DriverGuard: Virtualization-Based Fine-Grained Protection on I/O Flows

Q Engineering

ACM Transactions on Information and System Security Pub Date : 2013-09-01 DOI:10.1145/2505123

Yueqiang Cheng, Xuhua Ding, R. Deng

{"title":"DriverGuard: Virtualization-Based Fine-Grained Protection on I/O Flows","authors":"Yueqiang Cheng, Xuhua Ding, R. Deng","doi":"10.1145/2505123","DOIUrl":null,"url":null,"abstract":"Most commodity peripheral devices and their drivers are geared to achieve high performance with security functions being opted out. The absence of strong security measures invites attacks on the I/O data and consequently posts threats to those services feeding on them, such as fingerprint-based biometric authentication. In this article, we present a generic solution called DriverGuard, which dynamically protects the secrecy of I/O flows such that the I/O data are not exposed to the malicious kernel. Our design leverages a composite of cryptographic and virtualization techniques to achieve fine-grained protection without using any extra devices and modifications on user applications. We implement the DriverGuard prototype on Xen by adding around 1.7K SLOC. DriverGuard is lightweight as it only needs to protect around 2% of the driver code’s execution. We measure the performance and evaluate the security of DriverGuard with three input devices (keyboard, fingerprint reader and camera) and three output devices (printer, graphic card, and sound card). The experiment results show that DriverGuard induces negligible overhead to the applications.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2013-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Information and System Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2505123","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q","JCRName":"Engineering","Score":null,"Total":0}

引用次数: 12

Abstract

Most commodity peripheral devices and their drivers are geared to achieve high performance with security functions being opted out. The absence of strong security measures invites attacks on the I/O data and consequently posts threats to those services feeding on them, such as fingerprint-based biometric authentication. In this article, we present a generic solution called DriverGuard, which dynamically protects the secrecy of I/O flows such that the I/O data are not exposed to the malicious kernel. Our design leverages a composite of cryptographic and virtualization techniques to achieve fine-grained protection without using any extra devices and modifications on user applications. We implement the DriverGuard prototype on Xen by adding around 1.7K SLOC. DriverGuard is lightweight as it only needs to protect around 2% of the driver code’s execution. We measure the performance and evaluate the security of DriverGuard with three input devices (keyboard, fingerprint reader and camera) and three output devices (printer, graphic card, and sound card). The experiment results show that DriverGuard induces negligible overhead to the applications.

查看原文本刊更多论文

DriverGuard:基于虚拟化的I/O流细粒度保护

大多数商品外围设备及其驱动程序都是为了实现高性能而不选择安全功能。缺乏强大的安全措施会引起对I/O数据的攻击，从而对那些依赖这些数据的服务造成威胁，例如基于指纹的生物识别身份验证。在本文中，我们提出了一种称为DriverGuard的通用解决方案，它动态地保护I/O流的保密性，使I/O数据不会暴露给恶意内核。我们的设计利用加密和虚拟化技术的组合来实现细粒度的保护，而无需在用户应用程序上使用任何额外的设备和修改。我们通过添加约1.7K SLOC在Xen上实现了DriverGuard原型。DriverGuard是轻量级的，因为它只需要保护大约2%的驱动程序代码的执行。我们用三个输入设备(键盘、指纹识别器和摄像头)和三个输出设备(打印机、图形卡和声卡)来测量DriverGuard的性能和评估安全性。实验结果表明，DriverGuard对应用程序的开销可以忽略不计。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

ACM Transactions on Information and System Security 工程技术-计算机：信息系统

CiteScore

4.50

自引率

0.00%

发文量

审稿时长

3.3 months

期刊介绍： ISSEC is a scholarly, scientific journal that publishes original research papers in all areas of information and system security, including technologies, systems, applications, and policies.