
XS Japan 2008 App Data English

Koichi Onoue: Controlling System Calls and Protecting Application Data in Virtual Machines

  1. Controlling System Calls and Protecting Application Data in Virtual Machines
     Koichi Onoue*, Yoshihiro Oyama**, Akinori Yonezawa*
     * The University of Tokyo; ** The University of Electro-Communications
  2. Protection for Applications
     • Security systems have been widely applied to provide secure computing environments
       – Sandboxing systems
       – Intrusion detection/prevention systems (IDSes/IPSes)
       – Anti-virus tools
     [Figure: an application holding confidential data and a security control system, both running above the OS kernel]
  3. Security Systems Can Also Be Compromised!
     • Security systems and the other applications are running in the same execution space
     [Figure: "Application 1 was compromised!" Application 1, Application 2 (holding confidential data) and the security control system share the execution space above the OS kernel]
  4. Advantages of a Virtual Machine Monitor (VMM) in Terms of Security
     • A VMM can provide strong isolation between VMs
       – The VMM prevents a compromised VM from attacking the other VMs
     • A VMM can control access to physical computing resources such as physical memory and disks
       – The VMM runs at a higher privilege level than the VMs
     [Figure: two virtual machines (VM), each an Application on a Guest OS, on top of the virtual machine monitor (VMM), which runs on the hardware]
  5. Our Goal
     • Enhancing application security from outside of VMs
       – In cooperation with the VMM, security systems control the behavior of applications and protect application data
     [Figure: Target VM (Application) and Control VM (Security system) side by side above the VMM]
  6. Our Approach
     • Controlling system calls from outside of target VMs
       – We confine the behavior of application processes
     • Controlling memory and file operations related to target applications in a VMM and a control VM
       – We prevent non-target programs from leaking target application data and tampering with it
     ➔ Our system controls only the target applications which users specify
     We extend a para-virtualization version of Xen
  7. Controlling System Calls from Outside of Target VMs
  8. Comparison between "w/o VMM" and "w/ VMM"
     Security systems alone ("w/o VMM") versus security systems in cooperation with a VMM ("w/ VMM"):

                                             w/o VMM          w/ VMM
       Attack against security systems       × Not hard       ○ Hard
       Execution states obtained by          ○ OS-level       × Hardware-level
       security systems
  9. Goal for Controlling System Calls
     (Same table as slide 8.) The "× Hardware-level" cell of the "w/ VMM" column is marked "Semantic gap", and "Our goal" points at that cell.
  10. Approach for Controlling System Calls
     • Controlling system calls from outside of VMs
       – Using information on target OSes
     • Conforming to security policies
     [Figure: Target VM (application) and Control VM (security system with security policy) above the VMM]
  11. Bridging the Semantic Gap
     • What a VMM can observe
       – Events: privileged instructions, interrupts, ...
       – Execution states: registers, memory pages, ...
     (Semantic gap)
     • What security systems require
       – Events: system calls, ...
       – Execution states: process ID, system call number, ...
  12. Security Policy
     • Specifies invoked system calls with pattern matching
         ...
         open default: allow
           fileEq("/etc/passwd") or filePrefixEq("/etc/cron.d") deny(EPERM)
         ...
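The two steps of slides 11 and 12, decoding a trapped system call from hardware-level state and then matching it against the policy notation shown on slide 12, as an added example that is not code from the talk or from Xen. It assumes the 32-bit Linux syscall ABI (eax holds the syscall number, ebx the first argument, `__NR_open` is 5) and stands in for the target VM's memory with an identity-mapped byte array; the predicate names `fileEq` and `filePrefixEq` and the `default:`/`deny(EPERM)` syntax are taken from the slide, everything else is constructed.

```python
"""Constructed example for slides 11 and 12 (not code from the talk or Xen):
a control VM decodes a trapped syscall from what the VMM observes, then
applies a pattern-matching policy written in the slide 12 notation.

Assumptions: 32-bit Linux syscall ABI (eax = number, ebx = first argument,
__NR_open == 5) and identity-mapped guest memory held in a byte array."""
import errno
import re

SYSCALL_NAMES = {5: "open"}          # only what the sample policy mentions

def read_guest_cstring(guest_mem: bytes, gva: int, limit: int = 256) -> str:
    """Copy a NUL-terminated string out of guest memory.  A real VMM walks
    gVA -> gPA -> hPA first; the sample memory here is identity-mapped."""
    end = guest_mem.find(b"\0", gva, gva + limit)
    if end < 0:
        raise ValueError("unterminated string in guest memory")
    return guest_mem[gva:end].decode("ascii")

def decode_syscall(regs: dict, guest_mem: bytes) -> dict:
    """Raise a register snapshot (hardware level) to a syscall event (OS level)."""
    name = SYSCALL_NAMES.get(regs["eax"])
    if name is None:
        raise ValueError(f"unhandled syscall number {regs['eax']}")
    return {"syscall": name, "path": read_guest_cstring(guest_mem, regs["ebx"])}

PREDICATES = {
    "fileEq": lambda path, arg: path == arg,
    "filePrefixEq": lambda path, arg: path.startswith(arg),
}
_CALL = re.compile(r'(\w+)\("([^"]*)"\)')
_DEFAULT = re.compile(r"(\w+)\s+default:\s*(allow|deny)(?:\((\w+)\))?$")
_RULE = re.compile(r"(.*?)\s+(allow|deny)(?:\((\w+)\))?$")

def parse_policy(text: str) -> dict:
    """Parse blocks of 'SYSCALL default: VERDICT' followed by rule lines whose
    'or'-joined predicate calls map to a verdict such as deny(EPERM)."""
    policy, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        m = _DEFAULT.match(line)
        if m:
            current = m.group(1)
            policy[current] = {"default": (m.group(2), m.group(3)), "rules": []}
            continue
        m = _RULE.match(line)
        if not (m and current):
            raise ValueError(f"bad policy line: {raw!r}")
        policy[current]["rules"].append((_CALL.findall(m.group(1)),
                                         (m.group(2), m.group(3))))
    return policy

def _verdict(verdict, err):
    return (verdict, getattr(errno, err) if err else None)

def evaluate(policy: dict, event: dict):
    """Return ('allow', None) or ('deny', <errno value>) for a decoded event."""
    entry = policy.get(event["syscall"])
    if entry is None:
        return ("allow", None)          # syscalls the policy does not mention
    for preds, outcome in entry["rules"]:
        if any(PREDICATES[fn](event["path"], arg) for fn, arg in preds):
            return _verdict(*outcome)
    return _verdict(*entry["default"])

SAMPLE_POLICY = """
...
open default: allow
  fileEq("/etc/passwd") or filePrefixEq("/etc/cron.d") deny(EPERM)
...
"""

def check_open(path: str):
    """Place a constructed path at gVA 0x100, trap an open() whose ebx points
    there, decode it and apply the sample policy."""
    guest_mem = bytearray(0x200)
    guest_mem[0x100:0x100 + len(path) + 1] = path.encode() + b"\0"
    event = decode_syscall({"eax": 5, "ebx": 0x100}, bytes(guest_mem))
    return evaluate(parse_policy(SAMPLE_POLICY), event)

if __name__ == "__main__":
    for p in ("/etc/passwd", "/etc/cron.d/hourly", "/etc/hostname"):
        print(p, check_open(p))
```

The first rule that matches wins and the per-syscall default applies otherwise, so `/etc/passwd` and anything under `/etc/cron.d` are denied with EPERM while `/etc/hostname` falls through to `allow`; the string copy out of guest memory is the part that a real implementation has to do through the guest page tables, which is exactly the semantic-gap work slide 11 describes.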
  13. Controlling Memory and File Operations Related with Application Data
  14. Goal for Protecting Application Data
     • Prevent compromised programs from leaking target data and tampering with it
       – Attackers use the ptrace system call, kernel modules, etc.
     [Figure: inside the VM, a compromised program leaks and tampers with the target application's confidential data in memory and on the virtual disk, via the OS kernel]
  15. Approach for Protecting Application Data
     • Hiding "real" application data in memory and on the virtual disk from compromised programs
       – Compromised programs include the target OS
     • Application data in memory
       – Code region, data region, stack region, etc.
       ➔ VMM multiplexes target physical pages
     • Application data on the virtual disk
       – Executables, configuration files, etc.
       ➔ Control VM manages them
  16. OS Memory Management
     [Figure: the OS translates the application's virtual address space into the physical address space (OS address translation)]
  17. VMM Memory Management
     [Figure: target VM virtual address space (gVA) → target VM physical address space (gPA) by the guest OS; gPA → VMM physical address space (hPA) by VMM address translation; the application's pages thus map gVA → hPA]
  18. Approach for Protecting Application Memory Data (1/2)
     • According to the operational mode, the VMM switches the accessible physical pages
     [Figure: the same gVA → gPA mapping is backed by different hPA pages: the "real" data page is the accessible page at user level, a dummy data page is the accessible page at kernel level]
       – Overshadow [Chen et al., 2008]
       – [Rosenblum et al., 2008]
  19. Approach for Protecting Application Memory Data (2/2)
     • When the operational mode changes, the VMM switches the page tables
       – Exception/interrupt handling
       – System call handling
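A small model of the page multiplexing of slides 18 and 19, added here as an example and not code from the talk or from Xen: the VMM keeps one gPA → hPA table per operational mode and swaps them only on transitions it traps itself (system calls, exceptions, interrupts and the return to user level), so kernel-level code in the target VM reads a dummy page at the same gPA that the application reads its real data from. Addresses, page contents and the event trace are all constructed; a real VMM would swap the hardware page-table base where this code swaps a dict.

```python
"""Constructed model of slides 18-19 (not code from the talk or Xen): a VMM
that multiplexes a target application's physical pages by operational mode.

Assumptions: gPAs and hPAs are small integers, pages are byte strings, and
the user/kernel transitions arrive as a hand-written trace of trapped events.
The gVA -> gPA step stays with the guest OS and is left out."""

class MultiplexingVmm:
    def __init__(self):
        self.host_pages = {}                      # hPA -> page contents
        self.tables = {"user": {}, "kernel": {}}  # mode -> {gPA: hPA}
        self.mode = "user"
        self.trace = []

    def _alloc(self, data: bytes) -> int:
        hpa = len(self.host_pages)
        self.host_pages[hpa] = data
        return hpa

    def map_shared(self, gpa: int, data: bytes) -> None:
        """Ordinary page: both modes see the same host page."""
        hpa = self._alloc(data)
        self.tables["user"][gpa] = hpa
        self.tables["kernel"][gpa] = hpa

    def map_multiplexed(self, gpa: int, real: bytes, dummy: bytes) -> None:
        """Target application page: user level sees the real page; the kernel
        (and anything at its level, e.g. a module or ptrace) sees a dummy page
        at the very same gPA."""
        self.tables["user"][gpa] = self._alloc(real)
        self.tables["kernel"][gpa] = self._alloc(dummy)

    def trap(self, event: str) -> None:
        """Mode changes are driven only by events the VMM observes itself, so
        the guest kernel cannot pick which table is active."""
        if event in ("syscall", "exception", "interrupt"):
            self.mode = "kernel"
        elif event == "return_to_user":
            self.mode = "user"
        else:
            raise ValueError(f"unknown event {event!r}")
        self.trace.append((event, self.mode))

    def read(self, gpa: int) -> bytes:
        """Access goes through the table of the current mode."""
        return self.host_pages[self.tables[self.mode][gpa]]


def run_scenario() -> dict:
    """Application reads, traps into the kernel, kernel-level code reads the
    same gPA, control returns to user level.  Returns what each side saw."""
    vmm = MultiplexingVmm()
    vmm.map_shared(0x200, b"libc text")                          # constructed
    vmm.map_multiplexed(0x100, real=b"secret key", dummy=b"\0" * 10)

    seen = {}
    seen["app_before"] = vmm.read(0x100)     # application at user level
    vmm.trap("syscall")                      # enters the guest kernel
    seen["kernel"] = vmm.read(0x100)         # kernel-level code, same gPA
    seen["kernel_shared"] = vmm.read(0x200)  # unprotected page is unchanged
    vmm.trap("return_to_user")
    seen["app_after"] = vmm.read(0x100)
    seen["trace"] = list(vmm.trace)
    return seen

if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The point to take from the trace is that the kernel never gets a "wrong" mapping it could notice: its gPA → hPA table is internally consistent, it simply points at pages the VMM chose for kernel mode, which is what lets the scheme hide data even from a compromised target OS (slide 15).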
  20. Approach for Protecting Application File Data (1/5)
     • Control VM manages "real" target files
       – Executables, configuration and database files, etc.
       – Security policy specifies target files
     [Figure: Control VM holds the security system, the security policy, the "real" configuration file and the "real" executable; Target VM holds the application with a dummy configuration file and a dummy executable; both run above the VMM]
  21. Approach for Protecting Application File Data (2/5)
     [Figure: the application in the target VM reads a configuration file into memory]
  22. Approach for Protecting Application File Data (3/5)
     [Figure: the VMM intercepts the "read" system call]
  23. Approach for Protecting Application File Data (4/5)
     [Figure: the security system in the control VM emulates "read" from the "real" configuration file]
  24. Approach for Protecting Application File Data (5/5)
     [Figure: the VMM notifies the application of the result of "read"]
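The five-step read emulation of slides 20 to 24 as a message exchange between the target VM, the VMM and the control VM, added here as an example and not code from the talk or from Xen. The virtual disks are dicts, the security policy is reduced to a set of target paths plus a target process ID, and the file contents are constructed; the exchange is logged so that both sides' messages can be followed, and a second, non-target process reading the same path shows that it is served by the guest kernel from the dummy copy.

```python
"""Constructed model of slides 20-24 (not code from the talk or Xen): the VMM
intercepts "read" from the target application and has the control VM emulate
it from the "real" file, while the target VM's disk only holds a dummy copy.

Assumptions: per-fd state is kept by the model rather than by a guest kernel,
the policy is a set of target paths, and target processes are named by pid."""

class ControlVM:
    """Holds the real target files and the policy that names them (slide 20)."""
    def __init__(self, real_files: dict, target_paths: set):
        self.real_files = real_files
        self.target_paths = target_paths

    def emulate_read(self, path: str, offset: int, count: int) -> bytes:
        return self.real_files[path][offset:offset + count]


class TargetVM:
    """Guest OS view: the virtual disk only ever contains dummy copies."""
    def __init__(self, dummy_files: dict):
        self.disk = dummy_files
        self.fds = {}                       # fd -> (path, offset)

    def open(self, path: str) -> int:
        fd = 3 + len(self.fds)
        self.fds[fd] = (path, 0)
        return fd

    def kernel_read(self, fd: int, count: int) -> bytes:
        """What the guest kernel would return on its own."""
        path, off = self.fds[fd]
        data = self.disk[path][off:off + count]
        self.fds[fd] = (path, off + len(data))
        return data


class Vmm:
    def __init__(self, target: TargetVM, control: ControlVM, target_pid: int):
        self.target, self.control, self.target_pid = target, control, target_pid
        self.log = []                       # (direction, message) pairs

    def syscall_read(self, pid: int, fd: int, count: int) -> bytes:
        """Slide 22: every read traps here; only target-process reads of
        policy-listed files are diverted to the control VM."""
        path, off = self.target.fds[fd]
        self.log.append(("target VM -> VMM", f"pid {pid}: read(fd={fd}, count={count})"))
        if pid == self.target_pid and path in self.control.target_paths:
            self.log.append(("VMM -> control VM", f"emulate read({path!r}, off={off}, count={count})"))
            data = self.control.emulate_read(path, off, count)   # slide 23
            self.target.fds[fd] = (path, off + len(data))
            self.log.append(("control VM -> VMM", f"{len(data)} bytes of real data"))
            self.log.append(("VMM -> target VM", f"pid {pid}: buffer filled, read returns {len(data)}"))  # slide 24
            return data
        data = self.target.kernel_read(fd, count)
        self.log.append(("VMM -> target VM", f"pid {pid}: not a target, guest kernel services read"))
        return data


def run_exchange():
    """Target process 1000 and unrelated process 2000 both read the same path."""
    dummy = {"/etc/app.conf": b"# dummy config\n"}                 # constructed
    real = {"/etc/app.conf": b"secret=constructed-value\n"}        # constructed
    target, control = TargetVM(dummy), ControlVM(real, {"/etc/app.conf"})
    vmm = Vmm(target, control, target_pid=1000)

    app_sees = vmm.syscall_read(pid=1000, fd=target.open("/etc/app.conf"), count=64)
    other_sees = vmm.syscall_read(pid=2000, fd=target.open("/etc/app.conf"), count=64)
    return app_sees, other_sees, vmm.log

if __name__ == "__main__":
    app_sees, other_sees, log = run_exchange()
    for direction, message in log:
        print(f"{direction:20s} {message}")
    print("target app read:", app_sees)
    print("other process read:", other_sees)
```

Only the result of the read (the filled buffer and the byte count) ever enters the target VM; the real file itself stays on the control VM's side, which is why a compromised guest kernel or a non-target process reading the same path only sees the dummy copy.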
  25. Conclusion
     • We have proposed a security system that enhances application security inside target VMs
       – Controlling application behavior
         • Controlling system calls from outside of target VMs
       – Protecting application data in memory and on the virtual disk
         • Application memory data: VMM multiplexes target physical pages
         • Application file data: Control VM manages them
  26. Fin
