Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore ( 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as mu C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS mu C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore (approximate to 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

MA Zhe,YU Xi,YUAN Ao,YI Xiao-lei,SHEN Qing-ni

DOI: https://doi.org/10.3969/j.issn.1671-1122.2011.11.009

2011-01-01

Abstract:Virtualization technology is becoming a mainstream network application,Xen as a virtualization product,already in the open source community has been widely promoted,the risk of security by the industry's concern.The article analyzes the Xen security framework of XSM implementation mechanism and key technology,introduced ACM and Flask two different security framework,in-depth analysis of the security model specific principles and methods,combined with the practical application of the scene in the safe protection analysis.

Xiaoguang Wang,Yong Qi,Zhi Wang,Yue Chen,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2017.2675991

2019-01-01

Abstract:The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

Ke Xu,Yuexuan Wang,Cheng Wu

DOI: https://doi.org/10.1007/11745693_53

2006-01-01

Abstract:Ensuring the reliability and robustness of complex scientific grid applications is a critical issue for managing and sharing expensive scientific instruments. However, guaranteeing the correct processing of grid applications under all circumstances is difficult and not fully addressed by existing grid infrastructure. Hidden flaws in the applications including unexpected internal behaviors, dissatisfaction of real-time constraints, incompatibility in service interactions, etc may lead to subtle failures in grid systems. This work tries to enhance the trustworthiness of grid applications by investigating existing formal techniques and their extensions. A formal framework based on extensions of Pi calculus is proposed which also integrates formal techniques of model checking and bisimulation analysis to enable the reasoning of grid applications from three perspectives: data, time and behavior. In addition, both application examples and our current implementation architecture are also concluded.

Xiaowei Li,Hongxiang Sun,Qiaoyan Wen

DOI: https://doi.org/10.1109/ccis.2012.6664413

2012-01-01

Abstract:Numerous virtual machines have been designed to make full use of the adequate resources and facilitate people's lives. In turn, it results in the necessity of communication between the virtual machines. As we know, the data of communication between the virtual machines which located on the different hosts, could potentially be altered or intercepted during transport. To solve the problem, we design and operation of the transparent encryption-decryption communication mechanism (TEDCM) in the privilege virtual machine, the result suggests that the TEDCM in our paper is a good choice to solve the problem of information leakage.

Chen Wen-Zhi,Zhu Hong-Wei,Huang Wei

DOI: https://doi.org/10.1109/CW.2008.110

2008-01-01

Abstract:The security problem became more severe since the security requirement of different applications may conflict with the others in distributed application or grid computing. Virtualization technology can improvethe system's security, but did not satisfy the requirement of virtual resource sharing and inner-domain communication in distributed services and grid computing. By dividing the virtual resources into sharing virtual resources and normal ones, SeVMM provided secure mechanism for inter-domain communication control, which formed the base of multi-level security control model for virtual machine monitors, operating systems and applications. Case study and application showed that SeVMM improved the system's security without causing significant performance penalty.

Fengwei Zhang,Jiang Wang,Kun Sun,Angelos Stavrou

DOI: https://doi.org/10.1109/tdsc.2013.53

2014-07-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The advent of cloud computing and inexpensive multi-core desktop architectures has led to the widespread adoption of virtualization technologies. Furthermore, security researchers embraced virtual machine monitors (VMMs) as a new mechanism to guarantee deep isolation of untrusted software components, which, coupled with their popularity, promoted VMMs as a prime target for exploitation. In this paper, we present HyperCheck, a hardware-assisted tampering detection framework designed to protect the integrity of hypervisors and operating systems. Our approach leverages System Management Mode (SMM), a CPU mode in ×86 architecture, to transparently and securely acquire and transmit the full state of a protected machine to a remote server. We have implement two prototypes based on our framework design: HyperCheck-I and HyperCheck-II, that vary in their security assumptions and OS code dependence. In our experiments, we are able to identify rootkits that target the integrity of both hypervisors and operating systems. We show that HyperCheck can defend against attacks that attempt to evade our system. In terms of performance, we measured that HyperCheck can communicate the entire static code of Xen hypervisor and CPU register states in less than 90 million CPU cycles, or 90 ms on a 1 GHz CPU.

computer science, information systems, software engineering, hardware & architecture

Siqin Zhao,Kang Chen,Weimin Zheng

DOI: https://doi.org/10.1109/ChinaGrid.2009.45

2009-01-01

Abstract:It is very important to protect critical resources such as private data and code in computer systems. It is promising to protect private data and to improve the system security by leveraging the isolation attribute of virtual machine(VM). The isolation attribute of VM is provided by Virtual Machine Monitor (VMM) that runs in higher priority than guest OSes. If the critical components are isolated in VMs,access control can be enforced or attestation can be made when the subject is accessing via VMs. In this way, VMs can improve the security level of critical components such as OS, kernel, data, and applications. For computer system security, VMs can be used to detect malware intrusions and to protect critical components, which can be implemented by integrating detection or protection mechanism in either VMM or VMs. Authentication is required to create trustful VMs. This paper surveys technologies related of using virtual machines to enhance system security.

JingZheng Wu,Liping Ding,Yongji Wang,Wei Han

DOI: https://doi.org/10.1109/CLOUD.2011.10

2011-01-01

Abstract:Virtualization technology is the basis of cloud computing, and the most important property of virtualization is isolation. Isolation guarantees security between virtual machines. However, covert channel breaks the isolation and leaks sensitive message covertly. In this paper, we formally model the isolation into noninterference, and define that all the transmission channels violating noninterference are covert channels. With this definition, we present an identification method based on information flow. This method first compiles the source code into a more structured equivalent code with LLVM. And then a search algorithm is proposed to obtain the shared resources and the operational processes in the equivalent code. A new covert channel termed sharing memory covert timing channel (SMCTC) is identified from Xen source code. We construct channel scenario for SMCTC, and evaluate its threat with the metrics of channel capacity and transmission accuracy. The results show that SMCTC is much more threatened than CPU load based and cache based covert channels etc.

Mike Dahlin,Ryan Johnson,Robert Bellarmine Krug,Michael McCoyd,William Young

DOI: https://doi.org/10.48550/arXiv.1110.4672

2011-10-21

Logic in Computer Science

Abstract:Virtualization promises significant benefits in security, efficiency, dependability, and cost. Achieving these benefits depends upon the reliability of the underlying virtual machine monitors (hypervisors). This paper describes an ongoing project to develop and verify MinVisor, a simple but functional Type-I x86 hypervisor, proving protection properties at the assembly level using ACL2. Originally based on an existing research hypervisor, MinVisor provides protection of its own memory from a malicious guest. Our long-term goal is to fully verify MinVisor, providing a vehicle to investigate the modeling and verification of hypervisors at the implementation level, and also a basis for further systems research. Functional segments of the MinVisor C code base are translated into Y86 assembly, and verified with respect to the Y86 model. The inductive assertions (also known as "compositional cutpoints") methodology is used to prove the correctness of the code. The proof of the code that sets up the nested page tables is described. We compare this project to related efforts in systems code verification and outline some useful steps forward.

Xian Chen,Wenzhi Chen,Peng Long,Zhongyong Lu,Zonghui Wang

DOI: https://doi.org/10.1109/cbd.2013.32

2013-01-01

Abstract:For the ability to explore the memory's fullest potential, memory de-duplication has been widely experimented with in current main stream virtualization platforms. A lot of work has been done to improve the efficiency of memory de-duplication, while too little attention was paid to the introduced security issues which have been proved by prior work. To deal with this security risk and efficiently manage the memory we start our work in this paper. We first conduct extensive experiments on different OS platforms to study the realistic situation of page sharing. By analyzing the results we find: 1) Page sharing is contributed mostly by self-sharing (nearly 90%), and the self-sharing rate varies significantly between Linux and Windows OS platforms. Compared with self-sharing the inter-VM sharing rate is extremely low, under 1% in most cases. 2) Page size has a larger influence on Linux platform than Windows platform, so sub-page de-duplication proposed in prior work may achieve better performance on Linux platform. On the basis of above findings we propose a group-based secure page sharing model (or GSKSM), in which we consider both VM processes and normal processes. We have successfully implemented it in Linux kernel 3.6.6, and the experiment results show it works well with negligible overhead. Finally based on GSKSM we further present an efficient memory management approach (or SEMMA), which combines GSKSM and balloon technique to efficiently manage the memory, and the preliminary experiment result is satisfactory.

Dongdong Huo,Chen Cao,Peng Liu,Yazhe Wang,Mingxuan Li,Zhen Xu

DOI: https://doi.org/10.1016/j.sysarc.2021.102114

IF: 5.836

2021-06-01

Journal of Systems Architecture

Abstract:<p>Cyber-Physical-Social Systems are frequently prescribed for providing valuable information on personalized services. The foundation of these services is big data which must be trustily collected and efficiently processed. Though High Performance Computing and Communication technique makes great contributions to addressing the issue of data processing, its effectiveness still relies on the veracity of data generated from Internet of Things (IoT) devices. Nevertheless, IoT devices, as basic production facilities to ensure data's security, are unable to deploy expensive security extensions. Consequently, it causes the implementation of the task sandboxing, the fundamental security mechanism in Real-Time Operating Systems (RTOS), much simpler and more vulnerable. In this paper, we take ARM Mbed uVisor as an example system, utilizing hypervisor-based task sandboxing mechanisms, and presents three new findings: First, we discover vulnerabilities against Mbed task sandboxing, which can be exploited to compromise system-maintained data structure to manipulate any tasks' data. Second, we present LIPS (Lightweight Intra-Mode Privilege Separation), building a special protection domain to isolate particular system-maintained data structures. Finally, thorough evaluation and experimental tests show the efficiency of LIPS to defeat these attacks, with small runtime overheads and good portability.</p>

computer science, software engineering, hardware & architecture

Xiaolin Wang,Yan Sang,Yi Liu,Yingwei Luo

DOI: https://doi.org/10.1007/978-94-007-2105-0_31

2011-01-01

Abstract:With the development of virtualization technology, some security problems have appeared. Researchers begin to suspect the security of virtualized environment and consider how to evaluate the security degree of virtualized environment. But there are not uniform virtualized environment security evaluation criteria at present. In this paper, we analyze the security problem in virtualized environment and present our virtualized environment security evaluation criteria. We take a further research on support technology and authentication method. First, we introduce the background of the problem. Next, we summarize the related work. After that we present our virtualized environment security evaluation criteria and introduce our work on support technology and authentication method. For support technology, we propose some safety guarantee technology for each security level. For authentication method, we give some ideas for the evaluation of each security level.

Wenjing Xu,Yongwang Zhao,Chengtao Cao,Jean Raphael Ngnie Sighom,Lei Wang,Zhe Jiang,Shihong Zou

DOI: https://doi.org/10.1007/978-3-030-90870-6_46

2021-01-01

Abstract:SyberX is an operating system microkernel used for safety and security-critical applications, such as avionics and unmanned vehicles. In this paper, we present an effective approach to apply formal methods in the development and security evaluation high-assurance level of the SyberX based on Common Criteria (CC) methodology. To achieve the evaluation under the CC at evaluation assurance level 5 augmented (EAL5+), where "+" is applying formal methods compliant to the highest evaluation assurance level, several partners from industry and academia have contributed to this effort. Our work provides a standardized formal specification, security analysis as well as formal verification proofs of the SyberX system. All results have been formalized in the Isabelle/HOL theorem prover. During the verification and code review, we find a total of 5 bugs, all confirmed and fixed by developers.

LI Xun,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.12.015

2011-01-01

Computer Science

Abstract:Kernel-level attacks compromise operating system security by tampering with critical data and control flow in the kernel.Current approaches defend against these attacks by applying code integrity or control flow integrity control methods.However,they focus on only a certain aspect and cannot give a complete integrity monitoring solution.This paper analyzed the kernel integrity principle and got practical requirements to ensure kernel integrity.Critical data objects effect operating system function directly.Only certain code is able to modify critical data objects at certain conditions to ensure data integrity.All factors about code execution sequence are protected and monitored to ensure control flow integrity.Implementation in Xen VMM(Virtual Machine Monitor) using hardware virtualization,or referred to as HVM(Hardware Virtual Machine) is introduced to protect and monitor Linux kernel.Experiments show that the solution can detect and prevent attacks and bugs compromising the kernel.

Hamed Nemati

DOI: https://doi.org/10.48550/arXiv.2005.02605

2020-05-06

Abstract:Over the last years, security kernels have played a promising role in reshaping the landscape of platform security on today's ubiquitous embedded devices. Security kernels, such as separation kernels, enable constructing high-assurance mixed-criticality execution platforms. They reduce the software portion of the system's trusted computing base to a thin layer, which enforces isolation between low- and high-criticality components. The reduced trusted computing base minimizes the system attack surface and facilitates the use of formal methods to ensure functional correctness and security of the kernel. In this thesis, we explore various aspects of building a provably secure separation kernel using virtualization technology. In particular, we examine techniques related to the appropriate management of the memory subsystem. Once these techniques were implemented and functionally verified, they provide reliable a foundation for application scenarios that require strong guarantees of isolation and facilitate formal reasoning about the system's overall security.

Cryptography and Security

Francesco Gadaleta,Raoul Strackx,Nick Nikiforakis,Frank Piessens,Wouter Joosen

DOI: https://doi.org/10.48550/arXiv.1405.6058

2014-05-22

Abstract:Protecting commodity operating systems and applications against malware and targeted attacks has proven to be difficult. In recent years, virtualization has received attention from security researchers who utilize it to harden existing systems and provide strong security guarantees. This has lead to interesting use cases such as cloud computing where possibly sensitive data is processed on remote, third party systems. The migration and processing of data in remote servers, poses new technical and legal questions, such as which security measures should be taken to protect this data or how can it be proven that execution of code wasn't tampered with. In this paper we focus on technological aspects. We discuss the various possibilities of security within the virtualization layer and we use as a case study \HelloRootkitty{}, a lightweight invariance-enforcing framework which allows an operating system to recover from kernel-level attacks. In addition to \HelloRootkitty{}, we also explore the use of special hardware chips as a way of further protecting and guaranteeing the integrity of a virtualized system.

Cryptography and Security

Tieming Chen,Zhenbo Yu,Shijian Li,Bo Chen

DOI: https://doi.org/10.1155/2016/8797568

IF: 2.336

2016-01-01

Journal of Sensors

Abstract:Model checking has successfully been applied on verification of security protocols, but the modeling process is always tedious and proficient knowledge of formal method is also needed although the final verification could be automatic depending on specific tools. At the same time, due to the appearance of novel kind of networks, such as wireless sensor networks (WSN) and wireless body area networks (WBAN), formal modeling and verification for these domain-specific systems are quite challenging. In this paper, a specific and novel formal modeling and verification method is proposed and implemented using an expandable tool called PAT to do WSN-specific security verification. At first, an abstract modeling data structure for CSP#, which is built in PAT, is developed to support the nodemobility related specification for modeling location-based node activity. Then, the traditional Dolev Yao model is redefined to facilitate modeling of location-specific attack behaviors on security mechanism. A throughout formal verification application on a location-based security protocol in WSN is described in detail to show the usability and effectiveness of the proposed methodology. Furthermore, also a novel location-based authentication security protocol in WBAN can be successfully modeled and verified directly using our method, which is, to the best of our knowledge, the first effort on employing model checking for automatic analysis of authentication protocol for WBAN.

Hanjun Gao,Lina Wang,Wei Liu,Yang Peng,Hao Zhang

DOI: https://doi.org/10.1007/978-3-642-31909-9_25

2012-01-01

Abstract:The foreign mapping mechanism of Xen is used in privileged virtual machines (VM) for platform management. With help of it, a privileged VM can map arbitrary machine frames of memory from a specific VM into its page tables. This leaves a vulnerability that malware may compromise the secrecy of normal VMs by exploiting the foreign mapping mechanism. To address this privacy exposure, we present a novel application’s memory privacy protection (AMP2) scheme by exploiting hypervisor. In AMP2, an application can protect its memory privacy by registering its address space into hypervisor; before the application exists or cancels its protection, any foreign mapping to protected pages will be disabled. With these measures, AMP2 prevents sensitive data leakage when malware attempts to eavesdrop them by exploiting foreign mapping. Finally, extensive experiments are performed to validate AMP2. The experimental results show that AMP2 achieves strong privacy resilency while incurs only 2% extra overhead for CPU workloads.