xShare: Supporting Impromptu Sharing of Mobile Phones
Cited by 3 (1 self)
Loaded with personal data, e.g. photos, contacts, and call history, mobile phones are truly personal devices. Yet it is often necessary or desirable to share our phones with others. This is especially true as mobile phones are integrating features conventionally provided by other dedicated devices, from MP3 players to games consoles. Unfortunately, when we lend our phones to others, we give away complete access because existing phones assume a single user and provide little protection for private data and applications. In this work, we present xShare, a protection solution to address this problem. xShare allows phone owners to rapidly specify what they want to share and place the phone into a restricted mode where only the data and applications intended for sharing can be accessed. We first present findings from two motivational user studies, based on which we provide the design requirements of xShare. We then present the design of xShare based on file-level access control. We describe the implementation of xShare on Windows Mobile and report a comprehensive usability evaluation of the implementation, including measurements and user studies. The evaluation demonstrates that our xShare implementation has negligible overhead for interactive phone usage, is extremely favored by mobile users, and provides robust protection against attacks by experienced Windows Mobile users and developers.
Symcall: Symbiotic virtualization through vmm-to-guest upcalls
In Proceedings of the 2011 ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE), 2011
Cited by 3 (3 self)
Symbiotic virtualization is a new approach to system virtualization in which a guest OS targets the native hardware interface as in full system virtualization, but also optionally exposes a software interface that can be used by a VMM, if present, to increase performance and functionality. Neither the VMM nor the OS needs to support the symbiotic virtualization interface to function together, but if both do, both benefit. We describe the design and implementation of the SymCall symbiotic virtualization interface in our publicly available Palacios VMM for modern x86 machines. SymCall makes it possible for Palacios to make clean upcalls into a symbiotic guest, much like system calls. One use of symcalls is to collect semantically rich guest data to enable new VMM features. We describe the implementation of SwapBypass, a VMM-based service based on SymCall that reconsiders swap decisions made by a symbiotic Linux guest, adapting to guest memory pressure given current constraints. Finally, we present a detailed performance evaluation of both SwapBypass and SymCall.
SUEZ: A Distributed Safe Execution Environment for System Administration Trials
In this paper, we address the problem of safely and conveniently performing "trial" experiments in system administration tasks. System administrators often perform such trial executions that involve installing new software or experimenting with features of existing software. Often such trials require testing of software that runs on multiple hosts. For instance, experimenting with a typical client-server application requires understanding the effect of the actions of the client program on the server. We propose a distributed safe execution environment (DSEE) where such tasks can be performed safely and conveniently. A DSEE performs one-way isolation of the tasks run inside it: the effects of the client and the server are prevented from escaping outside the DSEE, and therefore are prevented from interfering with the processes running outside the DSEE. At the end of the trial execution, a DSEE allows clear inspection of the effects of running the task on all the hosts that are involved in the task execution. Also, a DSEE allows the changes to be "committed," in which case the actions become visible outside the DSEE. Otherwise, they can be "aborted" without affecting the system in any way. A DSEE is an ideal platform through which a system administrator can perform such trials without the fear of damaging the system in any manner. In this paper, we present the design and implementation of a tool called SUEZ that allows a system administrator to create and use distributed safe execution environments. We have experimented with several client-server applications using our tool. By performing these trials in a DSEE, we have found configuration vulnerabilities in our trials that involve some commonly used client-server applications.
PASAN: Automatic Patch and Signature Generation for Buffer-Overflow Attacks
Control-hijacking attacks exploit vulnerabilities in programs to take control of the victim applications and eventually their underlying machines. Although much work has been done on detection and prevention of control-hijacking attacks, most of it did not support adequate post-attack response, which should include attack signature and patch generation. Ideally, after a control-hijacking attack is detected, the signature generation component should supply the front-end firewall with a filtering rule that could stop the detected attack and its variants from entering the premises, and the patch generation component should create a fix that permanently eliminates the vulnerabilities that the detected attack exploits. This paper describes the design, implementation, and evaluation of a security-enhancing compiler, PASAN, that can instrument the source code of a C program so that it can detect a control-hijacking attack and automatically generate a signature and a software patch for the detected attack. The attack signatures that PASAN generates can capture polymorphic attacks because they contain regular expressions and length constraints. The automatically generated patches are similar to those created manually, so that developers can examine and merge them with the original code base with minimal effort. We have implemented the first PASAN prototype as a GNU C compiler extension that aims at stack-based buffer overflow attacks but could be easily generalized to accommodate other control-hijacking attacks. Testing this prototype with seven network daemon programs with known vulnerabilities shows that the automatically generated attack signatures can indeed stop the detected attacks and that the patches can successfully fix the vulnerabilities. In addition, these patches are similar in their structure to those that programmers generate. The run-time performance overhead of application programs instrumented by PASAN is between 10% and 23%, except for two programs, which do not have much internal processing.
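As an added illustration of the three artifacts the abstract describes (example code written for this page, not PASAN's own instrumentation or output): a fixed-size stack buffer that an unbounded copy can overflow, the bounds-checked form a generated patch takes, and a signature that pairs a regular expression with a length constraint on the captured field so that payload variants still match. The hypothetical "USER <name>" daemon command, the 16-byte buffer, the `struct signature` layout and the sample requests are assumptions chosen for the example.

```c
/* Added example for this page, not PASAN's code or generated output.
 * Assumptions: a hypothetical network daemon that reads a "USER <name>"
 * line into a 16-byte stack buffer; the signature format is a simplification
 * (one POSIX ERE capture group plus a length bound on the captured field). */
#include <regex.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16

/* "Before": the vulnerable form. strcpy() writes past name[] whenever the
 * field is NAME_BUF bytes or longer, clobbering the saved return address.
 * Kept only to show the defect; never call it with untrusted input. */
int handle_user_unpatched(const char *field)
{
    char name[NAME_BUF];
    strcpy(name, field);            /* stack-based buffer overflow */
    return (int)strlen(name);
}

/* "After": the shape of an automatically generated patch. The copy is
 * guarded by the destination size, so an oversized field is refused instead
 * of overwriting the stack. Returns the field length, or -1 when the input
 * would have overflowed (the point at which an attack is detected). */
int handle_user_patched(const char *field, char *name, size_t name_len)
{
    size_t n = strlen(field);
    if (n >= name_len)
        return -1;
    memcpy(name, field, n + 1);     /* n + 1 <= name_len, includes the NUL */
    return (int)n;
}

/* Signature: a regular expression whose single capture group isolates the
 * field that reached the overflowing copy, plus the largest length the
 * patched buffer accepts. Requests that differ only in payload bytes still
 * match, which is what lets the length constraint cover polymorphic attacks. */
struct signature {
    const char *pattern;            /* POSIX ERE with one capture group */
    size_t max_len;                 /* longest field the patched code accepts */
};

static const struct signature user_sig = {
    "^USER ([^\r\n]*)",             /* everything after "USER " up to end of line */
    NAME_BUF - 1                    /* 15 bytes: leaves room for the NUL */
};

/* Returns 1 if the request matches the signature (drop it at the firewall),
 * 0 if it does not, -1 if the pattern fails to compile. */
int signature_match(const struct signature *sig, const char *request)
{
    regex_t re;
    regmatch_t m[2];
    int hit = 0;

    if (regcomp(&re, sig->pattern, REG_EXTENDED) != 0)
        return -1;
    if (regexec(&re, request, 2, m, 0) == 0 && m[1].rm_so != -1) {
        size_t field_len = (size_t)(m[1].rm_eo - m[1].rm_so);
        hit = field_len > sig->max_len;
    }
    regfree(&re);
    return hit;
}

int main(void)
{
    /* Constructed sample requests: a benign login and an oversized one. */
    const char *benign = "USER alice\r\n";
    const char *attack = "USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n";
    char name[NAME_BUF];

    printf("benign: signature=%d patched=%d\n",
           signature_match(&user_sig, benign),
           handle_user_patched("alice", name, sizeof name));
    printf("attack: signature=%d patched=%d\n",
           signature_match(&user_sig, attack),
           handle_user_patched("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", name, sizeof name));
    return 0;
}
```

The length bound in the signature is derived from the same number as the bound in the patch (the buffer size minus the terminator), which is the relationship the abstract relies on: the firewall rule and the fix reject exactly the inputs that the original copy could not hold.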
A Virtualization Architecture for In-depth Kernel Isolation
Recent advances in virtualization technologies have sparked a renewed interest in the use of kernel and process virtualization as a security mechanism to enforce resource isolation and management. Unfortunately, virtualization solutions incur performance overhead. The magnitude of this overhead is directly proportional to the extent of virtualization they offer: full virtualization incurs an additional indirection layer to interface with the ever-increasing number of hardware devices. In this paper, we propose a hypervisor-assisted, microkernel architecture which aims to provide in-depth resource isolation without the performance penalty of full virtualization. To that end, we extend the hypervisor capabilities with a lightweight VMM which enforces an "identity context" for all assigned devices for each of the hosted kernels. Furthermore, we separate the control plane from the data plane for all hardware devices using data memory mapping and modifications of the native device drivers to divert control flow via the hypervisor. Our approach is layered, accommodating a wide range of devices, from legacy devices to experimental devices able to provide native, in-silicon context separation.
Intel Corporation
In recent years the types of malware and the level of their sophistication have increased dramatically [1]. In 2007, the number of computer viruses increased by 1 million and most of them were new attacks [2]. Unknown code downloaded and executed from the Internet can cause unrecoverable damage to the operating system via privilege-escalation attacks. Malicious code can be unintentionally and transparently downloaded due to vulnerabilities in browsers. To mitigate such attacks, researchers have designed a number of sandboxing techniques to isolate unknown system components and restrict their access to kernel components. In this paper, we describe a hardware-based fine-grained application sandboxing technique that allows programmer-defined virtual privilege levels to be defined beyond the single user-space privilege level available in today's processors. We focus on allowing such privilege separation mechanisms to be applied in place to the browser as it runs within a commodity operating system.

