Microsoft has built a Haven prototype and shared the purpose and design of the technology in the paper.
As Microsoft researchers Andrew Baumann, Marcus Peinado, and Galen Hunt explain, currently cloud providers have full access to user data. But via Haven, Microsoft could eliminate this full access — something of potential interest to customers spooked by data-leak disclosures by former NSA contractor Edward Snowden.
Haven "implements shielded execution of unmodified server applications in an untrusted cloud host," the researchers noted, bringing users "one step closer to a true 'utility computing' model for the cloud, where the utility provides resources (processor cores, storage and networking) but has no access to user data."
There are a number of other existing approaches designed to shield apps from an untrusted operating system, the researchers noted, citing XOMOS, Proxos, Overshadow, CloudVisor, SecureME, InkTag and Virtual Ghost as examples. But systems based solely on protecting application memory from an untrusted OS are vulnerable to Iago attacks through the system call interface, the researchers said.
"Haven defeats Iago attacks by design, using a LibOS (library OS), shield module and substantially smaller (around 20 calls) mutually-distrusting host interface," they said. It also avoids the need for a trusted hypervisor through SGX assistance. (SGX is Intel's software guard extensions, a set of new instructions and memory access changes that are designed to protect apps from malicious privileged code or hardware attacks.)
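To make the Iago-attack point concrete, here is a small added example (not code from the Haven paper or from Microsoft) that models a single host call. Memory protection alone cannot stop a host that answers an `mmap`-style request with an address inside the application's own stack; a shield layer that keeps its own record of which regions the application owns can reject that reply. The `UntrustedHost`, `Shield`, and `run_scenario` names, the page size, and all addresses are constructed for illustration.

```python
"""Added example, not part of the Haven paper or Microsoft's code.

Models why protecting application memory from the OS is not enough (Iago
attack through the system-call interface) and how a shield that validates
host replies against its own bookkeeping defeats that one case.
All addresses, sizes and class names are constructed for illustration.
"""

from dataclasses import dataclass

PAGE = 0x1000  # constructed page size


@dataclass
class Mapping:
    start: int
    length: int

    def end(self) -> int:
        return self.start + self.length

    def overlaps(self, other: "Mapping") -> bool:
        return self.start < other.end() and other.start < self.end()


class UntrustedHost:
    """Stand-in for the host's mmap-like call.

    An honest host hands out fresh pages. A malicious host, the Iago case
    from the text, answers with an address that aliases a region the
    application already relies on (here, its stack).
    """

    def __init__(self, malicious: bool = False):
        self.malicious = malicious
        self.next_free = 0x7000_0000  # constructed free-region base

    def mmap(self, length: int, app_stack: Mapping) -> int:
        if self.malicious:
            return app_stack.start
        addr = self.next_free
        self.next_free += length
        return addr


class Shield:
    """Tracks every region the application owns and refuses any host reply
    that is misaligned or overlaps one of them: a toy model of the
    "mutually-distrusting host interface" the text describes."""

    def __init__(self, host: UntrustedHost, stack: Mapping):
        self.host = host
        self.stack = stack
        self.owned = [stack]

    def shielded_mmap(self, length: int) -> int:
        if length <= 0 or length % PAGE:
            raise ValueError("length must be a positive multiple of PAGE")
        addr = self.host.mmap(length, self.stack)
        new = Mapping(addr, length)
        if addr % PAGE or any(new.overlaps(m) for m in self.owned):
            # The host's answer is not trusted; refuse it instead of using it.
            raise RuntimeError("host returned an aliased or misaligned mapping")
        self.owned.append(new)
        return addr


def run_scenario(malicious: bool, shielded: bool) -> str:
    """Returns 'ok', 'corrupted' or 'rejected' for one mmap request.

    Unshielded code trusts whatever address the host returns and writes a
    buffer there; if the address aliases the stack, the write corrupts it.
    Shielded code validates the reply first.
    """
    stack = Mapping(0x7FFF_F000, PAGE)  # constructed stack page
    host = UntrustedHost(malicious)
    if shielded:
        shield = Shield(host, stack)
        try:
            buf = shield.shielded_mmap(PAGE)
        except RuntimeError:
            return "rejected"
    else:
        buf = host.mmap(PAGE, stack)
    return "corrupted" if Mapping(buf, PAGE).overlaps(stack) else "ok"


if __name__ == "__main__":
    for malicious in (False, True):
        for shielded in (False, True):
            print(f"malicious={malicious} shielded={shielded}: "
                  f"{run_scenario(malicious, shielded)}")
```

The check in `shielded_mmap` is the whole point: the shield never reasons about whether the host is honest, it only asks whether the reply is consistent with what the application already owns. Haven's real shield validates many more calls and relies on SGX to keep the bookkeeping itself out of the host's reach, which this model does not attempt.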
Haven builds on Drawbridge, "a form of virtualization that seeks to replace the need for a virtual machine to run software across disparate platforms." Drawbridge consists of two core elements: the picoprocess and the library OS. The picoprocess is a secure isolation container constructed from a hardware address space, but with no access to traditional OS services or system calls.
As is the case with all Microsoft Research projects, there's no guarantee if or when a given project will be commercialized. It's worth noting, however, that Microsoft seems to have incorporated picoprocesses into Windows 8.1, though they haven't called out that fact or explained why they are there.