DOI: 10.1145/2382196.2382200
Research article

Fides: selectively hardening software application components against kernel-level or process-level malware

Published: 16 October 2012

Abstract

Protecting commodity operating systems against software exploits is known to be challenging because of their sheer size. The same goes for key software applications such as web browsers or mail clients. As a consequence, a significant fraction of internet-connected computers is infected with malware.
To mitigate this threat, we propose a combined approach of (1) a run-time security architecture that can efficiently protect fine-grained software modules executing on a standard operating system, and (2) a compiler that compiles standard C source code modules to such protected binary modules.
The offered security guarantees are significant: relying on a TCB of only a few thousand lines of code, we show that the power of arbitrary kernel-level or process-level malware is reduced to interacting with the module through the module's public API. With a proper API design and implementation, modules are fully protected.
The run-time architecture can be loaded on demand and only incurs performance overhead while it is loaded. Benchmarks show that, once loaded, it incurs a 3.22% system-wide performance cost. For applications that make intensive use of protected modules, and hence benefit most from the security guarantees provided, the performance cost is up to 14%.
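The qualifier in the abstract's third paragraph, that modules are fully protected only "with a proper API design and implementation", is easy to undervalue: once malware is confined to the public API, the entry points are the entire attack surface. The C program below is an added illustration and is not code from the Fides paper, its run-time or its compiler; the key, the sample message, the toy checksum and every function name are constructed for this example. It contrasts an entry point that exports only key-derived values with one that exports a pointer into module state, and shows what a caller restricted to calling the API can do in each case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16

/* Constructed key for the example; a real module would provision it at
 * load time. Under the protected-module model this array is unreachable
 * from outside the module except through the entry points below. */
static uint8_t module_key[KEY_LEN] = {
    0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,
    0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0
};

/* Constructed sample message used by main() below. */
static const uint8_t sample_msg[] = "transfer 100 to account 42";
#define SAMPLE_LEN (sizeof sample_msg - 1)

/* Toy keyed checksum: FNV-1a over key || msg. It stands in for a real MAC so
 * the example runs without a crypto library; it has no cryptographic strength.
 * The algorithm is public (the attacker below uses it too); only the key is secret. */
static uint32_t toy_mac(const uint8_t *key, const uint8_t *msg, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < KEY_LEN; i++) { h ^= key[i]; h *= 16777619u; }
    for (size_t i = 0; i < len; i++)     { h ^= msg[i]; h *= 16777619u; }
    return h;
}

/* Entry points that preserve the guarantee: only values derived from the key
 * cross the module boundary, never the key itself or a reference to module state. */
uint32_t mod_sign(const uint8_t *msg, size_t len)
{
    return toy_mac(module_key, msg, len);
}

int mod_verify(const uint8_t *msg, size_t len, uint32_t tag)
{
    return toy_mac(module_key, msg, len) == tag;
}

/* Entry point that defeats the guarantee without touching the isolation
 * mechanism: it returns a pointer into module state, so the caller can read
 * the key (and, since the storage is writable, overwrite it). */
const uint8_t *mod_leaky_key_ptr(void)
{
    return module_key;
}

/* Simulated untrusted caller, i.e. the process- or kernel-level malware of the
 * abstract, restricted to calling the entry points above. */

/* Via the leaky entry point: copy the key out and forge a tag that the module
 * itself will accept for a message it never signed. */
uint32_t attacker_forge_tag(const uint8_t *msg, size_t len)
{
    uint8_t stolen[KEY_LEN];
    memcpy(stolen, mod_leaky_key_ptr(), KEY_LEN);
    return toy_mac(stolen, msg, len);
}

/* Via sign/verify only: the caller observes tags but never the key, so for an
 * unsigned message it can only guess. An all-zero key models one such guess. */
uint32_t attacker_guess_tag(const uint8_t *msg, size_t len)
{
    static const uint8_t guess[KEY_LEN] = { 0 };
    return toy_mac(guess, msg, len);
}

int main(void)
{
    uint32_t real   = mod_sign(sample_msg, SAMPLE_LEN);
    uint32_t forged = attacker_forge_tag(sample_msg, SAMPLE_LEN);
    uint32_t guess  = attacker_guess_tag(sample_msg, SAMPLE_LEN);
    printf("module tag       %08x accepted=%d\n", real,   mod_verify(sample_msg, SAMPLE_LEN, real));
    printf("forged via leak  %08x accepted=%d\n", forged, mod_verify(sample_msg, SAMPLE_LEN, forged));
    printf("blind guess      %08x accepted=%d\n", guess,  mod_verify(sample_msg, SAMPLE_LEN, guess));
    return 0;
}
```

The isolation mechanism is not what fails here: `mod_leaky_key_ptr` is a well-formed entry point from the architecture's point of view, yet it hands the caller the secret and, because the pointer refers to writable storage, a way to tamper with module state as well. The same care applies in the other direction: an entry point must validate caller-supplied arguments, in particular pointers and lengths, before dereferencing them, since everything the caller passes in is under attacker control.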


        Published In

        CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security
        October 2012
        1088 pages
        ISBN:9781450316514
        DOI:10.1145/2382196
        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Author Tags

        1. fully abstract compilation
        2. secure execution
        3. trusted computing

        Qualifiers

        • Research-article

        Conference

        CCS'12
        Sponsor:
        CCS'12: the ACM Conference on Computer and Communications Security
        October 16 - 18, 2012
        Raleigh, North Carolina, USA

        Acceptance Rates

        Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

        Cited By

        • HClave: An isolated execution environment design for hypervisor runtime security. Computers & Security (2024). doi:10.1016/j.cose.2024.103923
        • HyperPS: A Virtual-Machine Memory Protection Approach Through Hypervisor's Privilege Separation. IEEE Transactions on Dependable and Secure Computing 20(4), 2925-2938 (2023). doi:10.1109/TDSC.2022.3200206
        • CHERI-TrEE: Flexible enclaves on capability machines. 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), 1143-1159 (2023). doi:10.1109/EuroSP57164.2023.00070
        • BREWasm: A General Static Binary Rewriting Framework for WebAssembly. Static Analysis, 139-163 (2023). doi:10.1007/978-3-031-44245-2_8
        • A Secure and Formally Verified Linux KVM Hypervisor. 2021 IEEE Symposium on Security and Privacy (SP), 1782-1799 (2021). doi:10.1109/SP40001.2021.00049
        • TZ-Container: protecting container from untrusted OS with ARM TrustZone. Science China Information Sciences 64(9) (2021). doi:10.1007/s11432-019-2707-6
        • Protecting cloud virtual machines from commodity hypervisor and host operating system exploits. Proceedings of the 28th USENIX Conference on Security Symposium, 1357-1374 (2019). doi:10.5555/3361338.3361433
        • Formal Approaches to Secure Compilation. ACM Computing Surveys 51(6), 1-36 (2019). doi:10.1145/3280984
        • Micro-Hypervisors: What? Why? Practical Security Properties on Commodity Computing Platforms, 1-10 (2019). doi:10.1007/978-3-030-25049-2_1
        • Hardware-Based Trusted Computing Architectures for Isolation and Attestation. IEEE Transactions on Computers 67(3), 361-374 (2018). doi:10.1109/TC.2017.2647955
