Flicker: An Execution Infrastructure for TCB Minimization

Transcription:

Flicker: An Execution Infrastructure for TCB Minimization
Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Hiroshi Isozaki (EuroSys 08)
Presented by: Tianyuan Liu, Oct 31, 2017

Outline
- Motivation
- Background: Trusted Platform Module (TPM), Late Launch
- Flicker Architecture and Extensions
- Flicker Application
- Evaluation
- Summary

Motivation
- Security primitives:
  - Isolation: virtualization [Garfinkel 03, Singaravelu 06, Ta-Min 06]; trusted hardware [Yee 94, Smith 99, Jiang 01]
  - Remote attestation: trusted boot [Sailer 06]; trusted kernel [Shi 05]
- But the additional trusted computing base (TCB) is huge. E.g. a system using a secure hypervisor adds 50,000 LoC.

Motivation
- A study shows an average of six bugs per 1,000 LoC; driver code is 3-7x worse [Tanenbaum 06].
- E.g. Linux kernel: 2.5M LoC, so roughly 15,000 bugs (as of 2006).
- How do we achieve these security primitives while keeping the additional TCB minimal?

Background: TPM v1.2
- The Trusted Platform Module (TPM) is a dedicated security chip that can provide an attestation to remote parties.
- Platform Configuration Registers (PCRs) summarize the computer's software state.
- PCR_Extend(N, V): PCR[N] = SHA-1(PCR[N] || V)
- The TPM provides a signature over the PCR values; attestation works by validating the PCR states.
- Dynamic PCRs (17-23) can be reset without a reboot, and PCR 17 can only be reset by a hardware command.
- Sealed storage (later)

Background: Late Launch
- Supported by new commodity CPUs: Secure Virtual Machine (SVM) for AMD, Trusted Execution Technology (TXT) for Intel.
- Designed to launch a VMM/secure kernel without a reboot; hardware-based protections ensure launch integrity.
- The SVM SKINIT instruction accepts a memory region, a.k.a. the Secure Loader Block (SLB), as input, and:
  - resets the dynamic PCRs (17-23) to 0
  - disables direct memory access (DMA) and interrupts
  - extends a measurement of the region into PCR 17
  - begins executing at the start of the SLB

Flicker Architecture: Overview
- Core technique: running a Piece of Application Logic (PAL) within an SLB
  - Hardware isolation (DMA and interrupt protection)
  - Attestation covers only the PAL (the dynamic PCRs are reset)
- Extensions:
  - Store state across multiple sessions
  - Establish a secure communication channel with remote parties

Flicker Architecture: Execution Flow
- Step 1: Application writes the PAL and its inputs to the Flicker module
- Step 2: Flicker module initializes the SLB
- Step 3: Save the state of the untrusted OS
- Step 4: Run SKINIT
- Step 5: Execute the PAL, clean up, and extend PCR 17
- Step 6: Resume
[Figure: execution flow diagram with Network, OS and Disk components]
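The PCR 17 chain behind Steps 4 and 5, and the PCR_Extend rule from the TPM background slide, as an added simulation (not code from the Flicker project). It assumes an SLB layout of a 16-bit entry point followed by a 16-bit length, and constructs a throwaway PAL and a hypothetical remote verifier that recomputes the chain from the PAL it expects:

```python
import hashlib
import struct

PCR_LEN = 20          # TPM 1.2 PCRs hold a 160-bit SHA-1 digest
SLB_MAX = 0xFFFF      # largest value the 16-bit length field can hold (~64 KB)


def pcr_extend(pcr: bytes, value: bytes) -> bytes:
    """PCR_Extend as defined on the slide: PCR[N] = SHA-1(PCR[N] || V)."""
    return hashlib.sha1(pcr + value).digest()


def build_slb(entry: int, code: bytes) -> bytes:
    """Assumed SLB layout: 16-bit entry offset, 16-bit total length, then code."""
    length = 4 + len(code)
    if not (0 <= entry < length <= SLB_MAX):
        raise ValueError("entry point or size does not fit a 16-bit SLB header")
    return struct.pack("<HH", entry, length) + code


def skinit_measure(slb: bytes) -> bytes:
    """Simulated SKINIT: PCR 17 is reset to zeros (hardware-only reset),
    then extended with a SHA-1 measurement of the SLB region."""
    entry, length = struct.unpack_from("<HH", slb)
    if length > len(slb) or entry >= length:
        raise ValueError("malformed SLB header")
    pcr17 = bytes(PCR_LEN)
    return pcr_extend(pcr17, hashlib.sha1(slb[:length]).digest())


def pal_session(slb: bytes, inputs: bytes, outputs: bytes) -> bytes:
    """Steps 4-5: SKINIT, then the PAL extends PCR 17 with hashes of its I/O."""
    pcr17 = skinit_measure(slb)
    pcr17 = pcr_extend(pcr17, hashlib.sha1(inputs).digest())
    return pcr_extend(pcr17, hashlib.sha1(outputs).digest())


def verifier_check(quoted_pcr17: bytes, expected_slb: bytes,
                   inputs: bytes, outputs: bytes) -> bool:
    """Remote party: a TPM quote of PCR 17 is accepted only if it equals the
    chain recomputed from the PAL, inputs and outputs the verifier expects."""
    return quoted_pcr17 == pal_session(expected_slb, inputs, outputs)


# Constructed sample data: a 16-byte NOP sled stands in for PAL code.
GOOD_SLB = build_slb(4, b"\x90" * 16)
EVIL_SLB = build_slb(4, b"\x90" * 15 + b"\xcc")   # one byte differs
INPUTS, OUTPUTS = b"nonce-from-verifier", b"rootkit-scan:clean"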

Flicker Architecture: SLB Highlights
- The SLB entry point and size fields are each 16 bits, so the SLB size is limited to 64 KB.
- If the PAL exceeds 64 KB, the entry point of the next SLB must be provided.
- The untrusted OS entry is stored in the GDT.
- The default SLB core includes no support for heaps, memory management, or virtual memory :(

Flicker Extension: Multiple Sessions
- How do we save state between multiple Flicker sessions? TPM sealed storage.
- The TPM can generate an Attestation Identity Key (AIK) pair; the private key is encrypted by its Storage Root Key (SRK).
- The session state is encrypted under the AIK, and the private key is sealed by the TPM.
- Every time a new session begins, the TPM unseals the private key.

Flicker Application: Creating a PAL
- Link the sensitive code against the Flicker library.
- Specify the skeleton of the binary in a linker script (like an .edl file).
- The application interacts with Flicker via the Flicker kernel module; output is available at /proc/flicker/output.

Flicker Application: Modules
- 56.522 KB

Flicker Application: Examples
- Rootkit detector: the administrator runs it periodically on a remote machine that is potentially compromised. Demonstrates a single Flicker session.
- Distributed computing (like the BOINC project): a client runs the task as a PAL, proving to the server that the results are trustworthy. Demonstrates multiple Flicker sessions: control is transferred back to the untrusted OS when the PAL needs to run for a long time.
- SSH password authentication: the SSH server convinces clients of the secrecy of their password. Demonstrates a secure channel using a TPM-sealed key.

Evaluation: Single Session
- The highest overhead comes from the TPM quote.
- SKINIT latency can be improved by reducing the SLB size.

Evaluation: Multiple Sessions
- The baselines are the replication solutions for distributed computing.

Summary
- Pros:
  - Small additional TCB with strong security primitives.
  - Compatible with state-of-the-art hardware.
- Cons:
  - The impact of binary size (>64 KB) on performance overhead is not presented.
  - The flexibility of the PAL is limited, e.g. what about multi-threading?
  - Bad user experience during a Flicker session.
  - The evaluations are less meaningful.