上海交通大学学报

上海交通大学学报 >

2018 , Vol. 52 >Issue 10: 1339 - 1347

DOI: https://doi.org/10.16183/j.cnki.jsjtu.2018.10.024

学报(中文)

计算机系统隔离研究

展开
  • 上海交通大学 电子信息与电气工程学院, 上海 200240
夏虞斌(1982-),男,上海市人,副教授,主要研究方向为操作系统.

基金资助

国家重点研发计划(2016YFB1000104),国家自然科学基金(61732010,61572314)资助项目

收起

Research on Computer System Isolation

Expand
  • School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai 200240, China
Fold

摘要

系统隔离是计算机系统整体可靠性、可扩展性的重要支撑技术.传统的系统隔离基于权限构建的层次隔离模型,在设计上将软件分为不同层次,层次由下而上权限不断降低,底层高权限软件层负责对上层低权限软件进行隔离.近年来,随着硬件层不断涌现出硬件辅助虚拟化、ARM TrustZone、Intel SGX(Software Guard Extension)等新技术,离散隔离模型渐渐成为研究热点,为传统的系统软件带来了诸多机遇和挑战.

关键词: 隔离; 操作系统; 虚拟化; 硬件安全扩展

本文引用格式

夏虞斌,陈海波,管海兵 . 计算机系统隔离研究[J]. 上海交通大学学报, 2018 , 52(10) : 1339 -1347 . DOI: 10.16183/j.cnki.jsjtu.2018.10.024

Abstract

System isolation is a key enabling technology for reliability and scalability of computer system. Traditional system isolation is based on privilege layering, which is known as “layered isolation model”. Software is divided into different layers, the lower layer has the higher privilege, which is responsible for the isolation of up-layer software. Recently, as new hardware extensions keep evolving, including hardware assisted virtualization, ARM TrustZone, Intel SGX (Software Guard Extension), a new model, named “disaggregated isolation model”, is becoming a hot research topic, which brings new opportunities and challenges to traditional system software.

Key words: isolation; operating system; virtualization; hardware security extension

参考文献

[1]Linux counter[EB/OL].[2018-03-23]. https://www.linuxcounter.net. [2]ALVES T, FELTON D. Trustzone: Integrated hardware and software security[J]. ARM White Paper, 2004, 3(4): 18-24. [3]ANATI I, GUERON S, JOHNSON S, et al. Innovative technology for CPU based attestation and sealing[EB/OL]. [2018-03-23]. https://software.intel.com/sites/default/files/articles/413939/hasp-2013-innovative-technology-for-attestation-and-sealing.pdf. [4]LIPP M, SCHWARZ M, GRUSS D, et al. Meltdown[EB/OL]. [2018-03-23]. https://arxiv.org/abs/1801.01207. [5]KOCHER P, GENKIN D, GRUSS D, et al. Spectre attacks: Exploiting speculative execution[EB/OL]. [2018-03-24]. https://arxiv.org/abs/1801.01203. [6]KPTI[EB/OL]. [2018-03-24]. https://en.wikipedia.org/wiki/Kernel_page-table_isolation. [7]HUA Z C, DU D, XIA Y B, et al. EPTI: Efficient defence against meltdown attack for unpatched VMs[C]//USENIX ATC. Boston: USENIX, 2018. [8]GARFINKEL T, ROSENBLUM M. A virtual machine introspection based architecture for intrusion detection[J]. Proceedings of Network and Distributed Systems Security Symp, 2003, 3: 191-206. [9]LIU Y T, XIA Y B, GUAN H B, et al. Concurrent and consistent virtual machine introspection with hardware transactional memory [C]//Proceedings of 2014 International Symposium on High Performance Computer Architecture (HPCA’14). Orlando: HPCA, 2014. DOI: 10.1109/HPCA.2014.6835951. [10]CHEN Q S, LIANG L, XIA Y B, et al. Mitigating sync amplification for copy-on-write virtual disk[C]//The 14th USENIX Conference on File and Storage Technologies (FAST’16). Santa Clara: FAST, 2016: 241-247. [11]CHEN H, ZHANG F, CHEN C, et al. Tamper-resistant execution in an untrusted operating system using a virtual machine monitor[J]. Chaos, 2007. DOI: 10.1.1.113.6329. [12]CHEN X, GARFINKEL T, LEWIS E C, et al. Overshadow: A virtualization-based approach to retrofitting protection in commodity operating systems [J]. ACM SIGOPS Operating Systems Review, 2008, 42(2): 2-13. [13]LI Y L, MCCUNE J, NEWSOME J, et al. MiniBox: A two-way sandbox for x86 native code[C]//Proceedings of the 2014 USENIX conference on USENIX Annual Technical Conference. Philadelphia: ACM, 2014: 409-420. [14]CHECKOWAY S, SHACHAM H. Iago attacks: Why the system call API is a bad untrusted rpc interface[J]. ACM SIGARCH Computer Architecture News, 2013, 41(1): 253-264. [15]HOFMANN O S, KIM S, DUNN A M, et al. Inktag: Secure applications on an untrusted operating system[J]. ACM SIGARCH Computer Architecture News, 2013, 41(1): 265-278. [16]LIE D, THEKKATH C, MITCHELL M, et al. Architectural support for copy and tamper resistant software[J]. ACM SIGPLAN Notices, 2000, 35(11): 168-177. [17]SUH G E, CLARKE D, GASSEND B, et al. AEGIS: Architecture for tamper-evident and tamper-resistant processing[C]//ICS’03 Proceedings of the 17th annual international conference on Supercomputing. San Francisco: ACM, 2003: 160-171. [18]SANTOS N, RAJ H, SAROIU S, et al. Trusted language runtime (TLR): Enabling trusted applications on smartphones[C]//Proceedings of the 12th Workshop on Mobile Computing Systems and Applications. Phoenix: ACM, 2011: 21-26. [19]AZAB A M, NING P, SHAH J, et al. Hypervision across worlds: Real-time kernel protection from the ARM Trustzone secure world[C]//Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. Scottsdale: ACM, 2014: 90-102. [20]SUN H, SUN K, WANG Y W, et al. TrustICE: Hardware-assisted isolated computing environments on mobile devices[C]//45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. Rio de Janeiro, Brazil: IEEE, 2015. DOI: 10.1109/DSN.2015.11. [21]SUN H, SUN K, WANG Y W, et al. TrustOTP: Transforming smartphones into secure one-time password tokens[C]//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Denver: ACM, 2015: 976-988. [22]ARNAUTOV S, TRACH B, GREGOR F, et al. Scone: Secure linux containers with intel SGX[C]//Proceedings of the 12th USENIX conference on Operating Systems Design and Implementation. Savannah: OSDI, 2016: 689-703. [23]BAUMANN A, PEINADO M, HUNT G. Shielding applications from an untrusted cloud with haven[J]. ACM Transactions on Computer Systems, 2015, 33(3): 8. [24]GU J Y, HUA Z C, XIA Y B, et al. Secure live migration of SGX enclaves on untrusted cloud[C]//Proceedings of the 47th IEEE/IFIP International Conference on Dependable Systems and Networks. Denver: IEEE, 2017. DOI: 10.1109/DSN.2017.37. [25]ZHANG F Z, CHEN J, CHEN H B, et al. CloudVisor: Retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization[C]//Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles. Cascais, Portugal: ACM, 2011: 203-216. [26]JIN S, AHN J, CHA S, et al. Architectural support for secure virtualization under a vulnerable hypervisor[C]//Proceedings of the 44th Annual IEEE/ACM International Symposium on Microarchitecture. Porto Alegre, Brazil: ACM, 2011: 272-283. [27]SZEFER J, LEE R.Architectural support for hypervisor-secure virtualization[J]. ACM SIGARCH Computer Architecture News, 2012, 40(1): 437-450. [28]XIA Y B, LIU Y T, CHEN H B. Architecture support for guest-transparent VM protection from untrusted hypervisor and physical attacks[C]//Proceedings of 2013 International Symposium on High Performance Computer Architecture. Shenzhen: IEEE, 2013. DOI: 10.1109/HPCA.2013.6522323. [29]HUA Z C, GU J Y, XIA Y B, et al. vTZ: Virtualizing ARM trustZone[C]//Usenix Security Symposium 2017. Vancouver, Canada: USENIX, 2017. [30]YEE B, SEHR D, DARDYK G, et al. Native client: A sandbox for portable, untrusted x86 native code[C]//30th IEEE Symposium on Security and Privacy. Berkeley: IEEE, 2009. DOI: 10.1109/SP.2009.25. [31]LIU Y T, ZHOU T Y, CHEN K X, et al. Thwarting memory disclosure with efficient hypervisor-enforced intra-domain isolation[C]//Proceedings of the 22th ACM Conference on Computer and Communications Security. Denver: ACM, 2015: 1607-1619. [32]FORD B, LEPREAU J. Evolving mach 3.0 to a migrating thread model[C]//Proceedings of the USENIX Winter 1994 Technical Conference. San Francisco: USENIX, 1994: 9. [33]ELPHINSTONE K, HEISER G. From L3 to seL4: What have we learnt in 20 years of L4 microkernels?[C]//Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles. Farminton: ACM, 2013: 133-150. [34]ENGLER D R, KAASHOEK M F, O’TOOLE J. Exokernel: An operating system architecture for application-level resource management[J]. ACM SIGOPS Operating Systems Review, 1995, 29(5): 251-266. [35]VILANOVA L, BEN-YEHUDA M, NAVARRO N, et al. CODOMs: Protecting software with code-centric memory domains[J]. ACM SIGARCH Computer Architecture News, 2014, 42(3): 469-480. [36]LEVASSEUR J, UHLIG V, STOESS J, et al, Unmodified device driver reuse and improved system dependability via virtual machines[C]//Proceedings of the 6th Symposium on Opearting Systems Design and Implementation. San Francisco: USENIX Association, 2004: 17-30. [37]SWIFT M M, MARTIN S, LEVY H M, et al. Nooks: An architecture for reliable device drivers[C]//Proceedings of the 10th Workshop on ACM SIGOPS European Workshop. Saint-Emillion, France: ACM, 2002: 102-107. [38]ERLINGSSON U, ABADI M, VRABLE M, et al. XFI: Software guards for system address spaces[C]//Proceedings of the 7th Symposium on Operating Systems Design And Implementation. Seattle: USENIX Association, 2006: 75-88. [39]MAO Y D, CHEN H G, ZHOU D, et al. Software fault isolation with API integrity and multi-principal modules[C]//Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles. Cascais, Portugal: ACM, 2011: 115-128. [40]CASTRO M, COSTA M, MARTIN J P, et al. Fast byte-granularity software fault isolation[C]//Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles. Big Sky: ACM, 2009: 45-58. [41]LI W H, MA M Y, HAN J C, et al. Building trusted path on untrusted device drivers for mobile devices[C]//Proceedings of the 5th Asia-Pacific Workshop on System. Beijing: ACM, 2014: 8. [42]LI W H, LI H B, CHEN H B, et al. AdAttester: Secure online advertisement attestation on mobile devices using TrustZone[C]//Proceedings of the 13th International Conference on Mobile Systems, Applications, and Services. Florence, Italy: ACM, 2015: 75-88. [43]LI W H, LUO S Y, SUN Z C, et al. VButton: Practical attestation of user-driven operations in mobile apps[C]//The 16th ACM International Conference on Mobile Systems, Applications, and Services. Munich, Germany: ACM, 2018: https://www.sigmobile.org/mobisys/2018/ [44]MURRAY D G, MILOS G, HAND S. Improving Xen security through disaggregation[C]//Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments. Seattle: ACM, 2008: 151-160. [45]COLP P, NANAVATI M, ZHU J, et al. Breaking up is hard to do: Security and functionality in a commodity hypervisor[C]//Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles. Cascais, Portugal: ACM, 2011: 189-202. [46]WU C, WANG Z, JIANG X X. Taming hosted hypervisors with (mostly) deprivileged execution[EB/OL]. [2018-03-24]. https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/NDSS13_DEHYPE.pdf. [47]WANG Z, JIANG X X. Hypersafe: A lightweight approach to provide lifetime hypervisor control-flow integrity[C]//2010 IEEE Symposium on Security and Privacy. Berkeley/Oakland: IEEE, 2010. DOI: 10.1109/SP.2010.30. [48]STEINBERG U, KAUER B. NOVA: A microhypervisor-based secure virtualization architecture[C]//EuroSys’10 Proceedings of the 5th European Conference on Computer Systems. Pairs, France: ACM, 2010: 209-220. [49]SHI L, WU Y M, XIA Y B, et al. Deconstructing Xen[C]//The Network and Distributed System Security Symposium 2017. San Diego: NDSS, 2017. DOI: 10.14722/ndss.2017.23455. [50]KOLDINGER E J, CHASE J S, EGGERS S J. Architecture support for single address space operating systems[J]. ACM SIGPLAN Notices, 1992, 27(9): 175-186. [51]VILANOVA L, JORDA M, NAVARRO N, et al. Direct Inter-Process Communication (dIPC): Repurposing the CODOMs architecture to accelerate IPC[C]//Proceedings of the Twelfth European Conference on Computer Systems. Belgrade, Serbia: ACM, 2017: 16-31. [52]HUNT G C, LARUS J R. Singularity: Rethinking the software stack[J]. ACM SIGOPS Operating Systems Review, 2007, 41(2): 37-49. [53]GAMSA B. Tornado: Maximizing locality and concurrency in a shared memory multiprocessor operating system[D]. Toronto: University of Toronto, 1999. [54]LI W H, XIA Y B, CHEN H B, et al. Reducing world switches in virtualized environment with flexible cross-world calls[J]. ACM SIGARCH Computer Architecture News, 2015, 43(3): 375-387.
Options
文章导航

/