research-article

AppSec: A Safe Execution Environment for Security Sensitive Applications

Authors:

Jianbao Ren,

Yong Qi,

Yuehua Dai,

Xiaoguang Wang,

Yi ShiAuthors Info & Claims

ACM SIGPLAN Notices, Volume 50, Issue 7

Pages 187 - 199

https://doi.org/10.1145/2817817.2731199

Published: 14 March 2015 Publication History

Get Access

Abstract

Malicious OS kernel can easily access user's private data in main memory and pries human-machine interaction data, even one that employs privacy enforcement based on application level or OS level. This paper introduces AppSec, a hypervisor-based safe execution environment, to protect both the memory data and human-machine interaction data of security sensitive applications from the untrusted OS transparently.

AppSec provides several security mechanisms on an untrusted OS. AppSec introduces a safe loader to check the code integrity of application and dynamic shared objects. During runtime, AppSec protects application and dynamic shared objects from being modified and verifies kernel memory accesses according to application's intention. AppSec provides a devices isolation mechanism to prevent the human-machine interaction devices being accessed by compromised kernel. On top of that, AppSec further provides a privileged-based window system to protect application's X resources. The major advantages of AppSec are threefold. First, AppSec verifies and protects all dynamic shared objects during runtime. Second, AppSec mediates kernel memory access according to application's intention but not encrypts all application's data roughly. Third, AppSec provides a trusted I/O path from end-user to application. A prototype of AppSec is implemented and shows that AppSec is efficient and practical.

References

[1]

Xen Arbitrary Code Execution. URL http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3124.

Google Scholar

[2]

Google V8 Benchmark Suite. URL http://v8.googlecode.com/svn/data/benchmarks/v7/run.html.

Google Scholar

[3]

The connection methods to the X server. URL https://www.debian.org/doc/manuals/debian-reference/ch07.en.html#_the_connection_methods_to_the_x_server.

Google Scholar

[4]

VMWare Arbitrary Code Execution. URL http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014--1209.

Google Scholar

[5]

PCI Local Bus Specification. URL http://www.math.uni.wroc.pl/~p-wyk4/so/pci23.pdf.

Google Scholar

[6]

Trusted Platform Module (TPM) Summary. URL http://www.trustedcomputinggroup.org/resources/trusted_platform_module_tpm_summary.

Google Scholar

[7]

X Window System. URL http://en.wikipedia.org/wiki/X_Window_System.

Google Scholar

[8]

INTEL R 64 AND IA-32 ARCHITECTURES SOFTWARE DEVELOPER'S MANUAL. Instruction Set Extensions ProgrammingReference. Intel Corporation, January 2013.

Google Scholar

[9]

M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. Controlflow integrity principles, implementations, and applications. ACM Transactions on Information and System Security (TISSEC), 13(1):4, 2009.

Digital Library

Google Scholar

[10]

A. Arasu, S. Blanas, K. Eguro, R. Kaushik, D. Kossmann, R. Ramamurthy, and R. Venkatesan. Orthogonal security with cipherbase. In 6th Conference on Innovative Data Systems Research, Jan. 2013.

Google Scholar

[11]

A. Azab, P. Ning, and X. Zhang. SICE: a hardware-level strongly isolated computing environment for x86 multi-core platforms. In Proceedings of the 18th ACM conference on Computer and communications security, pages 375--388. ACM, 2011.

Digital Library

Google Scholar

[12]

A. Baumann, D. Lee, P. Fonseca, L. Glendenning, J. R. Lorch, B. Bond, R. Olinsky, and G. C. Hunt. Composing os extensions safely and efficiently with bascule. In Proceedings of the 8th ACM European Conference on Computer Systems, pages 239--252. ACM, 2013.

Digital Library

Google Scholar

[13]

A. Baumann, M. Peinado, and G. Hunt. Shielding applications from an untrusted cloud with haven. In Proceedings of the 11th USENIX conference on Operating Systems Design and Implementation, pages 267--283. USENIX Association, 2014.

Digital Library

Google Scholar

[14]

A. D. Central. BIOS and Kernel Developer's Guide for AMD Family 15h Models 00h-0Fh Processors.

Google Scholar

[15]

H. Chen, F. Zhang, C. Chen, Z. Yang, R. Chen, B. Zang, and W. Mao. Tamper-resistant execution in an untrusted operating system using a virtual machine monitor. 2007.

Google Scholar

[16]

X. Chen, T. Garfinkel, E. Lewis, P. Subrahmanyam, C. Waldspurger, D. Boneh, J. Dwoskin, and D. Ports. Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems. In ACM SIGPLAN Notices, volume 43, pages 2--13. ACM, 2008.

Digital Library

Google Scholar

[17]

Y. Cheng, X. Ding, and R. H. Deng. Driverguard: A finegrained protection on i/o flows. In Proceedings of European Symposium on Research in Computer Security, pages 227--244. Springer, 2011.

Digital Library

Google Scholar

[18]

I. Corporation. Lagrande technology preliminary architecture specification. Intel Publication, (D52212), 2006.

Google Scholar

[19]

J. Criswell, N. Dautenhahn, and V. Adve. Virtual Ghost: Protecting Applications from Hostile Operating Systems. In Proceedings of the nineteenth international conference on Architectural Support for Programming Languages and Operating Systems. ACM, 2014.

Digital Library

Google Scholar

[20]

Y. Dai, Y. Shi, Y. Qi, J. Ren, and P. Wang. Design and verification of a lightweight reliable virtual machine monitor for a many-core architecture. Frontiers of Computer Science, pages 1--10.

Digital Library

Google Scholar

[21]

Y. Dai, Y. Qi, J. Ren, Y. Shi, X. Wang, and X. Yu. A lightweight VMM on many core for high performance computing. In Proceedings of the 9th ACM SIGPLAN/SIGOPS international conference on Virtual Execution Environments, pages 111--120. ACM, 2013.

Digital Library

Google Scholar

[22]

G. Duc and R. Keryell. Cryptopage: an efficient secure architecture with memory encryption, integrity and information leakage protection. In Computer Security Applications Conference, 2006. ACSAC'06. 22nd Annual, pages 483--492. IEEE, 2006.

Digital Library

Google Scholar

[23]

A. M. Dunn, M. Z. Lee, S. Jana, S. Kim, M. Silberstein, Y. Xu, V. Shmatikov, and E. Witchel. Eternal sunshine of the spotless machine: Protecting privacy with ephemeral channels. In Proc. of the USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2012.

Digital Library

Google Scholar

[24]

D. R. Engler, M. F. Kaashoek, et al. Exokernel: An operating system architecture for application-level resource management, volume 29. ACM, 1995.

Digital Library

Google Scholar

[25]

A. Filyanov, J. M. McCuney, A.-R. Sadeghiz, and M. Winandy. Uni-directional trusted path: Transaction confirmation on just one device. In Dependable Systems & Networks (DSN), 2011 IEEE/IFIP 41st International Conference on, pages 1--12. IEEE, 2011.

Digital Library

Google Scholar

[26]

K. Fraser, S. Hand, R. Neugebauer, I. Pratt, A. Warfield, and M. Williamson. Safe hardware access with the xen virtual machine monitor. In 1st Workshop on Operating System and Architectural Support for the on demand IT InfraStructure (OASIS), pages 1--1, 2004.

Google Scholar

[27]

T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh. Terra: A virtual machine-based platform for trusted computing. In ACM SIGOPS Operating Systems Review, volume 37, pages 193--206. ACM, 2003.

Digital Library

Google Scholar

[28]

C. Gebtry, S. Halevi, and N. P. Smart. Homomorphic evaluation of the aes circuit. In 32nd International Cryptology Conference, 2012.

Google Scholar

[29]

C. Gentry. A fully homomorphic encryption scheme. PhD thesis, Stanford University, 2009.

Digital Library

Google Scholar

[30]

V. George, T. Piazza, and H. Jiang. Technology Insight: Intel c Next Generation Microarchitecture Codename Ivy Bridge, 2011. URL www.intel.com/idf/library/pdf/sf_2011/SF11_SPCS005_101F.pdf.

Google Scholar

[31]

O. S. Hofmann, S. Kim, A. M. Dunn, M. Z. Lee, and E. Witchel. InkTag: Secure Applications On An Untrusted Operating System. In Proceedings of the eighteenth international conference on Architectural support for programming languages and operating systems, (ASPLOS), pages 265--278. ACM, 2013.

Digital Library

Google Scholar

[32]

V. P. Kemerlis, G. Portokalidis, and A. D. Keromytis. kguard: Lightweight kernel protection against return-to-user attacks. In Proceedings of the 21st USENIX Conference on Security Symposium, Security'12, Berkeley, CA, USA, 2012. USENIX Association.

Digital Library

Google Scholar

[33]

V. P. Kemerlis, M. Polychronakis, and A. D. Keromytis. Ret2dir: Rethinking kernel isolation. In Proceedings of the 23rd USENIX Conference on Security Symposium, SEC'14, 2014.

Digital Library

Google Scholar

[34]

C. Lattner and V. Adve. LLVM: A compilation framework for lifelong program analysis & transformation. In Code Generation and Optimization, 2004. CGO 2004. International Symposium on, pages 75--86. IEEE, 2004.

Digital Library

Google Scholar

[35]

D. Lie, C. Thekkath, M. Mitchell, P. Lincoln, D. Boneh, J. Mitchell, and M. Horowitz. Architectural support for copy and tamper resistant software. ACM SIGPLAN Notices, 35 (11):168--177, 2000.

Digital Library

Google Scholar

[36]

J. M. McCune, Y. Li, N. Qu, Z. Zhou, A. Datta, V. Gligor, and A. Perrig. TrustVisor: Efficient TCB Reduction and Attestation. In IEEE Symposium on Security and Privacy (SP), pages 143--158. IEEE, 2010.

Digital Library

Google Scholar

[37]

F. McKeen, I. Alexandrovich, A. Berenzon, C. V. Rozas, H. Shafi, V. Shanbhogue, and U. R. Savagaonkar. Innovative instructions and software model for isolated execution. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, page 10. ACM, 2013.

Digital Library

Google Scholar

[38]

R. Nikolaev and G. Back. Virtuos: an operating system with kernel virtualization. In Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles (SOSP 2013), pages 116--132. ACM, 2013.

Digital Library

Google Scholar

[39]

K. Onarlioglu, C. Mulliner, W. Robertson, and E. Kirda. PRIVEXEC: Private Execution as an Operating System Service. In IEEE Symposium on Security and Privacy. IEEE, 2013.

Digital Library

Google Scholar

[40]

R. A. Popa, C. M. Redfield, N. Xeldovich, and H. Balakrishnan. Cryptdb: Protecting confidentiality with encrypted query processing. In 23rd ACM Symposium on Operating Systems Principles, pages 85--100, 2011.

Digital Library

Google Scholar

[41]

M. Seaborn. Plash: tools for practical least privilege, 2008. URL http://plash.beasts.org/index.html.

Google Scholar

[42]

J. S. Shapiro, J. Vanderburgh, E. Northup, and D. Chizmadia. Design of the eros trusted window system. In Proceedings of the 13th conference on USENIX Security Symposium-Volume 13, pages 12--12. USENIX Association, 2004.

Digital Library

Google Scholar

[43]

L. Soares and M. Stumm. Flexsc: flexible system call scheduling with exception-less system calls. In Proceedings of the 9th USENIX conference on Operating systems design and implementation, OSDI. ACM, 2010.

Digital Library

Google Scholar

[44]

R. Strackx and F. Piessens. Fides: Selectively hardening software application components against kernel-level or processlevel malware. In Proceedings of the 19th ACM conference on Computer and Communications Security (CCS 2012), 2012.

Digital Library

Google Scholar

[45]

G. E. Suh, D. Clarke, B. Gassend, M. Van Dijk, and S. Devadas. AEGIS: architecture for tamper-evident and tamper resistant processing. In Proceedings of the 17th annual international conference on Supercomputing, pages 160--171, 2003.

Digital Library

Google Scholar

[46]

S. D. Tetali, M. Lesani, R. Majumdar, and T. Millstein. Mrcrypt: static analysis for secure cloud computations. In Proceedings of the 2013 ACM SIGPLAN international conference on Object oriented programming systems languages & applications, pages 271--286. ACM, 2013.

Digital Library

Google Scholar

[47]

A. Virtualization. Secure Virtual Machine Architecture Reference Manual. AMD Publication, (33047), 2005.

Google Scholar

[48]

J. Yang and K. Shin. Using hypervisor to provide data secrecy for user applications on a per-page basis. In Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, pages 71--80. ACM, 2008.

Digital Library

Google Scholar

[49]

M. Zhang and R. Sekar. Control flow integrity for cots binaries. In Usenix Security, pages 337--352, 2013.

Digital Library

Google Scholar

[50]

Z. Zhou, V. Gligor, J. Newsome, and J. McCune. Building verifiable trusted path on commodity x86 computers. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 616--630. IEEE, 2012.

Digital Library

Google Scholar

Cited By

View all

M SKS KT VG SD S(2023)Dynamic Access Control Through Cryptography in CloudITM Web of Conferences10.1051/itmconf/2023560600156(06001)Online publication date: 9-Aug-2023
https://doi.org/10.1051/itmconf/20235606001
Zhu MTu BWei WMeng D(2017)HA-VMSIProceedings of the 13th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments10.1145/3050748.3050767(242-256)Online publication date: 8-Apr-2017
https://dl.acm.org/doi/10.1145/3050748.3050767
Kwon YDunn ALee MHofmann OXu YWitchel E(2016)SegoACM SIGOPS Operating Systems Review10.1145/2954680.287237250:2(277-290)Online publication date: 25-Mar-2016
https://doi.org/10.1145/2954680.2872372
Show More Cited By

Index Terms

AppSec: A Safe Execution Environment for Security Sensitive Applications
1. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

AppSec: A Safe Execution Environment for Security Sensitive Applications
VEE '15: Proceedings of the 11th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments

Malicious OS kernel can easily access user's private data in main memory and pries human-machine interaction data, even one that employs privacy enforcement based on application level or OS level. This paper introduces AppSec, a hypervisor-based safe ...
Virtualization-based separation of privilege: working with sensitive data in untrusted environment
VDTS '09: Proceedings of the 1st EuroSys Workshop on Virtualization Technology for Dependable Systems

Contemporary commodity operating systems are too big and do not inspire trust in their security and reliability. Still they are used for processing sensitive data due to the vast amount of legacy software and good support for virtually all hardware ...
Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems
ASPLOS '08

Commodity operating systems entrusted with securing sensitive data are remarkably large and complex, and consequently, frequently prone to compromise. To address this limitation, we introduce a virtual-machine-based system called Overshadow that ...

Reviews

Reviewer: Patriciu V Victor-Valeriu

The authors of AppSec present a proposed implementation to achieve a secure environment without modifying the operating system (OS) kernel or applications. The main concept is that only the OS is untrusted, while the hardware and the firmware are presumed to be trusted. "A hypervisor-based safe execution environment," protects security-sensitive applications from an untrusted OS. The authors focus on a combination of mechanisms to secure "dynamic shared objects during runtime," "kernel memory access according to [the] application's intention," and input/output (I/O) communication from the end user to the application. The AppSec architecture overview is illustrated, and its elements are described meticulously. The safe loader component ensures the integrity of loaded applications and dynamic shared objects. The page tracker assures un-bypassed and transparent memory access by collecting information on sensitive applications' memory pages, and by raising a nested page table fault when the kernel tries to access them. Access is then granted according to the application's intentions. The I/O connections are secured with a privilege-based window-management system, with security-sensitive applications having the highest privilege. The authors detail the evaluation of their system, with respect to the performance overhead, by using native Linux execution rates as a baseline. The tests were performed on a server with AMD processors, running Debian "wheezy" with Linux 3.1. SPEC CPU2006, Apache, and Google V8 benchmarks, and a few microbenchmarks, were used to compare against the baseline and the modified version with AppSec off and on. The tests concluded that a performance overhead of 6-to-10 percent incurred when all protection mechanisms were activated. The authors then present the limitations of the system and compare their work to similar techniques for protecting the user's privacy. The most important differences were that AppSec does not modify the OS in any way and secures both memory and human-machine interaction data. Online Computing Reviews Service

Access critical reviews of Computing literature here

Become a reviewer for Computing Reviews.

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

ACM SIGPLAN Notices Volume 50, Issue 7

VEE '15

July 2015

221 pages

ISSN:0362-1340

EISSN:1558-1160

DOI:10.1145/2817817

Editor:
Andy Gill
University of Kansas, Lawrence, KS

Issue’s Table of Contents

VEE '15: Proceedings of the 11th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments
March 2015
238 pages
ISBN:9781450334501
DOI:10.1145/2731186
General Chair:
Ada Gavrilovska
Georgia Tech
,
Program Chairs:
Angela Demke Brown
University of Toronto
,
Bjarne Steensgaard
Microsoft

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 14 March 2015

Published in SIGPLAN Volume 50, Issue 7

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National High Technology Research and Development Program of China(863 Program)
Ph.D. Programs Foundation of Ministry of Education of China
National Natural Science Foundation of China

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
737
Total Downloads

Downloads (Last 12 months)26
Downloads (Last 6 weeks)3

Reflects downloads up to 18 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

M SKS KT VG SD S(2023)Dynamic Access Control Through Cryptography in CloudITM Web of Conferences10.1051/itmconf/2023560600156(06001)Online publication date: 9-Aug-2023
https://doi.org/10.1051/itmconf/20235606001
Zhu MTu BWei WMeng D(2017)HA-VMSIProceedings of the 13th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments10.1145/3050748.3050767(242-256)Online publication date: 8-Apr-2017
https://dl.acm.org/doi/10.1145/3050748.3050767
Kwon YDunn ALee MHofmann OXu YWitchel E(2016)SegoACM SIGOPS Operating Systems Review10.1145/2954680.287237250:2(277-290)Online publication date: 25-Mar-2016
https://doi.org/10.1145/2954680.2872372
Liu WZhang ZQiao XLi YTan YMeng W(2024)A Software Integrity Authentication Protocol for Zero Trust ArchitectureProceedings of the SIGCOMM Workshop on Zero Trust Architecture for Next Generation Communications10.1145/3672200.3673874(1-6)Online publication date: 4-Aug-2024
https://dl.acm.org/doi/10.1145/3672200.3673874
Wang X(2021)CloudImmu: Transparent Protection of Binary Applications in the CloudMILCOM 2021 - 2021 IEEE Military Communications Conference (MILCOM)10.1109/MILCOM52596.2021.9653063(309-315)Online publication date: 29-Nov-2021
https://doi.org/10.1109/MILCOM52596.2021.9653063
Jiang FCai QLin JLuo BGuan LMa ZBalenson D(2019)TF-BIVProceedings of the 35th Annual Computer Security Applications Conference10.1145/3359789.3359795(57-69)Online publication date: 9-Dec-2019
https://dl.acm.org/doi/10.1145/3359789.3359795
Patil RModi C(2019)An Exhaustive Survey on Security Concerns and Solutions at Different Components of VirtualizationACM Computing Surveys10.1145/328730652:1(1-38)Online publication date: 13-Feb-2019
https://dl.acm.org/doi/10.1145/3287306
Dong YYao JGuan HR AJiang Y(2017)MobiXenProceedings of the Conference on Design, Automation & Test in Europe10.5555/3130379.3130605(946-949)Online publication date: 27-Mar-2017
https://dl.acm.org/doi/10.5555/3130379.3130605
Dong YYao JGuan HKrishna RJiang Y(2017)MobiXen: Porting Xen on Android devices for mobile virtualizationDesign, Automation & Test in Europe Conference & Exhibition (DATE), 201710.23919/DATE.2017.7927127(946-949)Online publication date: Mar-2017
https://doi.org/10.23919/DATE.2017.7927127

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations