Salus: Kernel Support for Secure Process Compartments

Abstract: Consumer devices are increasingly being used to perform security and privacy critical tasks. The software used to perform these tasks is often vulnerable to attacks, due to bugs in the application itself or in included software libraries. Recent work proposes the isolation of security-sensitive parts of applications into protected modules, each of which can be accessed only through a predefined public interface. But most parts of an application can be considered security-sensitive at some level, and an attacke… Show more

“…Unfortunately, this also enables malicious modules to extract data stored in the same address space, or, even more worrysome, to attack the operating system. Avonds et al [4] and Strackx et al [20] propose a mechanism to isolate potential attack vectors in an application (e.g., parsers) from likely attack targets (e.g., cryptographic keys). Using an approach similar to PMAs, they divide large applications in multiple compartments where each compartment can only be accessed through the interface they expose explicitly.…”

Idea: Towards an Inverted Cloud

“…Unfortunately, this also enables malicious modules to extract data stored in the same address space, or, even more worrysome, to attack the operating system. Avonds et al [4] and Strackx et al [20] propose a mechanism to isolate potential attack vectors in an application (e.g., parsers) from likely attack targets (e.g., cryptographic keys). Using an approach similar to PMAs, they divide large applications in multiple compartments where each compartment can only be accessed through the interface they expose explicitly.…”

Idea: Towards an Inverted Cloud

Trust Evidence for IoT: Trust Establishment from Servers to Sensors

Cali: Compiler-Assisted Library Isolation