| Downloads | Citations | Reads |
| --- | --- | --- |
| 156 | 3 | 55 |
Chinese abstract (translated): To address the problems of security isolation and leakage of private data on Internet of Things (IoT) devices, this paper studies information flow control between threads in Unix-like operating systems. Based on the ARM pointer authentication hardware security extension and the decentralized information flow control (DIFC) model, threads are given security labels and integrity labels, which provides fine-grained security isolation within the process address space, protection of shared memory, and secure multithreading; kernel security primitives and security-check hooks effectively prevent unauthorized data access between threads. Experimental results show that the hardware-assisted information flow control system obtains a significant performance improvement: in real IoT program use cases (OpenSSL and the Apache HTTP server), the prototype increases runtime memory usage by 210 kB with an average performance overhead of no more than 3.66%.
Abstract: In order to solve the problems of security isolation and private data leakage in Internet of Things (IoT) devices, information flow control between threads of a Unix-like operating system was studied. Based on a hardware security extension (ARM pointer authentication) and the decentralized information flow control (DIFC) model, threads were labeled with security tags and integrity tags, providing fine-grained security isolation within the process address space and protection of shared memory and multithreading. Security primitives and security check hooks were added to the kernel to effectively prevent unauthorized data access between threads. The evaluation showed that the hardware-assisted information flow control system could achieve a significant performance improvement, and that the prototype system induced only a small memory footprint and runtime overhead in practical IoT use cases (OpenSSL and the Apache HTTP server).
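The abstract describes the DIFC rule the kernel hooks enforce: data may flow from one thread (or shared-memory region) to another only if the source's security tags are all held by the destination and the destination's integrity tags are all held by the source. The following is an added illustration of that check, written for this page and not taken from the paper or its prototype; tag names, thread labels, and the `difc_*` functions are constructed for the example, tags are modelled as bits in a 64-bit mask, and the hardware side (pointer-authentication protection of the label pointers) is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A label is a pair of tag sets: security (secrecy) tags and integrity tags.
 * Tags are bits in a 64-bit mask; all tag values below are constructed for
 * this example and are not the paper's identifiers. */
typedef uint64_t tagset_t;

enum {
    TAG_TLS_KEY     = 1u << 0,  /* security: private key material */
    TAG_CLIENT_DATA = 1u << 1,  /* security: request payloads */
    TAG_CFG_TRUSTED = 1u << 2,  /* integrity: config written by a trusted loader */
};

typedef struct {
    const char *name;
    tagset_t secrecy;    /* security tags attached to data this subject holds */
    tagset_t integrity;  /* integrity tags this subject's data is vouched for */
} difc_label_t;

/* true iff every tag in a is also in b */
static bool tags_subset(tagset_t a, tagset_t b) { return (a & ~b) == 0; }

/* Core DIFC rule: information may flow from src to dst iff
 *   src.secrecy   is a subset of dst.secrecy   (no secret leaks downward) and
 *   dst.integrity is a subset of src.integrity (no low-integrity data flows up). */
bool difc_can_flow(const difc_label_t *src, const difc_label_t *dst) {
    return tags_subset(src->secrecy, dst->secrecy)
        && tags_subset(dst->integrity, src->integrity);
}

/* Hooks a kernel would call on shared-memory access: a write is a flow from
 * the thread into the region, a read is a flow from the region into the thread. */
bool difc_shm_write_ok(const difc_label_t *thread, const difc_label_t *region) {
    return difc_can_flow(thread, region);
}
bool difc_shm_read_ok(const difc_label_t *thread, const difc_label_t *region) {
    return difc_can_flow(region, thread);
}

/* Constructed threads and shared regions for a TLS-serving process. */
const difc_label_t tls_worker     = {"tls_worker",     TAG_TLS_KEY | TAG_CLIENT_DATA, 0};
const difc_label_t log_worker     = {"log_worker",     0,                             0};
const difc_label_t cfg_loader     = {"cfg_loader",     0,                             TAG_CFG_TRUSTED};
const difc_label_t shared_session = {"shared_session", TAG_TLS_KEY | TAG_CLIENT_DATA, 0};
const difc_label_t shared_log     = {"shared_log",     0,                             0};
const difc_label_t shared_cfg     = {"shared_cfg",     0,                             TAG_CFG_TRUSTED};

/* Runs a fixed batch of accesses through the hooks and returns how many were denied. */
int difc_demo(void) {
    struct { const difc_label_t *t, *r; bool write; } ops[] = {
        {&tls_worker, &shared_session, true},   /* allowed: secrets stay in a secret region */
        {&log_worker, &shared_session, false},  /* denied:  log thread lacks the security tags */
        {&tls_worker, &shared_log,     true},   /* denied:  would leak key/client data into the log */
        {&log_worker, &shared_log,     true},   /* allowed */
        {&cfg_loader, &shared_cfg,     true},   /* allowed: trusted loader may write trusted config */
        {&log_worker, &shared_cfg,     true},   /* denied:  low-integrity thread may not taint config */
        {&tls_worker, &shared_cfg,     false},  /* allowed: reading trusted config is always safe */
    };
    int denied = 0;
    for (size_t i = 0; i < sizeof ops / sizeof ops[0]; i++) {
        bool ok = ops[i].write ? difc_shm_write_ok(ops[i].t, ops[i].r)
                               : difc_shm_read_ok(ops[i].t, ops[i].r);
        printf("%-10s %-5s %-14s -> %s\n", ops[i].t->name,
               ops[i].write ? "write" : "read", ops[i].r->name,
               ok ? "allowed" : "DENIED");
        if (!ok) denied++;
    }
    return denied;  /* 3 of the 7 accesses are denied */
}

int main(void) {
    printf("denied: %d\n", difc_demo());
    return 0;
}
```

The two subset tests are the whole policy: the write of session data into the log region is refused even though both threads live in the same address space, which is the intra-process leak the abstract targets, and the same rule on the integrity side stops an untrusted thread from overwriting configuration a trusted loader produced.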
Basic information:
DOI: 10.13705/j.issn.1671-6841.2020420
CLC number: TP391.44; TN915.08
Citation:
[1] 张立强, 陈青松, 严飞. Information flow control system based on ARM pointer authentication [J]. Journal of Zhengzhou University (Natural Science Edition), 2021, 53(03): 42-49. DOI: 10.13705/j.issn.1671-6841.2020420.
Funding:
National Natural Science Foundation of China (61272452); National Basic Research Program of China (973 Program) (2014CB340601); Key Research and Development Program of Hubei Province (2020BAA003); Suzhou Prospective Application Research Project (SYG201845)