1 Flicker: An Execution Infrastructure for TCB Minimization April 4, 2008 Jonathan McCune 1, Bryan Parno 1, Adrian Perrig 1, Michael Reiter 2, and Hiroshi.

Slides:

Advertisements

Similar presentations

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Advertisements

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Content Overview Virtual Disk Port to Intel platform

Trusted Platform Module

Cobalt: Separating content distribution from authorization in distributed file systems Kaushik Veeraraghavan Andrew Myrick Jason Flinn University of Michigan.

1 Flicker: Minimal TCB Code Execution Jonathan M. McCune Carnegie Mellon University March 27, 2008 Bryan Parno, Arvind Seshadri Adrian Perrig, Michael.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

BIND: A F INE - GRAINED ATTESTATION S ERVICE FOR S ECURE D ISTRIBUTED S YSTEMS Presented by: Maryam Alipour-Aghdam University of Guelph.

Hardware Cryptographic Coprocessor Peter R. Wihl Security in Software.

Dancing with Giants: Wimpy Kernels for On-demand Isolated I/O Presenter: Probir Roy Computer Science Department College of William & Mary.

1 Privacy Enhancing Technologies Elaine Shi Lecture 5 Trusted Computing.

Accountability in Hosted Virtual Networks Eric Keller, Ruby B. Lee, Jennifer Rexford Princeton University VISA 2009.

 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.

Computer Science HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang North Carolina.

Preventing Theft of Quality of Service on Open Platforms Kwang-Hyun Baek and Sean W. Smith Department of Computer Science Dartmouth College

1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.

1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

Using Secure Coprocessors to Protect Access to Enterprise Networks Dr. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh

Enforcement of Security Policy Compliance in Virtual Private Networks Prof. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh

Trusted Disk Loading in the Emulab Network Testbed Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci 1.

Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.

1 How Low Can You Go? Recommendations for Hardware- Supported Minimal TCB Code Execution Bryan Parno Arvind Seshadri Adrian Perrig Carnegie Mellon University.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Figure 1.1 Interaction between applications and the operating system.

outline Purpose Design Implementation Market Conclusion presentation Outline.

TrustVisor: Efficient TCB Reduction and Attestation Jonathan M

Towards Application Security On Untrusted OS

Bootstrapping Trust in Commodity Computers Bryan Parno, Jonathan McCune, Adrian Perrig 1 Carnegie Mellon University.

© Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. Trusted Computing Yaron Sheffer Manager, Standards.

Trusted Computing BY: Sam Ranjbari Billy J. Garcia.

Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Extending user controlled security domain.

Bob Gilber, Richard Kemmerer, Christopher Kruegel, Giovanni Vigna University of California, Santa Barbara RAID 2011,9 報告者：張逸文 1.

Architecture for Protecting Critical Secrets in Microprocessors Ruby Lee Peter Kwan Patrick McGregor Jeffrey Dwoskin Zhenghong Wang Princeton Architecture.

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

1 Configurable Security for Scavenged Storage Systems NetSysLab The University of British Columbia Abdullah Gharaibeh with: Samer Al-Kiswany, Matei Ripeanu.

An approach to on the fly activation and deactivation of virtualization-based security systems Denis Efremov Pavel Iakovenko

Trusted Computing Or How I Learned to Stop Worrying and Love the MPAA.

Cosc 4765 Trusted Platform Module. What is TPM The TPM hardware along with its supporting software and firmware provides the platform root of trust. –It.

出處 :2010 2nd International Conference on Signal Processing Systems (ICSPS) 作者 :Zhidong Shen 、 Qiang Tong 演講者 : 碩研資管一甲吳俊逸.

11 World-Leading Research with Real-World Impact! ZeroVM Backgroud Prosunjit Biswas Institute for Cyber Security University of Texas at San Antonio April.

Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.

 Virtual machine systems: simulators for multiple copies of a machine on itself.  Virtual machine (VM): the simulated machine.  Virtual machine monitor.

Reducing Trust Domain with TXT Daniel De Graaf. TXT overview Original TPM – Static Root of Trust – BIOS, all boot ROMs, bootloader, hypervisor, OS TPM.

An Introduction to Trusted Platform Technology Siani Pearson Hewlett Packard Laboratories, UK

Trusted Computing and the Trusted Platform Module Bruce Maggs (with some slides from Bryan Parno)

Trusted Computing and the Trusted Platform Module Bruce Maggs (with some slides from Bryan Parno)

Frederick P. Brooks, Jr. Kenan Professor & Department Founder.

1 Information Security – Theory vs. Reality , Winter Lecture 12: Trusted computing architecture (cont.), Eran Tromer Slides credit:

Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).

Introduction to Performance Tuning Chia-heng Tu PAS Lab Summer Workshop 2009 June 30,

Trusted Component Deployment Trusted Components Bernd Schoeller January 30 th, 2006.

Computer Security module October 2008 Mark D. Ryan HP Labs, Bristol University of Birmingham Trusted Platform Module (TPM) introduction.

Computer Security module October 2009 Mark D. Ryan University of Birmingham Trusted Platform Module (TPM) introduction.

Trusted Computing and the Trusted Platform Module

EnGarde: Mutually Trusted Inspection of SGX Enclaves

Trusted Computing and the Trusted Platform Module

Outline What does the OS protect? Authentication for operating systems

Outline What does the OS protect? Authentication for operating systems

User-mode Secret Protection (SP) architecture

Sai Krishna Deepak Maram, CS 6410

SCONE: Secure Linux Containers Environments with Intel SGX

Shielding applications from an untrusted cloud with Haven

Bruce Maggs (with some slides from Bryan Parno)

Bruce Maggs (with some slides from Bryan Parno)

Presentation transcript:

1 Flicker: An Execution Infrastructure for TCB Minimization April 4, 2008 Jonathan McCune 1, Bryan Parno 1, Adrian Perrig 1, Michael Reiter 2, and Hiroshi Isozaki 1,3 1 Carnegie Mellon University 2 University of North Carolina 3 Toshiba Corporation

2 CPU, RAM TPM, Chipset CPU, RAM TPM, Chipset Trusted Computing Base (TCB) DMA Devices (Network, Disk, USB, etc.) OS App S S 1 … DMA Devices (Network, Disk, USB, etc.) OS App 1 … S S Shim

3 Flicker’s Properties Isolate security-sensitive code execution from all other code and devices Attest to security-sensitive code and its arguments and nothing else Convince a remote party that security- sensitive code was protected Add < 250 LoC to the software TCB Shim S S Software TCB < 250 LoC

4 Outline Introduction Background –Trusted Platform Module (TPM) –Late Launch Flicker Architecture and Extensions Flicker Applications Performance Evaluation Related Work and Conclusions

5 TPM Background The Trusted Platform Module (TPM) is a dedicated security chip Can provide an attestation to remote parties –Platform Configuration Registers (PCRs) summarize the computer’s software state PCR_Extend(N, V): PCR N = SHA-1(PCR N | V) –TPM provides a signature over PCR values –A subset of dynamic PCRs can be reset without a reboot

6 Late Launch Background Supported by new commodity CPUs –SVM for AMD –TXT (formerly LaGrande) for Intel Designed to launch a VMM without a reboot –Hardware-based protections ensure launch integrity New CPU instruction (SKINIT/SENTER) accepts a memory region as input and atomically: –Resets dynamic PCRs –Disables interrupts –Extends a measurement of the region into PCR 17 –Begins executing at the start of the memory region

7 Architecture Overview Core technique –Pause current execution environment (untrusted OS) –Execute security-sensitive code with hardware- enforced isolation –Resume previous execution Extensions –Attest only to code execution and protection –Preserve state securely across invocations –Establish secure communication with remote parties

8 Execution Flow TPM PCRs: K … 000 CPU OS App Shim S S Module RAM OS App Module SKINIT Reset Inputs Outputs Module 0h0 0H00 Shim S S 000

9 TPM PCRs: 0 K -1 … TPM PCRs: K -1 … 000 Shim S S Inputs Outputs Attestation

10 TPM PCRs: K -1 … 000 Shim S S Inputs Outputs Attestation What code are you running? Shim S S Inputs Outputs Sign (), K -1 Sign ), K -1 … OS App S S 5 App 5 App 4 App 4 App 3 App 3 App 2 App 2 App 1 App 1 ( Versus

11 Shim S S S S S S Context Switch with Sealed Storage PCRs: 000 … 000 … Time Shim S S Data OS Shim S S Seal data under combination of code, inputs, outputs Data unavailable to other code Shim S S S S

12 Outline Introduction Background Flicker Architecture and Extensions Flicker Applications –Developer’s Perspective –Example Applications Performance Evaluation Related Work and Conclusions

13 Developing With Flicker Sensitive code linked against the Flicker library Customized linker script lays out binary Application interacts with Flicker via a Flicker kernel module #include “flicker.h” void flicker_main(void *inputs) { } const char* msg = “Hello, world”; for(int i=0;i<13;i++) OUTPUT[i] = msg[i]; Made available at: /proc/flicker/output

14 Default Functionality Shim can execute arbitrary x86 code but provides very limited functionality Fortunately, many security-sensitive functions do not require much –E.g., key generation, encryption/decryption, FFT Functionality can be added to support a particular security-sensitive operation We have partially automated the extraction of support code for security-sensitive code

15 Existing Flicker Modules OS Protection Memory protection, ring 3 execution Crypto Crypto ops (RSA, SHA-1, etc.) Memory Alloc. Malloc/free/realloc Secure Channel Secure remote communication TPM Driver Communicate with TPM TPM Utilities Perform TPM ops

16 Outline Introduction Background Flicker Architecture and Extensions Flicker Applications –Developer’s Perspective –Example Applications Performance Evaluation Related Work and Conclusions

17 Application: Rootkit Detector Hardware OS App 1 App 1 … Shim D D App n App n Run detector OS Administrator can check the integrity of remote hosts –E.g., only allow uncompromised laptops to connect to the corporate VPN

18 Application: SSH Passwords Start Gen {K, K -1 } K Encrypt K (passwd) OK! Shim S S K S S K -1 Shim S S K -1 Shim S S Encrypt K (passwd)passwd

19 Other Applications Implemented Enhanced Certificate Authority (CA) –Private signing key isolated from entire system Verifiable distributed computing –Verifiably perform a computational task on a remote computer –Ex: distcc

20 Outline Introduction Background Flicker Architecture and Extensions Flicker Applications Performance Evaluation Related Work and Conclusions

21 Generic Context-Switch Overhead Each Flicker context switch requires: –SKINIT –TPM-based protection of application state SKINIT 14 ms Unseal application state905 ms Reseal application state 20 ms Total939 ms Results

22 Rootkit Detection Performance SKINIT 14 ms Hash of Kernel 22 ms PCR Extend Result 1 ms TPM Quote973 ms Total1023 ms 37 ms Disruption Non-Disruptive Running detector every 30 seconds has negligible impact on system throughput

23 SSH Performance Setup time (217 ms) dominated by key generation (185 ms) Password verification (937 ms) dominated by TPM Unseal (905 ms) Adds < 2 seconds of delay to client login

24 Optimizing Flicker’s Performance Non-volatile storage –Access control based on PCRs –Read in 20ms, Write in 200 ms –Store a symmetric key for “sealing” and “unsealing” state Reduces context-switch overhead by an order of magnitude

25 Hardware Performance Improvements Late launch cost only incurred when Flicker session launches TPM (Un)Seal only used for long-term storage Multicore systems remain interactive Context switch overheads (common case) resemble VM switches today (~0.5 μs) [ASPLOS 2008]

26 Ongoing Work Creating a trusted path to the user Porting implementation to Intel Improving automatic privilege separation

27 Related Work Secure coprocessors –Dyad [Yee 1994], IBM 4758 [JiSmiMi 2001] System-wide attestation –Secure Boot [ArFaSm 1997], IMA [SaZhJaDo 2004], Enforcer [MaSmWiStBa 2004] VMM-based isolation –BIND [ShPeDo2005], AppCores [SiPuHaHe 2006], Proxos [TaLiLi 2006] “Traditional” uses of late launch –Trustworthy Kiosks [GaCáBeSaDoZh 2006], OSLO [Kauer 2007],

28 Conclusions Flicker greatly reduces an application’s TCB Isolate security-sensitive code execution Provide fine-grained attestations Allow application writers to focus on the security of their own code

29 Thank you!