Thwarting Memory Disclosure with Efficient Hypervisor-enforced Intra-domain Isolation

Liu, Yutao; Zhou, Tianyu; Chen, Kexin; Chen, Haibo; Xia, Yubin

doi:10.1145/2810103.2813690

Cited by 97 publications

(54 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Such sets have been encrypted as private sets to protect the privacy of label information from the party B. Certain secure domain isolation has been used to protect the splits [34].…”

Section: B Key Algorithmsmentioning

confidence: 99%

SecureGBM: Secure Multi-Party Gradient Boosting

Feng

Huan

Xiong

et al. 2019

2019 IEEE International Conference on Big Data (Big Data)

View full text Add to dashboard Cite

Federated machine learning systems have been widely used to facilitate the joint data analytics across the distributed datasets owned by the different parties that do not trust each others. In this paper, we proposed a novel Gradient Boosting Machines (GBM) framework SecureGBM built-up with a multi-party computation model based on semi-homomorphic encryption, where every involved party can jointly obtain a shared Gradient Boosting machines model while protecting their own data from the potential privacy leakage and inferential identification. More specific, our work focused on a specific "dualparty"secure learning scenario based on two partiesboth party own an unique view (i.e., attributes or features) to the sample group of samples while only one party owns the labels. In such scenario, feature and label data are not allowed to share with others.To achieve the above goal, we firstly extent -LightGBM -a well known implementation of tree-based GBM through covering its key operations for training and inference with SEAL homomorphic encryption schemes. However, the performance of such re-implementation is significantly bottle-necked by the explosive inflation of the communication payloads, based on ciphertexts subject to the increasing length of plaintexts. In this way, we then proposed to use stochastic approximation techniques to reduced the communication payloads while accelerating the overall training procedure in a statistical manner. Our experiments using the real-world data showed that SecureGBM can well secure the communication and computation of LightGBM training and inference procedures for the both parties while only losing less than 3% AUC, using the same number of iterations for gradient boosting, on a wide range of benchmark datasets. More specific, compared to LightGBM, the proposed SecureGBM would slowdown with 3x ∼ 64x time consumption per iteration in the training procedure, while SecureGBM becomes more and more efficient when the scale of the training dataset increases (i.e., the larger training set, the lower slowdown ratio). 1

show abstract

“…Such sets have been encrypted as private sets to protect the privacy of label information from the party B. Certain secure domain isolation has been used to protect the splits [34].…”

Section: B Key Algorithmsmentioning

confidence: 99%

SecureGBM: Secure Multi-Party Gradient Boosting

Feng

Huan

Xiong

et al. 2019

2019 IEEE International Conference on Big Data (Big Data)

View full text Add to dashboard Cite

show abstract

“…Liu et al propose a mechanism for automatically partitioning applications for security, using static and dynamic analyses. However, they do not specifically consider the different ways in which applications may be partitioned, as we have carried out in this paper [26].…”

Section: Related Workmentioning

confidence: 99%

“…Although others have presented details of TEEs [13,14,[23][24][25], tools for automatically partitioning applications [26] and tools for evaluating compartmentalisation schemes [27], to the best of our knowledge, we are the first to present a systematisation of partitioning schemes.…”

Section: Introductionmentioning

confidence: 99%

A framework for application partitioning using trusted execution environments

Atamli-Reineh

Paverd

Petracca

et al. 2017

Concurrency and Computation

View full text Add to dashboard Cite

Summary The size and complexity of modern applications are the underlying causes of numerous security vulnerabilities. In order to mitigate the risks arising from such vulnerabilities, various techniques have been proposed to isolate the execution of sensitive code from the rest of the application and from other software on the platform (such as the operating system). New technologies, notably Intel's Software Guard Extensions (SGX), are becoming available to enhance the security of partitioned applications. SGX provides a trusted execution environment (TEE), called an enclave, that protects the integrity of the code and the confidentiality of the data inside it from other software, including the operating system (OS). However, even with these partitioning techniques, it is not immediately clear exactly how they can and should be used to partition applications. How should a particular application be partitioned? How many TEEs should be used? What granularity of partitioning should be applied? To some extent, this is dependent on the capabilities and performance of the partitioning technology in use. However, as partitioning becomes increasingly common, there is a need for systematisation in the design of partitioning schemes. To address this need, we present a novel framework consisting of four overarching types of partitioning schemes through which applications can make use of TEEs. These schemes range from coarse‐grained partitioning, in which the whole application is included in a single TEE, through to ultra‐fine partitioning, in which each piece of security‐sensitive code and data is protected in an individual TEE. Although partitioning schemes themselves are application specific, we establish application‐independent relationships between the types we have defined. Because these relationships have an impact on both the security and performance of the partitioning scheme, we envisage that our framework can be used by software architects to guide the design of application partitioning schemes. To demonstrate the applicability of our framework, we have carried out case studies on two widely used software packages, the Apache Web server and the OpenSSL library. In each case study, we provide four high‐level partitioning schemes—one for each of the types in our framework. We also systematically review the related work on hardware‐enforced partitioning by categorising previous research efforts according to our framework. Copyright © 2017 John Wiley & Sons, Ltd.

show abstract

“…Today, the landscape of isolation solutions is starting to change with the emergence of new hardware isolation primitives. VM function extended page-table (EPT) switching and memory protection keys (MPKs) provide support for memory isolation and cross-domain invocations with overheads comparable to system calls [45,51,62,68]. Unfortunately, neither MPKs nor EPT switching implement architectural support for isolation of privileged ring 0 kernel code, the code that runs with superuser privileges and can easily escape such isolation by accessing a wide range of privileged CPU instructions.…”

Section: Introductionmentioning

confidence: 99%

Lightweight kernel isolation with virtualization and VM functions

Narayanan

Huang

Tan

et al. 2020

Proceedings of the 16th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments

View full text Add to dashboard Cite

Commodity operating systems execute core kernel subsystems in a single address space along with hundreds of dynamically loaded extensions and device drivers. Lack of isolation within the kernel implies that a vulnerability in any of the kernel subsystems or device drivers opens a way to mount a successful attack on the entire kernel.Historically, isolation within the kernel remained prohibitive due to the high cost of hardware isolation primitives. Recent CPUs, however, bring a new set of mechanisms. Extended page-table (EPT) switching with VM functions and memory protection keys (MPKs) provide memory isolation and invocations across boundaries of protection domains with overheads comparable to system calls. Unfortunately, neither MPKs nor EPT switching provide architectural support for isolation of privileged ring 0 kernel code, i.e., control of privileged instructions and well-defined entry points to securely restore state of the system on transition between isolated domains.Our work develops a collection of techniques for lightweight isolation of privileged kernel code. To control execution of privileged instructions, we rely on a minimal hypervisor that transparently deprivileges the system into a non-root VT-x guest. We develop a new isolation boundary that leverages extended page table (EPT) switching with the VMFUNC instruction. We define a set of invariants that allows us to isolate kernel components in the face of an intricate execution model of the kernel, e.g., provide isolation of preemptable, concurrent interrupt handlers. To minimize overheads of virtualization, we develop support for exitless interrupt delivery across isolated domains. We evaluate our

show abstract

Thwarting Memory Disclosure with Efficient Hypervisor-enforced Intra-domain Isolation

Cited by 97 publications

References 35 publications

SecureGBM: Secure Multi-Party Gradient Boosting

SecureGBM: Secure Multi-Party Gradient Boosting

A framework for application partitioning using trusted execution environments

Lightweight kernel isolation with virtualization and VM functions

Contact Info

Product

Resources

About