Hardware enforcement of application security policies using tagged memory

Authors:
Nickolai Zeldovich;Hari Kannan;Michael Dalton;Christos Kozyrakis
Affiliations:
MIT;Stanford University;Stanford University;Stanford University
Venue:
OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation
Year:
2008

Citing 24
Cited 17

Authentication in distributed systems: theory and practice

ACM Transactions on Computer Systems (TOCS)
EROS: a fast capability system

Proceedings of the seventeenth ACM symposium on Operating systems principles
A hardware architecture for implementing protection rings

Communications of the ACM
Capability-Based Computer Systems

Capability-Based Computer Systems
Mondrian memory protection

Proceedings of the 10th international conference on Architectural support for programming languages and operating systems
The KeyKOS Nanokernel Architecture

Proceedings of the Workshop on Micro-kernels and Other Kernel Architectures
Setuid Demystified

Proceedings of the 11th USENIX Security Symposium
Design and verification of secure systems

SOSP '81 Proceedings of the eighth ACM symposium on Operating systems principles
Secure program execution via dynamic information flow tracking

ASPLOS XI Proceedings of the 11th international conference on Architectural support for programming languages and operating systems
Minos: Control Data Attack Prevention Orthogonal to Memory Model

Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture
RIFLE: An Architectural Framework for User-Centric Information-Flow Security

Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture
Improving the reliability of commodity operating systems

ACM Transactions on Computer Systems (TOCS)
Defeating Memory Corruption Attacks via Pointer Taintedness Detection

DSN '05 Proceedings of the 2005 International Conference on Dependable Systems and Networks
Labels and event processes in the asbestos operating system

Proceedings of the twentieth ACM symposium on Operating systems principles
Mondrix: memory isolation for linux using mondriaan memory protection

Proceedings of the twentieth ACM symposium on Operating systems principles
Building secure high-performance web services with OKWS

ATEC '04 Proceedings of the annual conference on USENIX Annual Technical Conference
Raksha: a flexible information flow architecture for software security

Proceedings of the 34th annual international symposium on Computer architecture
Information flow control for standard OS abstractions

Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes

Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Making information flow explicit in HiStar

OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
Splitting interfaces: making trust between applications and operating systems configurable

OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems

Proceedings of the 13th international conference on Architectural support for programming languages and operating systems
How low can you go?: recommendations for hardware-supported minimal TCB code execution

Proceedings of the 13th international conference on Architectural support for programming languages and operating systems
Securing distributed systems with information flow control

NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation

Laminar: practical fine-grained decentralized information flow control

Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation
The cake is a lie: privilege rings as a policy resource

Proceedings of the 1st ACM workshop on Virtual machine security
Ordering decoupled metadata accesses in multiprocessors

Proceedings of the 42nd Annual IEEE/ACM International Symposium on Microarchitecture
Neon: system support for derived data management

Proceedings of the 6th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Secure information flow analysis for hardware design: using the right abstraction for the job

PLAS '10 Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security
ColorSafe: architectural support for debugging and dynamically avoiding multi-variable atomicity violations

Proceedings of the 37th annual international symposium on Computer architecture
Sentry: light-weight auxiliary memory access control

Proceedings of the 37th annual international symposium on Computer architecture
Tolerating malicious device drivers in Linux

USENIXATC'10 Proceedings of the 2010 USENIX conference on USENIX annual technical conference
Caisson: a hardware description language for secure information flow

Proceedings of the 32nd ACM SIGPLAN conference on Programming language design and implementation
Making information flow explicit in HiStar

Communications of the ACM
Software fault isolation with API integrity and multi-principal modules

SOSP '11 Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles
CloudVisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization

SOSP '11 Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles
Linux kernel vulnerabilities: state-of-the-art defenses and open problems

Proceedings of the Second Asia-Pacific Workshop on Systems
Architectural support for secure virtualization under a vulnerable hypervisor

Proceedings of the 44th Annual IEEE/ACM International Symposium on Microarchitecture
TagTM - accelerating STMs with hardware tags for fast meta-data access

DATE '12 Proceedings of the Conference on Design, Automation and Test in Europe
A taint marking approach to confidentiality violation detection

AISC '12 Proceedings of the Tenth Australasian Information Security Conference - Volume 125
WHISK: an uncore architecture for dynamic information flow tracking in heterogeneous embedded SoCs

Proceedings of the Ninth IEEE/ACM/IFIP International Conference on Hardware/Software Codesign and System Synthesis

Quantified Score

Hi-index	0.02

Visualization

Abstract

Computers are notoriously insecure, in part because application security policies do not map well onto traditional protection mechanisms such as Unix user accounts or hardware page tables. Recent work has shown that application policies can be expressed in terms of information flow restrictions and enforced in an OS kernel, providing a strong assurance of security. This paper shows that enforcement of these policies can be pushed largely into the processor itself, by using tagged memory support, which can provide stronger security guarantees by enforcing application security even if the OS kernel is compromised. We present the Loki tagged memory architecture, along with a novel operating system structure that takes advantage of tagged memory to enforce application security policies in hardware. We built a full-system prototype of Loki by modifying a synthesizable SPARC core, mapping it to an FPGA board, and porting HiStar, a Unix-like operating system, to run on it. One result is that Loki allows HiStar, an OS already designed to have a small trusted kernel, to further reduce the amount of trusted code by a factor of two, and to enforce security despite kernel compromises. Using various workloads, we also demonstrate that HiStar running on Loki incurs a low performance overhead.