Reference:
Proceedings of the 13th International Conference on Architectural Support for
Programming Languages and Operating Systems (ASPLOS 2008)
Abstract:
Commodity operating systems entrusted with securing
sensitive data are remarkably large and complex, and consequently,
frequently prone to compromise. To address this limitation, we
introduce a virtual-machine-based system called Overshadow
that protects the privacy and integrity of application data, even in
the event of a total OS compromise. Overshadow presents an
application with a normal view of its resources, but the OS with an
encrypted view. This allows the operating system to carry out the
complex task of managing an application's resources, without
allowing it to read or modify them. Thus, Overshadow offers a
last line of defense for application data.
Overshadow builds on multi-shadowing, a novel mechanism
that presents different views of "physical" memory, depending on the
context performing the access. This primitive offers an additional
dimension of protection beyond the hierarchical protection domains
implemented by traditional operating systems and processor
architectures.
We present the design and implementation of Overshadow and show how
its new protection semantics can be integrated with existing systems.
Our design has been fully implemented and used to protect a wide range
of unmodified legacy applications running on an unmodified Linux
operating system. We evaluate the performance of our implementation,
demonstrating that this approach is practical.
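As an added illustration (not code from the paper or from the Overshadow implementation), the Python toy below models the multi-shadowing idea: a page has a plaintext view in the application context and an encrypted, integrity-tagged view in the OS context, with a hypothetical VMM holding the key and re-shadowing every page on each context switch. The HMAC-derived keystream and the 32-byte page are simplifications chosen to keep the example self-contained; a real VMM would use a block cipher and full-size pages.

```python
import hmac, hashlib, secrets

PAGE = 32  # constructed toy page size: one SHA-256 digest of keystream covers it

class CloakedMemory:
    """Toy model of multi-shadowing (added example, not the paper's code):
    one physical page, two views. The key lives in the hypothetical VMM,
    so the OS context only ever handles ciphertext plus an integrity tag."""

    def __init__(self):
        self.key = secrets.token_bytes(32)  # VMM-held, never exposed to the OS
        self.app_view = {}  # paddr -> plaintext, valid only in the app context
        self.os_view = {}   # paddr -> (iv, ciphertext, tag), the OS's view
        self.context = "app"

    def _keystream(self, iv):
        # HMAC-derived pad: a stand-in for the block cipher a real VMM would use
        return hmac.new(self.key, iv, hashlib.sha256).digest()

    def _seal(self, pt):
        iv = secrets.token_bytes(16)  # fresh per seal, so the pad is never reused
        ct = bytes(p ^ k for p, k in zip(pt, self._keystream(iv)))
        return iv, ct, hmac.new(self.key, iv + ct, hashlib.sha256).digest()

    def _open(self, iv, ct, tag):
        expect = hmac.new(self.key, iv + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            raise ValueError("integrity check failed: page changed while cloaked")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(iv)))

    # Application context: ordinary plaintext reads and writes.
    def app_write(self, paddr, data):
        assert self.context == "app" and len(data) == PAGE
        self.app_view[paddr] = bytes(data)

    def app_read(self, paddr):
        assert self.context == "app"
        return self.app_view[paddr]

    # Context switches: the VMM re-shadows every page for the new accessor.
    def switch_to_os(self):
        self.os_view.update({p: self._seal(pt) for p, pt in self.app_view.items()})
        self.app_view.clear()
        self.context = "os"

    def switch_to_app(self):
        self.app_view = {p: self._open(*v) for p, v in self.os_view.items()}
        self.context = "app"

    # OS context: it may copy, swap or move the page, but sees only ciphertext.
    def os_read(self, paddr):
        return self.os_view[paddr]

    def os_write(self, paddr, iv, ct, tag):
        self.os_view[paddr] = (iv, ct, tag)
```

Moving a sealed page to a new physical address (as the OS would during swapping) succeeds, while any change to the ciphertext is caught the next time the application context opens the page.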