PrivExec: Private Execution as an Operating System Service

A short introduction for those who haven't read the full paper.

PrivExec is a novel operating system service for private execution, built on existing, well-tested technologies such as eCryptfs and Overlayfs as a foundation.

PrivExec provides strong, general guarantees of private execution, allowing any application to execute in a mode where storage writes, either to the filesystem or to swap, will not be recoverable by others during or after execution. PrivExec achieves this by binding an ephemeral private execution key to groups of processes that wish to execute privately. This key is used to encrypt all data stored to filesystems, as well as process memory pages written to swap devices, and is never exposed outside of kernel memory or persisted to storage. Once a private execution session has ended, the private execution key is securely wiped from volatile memory. In addition, inter-process communication (IPC) restrictions enforced by PrivExec prevent inadvertent leaks of sensitive data to public processes that might circumvent the system's private storage mechanisms.

PrivExec does not require explicit application support, recompilation, or any other preconditions; it allows any unmodified, legacy binary application to execute privately.

For details, please refer to the full study available here.

Disclaimer

The source code provided on this page does not correspond to the same software described in the original paper. In fact, PrivExec has been reimplemented completely from scratch to address the original work's limitations and usability issues, to increase the code quality, and to port it to a newer Linux kernel version. Consequently, when browsing the source code, expect to see small deviations from the implementation presented in the paper. However, the core design principles of the system remain the same.

An implication of the above is that the evaluation presented in the paper does not necessarily reflect this version's runtime performance. However, we expect this version to perform as well as (and probably better than) the earlier prototype.

Downloads

PrivExec Kernel Patch for Linux kernel version 3.12.0-rc2 with the Overlayfs patches. (ver.2013.10.21)

Run-PrivExec, the userspace helper tool for launching private execution sessions. (ver.2013.10.21)

Please see the included README files for more information.

Setup

(1) First get the correct Linux kernel version, 3.12.0-rc2 with overlayfs.v20.

git clone git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs.git -b overlayfs.v20 --single-branch

Drop me a line if you can't get this from the original repository.

(2) Apply the PrivExec patch.

cd /path/to/kernel/source/
patch -p1 < ../privexec.3.12.0-rc2

...and compile the kernel as usual. Don't forget to enable eCryptfs and Overlayfs support. Also see the notes below.

Important: Make sure you have the MM_OWNER option enabled in your kernel configuration. Otherwise you will run into an error like this:

  CC      mm/memory.o
mm/memory.c: In function ‘do_swap_page’:
mm/memory.c:3000:32: error: ‘struct mm_struct’ has no member named ‘owner’
  struct task_struct *owner = mm->owner; /* privexec */

(3) Compile and install Run-PrivExec.

cd /path/to/run-privexec
make install

For this you need libecryptfs, which comes with the ecryptfs-utils package. Your distro should already have it; otherwise get it here.

(4) Set up file capabilities. (Recommended)

setcap cap_sys_chroot,cap_sys_admin+p privexec

...alternatively, go the way of setuid root.

chown root:root privexec
chmod u+s privexec

(5) Configure Run-PrivExec. (See the notes below.)

emacs /etc/privexec/{usr_mounts,sys_mounts}.conf

You are all set. Go run a private application.

privexec <executable> [args...]
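Before launching a session it is worth confirming that the prerequisites from steps (2) and (4) are actually in place, since a missing MM_OWNER option only surfaces as a compile error and a helper without privileges fails at run time. The script below is an added example, not part of the PrivExec or Run-PrivExec releases. It assumes the usual Kconfig naming (CONFIG_MM_OWNER, CONFIG_ECRYPT_FS, CONFIG_OVERLAYFS_FS for the overlayfs.v20 branch, and CONFIG_PRIVEXEC_DEBUG for the PrivExec option named above); adjust the lists if your tree names them differently.

```shell
#!/bin/sh
# Pre-flight checks for a PrivExec build (added example, not project code).
# Assumed symbol names: CONFIG_MM_OWNER, CONFIG_ECRYPT_FS, CONFIG_OVERLAYFS_FS,
# CONFIG_PRIVEXEC_DEBUG.

# check_kconfig CONFIG_FILE
# Prints every required option that is missing and returns 1 if any is;
# returns 0 when the configuration satisfies the setup notes.
check_kconfig() {
    cfg="$1"
    missing=0
    [ -f "$cfg" ] || { echo "no such config file: $cfg"; return 1; }
    # MM_OWNER is a bool: do_swap_page() needs mm->owner at build time.
    grep -qx 'CONFIG_MM_OWNER=y' "$cfg" \
        || { echo "missing: CONFIG_MM_OWNER=y"; missing=1; }
    # The two filesystems may be built in or built as modules.
    for opt in CONFIG_ECRYPT_FS CONFIG_OVERLAYFS_FS; do
        grep -qE "^${opt}=(y|m)$" "$cfg" \
            || { echo "missing: ${opt}=y or =m"; missing=1; }
    done
    # The README says to leave the debug option off; warn but do not fail.
    if grep -qx 'CONFIG_PRIVEXEC_DEBUG=y' "$cfg"; then
        echo "warning: CONFIG_PRIVEXEC_DEBUG is enabled"
    fi
    return $missing
}

# check_privexec_bin PATH
# Returns 0 if the helper is either setuid root or carries the file
# capabilities recommended in step (4); 1 otherwise. Uses getcap from libcap.
check_privexec_bin() {
    bin="$1"
    [ -x "$bin" ] || { echo "not an executable file: $bin"; return 1; }
    if [ -u "$bin" ] && [ "$(stat -c %u "$bin")" = 0 ]; then
        echo "$bin is setuid root"
        return 0
    fi
    caps=$(getcap "$bin" 2>/dev/null || true)
    case "$caps" in
        *cap_sys_chroot*cap_sys_admin*|*cap_sys_admin*cap_sys_chroot*)
            echo "$bin carries file capabilities: $caps"
            return 0 ;;
    esac
    echo "$bin has neither the recommended file capabilities nor setuid root"
    return 1
}

# Usage: sh privexec-preflight.sh /boot/config-$(uname -r) /usr/local/bin/privexec
if [ $# -eq 2 ]; then
    check_kconfig "$1" && check_privexec_bin "$2"
fi
```

Run it against the .config of the tree you built and the installed helper; a non-zero exit means at least one of the setup steps above is incomplete.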

Notes on PrivExec Kernel Patch

(1) PrivExec comes with three additional kernel configuration options.

PRIVEXEC_RELAX_X: This relaxes the PrivExec IPC restrictions on X Server to allow private applications to run on a non-private X Server. You should enable this; otherwise you need to run the entire X Server in private mode or launch private applications in isolated, private X sessions (and Run-PrivExec does not do the latter).

PRIVEXEC_RELAX_MITSHM: This relaxes the PrivExec IPC restrictions on X Server's MITSHM extension to allow clients that utilize the extension to display correctly. Once again, you probably want this. Alternatively, you can disable the MITSHM extension in your xorg.conf to similar effect, like this:

Section "Extensions"
    Option "MIT-SHM" "Disable"
EndSection

PRIVEXEC_DEBUG: Enables PrivExec log messages. Turn this off.

(2) For easy grepping, every block of new code added to the original Linux kernel is tagged with /* privexec */.

Notes on Run-PrivExec

(1) Run-PrivExec requires two configuration files to determine how to set up the private execution environment. The configuration files are security sensitive and you must take care to restrict the file permissions appropriately.

/etc/privexec/usr_mounts.conf: Lists the filesystem mount points (e.g., /, /var, /home) that will be made available to private applications via PrivExec's secure overlays. Private applications will have full read/write access to these locations, but the filesystem modifications they make will not be recoverable during or after the private execution by other processes. List one mount point per line; the file contents should look like this:

/
/run
/var
/home
/home/my_external_storage

/etc/privexec/sys_mounts.conf: Lists the mount points that will be made available to private applications, but WITHOUT any protections; i.e., modifications to these locations will be visible to the whole system. This is meant for mounting special filesystems such as proc and sysfs that are necessary for a functional private execution environment. List one mount point per line; the file contents should look like this:

/proc
/sys
/dev
/dev/pts
/dev/shm
/dev/mqueue

(2) Run-PrivExec will re-mount the filesystems found on the given mount points in the exact given order, and the user is responsible for getting the order right (as in /etc/fstab).

(3) Obviously, you should ONLY include in these configuration files directories that are separate mount points. For example, if /, /var and /home are three separate filesystems on different device partitions in your system, do include them all. Otherwise, if they are on a single partition, you should only specify / in this configuration file; everything under / will be made securely available to the private application.

(4) Example configuration files are provided with this software package under the "./examples" directory and are also installed to the correct locations when you run make install.
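Because Run-PrivExec applies the list as given, a configuration mistake (a nested directory instead of a separate mount point, a submount listed before its parent, or a file others can edit) is only noticed once a session misbehaves. The checker below is an added example, not part of Run-PrivExec, that validates a usr_mounts.conf or sys_mounts.conf against notes (1) to (3) above. Deciding whether a directory is a mount point by comparing its device number with its parent's is this script's own approach (it misses bind mounts of the same filesystem), and it uses GNU stat.

```shell
#!/bin/sh
# Validates a Run-PrivExec mount list (added example, not project code).
# Assumptions: GNU stat is available; paths contain no whitespace.

# is_mountpoint DIR -> 0 if DIR is the root of a mounted filesystem.
is_mountpoint() {
    d="$1"
    [ "$d" = "/" ] && return 0
    [ -d "$d" ] || return 1
    # A mount point sits on a different device than its parent directory.
    [ "$(stat -c %d "$d")" != "$(stat -c %d "$d/..")" ]
}

# check_mounts_conf FILE
# Prints one diagnostic per problem; returns 1 if any was found, else 0.
check_mounts_conf() {
    conf="$1"
    bad=0
    [ -f "$conf" ] || { echo "$conf: no such file"; return 1; }

    # The file is security sensitive: nobody but the owner may write it.
    mode=$(stat -c %a "$conf")
    case "$mode" in
        *[2367]?|*?[2367]) echo "$conf: group/world writable (mode $mode)"; bad=1 ;;
    esac
    [ "$(stat -c %u "$conf")" = 0 ] || echo "$conf: warning: not owned by root"

    prev=""
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            /*) ;;
            *) echo "$conf:$n: not an absolute path: '$line'"; bad=1; continue ;;
        esac
        if [ ! -d "$line" ]; then
            echo "$conf:$n: no such directory: $line"; bad=1; continue
        fi
        # Note (3): only separate mount points belong in the list.
        if ! is_mountpoint "$line"; then
            echo "$conf:$n: $line is not a separate mount point; its parent filesystem already covers it"
            bad=1
        fi
        # Note (2): mounts are applied in file order, so a parent must
        # precede the mounts nested under it, and nothing may repeat.
        case "$line" in
            /) pfx="/" ;;
            *) pfx="$line/" ;;
        esac
        for p in $prev; do
            if [ "$p" = "$line" ]; then
                echo "$conf:$n: duplicate entry $line"; bad=1
            else
                case "$p" in
                    "$pfx"*) echo "$conf:$n: $line listed after its submount $p; list parents first"; bad=1 ;;
                esac
            fi
        done
        prev="$prev $line"
    done < "$conf"
    return $bad
}

# Usage: sh check-privexec-conf.sh /etc/privexec/usr_mounts.conf
if [ $# -eq 1 ]; then
    check_mounts_conf "$1"
fi
```

Run it on both files after editing them; an empty output and a zero exit status mean every entry is an existing, separately mounted directory in an order Run-PrivExec can apply, and the file itself is not writable by other users.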

Known Issues

Please contact me if you discover other problems.

(1) PrivExec currently does not correctly handle swapoff. Specifically, when a swap device is removed and the swapped out pages are being read back into memory, PrivExec does not decrypt the swap pages of private processes, crashing them. The moral of the story is, do not swapoff when a private process is still running.

(2) PrivExec knows nothing about hibernation.

Change Log

ver.2013.10.21
(1) Filename encryption now works correctly.
(2) Private processes now mount secure containers by passing ecryptfs the mount option "ecryptfs_privexec". Omitting the flag allows private processes to mount non-private ecryptfs partitions.

ver.2013.10.13 First release.

Credits

This software is based on the following research work carried out at Northeastern University Systems Security Lab (NEU SecLab).

PrivExec: Private Execution as an Operating System Service
Kaan Onarlioglu, Collin Mulliner, William Robertson, Engin Kirda
Proceedings of the IEEE Symposium on Security and Privacy (S&P)
San Francisco, CA USA, May 2013

The authors' version of the full paper is available here. If you would like to acknowledge our research or software in your work, please use the following citation information.

@inproceedings{sp2013privexec,
    author = {Kaan Onarlioglu and Collin Mulliner and William Robertson and Engin Kirda},
    title = {{PrivExec: Private Execution as an Operating System Service}},
    booktitle = {IEEE Symposium on Security and Privacy (S\&P)},
    month = may,
    year = {2013},
}

PrivExec is free software licensed under GPLv2. © 2013 Kaan Onarlioglu, William Robertson

Run-PrivExec is free software licensed under GPLv3. © 2013 Kaan Onarlioglu