Overshadow

Authors: Xiaoxin Chen, Tal Garfinkel, E. Christopher Lewis, Pratap Subrahmanyam, Carl A. Waldspurger

DOI: 10.1145/1346281.1346284

Keywords: Context (language use), Computer science, Systems architecture, Virtual machine, Legacy system, Memory protection, Computer security, Data integrity, Operating system, Virtualization, Hypervisor

Abstract: Commodity operating systems entrusted with securing sensitive data are remarkably large and complex, and consequently, frequently prone to compromise. To address this limitation, we introduce a virtual-machine-based system called Overshadow that protects the privacy and integrity of application data, even in the event of a total OS compromise. Overshadow presents an application with a normal view of its resources, but the OS with an encrypted view. This allows the operating system to carry out the complex task of managing an application's resources, without allowing it to read or modify them. Thus, Overshadow offers a last line of defense for application data. Overshadow builds on multi-shadowing, a novel mechanism that presents different views of "physical" memory, depending on the context performing the access. This primitive offers an additional dimension of protection beyond the hierarchical protection domains implemented by traditional operating systems and processor architectures. We present the design and implementation of Overshadow and show how its new protection semantics can be integrated with existing systems. Our design has been fully implemented and used to protect a wide range of unmodified legacy applications running on an unmodified Linux operating system. We evaluate the performance of our implementation, demonstrating that this approach is practical.
