SuperCall: A Secure Interface For Isolated Execution Environment to Dynamically Use External Services
Publication Type
Conference Proceeding Article
Publication Date
1-2016
Abstract
Recent years have seen many virtualization-based Isolated Execution Environments (IEE) proposed in the literature to protect a Piece of Application Logic (PAL) against attacks from an untrusted guest kernel. A prerequisite of these IEE system is that the PAL is small and self-contained. Therefore, a PAL is deprived of channels to interact with the external execution environment including the kernel and application libraries. As a result, the PAL can only perform limited tasks such as memory-resident computation with inflexible utilization of system resources. To protect more sophisticated tasks, the application developer has to segment it into numerous PALs satisfying the IEE prerequisite, which inevitably lead to development inefficiency and more erroneous code. In this paper, we propose SuperCall, a new function call interface for a PAL to safely and efficiently call external untrusted code in both the kernel and user spaces. It not only allows flexible interactions between a PAL and untrusted environments, but also improved the utilization of resources, without compromising the security of the PAL. We have implemented SuperCall on top of a tiny hypervisor. To demonstrate and evaluate SuperCall, we use it to build a PAL as part of a password checking program. The experiment results show that SuperCall improves the development efficiency and incurs insignificant performance overhead.
Discipline
Information Security
Research Areas
Cybersecurity
Publication
Proceedings of the 11th EAI International Conference on Security and Privacy in Communication Networks.
Volume
164
First Page
193
Last Page
211
ISBN
9783319288642
Identifier
10.1007/978-3-319-28865-9_11
Publisher
Springer International Publishing
City or Country
Dallas, United States
Citation
CHENG, Yueqiang; LI, Qing; YU, Miao; DING, Xuhua; and SHEN, Qingni.
SuperCall: A Secure Interface For Isolated Execution Environment to Dynamically Use External Services. (2016). Proceedings of the 11th EAI International Conference on Security and Privacy in Communication Networks.. 164, 193-211.
Available at: https://ink.library.smu.edu.sg/sis_research/3152
Additional URL
http://link.springer.com/chapter/10.1007%2F978-3-319-28865-9_11