1 How Low Can You Go? Recommendations for Hardware- Supported Minimal TCB Code Execution Bryan Parno Arvind Seshadri Adrian Perrig Carnegie Mellon University.

Slides:

Advertisements

Similar presentations

Remus: High Availability via Asynchronous Virtual Machine Replication

Advertisements

P3- Represent how data flows around a computer system

1 Flicker: Minimal TCB Code Execution Jonathan M. McCune Carnegie Mellon University March 27, 2008 Bryan Parno, Arvind Seshadri Adrian Perrig, Michael.

CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,

Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.

Dancing with Giants: Wimpy Kernels for On-demand Isolated I/O Presenter: Probir Roy Computer Science Department College of William & Mary.

1 Privacy Enhancing Technologies Elaine Shi Lecture 5 Trusted Computing.

CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Supporting Parallel Applications on Clusters of Workstations: The Intelligent Network Interface Approach.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.

1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.

Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.

Extensibility, Safety and Performance in the SPIN Operating System Department of Computer Science and Engineering, University of Washington Brian N. Bershad,

Disco: Running Commodity Operating Systems on Scalable Multiprocessors Bugnion et al. Presented by: Ahmed Wafa.

Figure 2.8 Compiler phases Compiling. Figure 2.9 Object module Linking.

INTRODUCTION OS/2 was initially designed to extend the capabilities of DOS by IBM and Microsoft Corporations. To create a single industry-standard operating.

OS Spring’03 Introduction Operating Systems Spring 2003.

1 Flicker: An Execution Infrastructure for TCB Minimization April 4, 2008 Jonathan McCune 1, Bryan Parno 1, Adrian Perrig 1, Michael Reiter 2, and Hiroshi.

1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.

TrustVisor: Efficient TCB Reduction and Attestation Jonathan M

1 Operating Systems Ch An Overview. Architecture of Computer Hardware and Systems Software Irv Englander, John Wiley, Bare Bones Computer.

1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.

Week 6 Operating Systems.

Computer Organization Review and OS Introduction CS550 Operating Systems.

Security in the industry H/W & S/W What is AMD’s ”enhanced virus protection” all about? What’s coming next? Presented by: Micha Moffie.

Chapter 3 Operating Systems Introduction to CS 1 st Semester, 2015 Sanghyun Park.

Zen and the Art of Virtualization Paul Barham, et al. University of Cambridge, Microsoft Research Cambridge Published by ACM SOSP’03 Presented by Tina.

Bootstrapping Trust in Commodity Computers Bryan Parno, Jonathan McCune, Adrian Perrig 1 Carnegie Mellon University.

Jakub Szefer, Eric Keller, Ruby B. Lee Jennifer Rexford Princeton University CCS October, 2011 報告人：張逸文.

1 Fault Tolerance in the Nonstop Cyclone System By Scott Chan Robert Jardine Presented by Phuc Nguyen.

Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.

Architecture for Protecting Critical Secrets in Microprocessors Ruby Lee Peter Kwan Patrick McGregor Jeffrey Dwoskin Zhenghong Wang Princeton Architecture.

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Composition and Evolution of Operating Systems Introduction to Operating Systems: Module 2.

TrustOTP: Smartphone as One-Time Password Token

An approach to on the fly activation and deactivation of virtualization-based security systems Denis Efremov Pavel Iakovenko

Chapter 1: Introduction. 1.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 1: Introduction What Operating Systems Do Computer-System.

Lecture 3 Process Concepts. What is a Process? A process is the dynamic execution context of an executing program. Several processes may run concurrently,

The IBM VM CS450/550 Section 2 Stephen Kam. IBM VM - Origins Originally an experimental OS called “CP-67” Designed to run on the IBM System/360 Model.

 Virtual machine systems: simulators for multiple copies of a machine on itself.  Virtual machine (VM): the simulated machine.  Virtual machine monitor.

Operating Systems Lesson Objective: Understanding the functions of an operating system. Learning Outcome: Answer some basic questions on operating systems.

Trusted Computing and the Trusted Platform Module Bruce Maggs (with some slides from Bryan Parno)

GPUs: Overview of Architecture and Programming Options Lee Barford firstname dot lastname at gmail dot com.

Introduction to Operating Systems and Concurrency.

Trusted Computing and the Trusted Platform Module Bruce Maggs (with some slides from Bryan Parno)

THAWAN KOOBURAT MICHAEL SWIFT UNIVERSITY OF WISCONSIN - MADISON 1 The Best of Both Worlds with On-Demand Virtualization.

Lecture on Central Process Unit (CPU)

Cloud Computing Lecture 5-6 Muhammad Ahmad Jan.

Frederick P. Brooks, Jr. Kenan Professor & Department Founder.

Operating Systems. Categories of Software System Software –Operating Systems (OS) –Language Translators –Utility Programs Application Software.

1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.

Embedded Real-Time Systems

INTRODUCTION TO COMPUTERS. A computer system is an electronic device used to input data, process data, store data for later use and produce output in.

Virtualization.

Modularity Most useful abstractions an OS wants to offer can’t be directly realized by hardware Modularity is one technique the OS uses to provide better.

Trusted Computing and the Trusted Platform Module

Processes and threads.

Network Operating Systems (NOS)

Architecture Background

1. 2 VIRTUAL MACHINES By: Satya Prasanna Mallick Reg.No

OS Virtualization.

Bastion secure processor architecture

User-mode Secret Protection (SP) architecture

Hi, Everyone! Chunyi Peng

Hi, Everyone! Chunyi Peng

The Design & Implementation of Hyperupcalls

Operating System Introduction.

SCONE: Secure Linux Containers Environments with Intel SGX

Necessary Background for OS

Presentation transcript:

1 How Low Can You Go? Recommendations for Hardware- Supported Minimal TCB Code Execution Bryan Parno Arvind Seshadri Adrian Perrig Carnegie Mellon University March 3, 2008 Michael K. Reiter University of North Carolina Jonathan M. McCune

2 The Flicker Project Hardware Recommen- dations [ASPLOS ’08] Flicker Execution Architecture [EuroSys ’08] Extended Abstract [IEEE S&P ’07] Goals –Minimize Trusted Computing Base –Do not trust OS –Commodity hardware This talk –Performance today –Recommendations for tomorrow

3 Today, TCB for sensitive code S: Includes App Includes OS Includes other Apps Includes hardware With Flicker, S’s TCB: Includes Shim Includes some hardware CPU, RAM TPM, Chipset TCB Reduction with Flicker DMA Devices (Network, Disk, USB, etc.) OS App 1 … App S S Shim

4 Basic Flicker Architecture 1.Pause current execution environment (legacy OS) 2.Execute security-sensitive code using late launch 3.Preserve session-state with TPM sealed storage 4.Resume previous environment Not the intended use of late launch, sealed storage Intended use is an infrequent, disruptive event –Use to replace lowest-level system software –All but one CPU must be halted for late launch Our use resembles a context switch –Setup protected execution environment for sensitive app –Late launch and TPM sealed storage on the critical path

5 Flicker Execution Flow TPM PCRs: K … 000 CPU OS App Shim S S Module RAM OS App Module SKINIT Reset Module Shim S S 000

6 S S S S S S Context Switch with Sealed Storage PCRs: 000 … 000 … Time Shim S S Data OS Shim S S Seal data under combination of code, inputs, outputs Data unavailable to other code Shim S S S S

7 Outline Background on Flicker architecture Performance of Flicker today Recommendations for tomorrow

8 TPM-related Performance During every Flicker context switch –Application state protection while OS runs

9 TPM Microbenchmarks Significant variation by TPM model

10 Breakdown of Late Launch Overhead After ~4KB, code can measure itself

11 Late Launch Performance Late launch requires APs to stop execution –More cores = more expensive CPU Memory Controller TPM CPU Memory Controller CPU Memory Controller CPU Memory Controller CPU Memory Controller Other CPUs I/O Devices TPM RAM … STOP

12 Outline Background on Flicker architecture Performance of Flicker today Recommendations for tomorrow

13 Overheads and Recommendations O1 Late launch and TPM sealed storage overhead on every context switch R1 Secure context switch between sensitive applications without TPM O2 Other cores must halt to enable late launch R2 Secure execution on multiple CPUs concurrently O3 TPM equipped to store measurements from only one late launch R3 TPM support for concurrent Flicker sessions

14 New States for Memory Pages CPU i None All Launch Suspend Resume Exit Sensitive Application Sensitive Application Avoid TPM for short-term data protection Memory Controller already supports DMA protection vector Memory

15 Concurrent Flicker Sessions Other CPUs continue to perform useful work Memory Controllers isolate secure state CPU Memory Controller CPU Memory Controller Other CPUs I/O Devices TPM RAM

16 Add Secure Execution PCRs to TPM TPM Each SE PCR holds state for one Flicker session Bounds number of concurrent Flicker sessions Static PCRs Dynamic PCRs Secure Execution PCRs

17 Anticipated Improvement Late launch cost only incurred when Flicker session launches TPM (Un)Seal only used for long-term storage Multicore systems remain interactive Context switch overheads (common case) resemble VM switches today

18 Related Work Secure coprocessors –Dyad [Yee 1994] –IBM 4758 [Dyer et al. 2001] VMM-based isolation –BIND [Shi, Perrig, van Doorn 2005] –AppCores [Singaravelu et al. 2006] –Trustworthy Kiosks [Garriss et al. 2006] –Proxos [Ta-Min, Litty, Lie 2006] –Overshadow [Chen et al. 2008]

19 Conclusions TCB for applications can be greatly reduced Recommendations to enhance performance –State protection during context switch –Flicker sessions on multiple CPUs –TPM support for concurrent Flicker sessions

20 Thank you!