DOI: 10.1145/2103799.2103803

CertiKOS: a certified kernel for secure cloud computing

Published: 11 July 2011

Abstract

Though attractive as a model for elastic on-demand service, cloud computing solutions based on existing hypervisors cannot guarantee that the provider will service a user's requests correctly, and will not leak sensitive information to unauthorized parties. We introduce CertiKOS (Certified Kit Operating System), a hypervisor architecture that leverages formal certification to ensure correctness and counter information leakage in cloud computing. CertiKOS isolates guest applications not only from each other but from provider-controlled resource management mechanisms. The kernel's API gives untrusted, provider-supplied management software control over allocation and delegation of resources such as memory and I/O devices, but prohibits management code from accessing a guest's memory or other resources while in use, or from interfering with a guest's execution except through clean resource revocation. CertiKOS represents an effort to apply recent advances in certified software design to a ground-up design of a modular and evolvable certified kernel. Through machine-checkable proof certificates and runtime monitoring, CertiKOS aims to offer users the assurance of correct and leak-free execution of their cloud services.

Published In

APSys '11: Proceedings of the Second Asia-Pacific Workshop on Systems
July 2011, 97 pages
ISBN: 9781450311793
DOI: 10.1145/2103799

Sponsors

  • USENIX Assoc

Publisher

Association for Computing Machinery, New York, NY, United States

Conference

APSys '11: Asia Pacific Workshop on Systems
July 11 - 12, 2011, Shanghai, China

Acceptance Rates

Overall Acceptance Rate 169 of 430 submissions, 39%
