Microsoft Research builds a safe 'Haven' for shielding apps in the cloud

Microsoft researchers have built a prototype of a new app-shielding technology called Haven, which builds on top of Microsoft's previous Drawbridge operating system work.
Written by Mary Jo Foley, Senior Contributing Editor

Microsoft Research is building on its "Drawbridge" operating system technology to try to give users more confidence in the safety of the cloud.
Company officials detailed that new technology, known as "Haven," in the "Shielding Applications from an Untrusted Cloud with Haven" research paper, shared during the 11th USENIX Symposium on Operating Systems Design and Implementation, happening this week in Broomfield, Colo. (Thanks to "Walking Cat" on Twitter for the link to the paper.)

Microsoft has built a Haven prototype and shared the purpose and design of the technology in the paper.

As Microsoft researchers Andrew Baumann, Marcus Peinado, and Galen Hunt explain, currently cloud providers have full access to user data. But via Haven, Microsoft could eliminate this full access — something of potential interest to customers spooked by data-leak disclosures by former NSA contractor Edward Snowden.

Haven "implements shielded execution of unmodified server applications in an untrusted cloud host," the researchers noted, bringing users "one step closer to a true 'utility computing' model for the cloud, where the utility provides resources (processor cores, storage and networking) but has no access to user data."

There are a number of other existing approaches designed to shield apps from an untrusted operating system, the researchers noted, citing XOMOS, Proxos, Overshadow, CloudVisor, SecureME, InkTag and Virtual Ghost as examples. But systems based solely on protecting application memory from an untrusted OS are vulnerable to Iago attacks through the system call interface, the researchers said.

"Haven defeats Iago attacks by design, using a LibOS (library OS), shield module and substantially smaller (around 20 calls) mutually-distrusting host interface," they said. It also avoids the need for a trusted hypervisor through SGX assistance. (SGX is Intel's Software Guard Extensions, a set of new instructions and memory-access changes designed to protect apps from malicious privileged code or hardware attacks.)
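The Iago defence the paper describes, as an added illustration that is not Haven's own code: a toy shield layer that validates an allocation reply from the untrusted host before the LibOS uses it, refusing a reply that aliases memory the LibOS already owns (the classic Iago case, where a hostile mmap return overlaps the stack). The address ranges, the reply structure and the two host functions are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed, hypothetical layout: the address range the shielded app may
   occupy, and a region the LibOS has already mapped (its stack). */
#define APP_BASE   0x10000000UL
#define APP_LIMIT  0x20000000UL
#define STACK_BASE 0x1FF00000UL
#define STACK_LEN  0x00100000UL

/* Reply from the untrusted host's allocation call (assumed shape). */
typedef struct { uintptr_t addr; size_t len; int failed; } host_reply;
typedef host_reply (*host_alloc_fn)(size_t len);

static bool ranges_overlap(uintptr_t a, size_t alen, uintptr_t b, size_t blen) {
    return a < b + blen && b < a + alen;
}

/* Shield check: accept the host's reply only if it is an honest failure or a
   page-aligned region, at least as large as requested, inside the app range,
   and not aliasing memory the LibOS already owns. Each rejection has a code. */
int shield_alloc(host_alloc_fn host, size_t len, uintptr_t *out) {
    host_reply r = host(len);
    if (r.failed) return -1;                              /* honest failure */
    if (r.len < len) return -2;                           /* short allocation */
    if (r.addr % 4096 != 0) return -3;                    /* misaligned */
    if (r.len > UINTPTR_MAX - r.addr) return -4;          /* wraps around */
    if (r.addr < APP_BASE || r.addr + r.len > APP_LIMIT) return -5; /* outside range */
    if (ranges_overlap(r.addr, r.len, STACK_BASE, STACK_LEN)) return -6; /* Iago aliasing */
    *out = r.addr;
    return 0;
}

/* Two constructed hosts: one well behaved, one that hands back the stack. */
host_reply honest_host(size_t len) {
    host_reply r = { APP_BASE + 0x1000, len, 0 };
    return r;
}
host_reply malicious_host(size_t len) {
    host_reply r = { STACK_BASE, len, 0 };
    return r;
}
```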

Haven builds on Drawbridge, "a form of virtualization that seeks to replace the need for a virtual machine to run software across disparate platforms." Drawbridge consists of two core elements: the picoprocess and the library OS. The picoprocess is a secure isolation container constructed from a hardware address space, but with no access to traditional OS services or system calls.

Haven and Drawbridge were developed by some of the same researchers who worked on Microsoft's "Singularity" microkernel operating system. Microsoft's "Midori" operating system skunkworks project can trace its roots back to Singularity.

As is the case with all Microsoft Research projects, there's no guarantee if or when a given project will be commercialized. It's worth noting, however, that Microsoft seems to have incorporated picoprocesses into Windows 8.1, though they haven't called out that fact or explained why they are there.