The University of Arizona

Events & News


DateThursday, October 1, 2009
Time11:00 am
LocationGS 906
DetailsLight refreshments - 9th floor Atrium - 10:45AM
SpeakerJohn Hartman
TitleAssociate Professor
AffiliationUniversity of Arizona

Running Trusted Applications on Untrusted Operating Systems

ABSTRACT: An application is only as secure as the operating system on which
it runs. You may trust an application -- because it has been fully
tested, extensively debugged, or even proven correct formally, --
but if it you run it on an untrusted operating system then all bets
are off. The fundamental problem is that a traditional (commodity)
operating system has access to all of the resources of the computer,
preventing applications from keeping secrets. The operating system is
free to inspect and modify all of an application's resources, including
its memory, files, network traffic, etc., and there is nothing the
application can do about it.

To address this problem, we propose a new system architecture
based on virtualization in which the tasks of resource allocation,
resource enforcement, and resource abstraction are distributed among
different components, rather than concentrated in the operating system.
Resource abstractions such as files are implemented by a trusted library
that is linked with the application. The commodity operating system
remains responsible for resource allocation, deciding which resources are
allocated to which applications. However, the commodity operating system
does not handle resource enforcement, and cannot access a resource once
has been allocated to an application. Resource enforcement is implemented
by a hypervisor, and is based on assigning resources to entities and
ensuring that private resources are only accessible to the entity that
owns them. In the case of memory, this means that the commodity operating
system decides which machine pages are allocated to which processes,
but cannot see the contents of the pages once they have been allocated.
Should an entity access a page to which it doesn't have access it sees
an obscured version of the page, allowing it to manipulate pages without
accessing their contents. Code pages belong to entities, and the current
entity is defined to be the entity that owns the currently executing page.

We have implemented a prototype of the system on the Bochs CPU
simulator using the Linux operating system as an example of a commodity
untrusted operating system. The prototype protects memory pages, so
that a process's private pages cannot be accessed by Linux. We have run
several unmodified applications on an unmodified version of Linux using
the prototype.