Citation Context

...he confidentiality and integrity of specific code and data from other actors. In contrast to previous protection mechanisms such as process isolation, sandboxing, managed code, etc. which serve to confine an untrusted program and protect the rest of a system from its actions, isolated execution refers to the inverse: protecting specific code from the rest of the system, however large or privileged. Various forms of isolated execution are possible. Software implementations rely on a trusted component such as a hypervisor that implements isolation (e.g., using page protection and/or encryption) [11, 14, 25, 39, 54, 60, 63]. Conversely, in pure-hardware implementations, no software other than the isolated code is in the trusted computing base. While several hardware isolation mechanisms exist [9, 31, 34, 44, 59], SGX is the first commodity hardware that permits efficient multiplexing among multiple isolated programs without relying on trusted software. However, isolation alone is not sufficient to protect applications. In order to be useful, an isolation mechanism must permit interaction with untrusted software or hardware, to communicate results or access system services, and it is at these points that a naıve...

Citation Context

...C. Interrupt Context Implementation To place the Interrupt Context within the KCoFI VM internal memory, we use the Interrupt Stack Table (IST) feature of the x86 64 [24], as was done in Virtual Ghost =-=[25]-=-. This feature causes the processor to change the stack pointer to a specific location on traps or interrupts regardless of whether a processor privilege mode change has occurred. The KCoFI VM uses th...

Citation Context

...applications on systems like Overshadow, InkTag or Haven. We implement the attacks on Haven and InkTag and demonstrate their power by extracting complete text documents and outlines of JPEG images from widely deployed application libraries. Given these attacks, it is unclear if Overshadow’s vision of protecting unmodified legacy applications from legacy operating systems running on off-the-shelf hardware is still tenable. I. INTRODUCTION The past years have seen a significant effort in the design of systems that shield applications from the operating system [19], [18], [49], [42], [27], [20], [22], [35], [10]. Such shielding systems typically use trusted hardware or a hypervisor to prevent the operating system from reading or writing to an application’s memory and from directly tampering with its execution. The goal is to protect applications even if the operating system is adversarial. This proposition is compelling. The never-ending stream of vulnerabilities found in large, feature-rich legacy operating systems draws into question their ability to truly protect themselves or their applications. Shielding systems promise to fill this gap by using a small, defensible trusted computing ...

Citation Context

...ode and data. Monomi splits the computation between a trusted client and an untrusted server, and it uses partial homomorphic encryption at the server. Mylar [51] is a platform for building Web applications that supports searches over encrypted data. Several systems combine hardware-based isolation [37], [46], [59] with trusted system software [17], [28], [36], [38], [54], [58], [69], which is typically a trusted hypervisor. The Flicker [39] approach uses TXT [31] and avoids using a trusted hypervisor by time-partitioning the host machine between trusted and untrusted operation. Virtual Ghost [18] avoids using a trusted hypervisor and specialized hardware-based isolation mechanisms by instrumenting the kernel. Some systems allow the user to verify the result of a computation without protecting the confidentiality of the data or the code [48]. Pantry [13] can be used to verify the integrity of MapReduce jobs which are implemented in a subset of C. Pantry incurs a high overhead. Hawblitzel et al. presented the concept of formally verified Ironclad Apps [26] running on partially trusted hardware. They report runtime overheads of up to two orders of magnitude. Several security-enhanced Map...

Citation Context

...pport to effectively protect trusted applications. XOMOS [13] achieves the same goal, albeit with a new ABI and an ISA that has not yet been implemented in real hardware. InkTag [6] and Virtual Ghost =-=[4]-=- both aim to further defend these trusted applications from a small subset of potential Iago attacks [2], a new class of attacks in which a malicious kernel crafts return values from system services t...

Citation Context

...on, we are hopeful that with improving SMT solvers and better syntactic heuristics for simplifying the VCs, we will eliminate all timeouts. 8. Related Work Confinement of programs to prevent information release has been studied for many years [22]. We are interested in achieving confinement in user programs, even with buggy or malicious privileged code. We use trusted processors [3, 24, 28, 34] to create isolated memory regions where we keep confidential application code and data, but our techniques are also applicable if isolation is provided by the hypervisor [11, 20, 45], or runtime checks [13]. Independently of the isolation provider, we need to reason about the application code to provide formal guarantees of confinement, which is the goal of our work. Our method to check for WCFI-RW draws inspiration from prior work to perform instrumentation in order to satisfy control-flow integrity (CFI [2, 33]) and software fault isolation (SFI [27, 39, 44]). Like SFI, we introduce run-time checks to constrain memory references. Our run-time checks are similar to the ones used in VC3 [38], but importantly we use the paging hardware to check reads, which is more efficient than relying on compi...

Citation Context

... software approaches often incur substantial performance overhead. In the remainder of this section, we focus mostly on hardwaresupported solutions with the exception of Inktag [21] and Virtual Ghost =-=[12]-=- as representatives of recent state-of-theart software-only isolation schemes. A. Hardware-Assisted Isolation Hardware-assisted solutions are motivated by better security and performance [8], [11], [2...

Citation Context

... software approaches often incur substantial performance overhead. In the remainder of this section, we focus mostly on hardwaresupported solutions with the exception of Inktag [21] and Virtual Ghost =-=[12]-=- as representatives of recent state-of-theart software-only isolation schemes. A. Hardware-Assisted Isolation Hardware-assisted solutions are motivated by better security and performance [8], [11], [2...