Neuschwanstein, Germany, 2004

David Lie

Assistant Professor

 

Department of Electrical & Computer Engineering

SF2001C (Sandford Fleming)
10 King's College Road
Toronto, ON M5S 3G4
email: lie@eecg.toronto.edu (PGP key)

Phone: (416) 946-0251

Fax: (416) 971-2326

Admin: Rosa Esteireiro, (416) 946-8094

 


Home Research Publications Students

 

Home
Research
Publications
Students

Using Virtual Machine Monitors to Secure Commodity Operating Systems

Commodity OSs have grown in size and complexity, giving attackers many vulnerabilities, which they can exploit to hijack control of the OS. At the same time commodity OSs have a very centralized control and privilege structure, meaning that a compromise in any component usually means a compromise of the entire system. Unfortunately, many applications depend on a commodity OS, making it expensive to replace commodity OSs with systems that will be more tolerant to attacks .  On the other hand, utilizing a commodity OS means requires constant vigilance and careful administration.  Virtual Machine Monitors virtualize the interface between the operating system and underlying hardware, allowing multiple operating system images to run simultaneously in separate, strongly isolated virtual machines.  Thus,  from a security perspective, they allow a computer user to run a commodity OS, but also allow the user to arbitrarily isolate code from the commodity OS by putting it in a separate virtual machine.  With a VMM, we can break the computer user's dilemma between having to expend effort to move to a secure OS that is not extensible or does not have many applications, or expend effort trying to make a commodity OS secure.

One of the first issues we are addressing is how to allow an application that is isolated from the commodity OS in its own VM to use parts of the commodity OS in a safe way.  We have developed a prototype system called Proxos, which allows application developers to control what portions of an application are exposed to a commodity Linux system by specifying routing rules that control what system calls an application makes are handled by the Linux OS, and which ones are handled by a secure private OS.   Because Proxos supports the same OS interface Linux, Linux applications can be ported to Proxos with minimal effort.  We describe this system in more detail and evaluate the performance of our  prototype here.  In the future, we hope to further reduce the effort of moving applications to Proxos, explore performance issues, as well as support for other commodity OSs.  I am  also interested in exploring other ways VMMs can be used to make insecure systems safe to use.

Hardware Support for Secure Systems

Trends in hardware indicate that there will be an abundance of transistors to be used on future processors.  How will these transistors be used?  While some of these additional resources will be used to increase performance, security has become a large enough concern that processor companies are interested in finding hardware mechanisms to increase the security and reliability of computer systems.  In this work, we are exploring what basic hardware primitives can be used by software to achieve more secure and robust systems.  We take a two approaches in this work.  One approach examine support that processor manufacturers are putting in newer processors and find ways of utilizing them to support better security.  The other is to explore what hardware mechanisms could be added to existing processors to support security.

Formal Verification for Creating Secure Software

In this project we have the goal of trying to detect and remove all security vulnerabilities from a program without ever having to run it.  We will accomplish this by developing program analysis tools based on methods borrowed from formal verification.  The key difference is that formal verification techniques generally try to prove a property about a program.  Instead of trying to prove properties, we design our system to find as many vulnerabilities or bugs as possible.  Further, we seek to tune our system towards finding security vulnerabilities at the cost of possibly missing other types of bugs.  To do this, we are characterizing what sorts of program characteristics are indicative of a software security flaw.

Other Interests

I also have non-security related interests:

High performance computing

Distributed and Parallel Systems

Past Research Projects

The XOM Secure Architecture

XOM stands for eXecute Only Memory.   It is an idea that grew out of the desire to create copy and tamper resistant software that would exist in a kind of memory that could not be read or modified, but   only executed.  There have been many attempts to create copy and tamper resistant software in the past and all have failed to achieve their overall goals.   The problem is that software only solutions are inherently inadequate simply because by having a machine be able to execute the software, it means the software can be read and understood.  XOM tries to achieve copy and tamper resistance by adding a small amount of hardware support to modern general purpose processors.  In the course of the XOM project, we were able to devise simple hardware mechanisms that enabled applications to hide secrets even in the face of a malicious operating system.

You can read more about XOM by checking out publications on it here.

This page was last updated on 08/24/06.