scope of applications. In addition, FIMCE can be integrated with recent technologies such as Intel Software Guard Extensions (SGX) to attain even stronger security guarantees. We have built a prototype of FIMCE with a bare-metal hypervisor. To show the benefits of using FIMCE as a building block, we have also implemented four applications that are difficult to construct using the existing memory isolation method. Experiments with these applications demonstrate that FIMCE imposes less than 1% overhead on single-threaded applications, while the maximum performance loss on multithreaded applications is bounded by the degree of parallelism at the processor level.

Published in

  ACM Transactions on Privacy and Security, Volume 21, Issue 3
  August 2018
  157 pages
  ISSN: 2471-2566
  EISSN: 2471-2574
  DOI: 10.1145/3208360

  Copyright © 2018 ACM

  Publisher: Association for Computing Machinery, New York, NY, United States

  Publication History

  • Published: 21 May 2018
  • Accepted: 1 March 2018
  • Revised: 1 November 2017
  • Received: 1 March 2017

Qualifiers

  • research-article
  • Research
  • Refereed