Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

Transparent mechanism for remote system call execution

Abstract

One approach to protecting applications that run on an untrusted operating system is to use a dedicated virtual machine to service hardware devices that could be used to compromise data (for example, a network adapter may be used to leak sensitive data). In such an architecture, trusted applications need access to the hardware in the other virtual machine in a way that bypasses the original operating system's mechanisms. This article describes a solution to this problem based on remote system call execution. The presented approach uses hardware virtualization and allows system calls to be executed remotely without modifying either the application or the operating system code.

About the Author

Pavel N. Iakovenko
ISP RAS, Moscow
Russian Federation



For citations:


Iakovenko P.N. Transparent mechanism for remote system call execution. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2010;18. (In Russ.)



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)