Lockdown: Towards a Safe and Practical Architecture for Security Applications on Commodity Platforms

  • Amit Vasudevan
  • Bryan Parno
  • Ning Qu
  • Virgil D. Gligor
  • Adrian Perrig
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7344)


We investigate a new point in the design space of red/green systems [19,30], which provide the user with a highly-protected, yet also highly-constrained trusted (“green”) environment for performing security-sensitive transactions, as well as a high-performance, general-purpose environment for all other (non-security-sensitive or “red”) applications. Through the design and implementation of the Lockdown architecture, we evaluate whether partitioning, rather than virtualizing, resources and devices can lead to better security or performance for red/green systems. We also design a simple external interface to allow the user to securely learn which environment is active and easily switch between them. We find that partitioning offers a new tradeoff between security, performance, and usability. On the one hand, partitioning can improve the security of the “green” environment and the performance of the “red” environment (as compared with a virtualized solution). On the other hand, with current systems, partitioning makes switching between environments quite slow (13-31 seconds), which may prove intolerable to users.


Trust Platform Module Device Driver Virtual Machine Monitor Memory Region Network Protection 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Vmware esx server node evaluator’s guide,
  2. 2.
    The l4ka project (2011),
  3. 3.
  4. 4.
    Xen pcipassthrough (October 2011),
  5. 5.
    Xen vgapassthrough (October 2011),
  6. 6.
    Xen vtdhowto (October 2011),
  7. 7.
    Advanced Micro Devices. AMD64 architecture programmer’s manual: Volume 2: System programming. AMD Publication no. 24594 rev. 3.11 (December 2005)Google Scholar
  8. 8.
    Balfanz, D., Simon, D.R.: Windowbox: A simple security model for the connected desktop. In: Proceedings of the 4th USENIX Windows Systems Symposium (2000)Google Scholar
  9. 9.
    Bernstein, D.J.: Cache-timing attacks on aes (April 2005),
  10. 10.
    Bhargava, R., Serebrin, B., Spadini, F., Manne, S.: Accelerating two-dimensional page walks for virtualized systems. In: ASPLOS (March 2008)Google Scholar
  11. 11.
    Chen, X., Garfinkel, T., Lewis, E.C., Subrahmanyam, P., Waldspurger, C.A., Boneh, D., Dwoskin, J., Ports, D.R.K.: Overshadow: A virtualization-based approach to retrofitting protection in commodity operating systems. In: ASPLOS (2008)Google Scholar
  12. 12.
    Cox, R.S., Gribble, S.D., Levy, H.M., Hansen, J.G.: A safety-oriented platform for web applications. In: IEEE S&P, pp. 350–364 (May 2006)Google Scholar
  13. 13.
    Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: A virtual machine-based platform for trusted computing. In: SOSP (October 2003)Google Scholar
  14. 14.
    Hewlett-Packard, Intel, Microsoft, Phoenix, and Toshiba. Advanced configuration and power interface specification. Revision 3.0b (October 2006)Google Scholar
  15. 15.
    Intel Corporation. Trusted execution technology – preliminary architecture specification and enabling considerations. Document number 31516803 (November 2006)Google Scholar
  16. 16.
    Karger, P., Safford, D.: I/O for virtual machine monitors: Security and performance issues. IEEE Security and Privacy 6(5), 16–23 (2008)CrossRefGoogle Scholar
  17. 17.
    Keller, E., Szefer, J., Rexford, J., Lee, R.B.: Nohype: virtualized cloud infrastructure without the virtualization. In: International Symposium on Computer Architecture (2010)Google Scholar
  18. 18.
    Lampson, B.: A note on the confinement problem. Comm. of the ACM 16(10) (1973)Google Scholar
  19. 19.
    Lampson, B.: Usable security: How to get it. Comm. of the ACM 52(11) (2009)Google Scholar
  20. 20.
    Leinenbach, D., Santen, T.: Verifying the Microsoft Hyper-V Hypervisor with VCC. In: Cavalcanti, A., Dams, D.R. (eds.) FM 2009. LNCS, vol. 5850, pp. 806–809. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  21. 21.
    Litty, L., Lagar-Cavilla, H.A., Lie, D.: Hypervisor support for identifying covertly executing binaries. In: Proceedings of the USENIX Security Symposium (2008)Google Scholar
  22. 22.
    McCune, J.M., Li, Y., Qu, N., Zhou, Z., Datta, A., Gligor, V., Perrig, A.: TrustVisor: Efficient TCB reduction and attestation. In: IEEE S&P (May 2010)Google Scholar
  23. 23.
    McCune, J.M., Parno, B., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: An execution infrastructure for TCB minimization. In: EuroSys (April 2008)Google Scholar
  24. 24.
    McCune, J.M., Parno, B., Perrig, A., Reiter, M.K., Seshadri, A.: Minimal TCB code execution (extended abstract). In: IEEE Symposium on Security and Privacy (May 2007)Google Scholar
  25. 25.
    McCune, J.M., Parno, B., Perrig, A., Reiter, M.K., Seshadri, A.: How low can you go? Recommendations for hardware-supported minimal TCB code execution. In: ACM ASPLOS (March 2008)Google Scholar
  26. 26.
    McCune, J.M., Perrig, A., Seshadri, A., van Doorn, L.: Turtles all the way down: Research challenges in user-based attestation. In: USENIX Workshop on Hot Topics in Security (2007)Google Scholar
  27. 27.
    Meushaw, R., Simard, D.: Nettop: Commercial technology in high assurance applications. VMware Tech Trend Notes 9(4), 1–8 (2000)Google Scholar
  28. 28.
    National Security Agency. High assurance platform program (January 2009),
  29. 29.
    PCI SIG. Single Root I/O Virtualization and Sharing Specification. V. 1.1 (2010)Google Scholar
  30. 30.
    Peinado, M., Chen, Y., England, P., Manferdelli, J.L.: NGSCB: A Trusted Open System. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 86–97. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  31. 31.
    Percival, C.: Cache missing for fun & profit. In: BSDCan (2005)Google Scholar
  32. 32.
    Phoenix Technologies. TrustedCore: Foundation for secure CRTM and BIOS implementation (2006),
  33. 33.
    Phoenix Technologies. Transitioning the Plug-In Industry from Legacy to Unified Extensible Firmware Interface (UEFI). Intel Developer Forum (September 2009)Google Scholar
  34. 34.
    Piotrowski, M., Joseph, A.D.: Virtics: A system for privilege separation of legacy desktop applications. Technical Report UCB/EECS-2010-70, EECS Department, University of California, Berkeley (May 2010)Google Scholar
  35. 35.
    Potter, S., Nieh, J.: Apiary: Easy-to-use desktop application fault containment on commodity operating systems. In: USENIX Annual Technical Conference (2010)Google Scholar
  36. 36.
    Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In: ACM CCS (2009)Google Scholar
  37. 37.
    Seshadri, A., Luk, M., Qu, N., Perrig, A.: SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In: SOSP (2007)Google Scholar
  38. 38.
    Shacham, H.: The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In: ACM CCS (2007)Google Scholar
  39. 39.
    Singaravelu, L., Pu, C., Haertig, H., Helmuth, C.: Reducing TCB complexity for security-sensitive applications: Three case studies. In: EuroSys (2006)Google Scholar
  40. 40.
    Steinberg, U., Kauer, B.: Nova: A microhypervisor-based secure virtualization architecture. In: EuroSys (2010)Google Scholar
  41. 41.
    Sun, K., Wang, J., Zhang, F., Stavrou, A.: Secureswitch: Bios-assisted isolation and switch between trusted and untrusted commodity oses. In: NDSS (2012)Google Scholar
  42. 42.
    Ta-Min, R., Litty, L., Lie, D.: Splitting interfaces: Making trust between applications and operating systems configurable. In: OSDI (2006)Google Scholar
  43. 43.
  44. 44.
    Trusted Computing Group. Trusted Platform Module Main Specification. V. 1.2 (2007)Google Scholar
  45. 45.
    Vasudevan, A., Parno, B., Qu, N., Gligor, V.D., Perrig, A.: Lockdown: A safe and practical environment for security applications. Technical Report CMU-CyLab-09-011, CyLab, Carnegie Mellon University (July 2009)Google Scholar
  46. 46.
    Wang, H.J., Grier, C., Moshchuk, A., King, S.T., Choudhury, P., Venter, H.: The multi-principal OS construction of the gazelle web browser. In: USENIX Security Symposium (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Amit Vasudevan
    • 1
  • Bryan Parno
    • 2
  • Ning Qu
    • 3
  • Virgil D. Gligor
    • 1
  • Adrian Perrig
    • 1
  1. 1.CyLabCarnegie Mellon UniversityUSA
  2. 2.Microsoft ResearchUSA
  3. 3.Google Inc.USA

Personalised recommendations