Using kernel hypervisors to secure applications

Mitchem, T.; Lu, Raymond; O’Brien, Richard T.

doi:10.1109/csac.1997.646188

Cited by 34 publications

(17 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A common approach used to add security to a system is to intercept service requests or to otherwise interpose a layer of security code between all applications and the operating system (e.g., Kernel Hypervisors [37], SPIN [20]), or between particular applications or sets of applications (e.g., L3/L4 [30], Lava [22], KeySAFE [28]). This may be done in capability systems or non-capability systems, and when applied to an operating system the security layer may lie within the operating system itself (as in Spring [36]) or in a component outside of the operating system to which all requests are redirected (as in Janus [17]).…”

Section: Intercepting Requestsmentioning

confidence: 99%

The Flask Security Architecture: System Support for Diverse Security Policies

Spencer¹,

Smalley²,

Loscocco³

et al. 2006

117

View full text Add to dashboard Cite

Operating systems must be flexible in their support for security policies, providing sufficient mechanisms for supporting the wide variety of real-world security policies. Such flexibility requires controlling the propagation of access rights, enforcing fine-grained access rights and supporting the revocation of previously granted access rights. Previous systems are lacking in at least one of these areas. In this paper we present an operating system security architecture that solves these problems. Control over propagation is provided by ensuring that the security policy is consulted for every security decision. This control is achieved without significant performance degradation through the use of a security decision caching mechanism that ensures a consistent view of policy decisions. Both fine-grained access rights and revocation support are provided by mechanisms that are directly integrated into the service-providing components of the system. The architecture is described through its prototype implementation in the Flask microkernelbased operating system, and the policy flexibility of the prototype is evaluated. We present initial evidence that the architecture's impact on both performance and code complexity is modest. Moreover, our architecture is applicable to many other types of operating systems and environments.

show abstract

Section: Intercepting Requestsmentioning

confidence: 99%

The Flask Security Architecture: System Support for Diverse Security Policies

Spencer¹,

Smalley²,

Loscocco³

et al. 2006

117

View full text Add to dashboard Cite

show abstract

“…To accomplish this, they rely on ptrace (2), the /proc file system, and/or special shared libraries. Another category of systems, such as Tron [17], SubDomain [23] and others [29,32,59,44,60,41,51], go a step further. They intercept system calls inside the kernel, and use policy engines to decide whether to permit the call or not.…”

Section: Safe Languages and Compilersmentioning

confidence: 99%

Countering code-injection attacks with instruction-set randomization

Kc¹,

Keromytis²,

Prevelakis³

2003

Proceedings of the 10th ACM Conference on Computer and Communication Security - CCS '03

150

185

View full text Add to dashboard Cite

We describe a new, general approach for safeguarding systems against any type of code-injection attack. We apply Kerckhoff's principle, by creating process-specific randomized instruction sets (e.g., machine instructions) of the system executing potentially vulnerable software. An attacker who does not know the key to the randomization algorithm will inject code that is invalid for that randomized processor, causing a runtime exception. To determine the difficulty of integrating support for the proposed mechanism in the operating system, we modified the Linux kernel, the GNU binutils tools, and the bochs-x86 emulator. Although the performance penalty is significant, our prototype demonstrates the feasibility of the approach, and should be directly usable on a suitable-modified processor (e.g., the Transmeta Crusoe).Our approach is equally applicable against code-injecting attacks in scripting and interpreted languages, e.g., web-based SQL injection. We demonstrate this by modifying the Perl interpreter to permit randomized script execution. The performance penalty in this case is minimal. Where our proposed approach is feasible (i.e., in an emulated environment, in the presence of programmable or specialized hardware, or in interpreted languages), it can serve as a low-overhead protection mechanism, and can easily complement other mechanisms.

show abstract

“…To accomplish this they use ptrace(2) and the /proc file system, which allows their tracer to register a call-back that is executed whenever the tracee issues a system call. Other similar systems include Consh [Alexandrov et al, 1998], Mediating Connectors [Balzer and Goldman, 1999], SubDomain [Cowan et al, 2000] and others [Fraser et al, 1999, Ghormley et al, 1998, Walker et al, 1996, Mitchem et al, 1997.…”

Section: Related Workmentioning

confidence: 99%

Recursive Sandboxes: Extending Systrace to Empower Applications

Kurchuk

Keromytis

2004

Security and Protection in Information Processing Systems

View full text Add to dashboard Cite

The systrace system-call interposition mechanism has become a popular method for containing untrusted code through program-specific policies enforced by user-level daemons. We describe our extensions to systrace that allow sandboxed processes to further limit their children processes by issuing dynamically constructed policies. We discuss our extensions to the systrace daemon and the OpenBSD kernel, as well as a simple API for constructing simple policies. We present two separate implementations of our scheme, and compare their performance with the base systrace system. We show how our extensions can be used by processes such as ftpd, sendmail, and sshd.

show abstract

Using kernel hypervisors to secure applications

Cited by 34 publications

References 3 publications

The Flask Security Architecture: System Support for Diverse Security Policies

The Flask Security Architecture: System Support for Diverse Security Policies

Countering code-injection attacks with instruction-set randomization

Recursive Sandboxes: Extending Systrace to Empower Applications

Contact Info

Product

Resources

About