TY - GEN
T1 - Between mutual trust and mutual distrust
T2 - 2015 USENIX Annual Technical Conference, USENIX ATC 2015
AU - Wang, Jun
AU - Xiong, Xi
AU - Liu, Peng
N1 - Funding Information:
This work was supported by NSF CNS-1223710, NSF CNS-1422594, and ARO W911NF-13-1-0421 (MURI).
Publisher Copyright:
© 2015 USENIX Annual Technical Conference.
PY - 2015
Y1 - 2015
N2 - Threads in a multithreaded process share the same address space and thus are implicitly assumed to be mutually trusted. However, one (compromised) thread attacking another is a real-world threat. It remains challenging to achieve privilege separation for multithreaded applications so that the compromise or malfunction of one thread does not lead to data contamination or data leakage of other threads. The Arbiter system proposed in this paper explores the solution space. In particular, we find that page table protection bits can be leveraged to do efficient reference monitoring if data objects with the same accessibility stay in the same page. We design and implement Arbiter, which consists of a new memory allocation mechanism, a policy manager, and a set of APIs. Programmers specify security policy through annotating the source code. We apply Arbiter to three applications, an in-memory key/value store, a web server, and a userspace file system, and show how they can benefit from Arbiter in terms of security. Our experiments on the three applications show that Arbiter reduces application throughput by less than 10% and increases CPU utilization by 1.37-1.55×.
AB - Threads in a multithreaded process share the same address space and thus are implicitly assumed to be mutually trusted. However, one (compromised) thread attacking another is a real-world threat. It remains challenging to achieve privilege separation for multithreaded applications so that the compromise or malfunction of one thread does not lead to data contamination or data leakage of other threads. The Arbiter system proposed in this paper explores the solution space. In particular, we find that page table protection bits can be leveraged to do efficient reference monitoring if data objects with the same accessibility stay in the same page. We design and implement Arbiter, which consists of a new memory allocation mechanism, a policy manager, and a set of APIs. Programmers specify security policy through annotating the source code. We apply Arbiter to three applications, an in-memory key/value store, a web server, and a userspace file system, and show how they can benefit from Arbiter in terms of security. Our experiments on the three applications show that Arbiter reduces application throughput by less than 10% and increases CPU utilization by 1.37-1.55×.
UR - http://www.scopus.com/inward/record.url?scp=84995447736&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84995447736&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:84995447736
T3 - Proceedings of the 2015 USENIX Annual Technical Conference, USENIX ATC 2015
SP - 361
EP - 373
BT - Proceedings of the 2015 USENIX Annual Technical Conference, USENIX ATC 2015
PB - USENIX Association
Y2 - 8 July 2015 through 10 July 2015
ER -