Publication Type
Journal Article
Version
publishedVersion
Publication Date
9-2013
Abstract
Most commodity peripheral devices and their drivers are geared to achieve high performance with security functions being opted out. The absence of strong security measures invites attacks on the I/O data and consequently poses threats to those services feeding on them, such as fingerprint-based biometric authentication. In this article, we present a generic solution called DriverGuard, which dynamically protects the secrecy of I/O flows such that the I/O data are not exposed to the malicious kernel. Our design leverages a composite of cryptographic and virtualization techniques to achieve fine-grained protection without using any extra devices and modifications to user applications. We implement the DriverGuard prototype on Xen by adding around 1.7K SLOC. DriverGuard is lightweight as it only needs to protect around 2% of the driver code’s execution. We measure the performance and evaluate the security of DriverGuard with three input devices (keyboard, fingerprint reader and camera) and three output devices (printer, graphic card, and sound card). The experiment results show that DriverGuard induces negligible overhead to the applications.
Keywords
Virtualization, hypervisor, I/O data protection, untrusted OS, trusted path
Discipline
Information Security
Research Areas
Information Security and Trust
Publication
ACM Transactions on Information and System Security
Volume
16
Issue
2
First Page
6
Last Page
30
ISSN
1094-9224
Identifier
10.1145/2505123
Publisher
ACM
Citation
CHENG, Yueqiang; DING, Xuhua; and DENG, Robert H. DriverGuard: Virtualization based fine-grained protection on I/O flows. (2013). ACM Transactions on Information and System Security. 16, (2), 6-30.
Available at: https://ink.library.smu.edu.sg/sis_research/1939
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
http://dx.doi.org/10.1145/2505123