Tuesday, October 31, 2006

Paper: "Splitting Interfaces: Making Trust Between Applications and Operating Systems Configurable"

Splitting Interfaces: Making Trust Between Applications and Operating Systems Configurable
Richard Ta-Min, Lionel Litty, and David Lie, University of Toronto

Abstract

In current commodity systems, applications have no way of limiting their trust in the underlying operating system (OS), leaving them at the complete mercy of an attacker who gains control over the OS. In this work, we describe the design and implementation of Proxos, a system that allows applications to configure their trust in the OS by partitioning the system call interface into trusted and untrusted components. System call routing rules that indicate which system calls are to be handled by the untrusted commodity OS, and which are to be handled by a trusted private OS, are specified by the application developer. We find that rather than defining a new system call interface, routing system calls of an existing interface allows applications currently targeted towards commodity operating systems to isolate their most sensitive components from the commodity OS with only minor source code modifications.

We have built a prototype of our system on top of the Xen Virtual Machine Monitor with Linux as the commodity OS. In practice, we find that the system call routing rules are short and simple, on the order of tens of lines of code. In addition, applications in Proxos incur only modest performance overhead, with most of the cost resulting from inter-VM context switches.
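To make the routing idea concrete, here is a toy system-call router in the spirit of the abstract, added as an illustration and not code from the Proxos paper. The rule format, the default destination (unmatched calls stay in the private OS) and the per-descriptor ownership tracking are assumptions of this example, not details of the Proxos routing language.

```python
# Toy system-call router: each rule names a syscall, an optional argument
# predicate, and the OS that should handle matching calls. Constructed for
# this example; the real Proxos routing language is not reproduced here.
from dataclasses import dataclass, field
from typing import Callable, Optional

PRIVATE, COMMODITY = "private", "commodity"

@dataclass
class Rule:
    syscall: str                                  # e.g. "open", "socket"
    dest: str                                     # PRIVATE or COMMODITY
    match: Optional[Callable[..., bool]] = None   # optional argument predicate

@dataclass
class Router:
    rules: list
    default: str = PRIVATE          # assumption: unmatched calls stay in the trusted OS
    fd_owner: dict = field(default_factory=dict)  # fd -> OS that created it
    next_fd: int = 3

    def route(self, syscall, *args):
        # A call on an existing descriptor must follow the OS that created it;
        # otherwise data read from a private file could be handed to the
        # untrusted commodity OS through a later read()/write().
        if syscall in ("read", "write", "close"):
            dest = self.fd_owner[args[0]]         # KeyError on an unknown fd
            if syscall == "close":
                del self.fd_owner[args[0]]
            return dest
        for r in self.rules:                      # first matching rule wins
            if r.syscall == syscall and (r.match is None or r.match(*args)):
                dest = r.dest
                break
        else:
            dest = self.default
        if syscall in ("open", "socket"):         # record who owns the new fd
            fd, self.next_fd = self.next_fd, self.next_fd + 1
            self.fd_owner[fd] = dest
            return dest, fd
        return dest

# Constructed policy for an SSH-like server: host key material stays in the
# private OS, while logging and network I/O go to the commodity OS.
SSH_RULES = [
    Rule("open", PRIVATE, lambda path, *_: path.startswith("/etc/ssh/")),
    Rule("open", COMMODITY, lambda path, *_: path.startswith("/var/log/")),
    Rule("socket", COMMODITY),
    Rule("gettimeofday", COMMODITY),
]
```

Note that the descriptor bookkeeping is what keeps a short rule list sound: the policy only has to name the calls that create resources, because follow-up calls inherit their destination.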

1 Comment:

Blogger Leonid Ryzhyk said...

Talk summary
============

Speaker: David Lie

The main observation behind the Proxos architecture is that in a modern OS the trusted computing base of an application includes not only the kernel but also all the privileged user-level services that run under the root account. By compromising one of these services, the attacker gets access to all sensitive data in the system.

Proxos aims to reduce the TCB by isolating sensitive applications inside their own private instances of the OS running under control of a virtual machine. All other applications run inside the public "commodity" OS. The commodity OS is also used for communication among secure applications running inside private OSes. This is achieved by selectively routing some of the system calls issued by secure applications to the commodity OS. The developer specifies which calls should be routed using the Proxos routing language.

In order to benefit from the Proxos architecture, secure applications need to be split into components running inside the commodity OS and the private OS.

The main performance overhead comes from context switching between the private and the commodity OS, which turns out to be an order of magnitude slower than a Linux kernel call. However, at least for the proof-of-concept applications that have been ported to Proxos (web browser, SSH authentication server, and the Apache web server with SSL certificate service), this did not prove to be a problem, as the resulting end-to-end overhead was negligible.

Q&A
===

Q: The private OS can become as complex as Linux itself. So how does this help reduce the TCB?
A: Yes, security-sensitive applications still have to trust the entire Linux kernel, but not the privileged processes running on top.

Q: Is it necessary to write proxy code for each ioctl to the commodity OS?
A: Yes, but in our experience things you want to isolate do not require this.

Q: So, you're claiming that context-switch time is irrelevant.
A: This is the case for applications that we have ported so far. Of course, for applications that do more kernel calls the performance impact would be greater.

Q: In your performance evaluation you compare the overhead of Proxos against Linux running on top of Xen. What would be the overhead compared to Linux running on hardware?
A: We haven't done such experiments, but the overhead can be estimated based on available performance data for Xen.

3:47 PM
