FACE-CHANGE: Application-Driven Dynamic Kernel View Switching in a Virtual Machine

Gu, Zhongshu; Saltaformaggio, Brendan; Zhang, Xiangyu; Xu, Dongyan

doi:10.1109/dsn.2014.52

Cited by 22 publications

(28 citation statements)

References 18 publications

(13 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Besides these off-line kernel reduction works, kRazor [43] is an OS mechanism that restricts accesses to kernel code from user-level applications based on run-time profiling of workloads. FACE-CHANGE [36] identifies the minimized kernel memory for each application based on runtime profiling and projects the memory while the application is in production using virtualization techniques. All these works on monolithic kernels have motivated us to apply the principle of least privilege to real-time MCS, which was previously absent due to practical hardware and performance constraints.…”

Section: Related Workmentioning

confidence: 99%

Securing Real-Time Microcontroller Systems through Customized Memory View Switching

Kim

Choi

et al. 2018

Proceedings 2018 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Real-time microcontrollers have been widely adopted in cyber-physical systems that require both real-time and security guarantees. Unfortunately, security is sometimes traded for real-time performance in such systems. Notably, memory isolation, which is one of the most established security features in modern computer systems, is typically not available in many real-time microcontroller systems due to its negative impacts on performance and violation of real-time constraints. As such, the memory space of these systems has created an open, monolithic attack surface that attackers can target to subvert the entire systems. In this paper, we present MINION, a security architecture that intends to virtually partition the memory space and enforce memory access control of a real-time microcontroller. MINION can automatically identify the reachable memory regions of realtime processes through off-line static analysis on the system's firmware and conduct run-time memory access control through hardware-based enforcement. Our evaluation results demonstrate that, by significantly reducing the memory space that each process can access, MINION can effectively protect a microcontroller from various attacks that were previously viable. In addition, unlike conventional memory isolation mechanisms that might incur substantial performance overhead, the lightweight design of MINION is able to maintain the real-time properties of the microcontroller.

show abstract

Section: Related Workmentioning

confidence: 99%

Securing Real-Time Microcontroller Systems through Customized Memory View Switching

Kim

Choi

et al. 2018

Proceedings 2018 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

show abstract

“…In the future, CHANCEL can automate shared data initialization using static data-flow analysis to determine shared objects and files, without developer annotation, similar to an existing SGX automated compartmentalization scheme [55]. Furthermore, if the resulting analysis is too imprecise, it can be improved through dynamic analysis with a representative workload [56,57]. Importantly, developer-assisted identification does not pose security threats.…”

Section: Shared Data Initializationmentioning

confidence: 99%

CHANCEL: Efficient Multi-client Isolation Under Adversarial Programs

Ahmad¹,

Kim²,

Seo³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Intel SGX aims to provide the confidentiality of user data on untrusted cloud machines. However, applications that process confidential user data may contain bugs that leak information or be programmed maliciously to collect user data. Existing research that attempts to solve this problem does not consider multi-client isolation in a single enclave. We show that by not supporting such in-enclave isolation, they incur considerable slowdown when concurrently processing multiple clients in different enclave processes, due to the limitations of SGX. This paper proposes CHANCEL, a sandbox designed for multi-client isolation within a single SGX enclave. In particular, CHANCEL allows a program's threads to access both a per-thread memory region and a shared read-only memory region while servicing requests. Each thread handles requests from a single client at a time and is isolated from other threads, using a Multi-Client Software Fault Isolation (MCSFI) scheme. Furthermore, CHANCEL supports various in-enclave services such as an inmemory file system and shielded client communication to ensure complete mediation of the program's interactions with the outside world. We implemented CHANCEL and evaluated it on SGX hardware using both micro-benchmarks and realistic target scenarios, including private information retrieval and product recommendation services. Our results show that CHANCEL outperforms a baseline multi-process sandbox by 4.06 − 53.70× on micro-benchmarks and 0.02−21.18× on realistic workloads while providing strong security guarantees.

show abstract

“…Different from existing research efforts on side/covert channels, we discover a system-wide information leakage in the container cloud settings and design a new methodology to quantitatively assess the capacity of leakage channels for co-residence detection. In addition, compared to the research on minimizing the kernel attack surface for VMs [20], we proposed a two-stage defense mechanism to minimize the space for information leakages and power attacks on container clouds.…”

Section: Cloud Security and Side/covert Channel Attacksmentioning

confidence: 99%

A Study on the Security Implications of Information Leakages in Container Clouds

Gao

Steenkamer²,

Gu³

et al. 2021

IEEE Trans. Dependable and Secure Comput.

Self Cite

View full text Add to dashboard Cite

Container technology provides a lightweight operating system level virtual hosting environment. Its emergence profoundly changes the development and deployment paradigms of multi-tier distributed applications. However, due to the incomplete implementation of system resource isolation mechanisms in the Linux kernel, some security concerns still exist for multiple containers sharing an operating system kernel on a multi-tenancy container-based cloud service. In this paper, we first present the information leakage channels we discovered that are accessible within containers. Such channels expose a spectrum of system-wide host information to containers without proper resource partitioning. By exploiting such leaked host information, it becomes much easier for malicious adversaries (acting as tenants in a container cloud) to launch attacks that might impact the reliability of cloud services. We demonstrate that the information leakage channels could be exploited to infer private data, detect and verify co-residence, build covert channels, and launch more advanced cloud-based attacks. We discuss the root causes of the containers' information leakage and propose a two-stage defense approach. As demonstrated in the evaluation, our defense is effective and incurs trivial performance overhead.

show abstract

FACE-CHANGE: Application-Driven Dynamic Kernel View Switching in a Virtual Machine

Cited by 22 publications

References 18 publications

Securing Real-Time Microcontroller Systems through Customized Memory View Switching

Securing Real-Time Microcontroller Systems through Customized Memory View Switching

CHANCEL: Efficient Multi-client Isolation Under Adversarial Programs

A Study on the Security Implications of Information Leakages in Container Clouds

Contact Info

Product

Resources

About