HyperCrypt:基于hypervisor的内核和用户空间加密

2016 11th International Conference on Availability, Reliability and Security (ARES) Pub Date : 2016-08-01 DOI:10.1109/ARES.2016.13

J. Götzfried, Nico Dorr, Ralph Palutke, Tilo Müller

{"title":"HyperCrypt:基于hypervisor的内核和用户空间加密","authors":"J. Götzfried, Nico Dorr, Ralph Palutke, Tilo Müller","doi":"10.1109/ARES.2016.13","DOIUrl":null,"url":null,"abstract":"We present HyperCrypt, a hypervisor-based solution that encrypts the entire kernel and user space to protect against physical attacks on main memory, such as cold boot attacks. HyperCrypt is fully transparent for the guest operating system and all applications running on top of it. At any time, only a small working set of memory pages remains in clear while the vast majority of pages are constantly kept encrypted. By utilizing CPU-bound encryption, the symmetric encryption key is never exposed to RAM. We evaluated our prototype running a standard Linux system with an nginx web sever. With the default configuration of 1024 cleartext pages, successful cold boot attacks are rendered highly unlikely due to large caches of at least 4 MB in modern CPUs. The performance overhead of nginx is raised by factor 1.37 compared to a non-virtualized system.","PeriodicalId":216417,"journal":{"name":"2016 11th International Conference on Availability, Reliability and Security (ARES)","volume":"136 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"15","resultStr":"{\"title\":\"HyperCrypt: Hypervisor-Based Encryption of Kernel and User Space\",\"authors\":\"J. Götzfried, Nico Dorr, Ralph Palutke, Tilo Müller\",\"doi\":\"10.1109/ARES.2016.13\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"We present HyperCrypt, a hypervisor-based solution that encrypts the entire kernel and user space to protect against physical attacks on main memory, such as cold boot attacks. HyperCrypt is fully transparent for the guest operating system and all applications running on top of it. At any time, only a small working set of memory pages remains in clear while the vast majority of pages are constantly kept encrypted. By utilizing CPU-bound encryption, the symmetric encryption key is never exposed to RAM. We evaluated our prototype running a standard Linux system with an nginx web sever. With the default configuration of 1024 cleartext pages, successful cold boot attacks are rendered highly unlikely due to large caches of at least 4 MB in modern CPUs. The performance overhead of nginx is raised by factor 1.37 compared to a non-virtualized system.\",\"PeriodicalId\":216417,\"journal\":{\"name\":\"2016 11th International Conference on Availability, Reliability and Security (ARES)\",\"volume\":\"136 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2016-08-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"15\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2016 11th International Conference on Availability, Reliability and Security (ARES)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ARES.2016.13\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 11th International Conference on Availability, Reliability and Security (ARES)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ARES.2016.13","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 15

摘要

我们提出HyperCrypt，一个基于管理程序的解决方案，加密整个内核和用户空间，以防止对主内存的物理攻击，如冷启动攻击。HyperCrypt对于客户操作系统和在其上运行的所有应用程序是完全透明的。在任何时候，只有一小部分内存页面是透明的，而绝大多数页面都是持续加密的。通过利用cpu绑定的加密，对称加密密钥永远不会暴露给RAM。我们在一个带有nginx web服务器的标准Linux系统上评估了我们的原型。在1024个明文页面的默认配置下，由于现代cpu中至少有4 MB的大型缓存，成功的冷启动攻击几乎不可能实现。与非虚拟化系统相比，nginx的性能开销提高了1.37倍。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

HyperCrypt: Hypervisor-Based Encryption of Kernel and User Space

We present HyperCrypt, a hypervisor-based solution that encrypts the entire kernel and user space to protect against physical attacks on main memory, such as cold boot attacks. HyperCrypt is fully transparent for the guest operating system and all applications running on top of it. At any time, only a small working set of memory pages remains in clear while the vast majority of pages are constantly kept encrypted. By utilizing CPU-bound encryption, the symmetric encryption key is never exposed to RAM. We evaluated our prototype running a standard Linux system with an nginx web sever. With the default configuration of 1024 cleartext pages, successful cold boot attacks are rendered highly unlikely due to large caches of at least 4 MB in modern CPUs. The performance overhead of nginx is raised by factor 1.37 compared to a non-virtualized system.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2016 11th International Conference on Availability, Reliability and Security (ARES)

自引率

0.00%

发文量