Reference:
USENIX Workshop on Hot Topics in Security (HotSec '08)
Abstract:
Complexity in commodity operating systems makes compromises inevitable. Consequently, a great deal of work has examined how to protect security-critical portions of applications from the OS through mechanisms such as microkernels, virtual machine monitors, and new processor architectures. Unfortunately, most work has focused on CPU and memory isolation and neglected OS semantics. Thus, while much is known about how to prevent OS and application processes from modifying each other, far less is understood about how different OS components can undermine application security if they turn malicious.

We consider this problem in the context of our work on Overshadow, a virtual-machine-based system for retrofitting protection in commodity operating systems. We explore how malicious behavior in each major OS subsystem can undermine application security, and present potential mitigations. While our discussion is presented in terms of Overshadow and Linux, many of the problems and solutions are applicable to other systems where trusted applications rely on untrusted, potentially malicious OS components.