
Commodity operating systems are tasked with storing and processing our
most sensitive information, from managing financial and medical
records to carrying out online purchases. The generality and rich
functionality these systems provide lead to complexity in their
implementation, and hence their assurance often falls short.

%Poor assurance appears
%to be the result of the complexity inherent in these systems --
%while the generality of a commodity operating system makes it useful
%for many tasks, it also makes it difficult to secure.

Many solutions have been proposed for enhancing the assurance of
these systems. Some use microkernels to contain potentially malicious
behavior by placing major OS and application components into
separate isolated processes~\cite{appcore-smaller-tcb}.  Others,
such as NGSCB (formerly
Palladium)~\cite{england03:_trust_open_platf},
Proxos~\cite{ta-min06:_split_inter},
XOM~\cite{lie00:_archit_suppor_for_copy_and}, and
Overshadow~\cite{chen08:_overs}, attempt to retrofit orthogonal,
higher-assurance execution environments alongside a commodity OS,
allowing part or all of an application to run in a protected
environment while still using OS services.  Unfortunately, while these
systems provide CPU and memory isolation in the face of OS
compromise, the implications of continuing to rely on OS services if
they turn malicious are poorly understood.

We explore this problem and potential solutions in the context of
Overshadow, a virtualization-based system we developed that
protects applications in a VM from the guest operating system in
that VM.  Overshadow attempts to maintain the secrecy and integrity
of an application's data even if the OS is completely compromised.
For each major OS component, we examine how malicious behavior could
undermine application secrecy and integrity, and suggest potential
mitigations.  While we present our analysis and solutions in the
context of Linux and Overshadow, they are more generally applicable
to any system attempting to secure application execution in the face
of a compromised OS.

We begin with a review of systems that enforce isolation between
protected applications and untrusted operating systems in
Section~\ref{sec:background}. Next, we explain how a malicious OS can
subvert them, using false system call return values to trick an
application into revealing its secrets, and argue for a solution based
on a verifiable system call interface
in Section~\ref{sec:security}. Finally, we examine the implications of
making specific OS components untrusted, and propose defenses against
possible attacks, in Section~\ref{sec:components}.

