计算机系统隔离研究

doi:10.16183/j.cnki.jsjtu.2018.10.024

摘要/Abstract

摘要： 系统隔离是计算机系统整体可靠性、可扩展性的重要支撑技术.传统的系统隔离基于权限构建的层次隔离模型，在设计上将软件分为不同层次，层次由下而上权限不断降低，底层高权限软件层负责对上层低权限软件进行隔离.近年来，随着硬件层不断涌现出硬件辅助虚拟化、ARM TrustZone、Intel SGX(Software Guard Extension)等新技术，离散隔离模型渐渐成为研究热点，为传统的系统软件带来了诸多机遇和挑战.

关键词: 隔离, 操作系统, 虚拟化, 硬件安全扩展

Abstract: System isolation is a key enabling technology for reliability and scalability of computer system. Traditional system isolation is based on privilege layering, which is known as “layered isolation model”. Software is divided into different layers, the lower layer has the higher privilege, which is responsible for the isolation of up-layer software. Recently, as new hardware extensions keep evolving, including hardware assisted virtualization, ARM TrustZone, Intel SGX (Software Guard Extension), a new model, named “disaggregated isolation model”, is becoming a hot research topic, which brings new opportunities and challenges to traditional system software.

Key words: isolation, operating system, virtualization, hardware security extension

中图分类号:

TP 316

夏虞斌，陈海波，管海兵. 计算机系统隔离研究[J]. 上海交通大学学报（自然版）, 2018, 52(10): 1339-1347.

XIA Yubin,CHEN Haibo,GUAN Haibing. Research on Computer System Isolation[J]. Journal of Shanghai Jiaotong University, 2018, 52(10): 1339-1347.

参考文献

［1］Linux counter［EB/OL］.［2018-03-23］. https://www.linuxcounter.net. ［2］ALVES T, FELTON D. Trustzone: Integrated hardware and software security［J］. ARM White Paper, 2004, 3(4): 18-24. ［3］ANATI I, GUERON S, JOHNSON S, et al. Innovative technology for CPU based attestation and sealing［EB/OL］. ［2018-03-23］. https://software.intel.com/sites/default/files/articles/413939/hasp-2013-innovative-technology-for-attestation-and-sealing.pdf. ［4］LIPP M, SCHWARZ M, GRUSS D, et al. Meltdown［EB/OL］. ［2018-03-23］. https://arxiv.org/abs/1801.01207. ［5］KOCHER P, GENKIN D, GRUSS D, et al. Spectre attacks: Exploiting speculative execution［EB/OL］. ［2018-03-24］. https://arxiv.org/abs/1801.01203. ［6］KPTI［EB/OL］. ［2018-03-24］. https://en.wikipedia.org/wiki/Kernel_page-table_isolation. ［7］HUA Z C, DU D, XIA Y B, et al. EPTI: Efficient defence against meltdown attack for unpatched VMs［C］//USENIX ATC. Boston: USENIX, 2018. ［8］GARFINKEL T, ROSENBLUM M. A virtual machine introspection based architecture for intrusion detection［J］. Proceedings of Network and Distributed Systems Security Symp, 2003, 3: 191-206. ［9］LIU Y T, XIA Y B, GUAN H B, et al. Concurrent and consistent virtual machine introspection with hardware transactional memory ［C］//Proceedings of 2014 International Symposium on High Performance Computer Architecture (HPCA’14). Orlando: HPCA, 2014. DOI: 10.1109/HPCA.2014.6835951. ［10］CHEN Q S, LIANG L, XIA Y B, et al. Mitigating sync amplification for copy-on-write virtual disk［C］//The 14th USENIX Conference on File and Storage Technologies (FAST’16). Santa Clara: FAST, 2016: 241-247. ［11］CHEN H, ZHANG F, CHEN C, et al. Tamper-resistant execution in an untrusted operating system using a virtual machine monitor［J］. Chaos, 2007. DOI: 10.1.1.113.6329. ［12］CHEN X, GARFINKEL T, LEWIS E C, et al. Overshadow: A virtualization-based approach to retrofitting protection in commodity operating systems ［J］. ACM SIGOPS Operating Systems Review, 2008, 42(2): 2-13. ［13］LI Y L, MCCUNE J, NEWSOME J, et al. MiniBox: A two-way sandbox for x86 native code［C］//Proceedings of the 2014 USENIX conference on USENIX Annual Technical Conference. Philadelphia: ACM, 2014: 409-420. ［14］CHECKOWAY S, SHACHAM H. Iago attacks: Why the system call API is a bad untrusted rpc interface［J］. ACM SIGARCH Computer Architecture News, 2013, 41(1): 253-264. ［15］HOFMANN O S, KIM S, DUNN A M, et al. Inktag: Secure applications on an untrusted operating system［J］. ACM SIGARCH Computer Architecture News, 2013, 41(1): 265-278. ［16］LIE D, THEKKATH C, MITCHELL M, et al. Architectural support for copy and tamper resistant software［J］. ACM SIGPLAN Notices, 2000, 35(11): 168-177. ［17］SUH G E, CLARKE D, GASSEND B, et al. AEGIS: Architecture for tamper-evident and tamper-resistant processing［C］//ICS’03 Proceedings of the 17th annual international conference on Supercomputing. San Francisco: ACM, 2003: 160-171. ［18］SANTOS N, RAJ H, SAROIU S, et al. Trusted language runtime (TLR): Enabling trusted applications on smartphones［C］//Proceedings of the 12th Workshop on Mobile Computing Systems and Applications. Phoenix: ACM, 2011: 21-26. ［19］AZAB A M, NING P, SHAH J, et al. Hypervision across worlds: Real-time kernel protection from the ARM Trustzone secure world［C］//Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. Scottsdale: ACM, 2014: 90-102. ［20］SUN H, SUN K, WANG Y W, et al. TrustICE: Hardware-assisted isolated computing environments on mobile devices［C］//45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. Rio de Janeiro, Brazil: IEEE, 2015. DOI: 10.1109/DSN.2015.11. ［21］SUN H, SUN K, WANG Y W, et al. TrustOTP: Transforming smartphones into secure one-time password tokens［C］//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Denver: ACM, 2015: 976-988. ［22］ARNAUTOV S, TRACH B, GREGOR F, et al. Scone: Secure linux containers with intel SGX［C］//Proceedings of the 12th USENIX conference on Operating Systems Design and Implementation. Savannah: OSDI, 2016: 689-703. ［23］BAUMANN A, PEINADO M, HUNT G. Shielding applications from an untrusted cloud with haven［J］. ACM Transactions on Computer Systems, 2015, 33(3): 8. ［24］GU J Y, HUA Z C, XIA Y B, et al. Secure live migration of SGX enclaves on untrusted cloud［C］//Proceedings of the 47th IEEE/IFIP International Conference on Dependable Systems and Networks. Denver: IEEE, 2017. DOI: 10.1109/DSN.2017.37. ［25］ZHANG F Z, CHEN J, CHEN H B, et al. CloudVisor: Retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization［C］//Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles. Cascais, Portugal: ACM, 2011: 203-216. ［26］JIN S, AHN J, CHA S, et al. Architectural support for secure virtualization under a vulnerable hypervisor［C］//Proceedings of the 44th Annual IEEE/ACM International Symposium on Microarchitecture. Porto Alegre, Brazil: ACM, 2011: 272-283. ［27］SZEFER J, LEE R.Architectural support for hypervisor-secure virtualization［J］. ACM SIGARCH Computer Architecture News, 2012, 40(1): 437-450. ［28］XIA Y B, LIU Y T, CHEN H B. Architecture support for guest-transparent VM protection from untrusted hypervisor and physical attacks［C］//Proceedings of 2013 International Symposium on High Performance Computer Architecture. Shenzhen: IEEE, 2013. DOI: 10.1109/HPCA.2013.6522323. ［29］HUA Z C, GU J Y, XIA Y B, et al. vTZ: Virtualizing ARM trustZone［C］//Usenix Security Symposium 2017. Vancouver, Canada: USENIX, 2017. ［30］YEE B, SEHR D, DARDYK G, et al. Native client: A sandbox for portable, untrusted x86 native code［C］//30th IEEE Symposium on Security and Privacy. Berkeley: IEEE, 2009. DOI: 10.1109/SP.2009.25. ［31］LIU Y T, ZHOU T Y, CHEN K X, et al. Thwarting memory disclosure with efficient hypervisor-enforced intra-domain isolation［C］//Proceedings of the 22th ACM Conference on Computer and Communications Security. Denver: ACM, 2015: 1607-1619. ［32］FORD B, LEPREAU J. Evolving mach 3.0 to a migrating thread model［C］//Proceedings of the USENIX Winter 1994 Technical Conference. San Francisco: USENIX, 1994: 9. ［33］ELPHINSTONE K, HEISER G. From L3 to seL4: What have we learnt in 20 years of L4 microkernels?［C］//Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles. Farminton: ACM, 2013: 133-150. ［34］ENGLER D R, KAASHOEK M F, O’TOOLE J. Exokernel: An operating system architecture for application-level resource management［J］. ACM SIGOPS Operating Systems Review, 1995, 29(5): 251-266. ［35］VILANOVA L, BEN-YEHUDA M, NAVARRO N, et al. CODOMs: Protecting software with code-centric memory domains［J］. ACM SIGARCH Computer Architecture News, 2014, 42(3): 469-480. ［36］LEVASSEUR J, UHLIG V, STOESS J, et al, Unmodified device driver reuse and improved system dependability via virtual machines［C］//Proceedings of the 6th Symposium on Opearting Systems Design and Implementation. San Francisco: USENIX Association, 2004: 17-30. ［37］SWIFT M M, MARTIN S, LEVY H M, et al. Nooks: An architecture for reliable device drivers［C］//Proceedings of the 10th Workshop on ACM SIGOPS European Workshop. Saint-Emillion, France: ACM, 2002: 102-107. ［38］ERLINGSSON U, ABADI M, VRABLE M, et al. XFI: Software guards for system address spaces［C］//Proceedings of the 7th Symposium on Operating Systems Design And Implementation. Seattle: USENIX Association, 2006: 75-88. ［39］MAO Y D, CHEN H G, ZHOU D, et al. Software fault isolation with API integrity and multi-principal modules［C］//Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles. Cascais, Portugal: ACM, 2011: 115-128. ［40］CASTRO M, COSTA M, MARTIN J P, et al. Fast byte-granularity software fault isolation［C］//Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles. Big Sky: ACM, 2009: 45-58. ［41］LI W H, MA M Y, HAN J C, et al. Building trusted path on untrusted device drivers for mobile devices［C］//Proceedings of the 5th Asia-Pacific Workshop on System. Beijing: ACM, 2014: 8. ［42］LI W H, LI H B, CHEN H B, et al. AdAttester: Secure online advertisement attestation on mobile devices using TrustZone［C］//Proceedings of the 13th International Conference on Mobile Systems, Applications, and Services. Florence, Italy: ACM, 2015: 75-88. ［43］LI W H, LUO S Y, SUN Z C, et al. VButton: Practical attestation of user-driven operations in mobile apps［C］//The 16th ACM International Conference on Mobile Systems, Applications, and Services. Munich, Germany: ACM, 2018: https://www.sigmobile.org/mobisys/2018/ ［44］MURRAY D G, MILOS G, HAND S. Improving Xen security through disaggregation［C］//Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments. Seattle: ACM, 2008: 151-160. ［45］COLP P, NANAVATI M, ZHU J, et al. Breaking up is hard to do: Security and functionality in a commodity hypervisor［C］//Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles. Cascais, Portugal: ACM, 2011: 189-202. ［46］WU C, WANG Z, JIANG X X. Taming hosted hypervisors with (mostly) deprivileged execution［EB/OL］. ［2018-03-24］. https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/NDSS13_DEHYPE.pdf. ［47］WANG Z, JIANG X X. Hypersafe: A lightweight approach to provide lifetime hypervisor control-flow integrity［C］//2010 IEEE Symposium on Security and Privacy. Berkeley/Oakland: IEEE, 2010. DOI: 10.1109/SP.2010.30. ［48］STEINBERG U, KAUER B. NOVA: A microhypervisor-based secure virtualization architecture［C］//EuroSys’10 Proceedings of the 5th European Conference on Computer Systems. Pairs, France: ACM, 2010: 209-220. ［49］SHI L, WU Y M, XIA Y B, et al. Deconstructing Xen［C］//The Network and Distributed System Security Symposium 2017. San Diego: NDSS, 2017. DOI: 10.14722/ndss.2017.23455. ［50］KOLDINGER E J, CHASE J S, EGGERS S J. Architecture support for single address space operating systems［J］. ACM SIGPLAN Notices, 1992, 27(9): 175-186. ［51］VILANOVA L, JORDA M, NAVARRO N, et al. Direct Inter-Process Communication (dIPC): Repurposing the CODOMs architecture to accelerate IPC［C］//Proceedings of the Twelfth European Conference on Computer Systems. Belgrade, Serbia: ACM, 2017: 16-31. ［52］HUNT G C, LARUS J R. Singularity: Rethinking the software stack［J］. ACM SIGOPS Operating Systems Review, 2007, 41(2): 37-49. ［53］GAMSA B. Tornado: Maximizing locality and concurrency in a shared memory multiprocessor operating system［D］. Toronto: University of Toronto, 1999. ［54］LI W H, XIA Y B, CHEN H B, et al. Reducing world switches in virtualized environment with flexible cross-world calls［J］. ACM SIGARCH Computer Architecture News, 2015, 43(3): 375-387.

[1]	赵淄弘，刘明星，严浩，王松，丁捷. 基于PWM隔离的热电阻温度调理模块设计[J]. 上海交通大学学报, 2019, 53(Sup.1): 88-92.
[2]	王松，刘明星，赵淄弘，王舜. 一种新型反应堆安全级DCS模拟量隔离技术[J]. 上海交通大学学报, 2019, 53(Sup.1): 93-97.
[3]	宋杰1，周健1，鲍伟1，黄文焘2，高翔3. 面向交-直流智能变电站运维专家系统的可扩展建模及其规则和隔离策略[J]. 上海交通大学学报（自然版）, 2018, 52(9): 1072-1080.
[4]	张飞, 何雅琴. 基于UCOS-II的矿用数据采集单元(DTU)系统设计[J]. 实验室研究与探索, 2017, 36(5): 131-134.
[5]	陈剑洪1,2，单劲松1，杨荣根1，龚乐君1，陈克非2，于坤1,陈礼青1，孙成富1. 标准模型下基于身份的门限密钥隔离签名[J]. 上海交通大学学报（自然版）, 2013, 47(08): 1239-1245.
[6]	陆平静, 李宝, 车永刚, 庞征斌. 一种基于代码隔离的大程序迭代编译优化方法[J]. 上海交通大学学报（自然版）, 2013, 47(01): 133-137.
[7]	刘栋，冯勇，张彩环，赵向辉. 一种改进的多项式实根隔离算法 [J]. 上海交通大学学报（自然版）, 2010, 44(11): 1477-1480.
[8]	徐峥，王德忠，张继革，周文霞. 主蒸汽隔离阀管系振动与噪声分析[J]. 上海交通大学学报（自然版）, 2010, 44(01): 95-0100.
[9]	姚立红,訾小超,潘理，李建华. 基于带标签有限自动机的隐蔽存储通道搜索[J]. 上海交通大学学报（自然版）, 2008, 42(10): 1646-1649.