Publication Type
Journal Article
Version
acceptedVersion
Publication Date
6-2018
Abstract
Virtualization-based memory isolation has been widely used as a security primitive in various security systems to counter kernel-level attacks. In this article, our in-depth analysis of this primitive shows that its security is significantly undermined in the multicore setting when other hardware resources for computing are not enclosed within the isolation boundary. We thus propose to construct a fully isolated micro-computing environment (FIMCE) as a new primitive. By virtue of its architectural niche, FIMCE not only offers stronger security assurance than its predecessor, but also features a flexible and composable environment with support for peripheral device isolation, thus greatly expanding the scope of applications. In addition, FIMCE can be integrated with recent technologies such as Intel Software Guard Extensions (SGX) to attain even stronger security guarantees. We have built a prototype of FIMCE with a bare-metal hypervisor. To show the benefits of using FIMCE as a building block, we have also implemented four applications which are difficult to construct using the existing memory isolation method. Experiments with these applications demonstrate that FIMCE imposes less than 1% overhead on single-threaded applications, while the maximum performance loss on multithreaded applications is bounded by the degree of parallelism at the processor level.
Keywords
Virtualization, isolation, multicore platform, hypervisor
Discipline
Information Security
Research Areas
Cybersecurity
Publication
ACM Transactions on Information and System Security
Volume
21
Issue
3
First Page
15:1
Last Page
30
ISSN
1094-9224
Identifier
10.1145/3195181
Publisher
Association for Computing Machinery (ACM)
Citation
ZHAO, Siqi and DING, Xuhua. FIMCE: A fully isolated micro-computing environment for multicore systems. (2018). ACM Transactions on Information and System Security. 21, (3), 15:1-30.
Available at: https://ink.library.smu.edu.sg/sis_research/4282
Copyright Owner and License
Authors
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1145/3195181