Abstract
The Flask architecture, which mainly contains object manager (OM) and security server (SS), is widely used to support flexible security policies in operating system. In nature, OM and SS should be isolated from each other to separate decision from enforcement. However, current implementation of Flask, such as SELinux and SEBSD, puts both OM and SS in the same address space. If one component is subverted, the whole system will be exposed to the attacker. In this paper, we present hardware assisted in-VM isolation to improve the security of the Flask implementation. The key of our approach is the separation of SS from other parts of guest OS by constructing hardware assisted page tables at the hypervisor level. In this way SS can execute in a strongly isolated address space with respect to its associated guest OS, and therefore can provide a trustworthy and centralized repository for policy and decision-making. Our experiment shows that our method introduces moderate performance overhead.
Chapter PDF
Similar content being viewed by others
References
Spencer, R., Smalley, S., Loscocco, P., Hibler, M., Andersen, D., Lepreau, J.: The Flask security architecture: system support for diverse security policies. In: Proceedings of the 8th USENIX Security Symposium, Washington, DC, pp. 123–139 (1999)
Loscocco, P., Smalley, S.: Integrating flexible support for security policies into the linux operating system. In: Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference (2001)
Vance, C., Watson, R.: Security Enhanced BSD. Network Associates Laboratories (2003)
Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings of the 10th Annual Network and Distributed Systems Security Symposium (2003)
Jiang, X., Wang, X., Xu, D.: Stealthy malware detection through vmm-based “out-of-the-box” semantic view reconstruction. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 128–138 (2007)
Payne, B.D., Carbone, M., Sharif, M., Lee, W.: Lares: An architecture for secure active monitoring using virtualization. In: Proceedings of the 29th IEEE Symposiumon Security and Privacy, pp. 233–247 (2008)
Litty, L., Lagar-Cavilla, H.A., Lie, D.: Hypervisor support for identifying covertly executing binaries. In: Proceedings of the 17th USENIX Security Symposium, pp. 243–258 (2008)
Sharif, M., Lee, W., Cui, W., Lanzi, A.: Secure in-VM monitoring using hardware virtualization. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 477–487 (2009)
Intel Virtualization Technology, http://www.intel.com/technology/virtualization
Inel Inc. Intel 64 and IA-32 Architecture Software Developer’s Manual Volume 3B: System Programming Guide, Part 1 (2006)
Tux.Org (1996), http://www.tux.org/pub/tux/benchmarks/System/unixbench
Wang, Z., Jiang, X., Cui, W., Ning, P.: Countering kernel rootkits with lightweight hook protection. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 545–554 (2009)
The Blue Pill Project, http://bluepillproject.org/
King, S.T., Chen, P.M., Wang, Y.-M., Verbowski, C., Wang, H.J., Lorch, J.R.: SubVirt: implementing malware with virtual machines. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy (2006)
Wojtczuk, R., Rutkowska, J.: Xen 0wning trilogy. In: Black Hat Conference (2008)
Wang, J., Stavrou, A., Ghosh, A.K.: HyperCheck: A hardware-assisted integrity monitor. In: Proceedings of the 13th International Symposium on Recent Advances in Intrusion Detection (2010)
Azab, A.M., Ning, P., Wang, Z., Jiang, X., Zhang, X., Skalsky, N.C.: HyperSentry: enabling stealthy in-context measurement of hypervisor integrity. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 38–49 (2010)
Wang, Z., Jiang, X.: HyperSafe, a lightweight approach to provide lifetime hypervisor control-flow integrity. In: Proceedings of the IEEE Symposium on Security and Privacy (2010)
Wang, X., Zang, J., Wang, Z., Luo, Y., Li, X.: Selective hardware/software memory virtualization. In: Proceedings of the 7th ACM Conference on Virtual Execution Environments, pp. 217–226 (2011)
Devine, S., Bugnion, E., Rosenblum, M.: Virtualization system including a virtual machine monitor for a computer with a segmented architecture. US Patent, 6397242 (1998)
Intel Inc. Intel 64 and IA-32 Architecture Software Developer’s Manual Volume 3B: System Programming Guide, Part 2 (2007)
Shuo, C., Xu, J., Sezer, E.C., Gauriar, P., lyer, R.K.: Non-control-data attacks are realistic threats. In: Proceedings of the 14th conference on USENIX Security Symposium (2005)
Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the art of virtualization. In: Proceedings of the Symposium on Operating System Principles (2003)
Advanced Micro Devices. AMD64 Architecture Programmer’s Manual Volume 2: System Programming, 3.12 edn. (2006)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 IFIP International Federation for Information Processing
About this paper
Cite this paper
Ding, B., Yao, F., Wu, Y., He, Y. (2012). Improving Flask Implementation Using Hardware Assisted In-VM Isolation. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds) Information Security and Privacy Research. SEC 2012. IFIP Advances in Information and Communication Technology, vol 376. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30436-1_10
Download citation
DOI: https://doi.org/10.1007/978-3-642-30436-1_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30435-4
Online ISBN: 978-3-642-30436-1
eBook Packages: Computer ScienceComputer Science (R0)