DOCSLIB.ORG

Time Protection: the Missing OS Abstraction

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Time Protection: the Missing OS Abstraction Qian Ge Yuval Yarom UNSW Australia and Data61 CSIRO The University of Adelaide and Data61 CSIRO [email protected] [email protected] Tom Chothia Gernot Heiser University of Birmingham UNSW Australia and Data61 CSIRO [email protected] [email protected] ABSTRACT use of the hardware, remain a fundamental OS security chal- Timing channels enable data leakage that threatens the se- lenge that has eluded a comprehensive solution to date. Its curity of computer systems, from cloud platforms to smart- importance is highlighted by recent attacks, including the phones and browsers executing untrusted third-party code. extraction of encryption keys across cores [Irazoqui et al. Preventing unauthorised information flow is a core duty 2015; Liu et al. 2015] through side channels, i.e. without the of the operating system, however, present OSes are unable cooperation of the key owner. to prevent timing channels. We argue that OSes must pro- In contrast, covert channels depend on insider help and are vide time protection in addition to the established memory traditionally considered a less significant threat. However, in protection. We examine the requirements of time protec- the recent Spectre attack [Kocher et al. 2019], an adversary tion, present a design and its implementation in the seL4 uses a covert communication channel from speculatively microkernel, and evaluate its efficacy as well as performance executed gadgets to leak information. This demonstrates overhead on Arm and x86 processors. that covert channels pose a real security risk even where no side-channel attack is known. Furthermore, covert chan- nel mechanisms bear the risk of being exploitable as a side 1 INTRODUCTION channel by an ingenious attacker. One of the oldest problems in operating systems (OS) re- We argue that it is time to take temporal isolation seri- search is how to confine programs so they do not leak infor- ously, and make time protection a primary OS duty, just as the mation [Lampson 1973]. To achieve confinement, the operat- established memory protection.1 Such a design must elim- ing system needs to control all of the means of communica- inate, as far as possible, the sharing of hardware resources tion that the program can use. For that purpose, programs are that is the underlying cause of timing channels. The ultimate typically grouped into security domains, with the operating aim should be to obtain temporal isolation guarantees com- system exerting its control on cross-domain communication. parable to the spatial isolation proofs of seL4, but for now we Programs, however, can bypass OS protection by sending focus on a design that is suitable for a verifiable OS kernel, information over channels that are not intended for com- i.e. minimal, general and policy-free. munication. Historically, such covert channels were explored Specifically, we make the following contributions: within the context of military multi-level-secure systems [De- • partment of Defence 1986]. Cloud computing, smartphone We define the requirements for providing time protec- apps and server-provided JavaScript executed in browsers tion, enabling confinement in the presence of microar- mean that we now routinely share computing platforms with chitectural timing channels (Section 3.2); arXiv:1810.05345v2 [cs.OS] 15 Oct 2018 • untrusted, potentially malicious, third-party code. we introduce a policy-free kernel clone operation that OSes have traditionally enforced security through memory allows almost perfect partitioning of a system, i.e. al- protection, i.e. spatial isolation of security domains. Recent ad- most completely removing sharing between security vances include formal proof of spatial security enforcement domains (Section 3.3); • by the seL4 microkernel [Klein et al. 2014], including proof we present an implementation in seL4 (Section 4); • of the absence of covert storage channels [Murray et al. 2013], we show that our implementation of time protection i.e. channels based on storing information that can be later is effective, transparently removing timing channels, loaded [Department of Defence 1986; Schaefer et al. 1977]. within limitations of present hardware (Section 5.3); Spatial isolation can thus be considered a solved problem. The same cannot be said about temporal isolation. Timing 1Note that we use the term “OS” in a generic sense, referring to the most channels, and in particular microarchitectural channels [Ge privileged software level that is responsible for security enforcement. This et al. 2018b], which exploit timing variations due to shared could refer to a hypervisor or the OS of a non-virtualised system. 1 • we show that the overhead imposed by these mecha- state machines, can be used as well. Fundamentally, the cache nisms is low (Section 5.4). channel works by the sender (intentionally or incidentally) modulating its footprint in the cache through its execution, 2 BACKGROUND and the receiver probing this footprint by systematically 2.1 Covert channels and side channels touching cache lines and measuring memory latency by ob- serving its own execution speed. Low latency means that a A covert channel is an information flow that uses a mecha- line is still in the cache from an earlier access, while high nism not intended for information transfer [Lampson 1973]. latency means that the corresponding line has been replaced Covert channels therefore may violate the system’s security by the sender competing for cache space. Such attacks are policy, allowing communication between security domains possible where the resource is shared concurrently (cores that should be isolated. Note that our use of the term (se- or hardware threads sharing a cache) or time-multiplexed curity) domain is more general than the standard OS term (time-sharing a core). protection domain (a specific set of access rights). A security Side-channel attacks are similar, except that the sender domain consists of one or more protection domains. does not actively cooperate, but accesses cache lines accord- There is a traditional distinction between storage and tim- ing to its computational needs. Thus, the attacker must syn- ing channels, where exploitation of the latter requires the chronise its attack with the victim’s execution and eliminate communicating domains to have a common notion of time any noise with more advanced techniques. Side-channel at- [Department of Defence 1986; Schaefer et al. 1977; Wray tacks have been demonstrated against the L1-D [Hu 1992] 1991]. In principle, it is possible to completely eliminate stor- and L1-I caches [Acıiçmez 2007], the last-level cache (LLC) age channels, as was done in the information-flow proof of 2 [Irazoqui et al. 2015; Liu et al. 2015], the TLB [Gras et al. seL4 [Murray et al. 2013]. 2018; Hund et al. 2013] and the BP [Acıiçmez et al. 2007]. Despite recent progress on proving upper bounds for the Interconnects of limited bandwidth can also be used for cache side channels of cryptographic implementations [Doy- covert channels: the sender encodes information into its chev et al. 2013; Köpf et al. 2012], proofs of complete elimi- bandwidth consumption, and the receiver senses the avail- nation of timing channels in a non-trivial system are beyond able bandwidth. So far, interconnects can only be exploited current formal approaches, and measurements are essential as a covert channel while the sender and receiver execute for their analysis. concurrently (on different cores). Also, if only bandwidth can In a narrow sense, a covert channel requires collusion be- be used for signalling, side channels are probably impossible tween the domains, one acting as a sender and the other as to implement, none have been demonstrated to date. a receiver. Typical cases of senders are Trojans, i.e. trusted code that operates maliciously, or untrusted code that is be- 2.3 Countermeasures ing confined [Lampson 1973]. Due to the collusion, a covert channel represents a worst case for bandwidth of a channel. The countermeasures must prevent interference resulting In contrast, a side channel has an unwitting sender, called from resource competition while processing secret informa- the victim, who, through its normal operation, is leaking tion. For bandwidth-limited interconnects, this would require information to an attacker acting as the receiver. An im- time-multiplexing the interconnect or using some hardware 3 portant example is a victim executing in a virtual machine mechanism to partition available bandwidth. (VM) on a public cloud, who is being attacked by a malicious The OS can prevent interference on stateful resources by 4 co-resident VM [İnci et al. 2016; Yarom and Falkner 2014]. flushing between accesses or by partitioning. Flushing is conceptually simple (although can be diffi- 2.2 Microarchitectural channels cult in practice, as we will discuss in Section 4.3). It is only applicable for time-multiplexed hardware; flushing cannot Microarchitectural timing channels result from competition prevent cross-core attacks through a shared cache. Flushing for capacity- or bandwidth-limited hardware features that can also be very costly in the case of large caches (LLC), as are functionally transparent to software [Ge et al. 2018b]. we demonstrate in Section 5.2. Capacity-limited resources include the data and instruc- tion caches, these can be used to establish high-bandwidth 3Intel recently introduced memory bandwidth allocation (MBA) technology, channels [Hu 1992; Liu et al. 2015; Maurice et al. 2017]. How- which imposes approximate limits on the memory bandwidth available to a ever, other microarchitectural state, such as the translation core [Intel Corporation 2016]. This is a step towards bandwidth partitioning, lookasid buffer (TLB), branch predictor (BP) or prefetcher but the approximate enforcement is not sufficient for preventing covert channels. 2Specifically, the proof shows that no machine state that is touched by 4In principle, it is also possible to prevent timing channels by denying the kernel can be used as a storage channel, it does not exclude channels attackers access to real time, but in practice this is infeasible except in through state of which the kernel is unaware.
Recommended publications
  • Quantifying Security Impact of Operating-System Design

    Quantifying Security Impact of Operating-System Design

    Copyright Notice School of Computer Science & Engineering COMP9242 Advanced Operating Systems These slides are distributed under the Creative Commons Attribution 3.0 License • You are free: • to share—to copy, distribute and transmit the work • to remix—to adapt the work • under the following conditions: 2019 T2 Week 09b • Attribution: You must attribute the work (but not in any way that Local OS Research suggests that the author endorses you or your use of the work) as @GernotHeiser follows: “Courtesy of Gernot Heiser, UNSW Sydney” The complete license text can be found at http://creativecommons.org/licenses/by/3.0/legalcode 1 COMP9242 2019T2 W09b: Local OS Research © Gernot Heiser 2019 – CC Attribution License Quantifying OS-Design Security Impact Approach: • Examine all critical Linux CVEs (vulnerabilities & exploits database) • easy to exploit 115 critical • high impact Linux CVEs Quantifying Security Impact of • no defence available to Nov’17 • confirmed Operating-System Design • For each establish how microkernel-based design would change impact 2 COMP9242 2019T2 W09b: Local OS Research © Gernot Heiser 2019 – CC Attribution License 3 COMP9242 2019T2 W09b: Local OS Research © Gernot Heiser 2019 – CC Attribution License Hypothetical seL4-based OS Hypothetical Security-Critical App Functionality OS structured in isolated components, minimal comparable Trusted inter-component dependencies, least privilege to Linux Application computing App requires: base • IP networking Operating system Operating system • File storage xyz xyz • Display
  • The OKL4 Microvisor: Convergence Point of Microkernels and Hypervisors

    The OKL4 Microvisor: Convergence Point of Microkernels and Hypervisors

    The OKL4 Microvisor: Convergence Point of Microkernels and Hypervisors Gernot Heiser, Ben Leslie Open Kernel Labs and NICTA and UNSW Sydney, Australia ok-labs.com ©2010 Open Kernel Labs and NICTA. All rights reserved. Microkernels vs Hypervisors > Hypervisors = “microkernels done right?” [Hand et al, HotOS ‘05] • Talks about “liability inversion”, “IPC irrelevance” … > What’s the difference anyway? ok-labs.com ©2010 Open Kernel Labs and NICTA. All rights reserved. 2 What are Hypervisors? > Hypervisor = “virtual machine monitor” • Designed to multiplex multiple virtual machines on single physical machine VM1 VM2 Apps Apps AppsApps AppsApps OS OS Hypervisor > Invented in ‘60s to time-share with single-user OSes > Re-discovered in ‘00s to work around broken OS resource management ok-labs.com ©2010 Open Kernel Labs and NICTA. All rights reserved. 3 What are Microkernels? > Designed to minimise kernel code • Remove policy, services, retain mechanisms • Run OS services in user-mode • Software-engineering and dependability reasons • L4: ≈ 10 kLOC, Xen ≈ 100 kLOC, Linux: ≈ 10,000 kLOC ServersServers ServersServers Apps Servers Device AppsApps Drivers Microkernel > IPC performance critical (highly optimised) • Achieved by API simplicity, cache-friendly implementation > Invented 1970 [Brinch Hansen], popularised late ‘80s (Mach, Chorus) ok-labs.com ©2010 Open Kernel Labs and NICTA. All rights reserved. 4 What’s the Difference? > Both contain all code executing at highest privilege level • Although hypervisor may contain user-mode code as well > Both need to abstract hardware resources • Hypervisor: abstraction closely models hardware • Microkernel: abstraction designed to support wide range of systems > What must be abstracted? • Memory • CPU • I/O • Communication ok-labs.com ©2010 Open Kernel Labs and NICTA.
  • On Invariant Synthesis for Parametric Systems

    On Invariant Synthesis for Parametric Systems

    On Invariant Synthesis for Parametric Systems Dennis Peuter and Viorica Sofronie-Stokkermans Universit¨at Koblenz-Landau, Koblenz, Germany {dpeuter,sofronie}@uni-koblenz.de May 30, 2019 Abstract We study possibilities for automated invariant generation in parametric systems. We use (a refinement of) an algorithm for symbol elimination in theory extensions to devise a method for iteratively strengthening certain classes of safety properties to obtain invariants of the system. We identify conditions under which the method is correct and complete, and situations in which the method is guaranteed to terminate. We illustrate the ideas on various examples. 1 Introduction In the verification of parametric systems it is important to show that a certain property holds for all states reachable from the initial state. One way to solve such problems is to identify an inductive invariant which entails the property to be proved. Finding suitable inductive invariants is non-trivial – the problem is undecidable in general; solutions have been proposed for specific cases, as discussed in what follows. In [Kap06], Kapur proposes methods for invariant generation in theories such as Presburger arithmetic, real closed fields, and for polynomial equations and inequations with solutions in an algebraically closed field. The main idea is to use templates for the invariant (polynomials with undetermined coefficients), and solve constraints for all paths and initial values to determine the coefficients. A similar idea was used by Beyer et al. [BHMR07] for constraints in linear real or rational arithmetic; it is shown that if an invariant is expressible with a given template, then it will be computed. Symbol elimination has been used for interpolation and invariant generation in many papers.
  • The Flask Security Architecture: System Support for Diverse Security Policies

    The Flask Security Architecture: System Support for Diverse Security Policies

    The Flask Security Architecture: System Support for Diverse Security Policies Ray Spencer Secure Computing Corporation Stephen Smalley, Peter Loscocco National Security Agency Mike Hibler, David Andersen, Jay Lepreau University of Utah http://www.cs.utah.edu/flux/flask/ Abstract and even many types of policies [1, 43, 48]. To be gen- erally acceptable, any computer security solution must Operating systems must be flexible in their support be flexible enough to support this wide range of security for security policies, providing sufficient mechanisms for policies. Even in the distributed environments of today, supporting the wide variety of real-world security poli- this policy flexibility must be supported by the security cies. Such flexibility requires controlling the propaga- mechanisms of the operating system [32]. tion of access rights, enforcing fine-grained access rights and supporting the revocation of previously granted ac- Supporting policy flexibility in the operating system is cess rights. Previous systems are lacking in at least one a hard problem that goes beyond just supporting multi- of these areas. In this paper we present an operating ple policies. The system must be capable of supporting system security architecture that solves these problems. fine-grained access controls on low-level objects used to Control over propagation is provided by ensuring that perform higher-level functions controlled by the secu- the security policy is consulted for every security deci- rity policy. Additionally, the system must ensure that sion. This control is achieved without significant perfor- the propagation of access rights is in accordance with mance degradation through the use of a security decision the security policy.
  • Microkernel Vs

    Microkernel Vs

    1 VIRTUALIZATION: IBM VM/370 AND XEN CS6410 Hakim Weatherspoon IBM VM/370 Robert Jay Creasy (1939-2005) Project leader of the first full virtualization hypervisor: IBM CP-40, a core component in the VM system The first VM system: VM/370 Virtual Machine: Origin 3 IBM CP/CMS CP-40 CP-67 VM/370 Why Virtualize 4 Underutilized machines Easier to debug and monitor OS Portability Isolation The cloud (e.g. Amazon EC2, Google Compute Engine, Microsoft Azure) IBM VM/370 Specialized Conversation Mainstream VM al Monitor OS (MVS, Another Virtual subsystem System DOS/VSE copy of VM machines (RSCS, RACF, (CMS) etc.) GCS) Hypervisor Control Program (CP) Hardware System/370 IBM VM/370 Technology: trap-and-emulate Problem Application Privileged Kernel Trap Emulate CP Classic Virtual Machine Monitor (VMM) 7 Virtualization: rejuvenation 1960’s: first track of virtualization Time and resource sharing on expensive mainframes IBM VM/370 Late 1970’s and early 1980’s: became unpopular Cheap hardware and multiprocessing OS Late 1990’s: became popular again Wide variety of OS and hardware configurations VMWare Since 2000: hot and important Cloud computing Docker containers Full Virtualization 9 Complete simulation of underlying hardware Unmodified guest OS Trap and simulate privileged instruction Was not supported by x86 (Not true anymore, Intel VT-x) Guest OS can’t see real resources Paravirtualization 10 Similar but not identical to hardware Modifications to guest OS Hypercall Guest OS registers handlers Improved performance VMware ESX Server 11 Full virtualization Dynamically rewrite privileged instructions Ballooning Content-based page sharing Denali 12 Paravirtualization 1000s of VMs Security & performance isolation Did not support mainstream OSes VM uses single-user single address space 13 Xen and the Art of Virtualization Xen 14 University of Cambridge, MS Research Cambridge XenSource, Inc.
  • Microkernels Meet Recursive Virtual Machines

    Microkernels Meet Recursive Virtual Machines

    Microkernels Meet Recursive Virtual Machines Bryan Ford Mike Hibler Jay Lepreau Patrick Tullmann Godmar Back Stephen Clawson Department of Computer Science, University of Utah Salt Lake City, UT 84112 [email protected] http://www.cs.utah.edu/projects/flux/ Abstract ªverticallyº by implementing OS functionalityin stackable virtual machine monitors, each of which exports a virtual Thispaper describes a novel approach to providingmod- machine interface compatible with the machine interface ular and extensible operating system functionality and en- on which it runs. Traditionally,virtual machines have been capsulated environments based on a synthesis of micro- implemented on and export existing hardware architectures kernel and virtual machine concepts. We have developed so they can support ªnaiveº operating systems (see Fig- a software-based virtualizable architecture called Fluke ure 1). For example, the most well-known virtual machine that allows recursive virtual machines (virtual machines system, VM/370 [28, 29], provides virtual memory and se- running on other virtual machines) to be implemented ef- curity between multiple concurrent virtual machines, all ®ciently by a microkernel running on generic hardware. exporting the IBM S/370 hardware architecture. Further- A complete virtual machine interface is provided at each more, special virtualizable hardware architectures [22, 35] level; ef®ciency derives from needing to implement only have been proposed, whose design goal is to allow virtual new functionality at each level. This infrastructure allows machines to be stacked much more ef®ciently. common OS functionality, such as process management, demand paging, fault tolerance, and debugging support, to This paper presents a new approach to OS extensibil- be provided by cleanly modularized, independent, stack- ity which combines both microkernel and virtual machine able virtual machine monitors, implemented as user pro- concepts in one system.
  • All Computer Applications Need to Store and Retrieve Information

    All Computer Applications Need to Store and Retrieve Information

    MyFS: An Enhanced File System for MINIX A Dissertation Submitted in partial fulfillment of the requirement for the award of the degree of MASTER OF ENGINEERING ( COMPUTER TECHNOLOGY & APPLICATIONS ) By ASHISH BHAWSAR College Roll No. 05/CTA/03 Delhi University Roll No. 3005 Under the guidance of Prof. Asok De Department Of Computer Engineering Delhi College Of Engineering, New Delhi-110042 (University of Delhi) July-2005 1 CERTIFICATE This is to certify that the dissertation entitled “MyFS: An Enhanced File System for MINIX” submitted by Ashish Bhawsar in the partial fulfillment of the requirement for the award of degree of Master of Engineering in Computer Technology and Application, Delhi College of Engineering is an account of his work carried out under my guidance and supervision. Professor D. Roy Choudhury Professor Asok De Head of Department Head of Department Department of Computer Engineering Department of Information Technology Delhi College of Engineering Delhi College of Engineering Delhi Delhi 2 ACKNOWLEDGEMENT It is a great pleasure to have the opportunity to extent my heartiest felt gratitude to everybody who helped me throughout the course of this project. I would like to express my heartiest felt regards to Dr. Asok De, Head of the Department, Department of Information Technology for the constant motivation and support during the duration of this project. It is my privilege and owner to have worked under the supervision. His invaluable guidance and helpful discussions in every stage of this thesis really helped me in materializing this project. It is indeed difficult to put his contribution in few words. I would also like to take this opportunity to present my most sincere regards to Dr.
  • Composing Abstractions Using the Null-Kernel

    Composing Abstractions Using the Null-Kernel

    Composing Abstractions using the null-Kernel James Litton Deepak Garg University of Maryland Max Planck Institute for Software Systems Max Planck Institute for Software Systems [email protected] [email protected] Peter Druschel Bobby Bhattacharjee Max Planck Institute for Software Systems University of Maryland [email protected] [email protected] CCS CONCEPTS hardware, such as GPUs, crypto/AI accelerators, smart NICs/- • Software and its engineering → Operating systems; storage devices, NVRAM etc., and to efficiently support new Layered systems; • Security and privacy → Access control. application requirements for functionality such as transac- tional memory, fast snapshots, fine-grained isolation, etc., KEYWORDS that demand new OS abstractions that can exploit existing hardware in novel and more efficient ways. Operating Systems, Capability Systems At its core, the null-Kernel derives its novelty from being ACM Reference Format: able to support and compose across components, called Ab- James Litton, Deepak Garg, Peter Druschel, and Bobby Bhattachar- stract Machines (AMs) that provide programming interfaces jee. 2019. Composing Abstractions using the null-Kernel. In Work- at different levels of abstraction. The null-Kernel uses an ex- shop on Hot Topics in Operating Systems (HotOS ’19), May 13–15, 2019, Bertinoro, Italy. ACM, New York, NY, USA, 6 pages. https: tensible capability mechanism to control resource allocation //doi.org/10.1145/3317550.3321450 and use at runtime. The ability of the null-Kernel to support interfaces at different levels of abstraction accrues several 1 INTRODUCTION benefits: New hardware can be rapidly deployed using rela- tively low-level interfaces; high-level interfaces can easily Abstractions imply choice, one that OS designers must con- be built using low-level ones; and applications can benefit front when designing a programming interface to expose.
  • Jonathan Corley University of West Georgia 1601 Maple Street Carrollton, GA 30118 Jcorley[At]Westga.Edu

    Jonathan Corley University of West Georgia 1601 Maple Street Carrollton, GA 30118 Jcorley[At]Westga.Edu

    Jonathan Corley University of West Georgia 1601 Maple Street Carrollton, GA 30118 jcorley[at]westga.edu Research Interests CS Education and Outreach, Software Engineering Education Ph.D. in Computer Science, August 2016 University of Alabama, Tuscaloosa, AL, USA Advisor: Dr. Jeff Gray Committee: Dr. Jeffrey Carver, Dr. Randy Smith, Dr. Susan Vrbsky, Dr. Eugene Syriani M.S. in Computer Science, May 2012 University of Alabama, Tuscaloosa, AL, USA Advisor: Dr. Nicholas Kraft B.S. in Computer Science, May 2009 University of Alabama, Tuscaloosa, AL, USA Honors & Awards Outstanding Graduate Researcher, University of Alabama Department of CS, 2016 President of the University of Alabama chapter of Upsilon Pi Epsilon (UPE), 2015 and 2014 UPE is an international honor society for the computing and information disciplines. 1st place, MODELS ACM Student Research Competition Graduate, 2014. Valencia, Spain University of Alabama College of Engineering Outstanding Service by a Graduate Student, 2014 Outstanding ACM Graduate Award, University of Alabama Department of CS, 2013 Vice-President of the University of Alabama chapter of Upsilon Pi Epsilon, 2013 Inducted into the University of Alabama chapter of Upsilon Pi Epsilon, 2011 Publications Refereed Journal and Book Chapter Jonathan Corley, Brian Eddy, Eugene Syriani, and Jeff Gray “Efficient and Scalable Omniscient Debugging for Model Transformations” In Ghosh, S., Li, J. (Eds.) Software Quality Journal Special Issue on Program Debugging: Research, Practice and Challenges. No. 1, January 2017, pp. 7-48 Jonathan Corley, Eugene Syriani, Huseyin Ergin, and Simon Van Mierlo “Cloud-based Multi- View Modeling Environments” In Cruz, A.M., Paiva, S. (Eds.) Modern Software Engineering Methodologies for Mobile and Cloud Environments, IGI Global.
  • Operating Systems & Virtualisation Security Knowledge Area

    Operating Systems & Virtualisation Security Knowledge Area

    Operating Systems & Virtualisation Security Knowledge Area Issue 1.0 Herbert Bos Vrije Universiteit Amsterdam EDITOR Andrew Martin Oxford University REVIEWERS Chris Dalton Hewlett Packard David Lie University of Toronto Gernot Heiser University of New South Wales Mathias Payer École Polytechnique Fédérale de Lausanne The Cyber Security Body Of Knowledge www.cybok.org COPYRIGHT © Crown Copyright, The National Cyber Security Centre 2019. This information is licensed under the Open Government Licence v3.0. To view this licence, visit: http://www.nationalarchives.gov.uk/doc/open-government-licence/ When you use this information under the Open Government Licence, you should include the following attribution: CyBOK © Crown Copyright, The National Cyber Security Centre 2018, li- censed under the Open Government Licence: http://www.nationalarchives.gov.uk/doc/open- government-licence/. The CyBOK project would like to understand how the CyBOK is being used and its uptake. The project would like organisations using, or intending to use, CyBOK for the purposes of education, training, course development, professional development etc. to contact it at con- [email protected] to let the project know how they are using CyBOK. Issue 1.0 is a stable public release of the Operating Systems & Virtualisation Security Knowl- edge Area. However, it should be noted that a fully-collated CyBOK document which includes all of the Knowledge Areas is anticipated to be released by the end of July 2019. This will likely include updated page layout and formatting of the individual Knowledge Areas KA Operating Systems & Virtualisation Security j October 2019 Page 1 The Cyber Security Body Of Knowledge www.cybok.org INTRODUCTION In this Knowledge Area, we introduce the principles, primitives and practices for ensuring se- curity at the operating system and hypervisor levels.
  • Login Dec 07 Volume 33

    Login Dec 07 Volume 33

    COMPUTER SECURITY IS AN OLD problem which has lost none of its rele - GERNOT HEISER vance—as is evidenced by the annual Secu - rity issue of ;login: . The systems research community has increased its attention to security issues in recent years, as can be Your system is seen by an increasing number of security- related papers published in the mainstream secure? Prove it! systems conferences SOSP, OSDI, and Gernot Heiser is professor of operating systems at USENIX. However, the focus is primarily on the University of New South Wales (UNSW) in Sydney and leads the embedded operating-systems group at desktop and server systems. NICTA, Australia’s Centre of Excellence for research in information and communication technology. In 2006 he co-founded the startup company Open Kernel I argued two years ago in this place that security of Labs (OK), which is developing and marketing operat - embedded systems, whether mobile phones, smart ing-system and virtualization technology for embed - ded systems, based on the L4 microkernel. cards, or automobiles, is a looming problem of even bigger proportions, yet there does not seem to [email protected] be a great sense of urgency about it. Although there are embedded operating-system (OS) vendors NICTA is funded by the Australian government’s Backing Australia’s Ability initiative, in part working on certifying their offerings to some of the through the Australian Research Council. highest security standards, those systems do not seem to be aimed at, or even suitable for, mobile wireless devices. Establishing OS Security The accepted way to establish system security is through a process called assurance .
  • Hype and Virtue

    Hype and Virtue

    Hype and Virtue Timothy Roscoe∗ Kevin Elphinstone† Gernot Heiser†‡ National ICT Australia Abstract a source of a new class of problem. We lay out some of these directions towards the end of this paper. In this paper, we question whether hypervisors are really A challenge with any technological development which acting as a disruptive force in OS research, instead argu- creates intense interest simultaneously in both academia ing that they have so far changed very little at a techni- and venture capital circles is separating the long-term sci- cal level. Essentially, we have retained the conventional entific and engineering questions traditionally relegated to Unix-like OS interface and added a new ABI based on PC academic research from the short-term issues closely tied hardware which is highly unsuitable for most purposes. to particular business models, contexts, and in some cases Despite commercial excitement, focus on hypervisor de- individual companies. sign may be leading OS research astray. However, adopt- This is an unashamedly academic paper, deliberately ing a different approach to virtualization and recognizing bracketing short-term commercial pressures to concen- its value to academic research holds the prospect of open- trate instead on longer-term research questions in OS de- ing up kernel research to new directions. sign. We do not wish to devalue short-term research strongly embedded in current products and markets, but we emphasize that it is not our concern here. 1 Introduction In the next section we compare hypervisors to other kernels from a long-term research perspective (rather than Are hypervisors really a disruptive technology? Both the focusing on their short-term applications) and in Section 3 IT industry and the academic OS research community critique the new system interface offered by hypervisors.