Page 1
Dancing with Giants: Wimpy Kernels for On-demand Isolated I/O
Presenter: Probir Roy
Computer Science Department
College of William & Mary
Page 2
Isolated security-sensitive application
Towards Application Security on Untrusted Operating Systems (by DRK Ports - 2008)
Page 3
Isolated security-sensitive application
AppShield: Protecting Applications against Untrusted Operating System (by Y Cheng - 2013)
Tamper-Resistant Execution in an Untrusted Operating System Using A Virtual Machine Monitor (H Chen - 2007)
TrustVisor: Efficient TCB Reduction and Attestation (by JM McCune - 2010)
Page 4
Isolated security-sensitive application
Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework (by A Vasudevan - 2013)
MiniBox: A Two-Way Sandbox for x86 Native Code (by Y Li - 2014)
Many More ...
Page 5
Isolated application
Wimps
Giants
Page 6
Limitations of Isolated applications
Software components must be verified
Small, simple, limited in function
Wimps
Giants
Wimps lack:
- persistent memory
- file system and network services,
- flexible trusted paths to users, and
- isolated I/O services
Page 7
Limitations of Isolated application: Example
Page 8
Providing Trustworthy services
Approach 1: Restructure the Giant to provide trustworthy services
Problem: lacks scalable performance
Approach 2: Include basic services in the TCB
Problem: increases the code base
Providing services to Isolated application
Page 9
Approach 3: Wimps reuse giant-provided services, but only after efficiently verifying their results
Providing services to Isolated application
Requires:
P1: On-demand isolated I/O Channel
P2: Complete Mediation of time-multiplexed accesses to devices
P3: Minimization of the Trusted Codebase
Giants can use Wimp services for protection against persistent threats
Page 10
Wimpy Kernels for On-demand Isolated I/O
Page 11
Adversary Model
1) Compromised OS can attack wimp apps or intentionally control or mis-configure any device
2) Malicious wimp application may escalate its privilege by manipulating the interfaces with the I/O isolation system or configuring the wimp app’s devices
3) Wimp Apps can break application isolation or even compromise OS execution and corrupt its data
Page 12
Security requirements
P1. I/O Channel Isolation.
P2. Complete Mediation.
P3. Minimization of the Trusted Codebase.
(1) the code base of a trusted I/O kernel must be minimized to facilitate formal verification; and (2) the underlying TCB must be unaffected by the addition of a trusted I/O kernel
Page 13
System Component
Page 14
Implementing Security Properties: Wimpy kernel
Wimpy kernel is an add-on trustworthy component
Dynamically controls the hardware resources necessary to establish isolated I/O channels between wimp apps and I/O devices (P1: I/O Channel Isolation)
Page 15
On-demand Isolated I/O: Four significant advantages
Enables wimp applications to obtain isolated I/O channels to any subset of a system's commodity devices needed during a session
Enables trusted audit and control of physical devices without stopping and restarting applications
Allows unmodified commodity OSes to have unfettered access to all hardware resources and preserves the entire application ecosystem unchanged
Offers a significant opportunity for the reduction of the trusted I/O kernel size and complexity
Page 16
Implementing Security Properties
Wimpy kernel composes with three other system components
MHV (micro-hypervisor): maintains memory integrity and address space separation (P3-II: TCB must be unaffected)
Untrusted OS: the wimpy kernel outsources its most complex functions to the untrusted OS (P3-I: Small and simple code base)
Wimp apps: minimize the wimpy kernel code base by de-privileging and exporting some of its code to wimp applications (P3-I: Small and simple code base)
The wimpy kernel mediates all accesses of the exported code to I/O devices and channels under its control (P2: Complete Mediation)
Page 17
Implementing Security Properties: Details
Outsource-and-Verify & Export-and-Mediate
Page 18
Implementing Security Properties: Details
P1 & P3-I: I/O Channel Isolation & Small and simple code base: Outsource-and-Verify
1) The untrusted OS initializes the USB hierarchy
2) The wimpy kernel verifies the correct configuration and initialization of the resulting devices
Outsource
Page 19
Resolves the threats of USB address overlap and remote wake-up attacks
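As an added example (not the paper's or the presenter's code), the verify half of outsource-and-verify modelled as a check the wimpy kernel could run over a hierarchy snapshot handed to it by the untrusted OS after enumeration. The snapshot format, its field names and the concrete rules are assumptions chosen to cover the two threats the slide names: overlapping device addresses and an armed remote wake-up feature on a device the wimp app will use.

```python
USB_MAX_ADDRESS = 127  # USB addresses are 7-bit; 0 is the unconfigured default address

def verify_usb_hierarchy(snapshot, wimp_devices):
    """Return a list of violations; an empty list means the wimpy kernel accepts
    the OS-built hierarchy. Snapshot entries (constructed format, an assumption):
    address, parent (hub address, None for the root hub), port, is_hub, remote_wakeup."""
    violations = []
    by_addr = {}
    for dev in snapshot:
        addr = dev["address"]
        if not 1 <= addr <= USB_MAX_ADDRESS:
            violations.append(f"address {addr} out of range")
        if addr in by_addr:
            # Two devices answering to one address would see each other's transfers,
            # which is the address-overlap threat the verification step closes.
            violations.append(f"address {addr} assigned to more than one device")
        by_addr[addr] = dev
    seen_ports = set()
    for dev in snapshot:
        parent = dev["parent"]
        if parent is None:
            continue  # root hub
        if parent not in by_addr or not by_addr[parent]["is_hub"]:
            violations.append(f"device {dev['address']}: parent {parent} is not a known hub")
        if (parent, dev["port"]) in seen_ports:
            violations.append(f"hub {parent} port {dev['port']} claimed twice")
        seen_ports.add((parent, dev["port"]))
    for addr in wimp_devices:
        if addr not in by_addr:
            violations.append(f"requested device {addr} missing from hierarchy")
        elif by_addr[addr]["remote_wakeup"]:
            # Remote wake-up is the second threat the slide names; this model
            # requires it to be disabled on every device the wimp app will use.
            violations.append(f"device {addr}: remote wake-up enabled")
    return violations

# Constructed sample: root hub (1) with a keyboard (2) and a second hub (3)
# carrying a smart-card reader (4). The wimp app asks for devices 2 and 4.
SAMPLE_SNAPSHOT = [
    {"address": 1, "parent": None, "port": 0, "is_hub": True, "remote_wakeup": False},
    {"address": 2, "parent": 1, "port": 1, "is_hub": False, "remote_wakeup": False},
    {"address": 3, "parent": 1, "port": 2, "is_hub": True, "remote_wakeup": False},
    {"address": 4, "parent": 3, "port": 1, "is_hub": False, "remote_wakeup": False},
]

def check_sample():
    return verify_usb_hierarchy(SAMPLE_SNAPSHOT, {2, 4})
```

Any non-empty result means the wimpy kernel refuses to build isolated channels on top of that configuration; the OS would have to re-enumerate before the wimp session can start.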
Page 20
Implementing Security Properties: Details
Outsource-and-Verify & Export-and-Mediate
Page 21
Implementing Security Properties: Details
P2 & P3-I: Complete Mediation & Small and simple code base: Export-and-Mediate
1) Bus subsystem code is exported by the wimpy kernel to a wimp app
2) The wimpy kernel (WK) verifies the behavior of the wimp apps that may affect wimp app isolation from the OS
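As an added example (not the paper's or the presenter's code), the mediate half of export-and-mediate modelled as the reference monitor that every device request from exported bus code must pass. It covers the two properties the slides tie together here: time-multiplexed ownership of a device between the OS and a wimp session (P2), and the adversary-model case of a wimp app trying to reconfigure its own devices. The operation names, the ownership table and the set of configuration operations are assumptions for illustration.

```python
CONFIG_OPS = {"set_address", "set_configuration", "reset_port"}  # ops that change addressing or hierarchy

class IoMediator:
    """Every device request from exported bus code passes through check() before
    it reaches hardware. Device ownership is time-multiplexed between the OS and
    wimp sessions: the OS holds a device until a session claims it on demand,
    and the device returns to the OS when the session ends."""

    def __init__(self, all_devices):
        self.owner = {addr: "os" for addr in all_devices}  # the OS owns everything at boot
        self.denied = []  # audit trail of rejected requests

    def claim(self, wimp, addrs):
        """Move devices from the OS to a wimp session; all-or-nothing."""
        if any(self.owner.get(a) != "os" for a in addrs):
            return False  # unknown device, or already held by another session
        for a in addrs:
            self.owner[a] = wimp
        return True

    def release(self, wimp):
        """End a session: every device it held goes back to the OS."""
        for a, holder in self.owner.items():
            if holder == wimp:
                self.owner[a] = "os"

    def check(self, requester, addr, op):
        """Allow the request only if the requester currently owns the device, and
        never let exported wimp code issue operations that reconfigure it."""
        if self.owner.get(addr) != requester:
            self.denied.append((requester, addr, op, "not current owner"))
            return False
        if requester != "os" and op in CONFIG_OPS:
            self.denied.append((requester, addr, op, "configuration op from wimp code"))
            return False
        return True

def demo_session():
    """Constructed walk-through: a wimp app claims device 2, the OS is shut out of
    it for the session, the app cannot re-address it, and the OS gets it back."""
    m = IoMediator([1, 2, 3])
    claimed = m.claim("wimpA", [2])
    os_blocked = not m.check("os", 2, "bulk_in")
    app_ok = m.check("wimpA", 2, "bulk_in")
    config_blocked = not m.check("wimpA", 2, "set_address")
    other_blocked = not m.check("wimpA", 3, "bulk_in")
    m.release("wimpA")
    os_back = m.check("os", 2, "bulk_in")
    return (claimed, os_blocked, app_ok, config_blocked, other_blocked, os_back)
```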
Page 23
SYSTEM LIFE-CYCLE
Page 24
SYSTEM LIFE-CYCLE
Page 25
EVALUATION
Page 26
EVALUATION
Scanning Process
Page 27
Contribution
Introduce the notion of on-demand isolated I/O channels for security-sensitive applications on unmodified commodity platforms
Present a security architecture based on a minimal wimpy kernel, without affecting the underlying TCB
Show how the classic outsource-and-verify and export-and-mediate methods are used to minimize the wimpy kernel, and report on the minimization results in detail
Implement and evaluate the wimpy kernel for the USB subsystem
Page 28
Questions