Input-Output (I/O) Systems Security

SoS Newsletter - Advanced Book Block


Management of I/O devices is a critical part of the operating system, and entire I/O subsystems are devoted to it. These subsystems contend both with the movement toward standard interfaces for a wide range of devices, which makes it easier to add newly developed devices to existing systems, and with the development of entirely new types of devices to which existing standard interfaces can be difficult to apply. Typically, when accessing files, a security check is performed when the file is created or opened, and it is not done again unless the file is closed and reopened. If an opened file is passed to an untrusted caller, the security system can, but is not required to, prevent the caller from accessing the file. Research into I/O security addresses the need to provide adequate security economically and at scale.

The research cited here was published or presented in the first half of 2014. I/O security topics addressed in these works include avionic systems, virtual machines, device replication, RAID arrays, hypervisor design, and cloud storage.


Muller, K.; Sigl, G.; Triquet, B.; Paulitsch, M., "On MILS I/O Sharing Targeting Avionic Systems," Dependable Computing Conference (EDCC), 2014 Tenth European, pp. 182-193, 13-16 May 2014. doi: 10.1109/EDCC.2014.35. This paper discusses strategies for I/O sharing in Multiple Independent Levels of Security (MILS) systems, mostly deployed in the special environment of avionic systems. MILS system designs are promising approaches for handling the increasing complexity of functionally integrated systems, where multiple applications run concurrently on the same hardware platform. Such integrated systems, also known as Integrated Modular Avionics (IMA) in the aviation industry, require communication to remote systems located outside of the hosting hardware platform. One possible solution is to provide each partition, the isolated runtime environment of an application, a direct interface to the communication hardware controller. Nevertheless, this approach requires a special design of the hardware itself. This paper discusses efficient system architectures for I/O sharing in the environment of high-criticality embedded systems and the exemplary analysis of Freescale's proprietary Data Path Acceleration Architecture (DPAA) with respect to generic hardware requirements. Based on this analysis, we also discuss the development of possible architectures matching the MILS approach. Even though the analysis focuses on avionics, it is equally applicable to automotive architectures such as AUTOSAR.

Keywords: aerospace computing; avionics; embedded systems; security of data; DPAA; IMA; MILS I/O sharing; MILS system designs; AUTOSAR; aviation industry; avionic systems; communication hardware controller; Freescale proprietary data path acceleration architecture; hardware platform; high-criticality embedded systems; integrated modular avionics; multiple independent levels of security system; system architectures; Aerospace electronics; Computer architecture; Hardware; Portals; Runtime; Security; Software (ID#: 15-3724)



Aiash, M.; Mapp, G.; Gemikonakli, O., "Secure Live Virtual Machines Migration: Issues and Solutions," Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on, pp. 160-165, 13-16 May 2014. doi: 10.1109/WAINA.2014.35. In recent years, there has been a huge trend towards running network-intensive applications, such as Internet servers and Cloud-based services, in virtual environments, where multiple virtual machines (VMs) running on the same machine share the machine's physical and network resources. In such an environment, the virtual machine monitor (VMM) virtualizes the machine's resources in terms of CPU, memory, storage, network and I/O devices to allow multiple operating systems running in different VMs to operate and access the network concurrently. A key feature of virtualization is live migration (LM), which allows the transfer of a virtual machine from one physical server to another without interrupting the services running in the virtual machine. Live migration facilitates workload balancing, fault tolerance, online system maintenance, consolidation of virtual machines, etc. However, live migration is still in an early stage of implementation and its security is yet to be evaluated. The security concern of live migration is a major factor for its adoption by the IT industry. Therefore, this paper uses the X.805 security standard to investigate attacks on live virtual machine migration. The analysis highlights the main sources of threats and suggests approaches to tackle them. The paper also surveys and compares different proposals in the literature to secure live migration.

Keywords: cloud computing; security of data; virtual machines; Internet server; VMM; X.805 security standard; cloud-based service; fault tolerance; live virtual machine migration; online system maintenance; virtual machine monitor; workload balancing; Authentication; Hardware; Servers; Virtual machine monitors; Virtual machining; Virtualization (ID#: 15-3725)



Ravindran, K.; Rabby, M.; Adiththan, A., "Model-based Control Of Device Replication For Trusted Data Collection," Modeling and Simulation of Cyber-Physical Energy Systems (MSCPES), 2014 Workshop on, pp. 1-6, 14 April 2014. doi: 10.1109/MSCPES.2014.6842399. Voting among replicated data collection devices is a means to achieve dependable data delivery to the end-user in a hostile environment. Failures may occur during the data collection process, such as data corruption by malicious devices and security/bandwidth attacks on data paths. For a voting system, how often correct data is delivered to the user in a timely manner and with low overhead depicts the QoS. Prior works have focused on algorithm correctness issues and performance engineering of the voting protocol mechanisms. In this paper, we study methods for autonomic management of device replication in the voting system to deal with situations where the available network bandwidth fluctuates, the fault parameters change unpredictably, and the devices have battery energy constraints. We treat the voting system as a 'black box' with programmable I/O behaviors. A management module exercises macroscopic control of the voting box with situational inputs, such as application priorities, network resources, battery energy, and external threat levels.

Keywords: quality of service; security of data; trusted computing; QoS; algorithm correctness; bandwidth attack; black-box; data corruptions; device replication autonomic management; malicious devices; security attack; trusted data collection; voting protocol mechanisms; Bandwidth; Batteries; Data collection; Delays; Frequency modulation; Protocols; Quality of service; Adaptive Fault-tolerance; Attacker Modeling; Hierarchical Control; Sensor Replication; Situational Assessment (ID#: 15-3726)



Smith, S.; Woodward, C.; Liang Min; Chaoyang Jing; Del Rosso, A., "On-line Transient Stability Analysis Using High Performance Computing," Innovative Smart Grid Technologies Conference (ISGT), 2014 IEEE PES, pp. 1-5, 19-22 Feb. 2014. doi: 10.1109/ISGT.2014.6816438. In this paper, parallelization and high performance computing are utilized to enable ultrafast transient stability analysis that can be used in a real-time environment to quickly perform "what-if" simulations involving system dynamics phenomena. EPRI's Extended Transient Midterm Simulation Program (ETMSP) is modified and enhanced for this work. The contingency analysis is scaled for large-scale contingency analysis using Message Passing Interface (MPI) based parallelization. Simulations of thousands of contingencies on a high performance computing machine are performed, and results show that parallelization over contingencies with MPI provides good scalability and computational gains. Different ways to reduce the Input/Output (I/O) bottleneck are explored, and findings indicate that architecting a machine with a larger local disk and maintaining a local file system significantly improve the scaling results. Thread-parallelization of the sparse linear solve is also explored, through use of the SuperLU_MT library.

Keywords: large-scale systems; message passing; power engineering computing; power system transient stability; real-time systems; EPRI extended transient midterm simulation program; ETMSP; MPI; SuperLU_MT library; high performance computing machine; input-output bottleneck; large-scale contingency analysis; local disk; local file system; message passing interface; on-line transient stability analysis; real-time environment; sparse linear solve; system dynamics phenomena; ultrafast transient stability analysis; Computational modeling; File systems; High performance computing; Power system stability; Stability analysis; Transient analysis; Dynamic security assessment; control center; high performance computing; parallelization; real-time simulation; transient stability (ID#: 15-3727)



Shropshire, J., "Analysis of Monolithic and Microkernel Architectures: Towards Secure Hypervisor Design," System Sciences (HICSS), 2014 47th Hawaii International Conference on, pp. 5008-5017, 6-9 Jan. 2014. doi: 10.1109/HICSS.2014.615. This research focuses on hypervisor security from a holistic perspective. It centers on hypervisor architecture: the organization of the various subsystems which collectively comprise a virtualization platform. It holds that the path to a secure hypervisor begins with a big-picture focus on architecture. Unfortunately, little research has been conducted with this perspective. This study investigates the impact of monolithic and microkernel hypervisor architectures on the size and scope of the attack surface. Six architectural features are compared: management API, monitoring interface, hypercalls, interrupts, networking, and I/O. These subsystems are core hypervisor components which could be used as attack vectors. Specific examples and three leading hypervisor platforms are referenced (ESXi for monolithic architecture; Xen and Hyper-V for micro architecture). The results describe the relative strengths and vulnerabilities of both types of architectures. It is concluded that neither design is more secure, since both incorporate security tradeoffs in core processes.

Keywords: application program interfaces; security of data; virtualization; ESXi; Hyper-V; Xen; attack surface; hypercalls; hypervisor security; management API; micro architecture; microkernel hypervisor architectures; microkernel architectures; monitoring interface; monolithic architectures; monolithic hypervisor architectures; networking; secure hypervisor design; security tradeoffs; virtualization platform; Computer architecture; Hardware; Kernel; Monitoring; Security; Virtual machine monitors; Virtual machining; cloud computing; hypervisor security; microkernel architecture; monolithic architecture (ID#: 15-3728)



Youngjung Ahn; Yongsuk Lee; Jin-Young Choi; Gyungho Lee; Dongkyun Ahn, "Monitoring Translation Lookahead Buffers to Detect Code Injection Attacks," Computer, vol. 47, no. 7, pp. 66-72, July 2014. doi: 10.1109/MC.2013.228. By identifying memory pages that external I/O operations have modified, a proposed scheme blocks malicious injected code activation, accurately distinguishing an attack from legitimate code injection with negligible performance impact and no changes to the user application.

Keywords: buffer storage; computer crime; system monitoring; blocks malicious injected code activation; code injection attack detection; external I/O operations; legitimate code injection attack; memory pages identification; translation lookahead buffers monitoring; Decision support systems; Handheld computers; Code injection; TLB; data execution prevention; hackers; invasive software; security (ID#: 15-3729)



Mingqiang Li; Lee, P.P.C., "Toward I/O-Efficient Protection Against Silent Data Corruptions In RAID Arrays," Mass Storage Systems and Technologies (MSST), 2014 30th Symposium on, pp. 1-12, 2-6 June 2014. doi: 10.1109/MSST.2014.6855548. Although RAID is a well-known technique to protect data against disk errors, it is vulnerable to silent data corruptions that cannot be detected by disk drives. Existing integrity protection schemes designed for RAID arrays often introduce high I/O overhead. Our key insight is that by properly designing an integrity protection scheme that adapts to the read/write characteristics of storage workloads, the I/O overhead can be significantly mitigated. In view of this, this paper presents a systematic study on I/O-efficient integrity protection against silent data corruptions in RAID arrays. We formalize an integrity checking model, and justify that a large proportion of disk reads can be checked with simpler and more I/O-efficient integrity checking mechanisms. Based on this integrity checking model, we construct two integrity protection schemes that provide complementary performance advantages for storage workloads with different user write sizes. We further propose a quantitative method for choosing between the two schemes in real-world scenarios. Our trace-driven simulation results show that with the appropriate integrity protection scheme, we can reduce the I/O overhead to below 15%.

Keywords: RAID; data integrity; input-output programs; security of data; IO-efficient integrity checking mechanisms; IO-efficient protection; RAID arrays; disk drives; disk errors; integrity checking model; integrity protection schemes; read-write characteristics; silent data corruptions; storage workloads; trace-driven simulation; user write sizes; Arrays; Data models; Disk drives; Redundancy; Systematics; Taxonomy; I/O overhead; RAID; integrity protection schemes; silent data corruptions (ID#: 15-3730)



Mianxiong Dong; He Lit; Ota, K.; Haojin Zhu, "HVSTO: Efficient Privacy Preserving Hybrid Storage In Cloud Data Center," Computer Communications Workshops (INFOCOM WKSHPS), 2014 IEEE Conference on, pp. 529-534, 27 April-2 May 2014. doi: 10.1109/INFCOMW.2014.6849287. In a cloud data center, shared storage with good management is the main structure used for the storage of virtual machines (VMs). In this paper, we propose Hybrid VM Storage (HVSTO), a privacy preserving shared storage system designed for virtual machine storage in large-scale cloud data centers. Unlike traditional shared storage, HVSTO adopts a distributed structure to preserve the privacy of virtual machines, which is threatened in a traditional centralized structure. To improve I/O latency in this distributed structure, we use a hybrid system that combines solid state disks and distributed storage. From the evaluation of our demonstration system, HVSTO provides scalable and sufficient throughput for a platform-as-a-service infrastructure.

Keywords: cloud computing; computer centers; data privacy; virtual machines; virtualization; HVSTO; I/O latency performance improvement; distributed storage; distributed structure; hybrid VM storage; large-scale cloud data center; privacy preserving hybrid storage; privacy preserving shared storage system; service infrastructure; solid state disk; virtual machine storage; Conferences; Data privacy; Indexes; Security; Servers; Virtual machining; Virtualization (ID#: 15-3730)



Chiang, R.; Rajasekaran, S.; Zhang, N.; Huang, H., "Swiper: Exploiting Virtual Machine Vulnerability in Third-Party Clouds with Competition for I/O Resources," Parallel and Distributed Systems, IEEE Transactions on, vol. PP, no. 99, pp. 1-1, June 2014. doi: 10.1109/TPDS.2014.2325564. The emerging paradigm of cloud computing, e.g., Amazon Elastic Compute Cloud (EC2), promises a highly flexible yet robust environment for large-scale applications. Ideally, while multiple virtual machines (VMs) share the same physical resources (e.g., CPUs, caches, DRAM, and I/O devices), each application should be allocated to an independently managed VM and isolated from the others. Unfortunately, the absence of physical isolation inevitably opens doors to a number of security threats. In this paper, we demonstrate in EC2 a new type of security vulnerability caused by competition between virtual I/O workloads, i.e., by leveraging the competition for shared resources, an adversary could intentionally slow down the execution of a targeted application in a VM that shares the same hardware. In particular, we focus on I/O resources such as hard-drive throughput and/or network bandwidth, which are critical for data-intensive applications. We design and implement Swiper, a framework which uses a carefully designed workload to incur significant delays on the targeted application and VM with minimum cost (i.e., resource consumption). We conduct a comprehensive set of experiments in EC2, which clearly demonstrate that Swiper is capable of significantly slowing down various server applications while consuming a small amount of resources.

Keywords: Cloud computing; Delays; IP networks; Security; Synchronization; Throughput; Virtualization (ID#: 15-3731)



Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.