inktag: secure applications on an untrusted operating system · • application and hypervisor...
TRANSCRIPT
![Page 1: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/1.jpg)
InkTag: Secure Applications on an Untrusted Operating System
Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee,
Emmett Witchel
UT Austin
![Page 2: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/2.jpg)
You trust your OS... should you?
• The OS is the software root of trust on most systems
• The OS is a shared vulnerability• OS compromise infects all
• The OS is a vulnerable vulnerability
• Syscall interface a complex attack surface
•ioctl()
• Root often has OS-level privilege
OS
App
App
App
App
2
![Page 3: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/3.jpg)
You trust your OS... should you?
• The OS is the software root of trust on most systems
• The OS is a shared vulnerability• OS compromise infects all
• The OS is a vulnerable vulnerability
• Syscall interface a complex attack surface
•ioctl()
• Root often has OS-level privilege
OS
App
App
App
App
2A
pp
![Page 4: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/4.jpg)
You trust your OS... should you?
• The OS is the software root of trust on most systems
• The OS is a shared vulnerability• OS compromise infects all
• The OS is a vulnerable vulnerability
• Syscall interface a complex attack surface
•ioctl()
• Root often has OS-level privilege
OS
App
App
App
App
2A
pp
OS
![Page 5: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/5.jpg)
You trust your OS... should you?
• The OS is the software root of trust on most systems
• The OS is a shared vulnerability• OS compromise infects all
• The OS is a vulnerable vulnerability
• Syscall interface a complex attack surface
•ioctl()
• Root often has OS-level privilege
OS
App
App
App
App
2A
pp
OS
App
App
App
![Page 6: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/6.jpg)
You should trust the hypervisor
• Hypervisors have become a common part of the software stack
• Provide a layer of indirection under the OS
• Hypervisors can be more trustworthy
• Fewer lines of code
• Thinner interface
• Fewer vulnerabilities
3
Hypervisor
OS
App
App
App
App
![Page 7: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/7.jpg)
But the OS is still a problem
• Users want trustworthy applications
• Applications still must trust the OS
4
Hypervisor
OS
App
App
App
App
![Page 8: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/8.jpg)
But the OS is still a problem
• Users want trustworthy applications
• Applications still must trust the OS
4
Hypervisor
OS
App
App
App
App
OS
![Page 9: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/9.jpg)
But the OS is still a problem
• Users want trustworthy applications
• Applications still must trust the OS
4
Hypervisor
OS
App
App
App
App
App
OS
App
App
App
![Page 10: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/10.jpg)
Removing OS trust
• Why can the kernel compromise applications?
• No isolation
• OS still provides all essential services
• File I/O
• Memory mapping
OS
App
App
App
App
5
Hypervisor
![Page 11: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/11.jpg)
Isolate and verify
• Can the hypervisor improve this situation?
• Previous systems have examined this problem
• Overshadow [ASPLOS ’08]
• Trusted hypervisor isolates an application from an untrusted kernel
• Ensure that the OS follows its contract with the application
OS
App
App
App A
pp
6
Hypervisor
![Page 12: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/12.jpg)
Verifying OS behavior
1. Application asks OS to update high-level state• V = mmap(NULL, ..., F, offset);
• Application expects pages from file F at address V
2. OS updates low-level state
• Immediately
• On-demand (e.g. paging)
3. Do OS updates match application requests?• Did the OS map a frame containing
data from F at the correct offset?
7
OS
Hypervisor
App
page table
![Page 13: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/13.jpg)
Verifying OS behavior
1. Application asks OS to update high-level state• V = mmap(NULL, ..., F, offset);
• Application expects pages from file F at address V
2. OS updates low-level state
• Immediately
• On-demand (e.g. paging)
3. Do OS updates match application requests?• Did the OS map a frame containing
data from F at the correct offset?
7
OS
Hypervisor
mmap()
0x7FFCB...
App
page table
![Page 14: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/14.jpg)
Verifying OS behavior
1. Application asks OS to update high-level state• V = mmap(file=F, offset=O);
• Application expects pages from file F at address V
2. OS updates low-level state
• Immediately
• On-demand (e.g. paging)
3. Do OS updates match application requests?• Did the OS map a frame containing
data from F at the correct offset?
8
OS
Hypervisor
mmap()
0x7FFCB...
App
page table
![Page 15: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/15.jpg)
Verifying OS behavior
1. Application asks OS to update high-level state• V = mmap(file=F, offset=O);
• Application expects pages from file F at address V
2. OS updates low-level state
• Immediately
• On-demand (e.g. paging)
3. Do OS updates match application requests?• Did the OS map a frame containing
data from F at the correct offset?
9
OS
Hypervisor
App
page table
![Page 16: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/16.jpg)
Verifying OS behavior
1. Application asks OS to update high-level state• V = mmap(file=F, offset=O);
• Application expects pages from file F at address V
2. OS updates low-level state
• Immediately
• On-demand (e.g. paging)
3. Do OS updates match application requests?• Did the OS map a frame containing
data from F at the correct offset?
9
OS
Hypervisor
App
page tablepage fault
![Page 17: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/17.jpg)
Verifying OS behavior
1. Application asks OS to update high-level state• V = mmap(file=F, offset=O);
• Application expects pages from file F at address V
2. OS updates low-level state
• Immediately
• On-demand (e.g. paging)
3. Do OS updates match application requests?• Did the OS map a frame containing
data from F at the correct offset?
9
OS
Hypervisor
App
page tablepage fault
set_pte()
![Page 18: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/18.jpg)
Verifying OS behavior
1. Application asks OS to update high-level state• V = mmap(file=F, offset=O);
• Application expects pages from file F at address V
2. OS updates low-level state
• Immediately
• On-demand (e.g. paging)
3. Do OS updates match application requests?• Did the OS map a frame containing
data from F at the correct offset?
9
OS
Hypervisor
App
page tablepage fault
![Page 19: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/19.jpg)
Verifying OS behavior
1. Application asks OS to update high-level state• V = mmap(file=F, offset=O);
• Application expects pages from file F at address V
2. OS updates low-level state
• Immediately
• On-demand (e.g. paging)
3. Do OS updates match application requests?• Did the OS map a frame containing
data from F at the correct offset?
10
OS
Hypervisor
App
page tablepage fault
![Page 20: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/20.jpg)
Verifying OS behavior
• Application and hypervisor communicate• Synchronize on high-level
application state
• Hypervisor interposes on low-level updates• Validate updates against
expected state
• Hypervisor requires deep visibility into OS, application (semantic gap)
11
OS
Hypervisor
App
page table
![Page 21: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/21.jpg)
Verifying OS behavior
• Application and hypervisor communicate• Synchronize on high-level
application state
• Hypervisor interposes on low-level updates• Validate updates against
expected state
• Hypervisor requires deep visibility into OS, application (semantic gap)
11
OS
Hypervisor
App
page table
set_pte()
![Page 22: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/22.jpg)
• InkTag: secure applications on an untrusted OS
• Paraverification: require active participation from the untrusted OS for simpler, more efficient hypervisor design
12
![Page 23: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/23.jpg)
InkTag security guarantees
• Control flow integrity
• OS cannot change program counter, registers
• Address space integrity• OS cannot read or modify application data
• File I/O
• Applications access the desired files
• Privacy and integrity for file data
• Built on address space integrity
• Process control
• Applications can fork(), exec()
• Access control and naming
• Applications can define access control policies, use string filenames
• Consistency
• OS-managed data and hypervisor-managed metadata remain in sync
13
![Page 24: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/24.jpg)
InkTag security guarantees
• Control flow integrity
• OS cannot change program counter, registers
• Address space integrity• OS cannot read or modify application data
• File I/O
• Applications access the desired files
• Privacy and integrity for file data
• Built on address space integrity
• Process control
• Applications can fork(), exec()
• Access control and naming
• Applications can define access control policies, use string filenames
• Consistency
• OS-managed data and hypervisor-managed metadata remain in sync
14
![Page 25: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/25.jpg)
InkTag security guarantees
• Control flow integrity
• OS cannot change program counter, registers
• Address space integrity• OS cannot read or modify application data
• File I/O
• Applications access the desired files
• Privacy and integrity for file data
• Built on address space integrity
• Process control
• Applications can fork(), exec()
• Access control and naming
• Applications can define access control policies, use string filenames
• Consistency
• OS-managed data and hypervisor-managed metadata remain in sync
15
![Page 26: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/26.jpg)
InkTag security guarantees
• Control flow integrity
• OS cannot change program counter, registers
• Address space integrity• OS cannot read or modify application data
• File I/O
• Applications access the desired files
• Privacy and integrity for file data
• Built on address space integrity
• Process control
• Applications can fork(), exec()
• Access control and naming
• Applications can define access control policies, use string filenames
• Consistency
• OS-managed data and hypervisor-managed metadata remain in sync
16
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
![Page 27: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/27.jpg)
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
H
• Common mechanism used by Overshadow, InkTag, others
• OS expects to manage memory
• Show cleartext to application
• Show ciphertext to OS
• Hash for integrity
17
OS
Hypervisor
App
![Page 28: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/28.jpg)
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
H
• Common mechanism used by Overshadow, InkTag, others
• OS expects to manage memory
• Show cleartext to application
• Show ciphertext to OS
• Hash for integrity
17
OS
Hypervisor
App
![Page 29: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/29.jpg)
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
H
• Common mechanism used by Overshadow, InkTag, others
• OS expects to manage memory
• Show cleartext to application
• Show ciphertext to OS
• Hash for integrity
17
OS
Hypervisor
App
![Page 30: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/30.jpg)
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
H
• Common mechanism used by Overshadow, InkTag, others
• OS expects to manage memory
• Show cleartext to application
• Show ciphertext to OS
• Hash for integrity
17
OS
Hypervisor
App
![Page 31: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/31.jpg)
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
H
• Common mechanism used by Overshadow, InkTag, others
• OS expects to manage memory
• Show cleartext to application
• Show ciphertext to OS
• Hash for integrity
17
OS
Hypervisor
App
![Page 32: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/32.jpg)
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
H
• Common mechanism used by Overshadow, InkTag, others
• OS expects to manage memory
• Show cleartext to application
• Show ciphertext to OS
• Hash for integrity
17
OS
Hypervisor
App
![Page 33: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/33.jpg)
18
OS
Hypervisor
App
H
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
• Common mechanism used by Overshadow, InkTag, others
• OS expects to manage memory
• Show cleartext to application
• Show ciphertext to OS
• Hash for integrity
![Page 34: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/34.jpg)
18
OS
Hypervisor
App
H
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
• Common mechanism used by Overshadow, InkTag, others
• OS expects to manage memory
• Show cleartext to application
• Show ciphertext to OS
• Hash for integrity
![Page 35: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/35.jpg)
18
OS
Hypervisor
App
H
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
• Common mechanism used by Overshadow, InkTag, others
• OS expects to manage memory
• Show cleartext to application
• Show ciphertext to OS
• Hash for integrity
![Page 36: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/36.jpg)
18
OS
Hypervisor
App
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
• Common mechanism used by Overshadow, InkTag, others
• OS expects to manage memory
• Show cleartext to application
• Show ciphertext to OS
• Hash for integrity
![Page 37: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/37.jpg)
• Position of data in address space must match application requests [mmap()]
• Ensure OS constructs the correct address space
19
OS
Hypervisor
App1
3
2OS
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
![Page 38: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/38.jpg)
• Position of data in address space must match application requests [mmap()]
• Ensure OS constructs the correct address space
19
OS
Hypervisor
App1
3
2
1
2
3OS
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
![Page 39: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/39.jpg)
• Position of data in address space must match application requests [mmap()]
• Ensure OS constructs the correct address space
19
OS
Hypervisor
App1
3
21
2
3
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
![Page 40: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/40.jpg)
• Position of data in address space must match application requests [mmap()]
• Ensure OS constructs the correct address space
19
OS
Hypervisor
App1
3
21
2
3
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
![Page 41: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/41.jpg)
OS
Hypervisor
App
page table
• Ensure OS constructs the correct address space
• Application maps file F at addr V
• Are page faults to V handled correctly?
• Decrypted physical frame has same hash as F
• Interpose on page table updates
• Disallow arbitrary OS mapping
• Determine high-level update implied by low-level PTE change
• Match page table updates to application requests
• Virtual address V = file F, offset O
• Result of previous mmap() call
20
![Page 42: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/42.jpg)
OS
Hypervisor
mmap()
0x7FFCB...
App
page table
• Ensure OS constructs the correct address space
• Application maps file F at addr V
• Are page faults to V handled correctly?
• Decrypted physical frame has same hash as F
• Interpose on page table updates
• Disallow arbitrary OS mapping
• Determine high-level update implied by low-level PTE change
• Match page table updates to application requests
• Virtual address V = file F, offset O
• Result of previous mmap() call
20
![Page 43: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/43.jpg)
OS
Hypervisor
App
page tablepage fault
• Ensure OS constructs the correct address space
• Application maps file F at addr V
• Are page faults to V handled correctly?
• Decrypted physical frame has same hash as F
• Interpose on page table updates
• Disallow arbitrary OS mapping
• Determine high-level update implied by low-level PTE change
• Match page table updates to application requests
• Virtual address V = file F, offset O
• Result of previous mmap() call
20
![Page 44: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/44.jpg)
OS
Hypervisor
App
page tablepage fault
set_pte()
• Ensure OS constructs the correct address space
• Application maps file F at addr V
• Are page faults to V handled correctly?
• Decrypted physical frame has same hash as F
• Interpose on page table updates
• Disallow arbitrary OS mapping
• Determine high-level update implied by low-level PTE change
• Match page table updates to application requests
• Virtual address V = file F, offset O
• Result of previous mmap() call
20
![Page 45: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/45.jpg)
OS
Hypervisor
App
page tablepage fault
• Ensure OS constructs the correct address space
• Application maps file F at addr V
• Are page faults to V handled correctly?
• Decrypted physical frame has same hash as F
• Interpose on page table updates
• Disallow arbitrary OS mapping
• Determine high-level update implied by low-level PTE change
• Match page table updates to application requests
• Virtual address V = file F, offset O
• Result of previous mmap() call
20
![Page 46: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/46.jpg)
OS
Hypervisor
App
page tablepage fault
21
• Ensure OS constructs the correct address space
• Application maps file F at addr V
• Are page faults to V handled correctly?
• Decrypted physical frame has same hash as F
• Interpose on page table updates
• Disallow arbitrary OS mapping
• Determine high-level update implied by low-level PTE change
• Match page table updates to application requests
• Virtual address V = file F, offset O
• Result of previous mmap() call
![Page 47: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/47.jpg)
OS
Hypervisor
App
page tablepage fault
22
• Ensure OS constructs the correct address space
• Application maps file F at addr V
• Are page faults to V handled correctly?
• Decrypted physical frame has same hash as F
• Interpose on page table updates
• Disallow arbitrary OS mapping
• Determine high-level update implied by low-level PTE change
• Match page table updates to application requests
• Virtual address V = file F, offset O
• Result of previous mmap() call
![Page 48: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/48.jpg)
• Interpreting low-level page table updates
• OS can construct valid, but confusing page tables
• Order in which updates are seen matters
• Matching page table updates to application requests
• Application and hypervisor must communicate complete memory map
OS
Hypervisor
PT (2)
App
23
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
PT
![Page 49: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/49.jpg)
• Interpreting low-level page table updates
• OS can construct valid, but confusing page tables
• Order in which updates are seen matters
• Matching page table updates to application requests
• Application and hypervisor must communicate complete memory map
OS
Hypervisor
PT (2)
App
23
PT (1)
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
![Page 50: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/50.jpg)
Hypervisor
PT (2)
App
24
PT (1)
OS
• Interpreting low-level page table updates
• OS can construct valid, but confusing page tables
• Order in which updates are seen matters
• Matching page table updates to application requests
• Application and hypervisor must communicate complete memory map
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
![Page 51: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/51.jpg)
Hypervisor
PT (2)
App
24
PT (1)
OS
• Interpreting low-level page table updates
• OS can construct valid, but confusing page tables
• Order in which updates are seen matters
• Matching page table updates to application requests
• Application and hypervisor must communicate complete memory map
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
![Page 52: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/52.jpg)
Hypervisor
PT (2)
App
24
PT (1)
OS
• Interpreting low-level page table updates
• OS can construct valid, but confusing page tables
• Order in which updates are seen matters
• Matching page table updates to application requests
• Application and hypervisor must communicate complete memory map
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
![Page 53: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/53.jpg)
Hypervisor
PT (2)
App
25
PT (1)
OS
• Interpreting low-level page table updates
• OS can construct valid, but confusing page tables
• Order in which updates are seen matters
• Matching page table updates to application requests
• Application and hypervisor must communicate complete memory map
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
![Page 54: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/54.jpg)
Hypervisor
PT (2)
App
25
PT (1)
OS
• Interpreting low-level page table updates
• OS can construct valid, but confusing page tables
• Order in which updates are seen matters
• Matching page table updates to application requests
• Application and hypervisor must communicate complete memory map
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
![Page 55: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/55.jpg)
Hypervisor
PT (2)
App
25
PT (1)
OS
• Interpreting low-level page table updates
• OS can construct valid, but confusing page tables
• Order in which updates are seen matters
• Matching page table updates to application requests
• Application and hypervisor must communicate complete memory map
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
![Page 56: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/56.jpg)
• Application must validate pointer results returned from kernel
• Iago attacks [ASPLOS ’13]
Hypervisor
App Stack
New region
OS
26
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
![Page 57: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/57.jpg)
• Application must validate pointer results returned from kernel
• Iago attacks [ASPLOS ’13]
Hypervisor
App
mmap()
0x7FFCB...
Stack New region
OS
26
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
![Page 58: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/58.jpg)
• The OS updates page tables
• Can guarantee sanity and ordering
• The OS maintains memory maps
• Can expose that information to hypervisor and application
Hypervisor
App
OS
27
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
![Page 59: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/59.jpg)
• Paraverification: an untrusted OS helping to verify its own behavior• Take inspiration from
paravirtualization
• Extensive use of existing paravirtual interface
• OS must participate, but information cannot be trusted
Hypervisor
App
OS
28
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
![Page 60: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/60.jpg)
Paraverification: validating PTE updates
• Untrusted OS notifies hypervisor on page table updates
• Regular structure
• In update order
App
Hypervisor
OS
29
![Page 61: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/61.jpg)
Paraverification: validating PTE updates
• Untrusted OS notifies hypervisor on page table updates
• Regular structure
• In update order
App
Hypervisor
OS
pte_update( addr=0x7FCB...
29
![Page 62: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/62.jpg)
Paraverification: validating PTE updates
• Application maintains memory mappings in an array of descriptors
• Interpose on mmap() in libc
• Generate a token for each mapping
• Unforgeable identifier describing requested mapping
• e.g. HMAC(addr, file, offset)
• In implementation, integer index
App
Hypervisor
OS.file=....addr=....offset=...
30
![Page 63: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/63.jpg)
Paraverification: validating PTE updates
• Application maintains memory mappings in an array of descriptors
• Interpose on mmap() in libc
• Generate a token for each mapping
• Unforgeable identifier describing requested mapping
• e.g. HMAC(addr, file, offset)
• In implementation, integer index
App
Hypervisor
OS.file=....addr=....offset=...
mmap(file=..., token=5
0x7FCB...
30
![Page 64: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/64.jpg)
Paraverification: validating PTE updates
• Application maintains memory mappings in an array of descriptors
• Interpose on mmap() in libc
• Generate a token for each mapping
• Unforgeable identifier describing requested mapping
• e.g. HMAC(addr, file, offset)
• In implementation, integer index
App
Hypervisor
OS.file=....addr=....offset=...
30
![Page 65: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/65.jpg)
Paraverification: validating PTE updates
• Application maintains memory mappings in an array of descriptors
• Interpose on mmap() in libc
• Generate a token for each mapping
• Unforgeable identifier describing requested mapping
• e.g. HMAC(addr, file, offset)
• In implementation, integer index
App
Hypervisor
OS.file=....addr=....offset=...
pte_update( addr=0x7FCB... token=5
30
![Page 66: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/66.jpg)
Paraverification: validating PTE updates
• Application maintains memory mappings in an array of descriptors
• Interpose on mmap() in libc
• Generate a token for each mapping
• Unforgeable identifier describing requested mapping
• e.g. HMAC(addr, file, offset)
• In implementation, integer index
App
Hypervisor
OS.file=....addr=....offset=...
pte_update( addr=0x7FCB... token=5
30
![Page 67: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/67.jpg)
Paraverification: validating PTE updates
• Application memory listing protected from OS
• Entries always allocated in defined virtual address range
• Invalid entries marked
App
Hypervisor
OS.file=....addr=....offset=...
31
![Page 68: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/68.jpg)
Paraverification: validating PTE updates
• Application memory listing protected from OS
• Entries always allocated in defined virtual address range
• Invalid entries marked
App
Hypervisor
OS.file=....addr=....offset=...
pte_update( addr=0x7FCB... token=eleventy
31
![Page 69: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/69.jpg)
Paraverification: validating PTE updates
• Application memory listing protected from OS
• Entries always allocated in defined virtual address range
• Invalid entries marked
App
Hypervisor
OS.file=....addr=....offset=...
pte_update( addr=0x7FCB... token=eleventy
31
![Page 70: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/70.jpg)
Paraverification: validating PTE updates
• Application memory listing protected from OS
• Entries always allocated in defined virtual address range
• Invalid entries marked
App
Hypervisor
OS.file=....addr=....offset=...
pte_update( addr=0x7FCB... token=eleventy
31
![Page 71: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/71.jpg)
Paraverification: validating syscall results
• OS returns tokens to application to assist validation
• Application maintains linked list of mappings
• OS specifies previous entry
• Application checks for overlap, updates list
App
Hypervisor
OS.file=....addr=....offset=...
32
![Page 72: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/72.jpg)
Paraverification: validating syscall results
• OS returns tokens to application to assist validation
• Application maintains linked list of mappings
• OS specifies previous entry
• Application checks for overlap, updates list
App
Hypervisor
OS.file=....addr=....offset=...
mmap(file=..., token=5
0x7FCB...
32
![Page 73: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/73.jpg)
Paraverification: validating syscall results
• OS returns tokens to application to assist validation
• Application maintains linked list of mappings
• OS specifies previous entry
• Application checks for overlap, updates list
App
Hypervisor
OS.file=....addr=....offset=...
mmap(file=..., token=5
0x7FCB... , prev=2
32
![Page 74: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/74.jpg)
Paraverification: validating syscall results
• OS returns tokens to application to assist validation
• Application maintains linked list of mappings
• OS specifies previous entry
• Application checks for overlap, updates list
App
Hypervisor
OS.file=....addr=....offset=...
mmap(file=..., token=5
0x7FCB... , prev=2
33
• Basic memory isolation mechanisms
• Challenges: why is this difficult?
• Paraverification: how can the untrusted OS help?
• Guarantee sane address space updates
• Expose internal OS information to hypervisor and application
![Page 75: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/75.jpg)
Implementation & Evaluation
• Prototype built with KVM, qemu, uClibc
• ~3500 hypervisor LOC
• Modify libc to validate syscall results
• OS microbenchmarks
• LMBench
• Applications
• SPEC
• Apache
• DokuWiki
34
![Page 76: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/76.jpg)
DokuWiki
• PHP CGI binary with InkTag extensions
• InkTag authentication module
• Use InkTag access control on wiki pages
• Result: hypervisor-enforced security for a PHP application
• Integrity for all script files
• Privacy and integrity for application data
35
![Page 77: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/77.jpg)
InkTag overheads
• LMBench
• Low-level OS microbenchmarks
• 5x - 55x slowdown (for µs operations)
• High context switch latency
• SPEC
• CPU-bound applications
• Most applications <= 1.03x
• gcc - 1.14x; perlbench, h264href - 1.10x
• Apache
• Long-lived processes, infrequent MM activity
• 1.02x throughput slowdown, 1.13x latency
• DokuWiki
• Many short-lived processes, frequent memory mapping
• 1.54x throughput slowdown36
![Page 78: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/78.jpg)
Related work
• Untrusted operating systems
• XOMOS [Lie et al. SOSP ’03]
• Overshadow [Chen et al. ASPLOS ’08]
• SP3 [Yang & Shin VEE ’08]
• Cloudvisor [Zhang et al. SOSP ’11]
37
![Page 79: InkTag: Secure Applications on an Untrusted Operating System · • Application and hypervisor communicate • Synchronize on high-level application state • Hypervisor interposes](https://reader035.vdocuments.us/reader035/viewer/2022081522/5fb75dcbbe8e32510b7f8178/html5/thumbnails/79.jpg)
Conclusion
• We can enforce trustworthy services from an untrustworthy OS
• Paraverification simplifies crucial isolation mechanisms
38