FIMCE: A fully isolated micro-computing environment for multicore systems

FIMCE: A fully isolated micro-computing environment for multicore systems

Virtualization-based memory isolation has been widely used as a security primitive in various security systems to counter kernel-level attacks. In this article, our in-depth analysis on this primitive shows that its security is significantly undermined in the multicore setting when other hardware re...

Full description

Saved in:
Bibliographic Details
Main Authors: ZHAO, Siqi, DING, Xuhua
Format: text
Language:English
Published: Institutional Knowledge at Singapore Management University 2018
Subjects:
Virtualization
isolation
multicore platform
hypervisor
Information Security
Systems Architecture
Online Access:https://ink.library.smu.edu.sg/sis_research/4266
https://ink.library.smu.edu.sg/context/sis_research/article/5269/viewcontent/FIMCE_A_fully_isolated_micro_computing_environment_for_multicore_systems.pdf
Tags: Add Tag
No Tags, Be the first to tag this record!
Institution: Singapore Management University
Language: English
id sg-smu-ink.sis_research-5269
record_format dspace
spelling sg-smu-ink.sis_research-52692020-01-13T08:36:37Z FIMCE: A fully isolated micro-computing environment for multicore systems ZHAO, Siqi DING, Xuhua Virtualization-based memory isolation has been widely used as a security primitive in various security systems to counter kernel-level attacks. In this article, our in-depth analysis on this primitive shows that its security is significantly undermined in the multicore setting when other hardware resources for computing are not enclosed within the isolation boundary. We thus propose to construct a fully isolated micro-computing environment (FIMCE) as a new primitive. By virtue of its architectural niche, FIMCE not only offers stronger security assurance than its predecessor, but also features a flexible and composable environment with support for peripheral device isolation, thus greatly expanding the scope of applications. In addition, FIMCE can be integrated with recent technologies such as Intel Software Guard Extensions (SGX) to attain even stronger security guarantees. We have built a prototype of FIMCE with a bare-metal hypervisor. To show the benefits of using FIMCE as a building block, we have also implemented four applications which are difficult to construct using the existing memory isolation method. Experiments with these applications demonstrate that FIMCE imposes less than 1% overhead on single-threaded applications, while the maximum performance loss on multithreaded applications is bounded by the degree of parallelism at the processor level. 2018-06-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/4266 info:doi/10.1145/3195181 https://ink.library.smu.edu.sg/context/sis_research/article/5269/viewcontent/FIMCE_A_fully_isolated_micro_computing_environment_for_multicore_systems.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Virtualization isolation multicore platform hypervisor Information Security Systems Architecture
institution Singapore Management University
building SMU Libraries
continent Asia
country Singapore
Singapore
content_provider SMU Libraries
collection InK@SMU
language English
topic Virtualization
isolation
multicore platform
hypervisor
Information Security
Systems Architecture
spellingShingle Virtualization
isolation
multicore platform
hypervisor
Information Security
Systems Architecture
ZHAO, Siqi
DING, Xuhua
FIMCE: A fully isolated micro-computing environment for multicore systems
description Virtualization-based memory isolation has been widely used as a security primitive in various security systems to counter kernel-level attacks. In this article, our in-depth analysis on this primitive shows that its security is significantly undermined in the multicore setting when other hardware resources for computing are not enclosed within the isolation boundary. We thus propose to construct a fully isolated micro-computing environment (FIMCE) as a new primitive. By virtue of its architectural niche, FIMCE not only offers stronger security assurance than its predecessor, but also features a flexible and composable environment with support for peripheral device isolation, thus greatly expanding the scope of applications. In addition, FIMCE can be integrated with recent technologies such as Intel Software Guard Extensions (SGX) to attain even stronger security guarantees. We have built a prototype of FIMCE with a bare-metal hypervisor. To show the benefits of using FIMCE as a building block, we have also implemented four applications which are difficult to construct using the existing memory isolation method. Experiments with these applications demonstrate that FIMCE imposes less than 1% overhead on single-threaded applications, while the maximum performance loss on multithreaded applications is bounded by the degree of parallelism at the processor level.
format text
author ZHAO, Siqi
DING, Xuhua
author_facet ZHAO, Siqi
DING, Xuhua
author_sort ZHAO, Siqi
title FIMCE: A fully isolated micro-computing environment for multicore systems
title_short FIMCE: A fully isolated micro-computing environment for multicore systems
title_full FIMCE: A fully isolated micro-computing environment for multicore systems
title_fullStr FIMCE: A fully isolated micro-computing environment for multicore systems
title_full_unstemmed FIMCE: A fully isolated micro-computing environment for multicore systems
title_sort fimce: a fully isolated micro-computing environment for multicore systems
publisher Institutional Knowledge at Singapore Management University
publishDate 2018
url https://ink.library.smu.edu.sg/sis_research/4266
https://ink.library.smu.edu.sg/context/sis_research/article/5269/viewcontent/FIMCE_A_fully_isolated_micro_computing_environment_for_multicore_systems.pdf
_version_ 1770574594106720256

Similar Items