Abstract
Most commodity peripheral devices and their drivers are designed for high performance, with security functions left out. The absence of strong security measures invites attacks on I/O data and consequently poses threats to the services that consume them, such as fingerprint-based biometric authentication. In this article, we present a generic solution called DriverGuard, which dynamically protects the secrecy of I/O flows so that I/O data are not exposed to a malicious kernel. Our design leverages a combination of cryptographic and virtualization techniques to achieve fine-grained protection without requiring any extra devices or modifications to user applications. We implement the DriverGuard prototype on Xen by adding around 1.7K SLOC. DriverGuard is lightweight, as it only needs to protect around 2% of the driver code's execution. We measure the performance and evaluate the security of DriverGuard with three input devices (keyboard, fingerprint reader, and camera) and three output devices (printer, graphics card, and sound card). The experimental results show that DriverGuard induces negligible overhead on the applications.