he widespread use of personal computers running vulnerable commodity operating systems (OSes) has put the personal data of millions of users at risk – data that is easily exploited for identity theft or other fraudulent activities [17]. Attacks that harvest sensitive data 3 from users’ computers take advantage of two crucial weaknesses in modern commodity OSes: First, it is notoriously easy to introduce malicious software into a commodity OS through viruses, worms, Trojan horses, and spyware. Second, once running locally, malicious software can easily obtain sensitive information through the use of powerful APIs exposed by the OS, such as keystroke interception and disk I/O. Many security practices, such as the use of secure network protocols and security tokens, become much less effective when the attackers can simply sniff at every key the users type for their passwords, PIN, and credit card numbers, or when the attackers can read any file on the file system. While this is well-known, the superior functionalities and price advantages of modern commodity systems mean they will continue to be in widespread use despite their vulnerabilities.
To address these concerns, we introduce Vault, a virtual-machine-based security system designed to protect sensitive data on commodity systems. Vault uses a virtual machine monitor (VMM) to compartmentalize a physical machine into two virtual machines (VMs). Sensitive data are stored and handled only in the trusted VM, while all other computing activities occur in the untrusted VM. Users are free to configure the untrusted VM with a commodity OS and a software load of their own choosing. On the other hand, the trusted VM runs a minimal OS with a restricted set of functionalities. To give an idea of what the user experience is using Vault, consider an online shopping scenario. First, a user starts an online shopping session with a web merchant, using
their favorite web browser in the untrusted VM. During checkout, instead of entering her credit card number into the browser, she explicitly switches to the trusted VM, and inputs it there, where it is then securely transmitted to the merchant’s server. Afterward,the system automatically switches back to the untrusted VM to continue the checkout process.
This design is an example of a broader class of systems that protect sensitive data using of small, isolated, trusted components. The trusted components in Vault are the VMM and the trusted VM. Crucially, the trusted VM has a trusted I/O path to the user,especially for receiving confirmations for actions involving the use of sensitive data.This is because the VMM controls the multiplexing of I/O devices, and thus is able to separate the user interactions with the trusted VM from those with the untrusted VM.As our main contribution, we define a protocol framework for the delegation of the
handling of sensitive data to the trusted VM. This protocol framework prevents attacks from untrusted components and allows users to guard the use of their sensitive data.
We further show that this framework is practical and can be readily integrated with existing applications. We built a prototype for two of the most common online applications involving user secrets: Web-based online shopping and the ssh-agent authentication module used in SSH logins.
The rest of the paper is organized as follows. Section 2 surveys past work in protection of user data in untrusted environments. It is followed by our assumptions on threat and trust in Section 3. Section 4 describes the design of Vault and how different components in the systems interacts to achieve secure use of sensitive data. Then we describe our prototypes in Section 5. In Section 6, we discuss the requirements for widespread adoption of our solution, and argue that it is realistic and achievable. We conclude in
Section 7.
Download
PDF Ebook Practical Uses of Virtual Machines for Protection of Sensitive User Data
