TWiki > Daoli Web > ProcessIsolation (27 Aug 2008, Main.Admininistrator)

Process Isolation

Process isolation is the main goal of Fudan's research work.

Introduction

Project Daoli strengthens system-level security by enforcing behavior conformity with a Measured Virtual Machine Monitor (MVMM). The technical component that Fudan offers to Daoli is called CHAOS (Conformity and High Assurance within OSes).

A Virtual Machine Monitor (VMM) is a virtualization layer that runs between the hardware and the operating systems. It is the most privileged software layer on a machine. As a VMM is a thin layer and its size is commonly rather small, it is regarded as a better base for trusted computing. Instead of verifying an operating system and putting it in the trusted zone, our effort is to prevent it from harming the security and privacy of the secure applications running upon it. The figure on the left depicts the general architecture of our design of CHAOS, a prototype that uses virtualization to enhance the confidentiality and integrity of security-sensitive applications.

Fudan-arch-001.jpg
Figure 2: system architecture of Fudan

This slide presentation describes some insights on how we achieve process isolation.

Process isolation technology

Fudan has implemented process isolation by modifying Xen and the Linux kernel. It is done in para-virtualization mode. Process isolation includes two parts of work: one is hiding the user mappings from kernel mode; the other is handling system calls by sealing the memory transferred from the application to the Guest OS.

1. Hiding user mapping
Most attack methods depend on first obtaining the highest privilege from the OS and then attacking other applications. Process isolation intends to protect a secure process from the Guest OS, so we do not trust the Guest OS and make any information about the secure process inaccessible to it. The most efficient and simple method is to hide the user mappings in the page table from the Guest OS.
Any time the Guest OS obtains control from an application, a trap is needed. In the virtualization scenario, control is transferred to Xen first and then passed to the Guest OS by Xen. During this step, Xen replaces the original page directory with another page directory that contains no user mappings. While the Guest OS executes, it cannot access the memory of the secure process. Before control is returned from the Guest OS to the application, Xen restores the original page directory. Now the secure process can do anything.
In user mode, the page table is as follows:

process-isolation-01.jpg
Figure 3: page table in user mode

In kernel mode, the page table is as follows:

process-isolation-02.jpg
Figure 4: page table in kernel mode
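The following is a constructed model of the page-directory swap described in this section. It is illustrative code added here, not Fudan's Xen patch. It assumes a 32-bit guest with the usual 3G/1G split, so page-directory entries 0..767 cover user addresses and entries 768..1023 cover the kernel window; the addresses, frame numbers and the -14 (EFAULT-style) return code are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the page-directory swap; not Xen code. A 32-bit guest
 * with a 3G/1G split: PDEs 0..767 map user memory, 768..1023 the kernel. */

#define PDE_COUNT        1024
#define KERNEL_PDE_START 768            /* 0xC0000000 >> 22 */
#define PDE_PRESENT      0x1u

#define USER_ADDR   0x08048000u         /* constructed: a user-space text page */
#define KERNEL_ADDR 0xC0100000u         /* constructed: inside the kernel window */

struct page_dir { uint32_t pde[PDE_COUNT]; };

struct vcpu {
    struct page_dir *cr3;               /* directory the CPU is walking right now */
    struct page_dir *user_pd;           /* the process's real directory */
    struct page_dir  kernel_pd;         /* same kernel half, user half cleared */
};

/* Derive the "no user mapping" directory: copy only the kernel entries and
 * leave every user-range entry non-present. */
static void build_kernel_pd(struct vcpu *v)
{
    memset(&v->kernel_pd, 0, sizeof v->kernel_pd);
    memcpy(&v->kernel_pd.pde[KERNEL_PDE_START],
           &v->user_pd->pde[KERNEL_PDE_START],
           (PDE_COUNT - KERNEL_PDE_START) * sizeof(uint32_t));
}

/* Trap from the secure process: Xen gets control first and swaps CR3 before
 * the Guest OS runs a single instruction. */
static void on_trap_to_guest(struct vcpu *v)
{
    build_kernel_pd(v);                 /* pick up any change to the user half */
    v->cr3 = &v->kernel_pd;
}

/* Return path: Xen puts the real directory back before resuming user mode. */
static void on_return_to_user(struct vcpu *v)
{
    v->cr3 = v->user_pd;
}

/* First-level page walk under the active directory. */
static bool is_mapped(const struct vcpu *v, uint32_t vaddr)
{
    return (v->cr3->pde[vaddr >> 22] & PDE_PRESENT) != 0;
}

/* The Guest OS trying to read a user buffer: with the mapping hidden this is
 * a page fault (-EFAULT style), not a leak. */
static int kernel_read_user(const struct vcpu *v, uint32_t vaddr)
{
    return is_mapped(v, vaddr) ? 0 : -14;
}

static void setup(struct vcpu *v, struct page_dir *full)
{
    memset(full, 0, sizeof *full);
    full->pde[USER_ADDR >> 22]   = 0x00400000u | PDE_PRESENT;  /* constructed frames */
    full->pde[KERNEL_ADDR >> 22] = 0x00100000u | PDE_PRESENT;
    v->user_pd = full;
    v->cr3 = full;
}

/* Runs one trap/return cycle; returns 0 when every expectation holds,
 * otherwise a bitmask naming the failed check. */
static int run_scenario(void)
{
    struct page_dir full;
    struct vcpu v;
    int bad = 0;

    setup(&v, &full);
    if (!is_mapped(&v, USER_ADDR))              bad |= 1;   /* user mode: visible */
    on_trap_to_guest(&v);
    if (is_mapped(&v, USER_ADDR))               bad |= 2;   /* kernel mode: hidden */
    if (!is_mapped(&v, KERNEL_ADDR))            bad |= 4;   /* kernel still maps itself */
    if (kernel_read_user(&v, USER_ADDR) != -14) bad |= 8;
    on_return_to_user(&v);
    if (!is_mapped(&v, USER_ADDR))              bad |= 16;  /* mapping restored */
    return bad;
}

int main(void)
{
    int bad = run_scenario();
    if (bad) printf("FAILED checks: 0x%x\n", bad);
    else     printf("page-directory swap behaves as described\n");
    return bad != 0;
}
```

The model shows the consequence the next section has to deal with: once the user half is cleared, the Guest OS cannot read system call arguments that live in user memory either, so the kernel needs a different way to get at the data a write or read refers to.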

2. Trusted system call

From the section above, we know that the Guest OS cannot access the user mappings in kernel mode. What if the Guest OS must use this information? For example, the application calls a system call to write data to disk. So we must do something to help the kernel access user memory. For a secure process, we dynamically rewrite the system call instruction (int 0x80) to int 0x81 when loading it into memory. Now the system call is handled as follows:
1) The interposition module intercepts a TSC from a trusted process;
2) Forward the TSC to the TSC layer. If no data is exchanged, go directly to the next step. If the TSC is write-related, data sealing is needed: the data must be copied to a memory region that the Guest OS can access;
3) The isolation module conceals the CPU context and the user-level page table mappings;
4) Transfer execution to the Linux kernel. The interrupt handler in Linux then serves the TSC request;
5) Return from the Linux kernel to Xen;
6) The isolation module restores the concealed CPU context and page table;
7) If the TSC is read-related, data unsealing is needed before entering user mode;
8) Resume execution of the trusted process in user mode.

trusted-system-call.jpg
Figure 5: trusted system call
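The eight steps above, as a constructed model added here (not CHAOS or Xen code). Memory is reduced to two regions: a private region the Guest OS can never translate while mappings are concealed, and a shared bounce region that it can. Offsets stand in for user virtual addresses, the guest's "disk" is a byte array, and the error codes (-14, -22, -38) mirror EFAULT, EINVAL and ENOSYS only by convention; scrubbing the bounce region after each call is an addition of this example, not something the page states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the trusted system call (TSC) path; not project code. */
#define PRIVATE_SIZE 256
#define SHARED_SIZE  128
#define DISK_SIZE    256

enum tsc_nr { TSC_READ = 3, TSC_WRITE = 4 };   /* i386 __NR_read / __NR_write */

struct machine {
    uint8_t private_mem[PRIVATE_SIZE];   /* secure process memory */
    uint8_t shared_mem[SHARED_SIZE];     /* bounce region visible to the guest */
    uint8_t disk[DISK_SIZE];             /* backing store owned by the guest */
    size_t  disk_len;
    int     in_kernel;                   /* 1 while user mappings are concealed */
    int     guest_faults;                /* guest touched hidden memory */
};

/* ---- Guest OS side: emulates the hidden mapping. While in_kernel is set,
 * only shared_mem translates; any other pointer faults. ---- */
static uint8_t *guest_map(struct machine *m, uint8_t *p, size_t n)
{
    uintptr_t a = (uintptr_t)p, s = (uintptr_t)m->shared_mem;
    if (!m->in_kernel || (a >= s && a + n <= s + SHARED_SIZE)) return p;
    m->guest_faults++;
    return NULL;
}

static long guest_sys_write(struct machine *m, uint8_t *buf, size_t n)
{
    uint8_t *src = guest_map(m, buf, n);
    if (!src || m->disk_len + n > DISK_SIZE) return -14;   /* EFAULT style */
    memcpy(m->disk + m->disk_len, src, n);
    m->disk_len += n;
    return (long)n;
}

static long guest_sys_read(struct machine *m, uint8_t *buf, size_t n)
{
    uint8_t *dst = guest_map(m, buf, n);
    if (!dst) return -14;
    if (n > m->disk_len) n = m->disk_len;
    memcpy(dst, m->disk, n);
    return (long)n;
}

/* ---- Xen side: interposition module + TSC layer + isolation module ---- */
static long trusted_syscall(struct machine *m, enum tsc_nr nr, size_t user_off, size_t n)
{
    long ret;
    uint8_t *user_buf;
    if (user_off + n > PRIVATE_SIZE || n > SHARED_SIZE) return -22;  /* EINVAL style */
    user_buf = m->private_mem + user_off;

    /* Step 2: write-related -> seal: the guest is handed a copy, never the original. */
    if (nr == TSC_WRITE) memcpy(m->shared_mem, user_buf, n);

    m->in_kernel = 1;                        /* Step 3: conceal context and mappings */
    switch (nr) {                            /* Step 4: Linux serves the request */
    case TSC_WRITE: ret = guest_sys_write(m, m->shared_mem, n); break;
    case TSC_READ:  ret = guest_sys_read(m, m->shared_mem, n);  break;
    default:        ret = -38;               /* ENOSYS style */
    }
    m->in_kernel = 0;                        /* Steps 5-6: back in Xen, restore */

    /* Step 7: read-related -> unseal into private memory, then scrub the bounce
     * region (the scrub is this example's addition). */
    if (nr == TSC_READ && ret > 0) memcpy(user_buf, m->shared_mem, (size_t)ret);
    memset(m->shared_mem, 0, SHARED_SIZE);
    return ret;                              /* Step 8: resume in user mode */
}

/* Drives a write, a read of the same data, and one attempt by the guest to
 * dereference a private pointer directly. Returns 0 on success, else a bitmask. */
static int run_demo(void)
{
    static struct machine m;
    static const char payload[16] = "secret payload!";   /* constructed sample */
    int bad = 0;
    memset(&m, 0, sizeof m);
    memcpy(m.private_mem + 64, payload, 16);

    if (trusted_syscall(&m, TSC_WRITE, 64, 16) != 16)       bad |= 1;
    if (memcmp(m.disk, payload, 16) != 0)                   bad |= 2;  /* reached the disk */
    if (trusted_syscall(&m, TSC_READ, 128, 16) != 16)       bad |= 4;
    if (memcmp(m.private_mem + 128, payload, 16) != 0)      bad |= 8;  /* unsealed */

    m.in_kernel = 1;                         /* guest uses a private pointer: faults */
    if (guest_sys_write(&m, m.private_mem + 64, 16) != -14) bad |= 16;
    m.in_kernel = 0;
    if (m.guest_faults != 1)                                bad |= 32;
    return bad;
}

int main(void)
{
    int bad = run_demo();
    if (bad) printf("FAILED checks: 0x%x\n", bad);
    else     printf("trusted system call path behaves as described\n");
    return bad != 0;
}
```

The point worth noticing is that the Guest OS only ever sees the bytes a given call needs, for exactly the duration of that call; everything else in the secure process stays behind the hidden mapping, and a guest that dereferences a private pointer gets a fault rather than data.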

Work Description

  • Process Isolation on multi domains
Fudan's modified Xen implements process isolation on dom0. Fudan's current job is to implement it in all domains, which is very important for our grid based on virtual machines.

  • Secure migration of virtual machine
Virtual machine migration is a key functionality of virtualization. Fudan University has modified Xen to implement process isolation in every domain. Now the original snapshot and migration do not work. Fudan will implement secure virtual machine migration based on the memory curtaining technology. This will be an enhancement of the original virtual machine migration.

  • Enhancing DMA Access Control

The MVMM protects the memory contents of secure applications by preventing the operating system kernel from accessing that memory. This is done by utilizing the hardware paging mechanism to prevent unauthorized memory mappings to secure memory. However, Direct Memory Access (DMA) could undermine this security mechanism: DMA enables direct and arbitrary memory reads and writes without having to establish a memory mapping in the page table.

Fortunately, hardware support for security is arriving in time. Intel Trusted eXecution Technology (TXT) brings us NoDMA, which enables an MVMM to efficiently restrict DMA accesses. This guarantees that no DMA access can be performed without being explicitly validated by the MVMM. By utilizing this feature, we greatly enhance the protection provided by CHAOS, our prototype of an MVMM.

  • Improving Graphics Security

Confidential contents could also flow to display devices, which calls for additional protection of the memory used for display buffers. Users need to be assured that their confidential contents are not peeked at and that what they see on the screen truly comes from the application.

Graphics security support in Intel TXT gives the display adapter exclusive DMA access to a special frame buffer. Specifically, the Trusted Graphics Translation Table (TGTT) decides which range of physical memory the display adapter may exclusively access via DMA. Our task is to make sure that the TGTT is under the control of the MVMM instead of untrusted device drivers. This requires hardware support such as Intel TXT.

  • Preventing Unauthorized Copy & Paste

Applications with a Graphical User Interface (GUI) usually have the ability to copy displayed contents between windows, and thus between applications. For the confidential contents of a secure application, this can break the confidentiality properties, because an untrusted application can inspect or steal its sensitive contents. Thus, confidential contents should be allowed to propagate within a secure application group, but not out of it.

Xlib is the de-facto display protocol in the Linux world. Various kinds of Xwindows, an implementation of the Xlib protocol, are widely used on Linux desktops. Essentially, an Xwindows desktop is an application. It acts as a display server, handling user input from keyboard and mouse while displaying application output on screen. A possible solution to the copy & paste problem is to modify the Xwindows application to enforce a non-copy policy. By running an Xwindows server as a secure application and executing secure GUI applications on that server, it is possible to prevent an illegal copy operation. Yet the security of Xwindows systems is a longstanding open problem. In this project, we aim to investigate the problem and propose possible solutions.

  • Application Migration

To ensure that no source code or binary leaks during the distribution of applications, in CHAOS systems secure applications are encrypted with the public key of the target platform before the software is distributed. When launching the software, the MVMM is in charge of decrypting it with the private key of the platform. This prevents unauthorized peeking at the confidential code and data. However, in a grid computing scenario, when a job is delegated to a server and that server wants to pass the job on to other servers, a redistribution of the software is needed. Specifically, the server needs to encrypt the software with the public key of the target server before passing on the job. The MVMM on the server side should be equipped with this ability to enable application migration.

Demo

This demo shows the work of Fudan University on process isolation. It is large, so you had better download it first.


Topic attachments
Attachment                          Size      Date                 Who
2008_Linux_Symposium_EMC_Talk.ppt   1084.5 K  11 Mar 2008 - 18:18  YuLiji
Fudan-arch-001.jpg                  52.5 K    10 Mar 2008 - 03:05  Main.Mao Wenbo
fudan-attack-demo-01.wmv            68.5 K    27 Aug 2008 - 10:52  Main.Admininistrator
process-isolation-01.jpg            27.7 K    22 Apr 2008 - 02:02  Main.Admininistrator
process-isolation-02.jpg            27.2 K    22 Apr 2008 - 02:02  Main.Admininistrator
trusted-system-call.jpg             57.4 K    22 Apr 2008 - 02:09  Main.Admininistrator
Topic revision: r3 - 27 Aug 2008 - 11:22:45 - Main.Admininistrator