cfaed Seminar Series

Operating systems nowadays are facing imminent security threats, due to the complexity of applications, OSes and hardware components, and the exposure to adversaries in new computing environments such as public clouds. To isolate applications from these threats, new operating system architectures are invented, including mutually-isolating guest OSes, and host-isolating execution environments like the Intel SGX enclaves. To securely adopt millions of legacy applications, a secure OS architecture must guarantee both the backward-compatibility of system features and the thoroughness of defending the interface to the untrusted world. We present the Graphene library OS, which encapsulates the Linux idiosyncratic behaviors and abstractions in a guest or an enclave, with a narrowed host interface that is highly portable and easy to design defense strategies for. When used as a guest OS, Graphene can enforce simple isolation rules, such as blocking file access, network connection and pipe communication, to fence all the operations on OS states sharable by multiple processes. As a result, Graphene has security isolation compatible to virtual machines, but costs much less memory than a full VM and allows dynamic isolation of processes. When used in an Intel SGX enclave, Graphene (also called Graphene-SGX) restraints minimal entry points to shield applications from malicious host inputs. The defense of Graphene is easy to verify and trust, due to the simplicity of its host interface, and keeping sensitive but vulnerable OS states internal. To evaluate the backward-compatibility of Graphene to Linux applications, we also design a methodology of measuring the completeness of supporting system APIs, weighed by the popularity of applications. The methodology has guided the development of Graphene, to maximize the API support in progress. Graphene has shown competitive results of securing sophisticated applications like web servers, shell scripts and Java virtual machine runtimes right off the shelf. By supporting the JVM runtimes, Graphene becomes an important building block for introducing Intel SGX protection as a feature and first-class citizen to Java applications. As Graphene unlocks the limitation of supporting Java in enclaves, and connects the low-level hardware features with the language-level semantics, it allows further hardening an isolated application by partitioning it using a combination of hardware protection (i.e., SGX) and language protection (e.g., type-safety, object-proxying, information flow filtering).