Iago Attacks: Why the System Call API is a Bad Untrusted RPC Interface

In Proceedings of ASPLOS 2013. ACM Press, Mar. 2013.

Abstract

In recent years, researchers have proposed systems for running trusted code on an untrusted operating system. Protection mechanisms deployed by such systems keep a malicious kernel from directly manipulating a trusted application’s state. Under such systems, the application and kernel are, conceptually, peers, and the system call API defines an RPC interface between them.

We introduce Iago attacks, attacks that a malicious kernel can mount in this model. We show how a carefully chosen sequence of integer return values to Linux system calls can lead a supposedly protected process to act against its interests, and even to undertake arbitrary computation at the malicious kernel’s behest.

Iago attacks are evidence that protecting applications from malicious kernels is more difficult than previously realized.

Material

local copy (PDF).
also available as UCSD technical report CS2012-0984

Reference

@InProceedings{CS13, author = {Stephen Checkoway and Hovav Shacham}, title = {Iago Attacks: Why The System Call {API} Is a Bad Untrusted {RPC} Interface}, booktitle = {Proceedings of ASPLOS 2013}, year = 2013, editor = {Ras Bodik}, month = mar, publisher = {ACM Press}, pages = {253-64} }

Iago Attacks: Why the System Call API is a Bad Untrusted RPC Interface

Abstract

Material

Reference

Navigation: Hovav Shacham // Publications // [CS13]