Mitigating the lying-endpoint problem in virtualized network access frameworks

Authors:
Ravi Sahita;Uday R. Savagaonkar;Prashant Dewan;David Durham
Affiliations:
Intel Corporation, Hillsboro, OR;Intel Corporation, Hillsboro, OR;Intel Corporation, Hillsboro, OR;Intel Corporation, Hillsboro, OR
Venue:
DSOM'07 Proceedings of the Distributed systems: operations and management 18th IFIP/IEEE international conference on Managing virtualization of networks and services
Year:
2007

Citing 12
Cited 1

Exokernel: an operating system architecture for application-level resource management

SOSP '95 Proceedings of the fifteenth ACM symposium on Operating systems principles
Mondrian memory protection

Proceedings of the 10th international conference on Architectural support for programming languages and operating systems
Simple Memory Protection for Embedded Operating System Kernels

Proceedings of the FREENIX Track: 2002 USENIX Annual Technical Conference
Secure Execution via Program Shepherding

Proceedings of the 11th USENIX Security Symposium
A secure and reliable bootstrap architecture

SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Xen and the art of virtualization

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Terra: a virtual machine-based platform for trusted computing

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Scale and performance in the Denali isolation kernel

OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementationCopyright restrictions prevent ACM from being able to make the PDFs for this conference available for downloading
A Safety-Oriented Platform for Web Applications

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Certifying program execution with secure processors

HOTOS'03 Proceedings of the 9th conference on Hot Topics in Operating Systems - Volume 9
Efficient techniques for comprehensive protection from memory error exploits

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Minimal TCB Code Execution

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy

Determining the integrity of application binaries on unsecure legacy machines using software based remote attestation

ICISS'10 Proceedings of the 6th international conference on Information systems security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Malicious root-kits modify the in-memory state of programs executing on an endpoint to hide themselves from security software. Such attacks negatively affect network-based security frameworks that depend on the trustworthiness of endpoint software. In network access control frameworks this issue is called the lying-endpoint problem, where a compromised endpoint spoofs software integrity reports to render the framework untrustworthy. We present a novel architecture called Virtualization-enabled Integrity Services (VIS) to protect the run-time integrity of network-access software in an untrusted environment. We describe the design of a VIS-protected network access stack, and characterize its performance. We show that a network access stack running on an existing operating system can be protected using VIS with less than 5% overhead, even when each network packet causes protection enforcement.