Secure Virtual Architecture: A Novel Foundation for Operating System Security

Published 6 September 2016, 16:28
This talk describes Secure Virtual Architecture (SVA), an efficient and robust approach to providing a safe execution environment for an entire commodity operating system, such as Linux, and its hosted applications. SVA defines a simple but complete virtual architecture, implemented via a compiler-based virtual machine. The SVA approach is efficient and requires relatively few changes to the guest OS because it is based on a set of novel, highly efficient techniques for enforcing strong safety properties on *unmodified* C programs. We have ported the Linux kernel to SVA with only minimal changes to the machine-independent part of the kernel. The safety guarantees in SVA are close to, but slightly weaker than, those provided by a safe language like Java, C#, or Modula-3; these compromises are key to both efficiency and minimal porting changes. The approach is robust because both SVA and the virtual machine are designed to remove the complex safety-checking compiler from the trusted computing base, requiring only a simple type checker to be trusted. The SVA design also enables similarly robust implementation of higher-level security properties that can be expressed as type systems. The safe execution environment enforced by SVA can provide three benefits for operating system designers and users. First, it can eliminate a large class of vulnerabilities that are by far the most common targets of exploits today. Second, a safe execution environment can foster new avenues for innovation in commodity systems by incorporating techniques developed in research kernels using safe languages, such as extensibility, type-safe communication, and others. Third, many higher-level security problems could be addressed effectively by a combination of compiler and run-time techniques enabled by a compiler-based virtual machine. The long-term goal of the SVA project is to develop new solutions to higher-level security problems in current systems.