Bilkent University
Department of Computer Engineering


Virtual Ghost: Protecting Applications from Compromised Operating Systems


Prof. John Criswell
University of Rochester

Commodity operating system kernels are the foundation of our software systems, providing access control, I/O mechanisms, and memory management. However, operating system kernels are vulnerable to a variety of security attacks. Compromising the kernel allows an attacker to render any security protections, provided by the kernel or the applications running on the kernel, useless.

In this talk, I will present Virtual Ghost: a system that protects the confidentiality and integrity of application data from an operating system kernel that is completely under an attackers control. Virtual Ghost provides applications with private, incorruptible memory, incorruptible control flow, and secure key delivery. With these features, applications can protect their data from the operating system kernel. Unlike previous systems, Virtual Ghost employs compiler techniques to protect applications and is faster than previous solutions that rely on hypervisor-based approaches.

Bio: John Criswell is an assistant professor in the Department of Computer Science at the University of Rochester. He earned both his B.S. in Computer Science (2003) and Ph.D. in Computer Science (2014) at the University of Illinois at Urbana-Champaign.

Johns research interests focus on computer security and novel applications of compiler and operating system technology. John's primary research work is on the Secure Virtual Architecture (SVA). SVA enforces security policies on commodity operating system and application code via compiler instrumentation, thereby providing strong protection against sophisticated attacks. Using SVA, John built the first systems that provide strong automated memory safety protection and complete control-flow integrity enforcement to commodity operating system kernels such as Linux and FreeBSD. More recently, John has used SVA to create the Virtual Ghost system that protects application data and control-flow from a compromised operating system kernel. John was awarded the Honorable Mention for the 2014 SIGOPS Dennis M. Ritchie Doctoral Dissertation Award for his work on SVA.


DATE: 19 March, 2015, Thursday @ 13:40