dancing with giants: wimpy kernels for on-demand isolated i/o
DESCRIPTION
Dancing with Giants: Wimpy Kernels for On-demand Isolated I/O. Presenter: Probir Roy Computer Science Department College of William & Mary. Isolated security-sensitive application. Towards Application Security on Untrusted Operating Systems (by DRK Ports - 2008). - PowerPoint PPT PresentationTRANSCRIPT
Dancing with Giants: Wimpy Kernels for On-demand Isolated I/O
Presenter: Probir RoyComputer Science DepartmentCollege of William & Mary
Isolated security-sensitive application
Towards Application Security on Untrusted Operating Systems (by DRK Ports - 2008)
Isolated security-sensitive application
AppShield: Protecting Applications against Untrusted Operating System (by Y Cheng - 2013)
Tamper-Resistant Execution in an Untrusted Operating System Using A Virtual Machine Monitor (H Chen - 2007)
TrustVisor: Efficient TCB Reduction and Attestation (by JM McCune - 2010)
Isolated security-sensitive application
Design, Implementation and Verification of aneXtensible and Modular Hypervisor Framework(by A Vasudevan - 2013)
MiniBox: A Two-Way Sandbox for x86 Native Code (by Y Li - 2014)
Many More ...
Isolated application
Wimps
Giants {
Limitations of Isolated application
softwarecomponents must be verified
Small, simple, limited in function
Wimps
Giants {
- persistent memory- file system and network services,- flexible trusted paths to users, and - isolated I/O services
Wimps Lack :
Limitations of Isolated application:Example
Providing Trustworthy services
Approach 1: Restructure Giant for trust-worthy services
Problem: lacks scalable performance
Approach 2: Include basic services to TCB
Problem: Increases code base
Providing services to Isolated application
Approach 3: Wimps reuse giant-provided services but only after efficientlyverifying their results
Providing services to Isolated application
Requires:
P1: On-demand isolated I/O Channel
P2: Complete Mediation of time-multiplexed accesses to devices
P3: Minimization of the Trusted Codebase
Giants can use Wimp services for protection against persistent threats
Wimpy Kernels for On-demand Isolated I/O
Adversary Model
1) Compromised OS can attack wimp apps or intentionally control or mis-configure any device
2) Malicious wimp application may escalate its privilege by manipulating the interfaces with the I/O isolation system or configuring the wimp app’s devices
3) Wimp Apps can break application isolation or even compromise OS execution and corrupt its data
Security requirements
P1. I/O Channel Isolation.
P2. Complete Mediation.
P3. Minimization of the Trusted Codebase.
(1) the code base ofa trusted I/O kernel must be minimized to facilitate formalverification; and (2) the underlying TCB must be unaffectedby the addition of a trusted I/O kernel
System Component
Implementing Security Properties: Wimpy kernel
Wimpy kernel is an add-on trustworthy component,
Dynamically controls hardware resources necessary to establish isolated I/O channels between wimp apps and I/O devices (P1: I/O Channel Isolation)
On-demand Isolated I/OFour significantadvantages
Enables wimp applications to obtain isolated I/O channels to any subset of a system’s commoditydevices needed during a session
Enables trusted audit and control of physicaldevices without stopping and restarting applications,
Allows unmodified commodity OSes to have unfettered access to all hardware resources and preserve the entireapplication ecosystem unchanged
Offers a significant opportunity for the reduction of the trusted I/O kernel size and complexity
Implementing Security Properties
Wimple Kernel compose with three other system components
MHV: To maintain memory integrity and address space separation (P3-II:TCB must be unaffected)
Untrusted OS: wimpy kernel outsources its most complex functions to the untrusted OS (P3-I: Small and simple Code base)
Wimp apps: minimize wimp kernel code base by de-privileging and exporting some of its code to wimp applications (P3-I: Small and simple Code base)
Wimp kernel mediates all accesses ofthe exported code to I/O devices and channels under its control(P2: Complete Mediation.)
Implementing Security Properties: DetailsOutsource-and-Verify& Export-and-Mediate
Implementing Security Properties: Details
P1 & 3-I: I/O Channel Isolation & Small and simple Code base: Outsource-and-Verify
1) Untrusted OS initializes the USB hierarchy
2) wimpy kernel verifies their correct configuration and initialization.
Outsource
Implementing Security Properties: Details
P1 & 3-I: I/O Channel Isolation & Small and simple Code base: Outsource-and-Verify
1) Untrusted OS initializes the USB hierarchy
2) wimpy kernel verifies their correct configuration and initialization.
Resolve the threat of USB address overlap and remote wake-up attacks
Implementing Security Properties: DetailsOutsource-and-Verify& Export-and-Mediate
Implementing Security Properties: Details
P2 & 3-I: Complete Mediation & Small and simple Code base: Export-and-Mediate
1) Bus subsystem code exported by the wimpy kernel to a wimp app
2) WK verifies the behavior of the wimp apps that may affect wimp app isolation from the OS
Implementing Security Properties: Details
P2 & 3-I: Complete Mediation & Small and simple Code base: Export-and-Mediate
1) Bus subsystem code exported by the wimpy kernel to a wimp app
2) WK verifies the behavior of the wimp apps that may affect wimp app isolation from the OS
SYSTEM LIFE-CYCLE
SYSTEM LIFE-CYCLE
EVALUATION
EVALUATION
Scanning Process
Contribution
Introduce the notion of on-demand isolated I/O channels for security-sensitive applications on unmodified commodity platforms
Present a security architecture based on a minimal wimpy kernel, without affecting the underlying TCB.
how the classic outsource-and-verify and export-and-mediate methods are used to minimize the wimpy kernel, and report on the minimization results in detail.
Implement and Evaluate the wimpy kernel for the USB subsystem
Questions