Abstract
We investigate a new point in the design space of red/green systems [19,30], which provide the user with a highly-protected, yet also highly-constrained trusted (“green”) environment for performing security-sensitive transactions, as well as a high-performance, general-purpose environment for all other (non-security-sensitive or “red”) applications. Through the design and implementation of the Lockdown architecture, we evaluate whether partitioning, rather than virtualizing, resources and devices can lead to better security or performance for red/green systems. We also design a simple external interface to allow the user to securely learn which environment is active and easily switch between them. We find that partitioning offers a new tradeoff between security, performance, and usability. On the one hand, partitioning can improve the security of the “green” environment and the performance of the “red” environment (as compared with a virtualized solution). On the other hand, with current systems, partitioning makes switching between environments quite slow (13-31 seconds), which may prove intolerable to users.
References
1. VMware: VMware ESX Server node evaluator's guide, http://www.vmware.com/pdf/esx_vin_eval.pdf
2. The L4Ka project (2011), http://www.l4ka.org
3. Source lines of code (2011), http://en.wikipedia.com/wiki/Source_lines_of_code
4. Xen PCI passthrough (October 2011), http://wiki.xensource.com/xenwiki/XenPCIpassthrough
5. Xen VGA passthrough (October 2011), http://wiki.xensource.com/xenwiki/XenVGAPassthrough
6. Xen VT-d HowTo (October 2011), http://wiki.xensource.com/xenwiki/VTdHowTo
7. Advanced Micro Devices: AMD64 Architecture Programmer's Manual, Volume 2: System Programming. AMD Publication no. 24594, rev. 3.11 (December 2005)
8. Balfanz, D., Simon, D.R.: WindowBox: A simple security model for the connected desktop. In: 4th USENIX Windows Systems Symposium (2000)
9. Bernstein, D.J.: Cache-timing attacks on AES (April 2005), http://cr.yp.to/papers.html
10. Bhargava, R., Serebrin, B., Spadini, F., Manne, S.: Accelerating two-dimensional page walks for virtualized systems. In: ASPLOS (March 2008)
11. Chen, X., Garfinkel, T., Lewis, E.C., Subrahmanyam, P., Waldspurger, C.A., Boneh, D., Dwoskin, J., Ports, D.R.K.: Overshadow: A virtualization-based approach to retrofitting protection in commodity operating systems. In: ASPLOS (2008)
12. Cox, R.S., Gribble, S.D., Levy, H.M., Hansen, J.G.: A safety-oriented platform for web applications. In: IEEE S&P, pp. 350–364 (May 2006)
13. Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: A virtual machine-based platform for trusted computing. In: SOSP (October 2003)
14. Hewlett-Packard, Intel, Microsoft, Phoenix, Toshiba: Advanced Configuration and Power Interface Specification, Revision 3.0b (October 2006)
15. Intel Corporation: Trusted Execution Technology – Preliminary Architecture Specification and Enabling Considerations. Document number 31516803 (November 2006)
16. Karger, P., Safford, D.: I/O for virtual machine monitors: Security and performance issues. IEEE Security & Privacy 6(5), 16–23 (2008)
17. Keller, E., Szefer, J., Rexford, J., Lee, R.B.: NoHype: Virtualized cloud infrastructure without the virtualization. In: ISCA (2010)
18. Lampson, B.: A note on the confinement problem. Commun. ACM 16(10) (1973)
19. Lampson, B.: Usable security: How to get it. Commun. ACM 52(11) (2009)
20. Leinenbach, D., Santen, T.: Verifying the Microsoft Hyper-V hypervisor with VCC. In: Cavalcanti, A., Dams, D.R. (eds.) FM 2009. LNCS, vol. 5850, pp. 806–809. Springer, Heidelberg (2009)
21. Litty, L., Lagar-Cavilla, H.A., Lie, D.: Hypervisor support for identifying covertly executing binaries. In: USENIX Security Symposium (2008)
22. McCune, J.M., Li, Y., Qu, N., Zhou, Z., Datta, A., Gligor, V., Perrig, A.: TrustVisor: Efficient TCB reduction and attestation. In: IEEE S&P (May 2010)
23. McCune, J.M., Parno, B., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: An execution infrastructure for TCB minimization. In: EuroSys (April 2008)
24. McCune, J.M., Parno, B., Perrig, A., Reiter, M.K., Seshadri, A.: Minimal TCB code execution (extended abstract). In: IEEE S&P (May 2007)
25. McCune, J.M., Parno, B., Perrig, A., Reiter, M.K., Seshadri, A.: How low can you go? Recommendations for hardware-supported minimal TCB code execution. In: ASPLOS (March 2008)
26. McCune, J.M., Perrig, A., Seshadri, A., van Doorn, L.: Turtles all the way down: Research challenges in user-based attestation. In: USENIX Workshop on Hot Topics in Security (HotSec) (2007)
27. Meushaw, R., Simard, D.: NetTop: Commercial technology in high assurance applications. VMware Tech Trend Notes 9(4), 1–8 (2000)
28. National Security Agency: High Assurance Platform program (January 2009), http://www.nsa.gov/ia/programs/h_a_p/index.shtml
29. PCI-SIG: Single Root I/O Virtualization and Sharing Specification, v1.1 (2010)
30. Peinado, M., Chen, Y., England, P., Manferdelli, J.L.: NGSCB: A trusted open system. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 86–97. Springer, Heidelberg (2004)
31. Percival, C.: Cache missing for fun and profit. In: BSDCan (2005)
32. Phoenix Technologies: TrustedCore: Foundation for secure CRTM and BIOS implementation (2006), https://forms.phoenix.com/whitepaperdownload/docs/trustedcore_wp.pdf
33. Phoenix Technologies: Transitioning the plug-in industry from legacy to Unified Extensible Firmware Interface (UEFI). Intel Developer Forum (September 2009)
34. Piotrowski, M., Joseph, A.D.: Virtics: A system for privilege separation of legacy desktop applications. Technical Report UCB/EECS-2010-70, EECS Department, University of California, Berkeley (May 2010)
35. Potter, S., Nieh, J.: Apiary: Easy-to-use desktop application fault containment on commodity operating systems. In: USENIX Annual Technical Conference (2010)
36. Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In: ACM CCS (2009)
37. Seshadri, A., Luk, M., Qu, N., Perrig, A.: SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In: SOSP (2007)
38. Shacham, H.: The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In: ACM CCS (2007)
39. Singaravelu, L., Pu, C., Haertig, H., Helmuth, C.: Reducing TCB complexity for security-sensitive applications: Three case studies. In: EuroSys (2006)
40. Steinberg, U., Kauer, B.: NOVA: A microhypervisor-based secure virtualization architecture. In: EuroSys (2010)
41. Sun, K., Wang, J., Zhang, F., Stavrou, A.: SecureSwitch: BIOS-assisted isolation and switch between trusted and untrusted commodity OSes. In: NDSS (2012)
42. Ta-Min, R., Litty, L., Lie, D.: Splitting interfaces: Making trust between applications and operating systems configurable. In: OSDI (2006)
43. The Qubes OS, http://qubes-os.org/Home.html
44. Trusted Computing Group: Trusted Platform Module Main Specification, v1.2 (2007)
45. Vasudevan, A., Parno, B., Qu, N., Gligor, V.D., Perrig, A.: Lockdown: A safe and practical environment for security applications. Technical Report CMU-CyLab-09-011, CyLab, Carnegie Mellon University (July 2009)
46. Wang, H.J., Grier, C., Moshchuk, A., King, S.T., Choudhury, P., Venter, H.: The multi-principal OS construction of the Gazelle web browser. In: USENIX Security Symposium (2009)
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Vasudevan, A., Parno, B., Qu, N., Gligor, V.D., Perrig, A. (2012). Lockdown: Towards a Safe and Practical Architecture for Security Applications on Commodity Platforms. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds) Trust and Trustworthy Computing. Trust 2012. Lecture Notes in Computer Science, vol 7344. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30921-2_3
DOI: https://doi.org/10.1007/978-3-642-30921-2_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30920-5
Online ISBN: 978-3-642-30921-2