Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Flicker: An Execution Infrastructure for TCB Minimization April 4, 2008 Jonathan McCune 1, Bryan Parno 1, Adrian Perrig 1, Michael Reiter 2, and Hiroshi.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Flicker: An Execution Infrastructure for TCB Minimization April 4, 2008 Jonathan McCune 1, Bryan Parno 1, Adrian Perrig 1, Michael Reiter 2, and Hiroshi."— Presentation transcript:

1 1 Flicker: An Execution Infrastructure for TCB Minimization April 4, 2008 Jonathan McCune 1, Bryan Parno 1, Adrian Perrig 1, Michael Reiter 2, and Hiroshi Isozaki 1,3 1 Carnegie Mellon University 2 University of North Carolina 3 Toshiba Corporation

2 2 CPU, RAM TPM, Chipset CPU, RAM TPM, Chipset Trusted Computing Base (TCB) DMA Devices (Network, Disk, USB, etc.) OS App S S 1 … DMA Devices (Network, Disk, USB, etc.) OS App 1 … S S Shim

3 3 Flicker’s Properties Isolate security-sensitive code execution from all other code and devices Attest to security-sensitive code and its arguments and nothing else Convince a remote party that security- sensitive code was protected Add < 250 LoC to the software TCB Shim S S Software TCB < 250 LoC

4 4 Outline Introduction Background –Trusted Platform Module (TPM) –Late Launch Flicker Architecture and Extensions Flicker Applications Performance Evaluation Related Work and Conclusions

5 5 TPM Background The Trusted Platform Module (TPM) is a dedicated security chip Can provide an attestation to remote parties –Platform Configuration Registers (PCRs) summarize the computer’s software state PCR_Extend(N, V): PCR N = SHA-1(PCR N | V) –TPM provides a signature over PCR values –A subset of dynamic PCRs can be reset without a reboot

6 6 Late Launch Background Supported by new commodity CPUs –SVM for AMD –TXT (formerly LaGrande) for Intel Designed to launch a VMM without a reboot –Hardware-based protections ensure launch integrity New CPU instruction (SKINIT/SENTER) accepts a memory region as input and atomically: –Resets dynamic PCRs –Disables interrupts –Extends a measurement of the region into PCR 17 –Begins executing at the start of the memory region

7 7 Architecture Overview Core technique –Pause current execution environment (untrusted OS) –Execute security-sensitive code with hardware- enforced isolation –Resume previous execution Extensions –Attest only to code execution and protection –Preserve state securely across invocations –Establish secure communication with remote parties

8 8 Execution Flow TPM PCRs: K -1 729 … 000 CPU OS App Shim S S Module RAM OS App Module SKINIT Reset Inputs Outputs Module 0h0 0H00 Shim S S 000

9 9 TPM PCRs: 0 K -1 … TPM PCRs: K -1 … 000 Shim S S Inputs Outputs Attestation

10 10 TPM PCRs: K -1 … 000 Shim S S Inputs Outputs Attestation What code are you running? Shim S S Inputs Outputs Sign (), K -1 Sign ), K -1 … OS App S S 5 App 5 App 4 App 4 App 3 App 3 App 2 App 2 App 1 App 1 ( Versus

11 11 Shim S S S S S S Context Switch with Sealed Storage PCRs: 000 … 000 … Time Shim S S Data OS Shim S S Seal data under combination of code, inputs, outputs Data unavailable to other code Shim S S S S

12 12 Outline Introduction Background Flicker Architecture and Extensions Flicker Applications –Developer’s Perspective –Example Applications Performance Evaluation Related Work and Conclusions

13 13 Developing With Flicker Sensitive code linked against the Flicker library Customized linker script lays out binary Application interacts with Flicker via a Flicker kernel module #include “flicker.h” void flicker_main(void *inputs) { } const char* msg = “Hello, world”; for(int i=0;i<13;i++) OUTPUT[i] = msg[i]; Made available at: /proc/flicker/output

14 14 Default Functionality Shim can execute arbitrary x86 code but provides very limited functionality Fortunately, many security-sensitive functions do not require much –E.g., key generation, encryption/decryption, FFT Functionality can be added to support a particular security-sensitive operation We have partially automated the extraction of support code for security-sensitive code

15 15 Existing Flicker Modules OS Protection Memory protection, ring 3 execution Crypto Crypto ops (RSA, SHA-1, etc.) Memory Alloc. Malloc/free/realloc Secure Channel Secure remote communication TPM Driver Communicate with TPM TPM Utilities Perform TPM ops

16 16 Outline Introduction Background Flicker Architecture and Extensions Flicker Applications –Developer’s Perspective –Example Applications Performance Evaluation Related Work and Conclusions

17 17 Application: Rootkit Detector Hardware OS App 1 App 1 … Shim D D App n App n Run detector OS Administrator can check the integrity of remote hosts –E.g., only allow uncompromised laptops to connect to the corporate VPN

18 18 Application: SSH Passwords Start Gen {K, K -1 } K Encrypt K (passwd) OK! Shim S S K S S K -1 Shim S S K -1 Shim S S Encrypt K (passwd)passwd

19 19 Other Applications Implemented Enhanced Certificate Authority (CA) –Private signing key isolated from entire system Verifiable distributed computing –Verifiably perform a computational task on a remote computer –Ex: SETI@Home, Folding@Home, distcc

20 20 Outline Introduction Background Flicker Architecture and Extensions Flicker Applications Performance Evaluation Related Work and Conclusions

21 21 Generic Context-Switch Overhead Each Flicker context switch requires: –SKINIT –TPM-based protection of application state SKINIT 14 ms Unseal application state905 ms Reseal application state 20 ms Total939 ms Results

22 22 Rootkit Detection Performance SKINIT 14 ms Hash of Kernel 22 ms PCR Extend Result 1 ms TPM Quote973 ms Total1023 ms 37 ms Disruption Non-Disruptive Running detector every 30 seconds has negligible impact on system throughput

23 23 SSH Performance Setup time (217 ms) dominated by key generation (185 ms) Password verification (937 ms) dominated by TPM Unseal (905 ms) Adds < 2 seconds of delay to client login

24 24 Optimizing Flicker’s Performance Non-volatile storage –Access control based on PCRs –Read in 20ms, Write in 200 ms –Store a symmetric key for “sealing” and “unsealing” state Reduces context-switch overhead by an order of magnitude

25 25 Hardware Performance Improvements Late launch cost only incurred when Flicker session launches TPM (Un)Seal only used for long-term storage Multicore systems remain interactive Context switch overheads (common case) resemble VM switches today (~0.5 μs) [ASPLOS 2008]

26 26 Ongoing Work Creating a trusted path to the user Porting implementation to Intel Improving automatic privilege separation

27 27 Related Work Secure coprocessors –Dyad [Yee 1994], IBM 4758 [JiSmiMi 2001] System-wide attestation –Secure Boot [ArFaSm 1997], IMA [SaZhJaDo 2004], Enforcer [MaSmWiStBa 2004] VMM-based isolation –BIND [ShPeDo2005], AppCores [SiPuHaHe 2006], Proxos [TaLiLi 2006] “Traditional” uses of late launch –Trustworthy Kiosks [GaCáBeSaDoZh 2006], OSLO [Kauer 2007],

28 28 Conclusions Flicker greatly reduces an application’s TCB Isolate security-sensitive code execution Provide fine-grained attestations Allow application writers to focus on the security of their own code

29 29 Thank you! parno@cmu.edu

Download ppt "1 Flicker: An Execution Infrastructure for TCB Minimization April 4, 2008 Jonathan McCune 1, Bryan Parno 1, Adrian Perrig 1, Michael Reiter 2, and Hiroshi."

Similar presentations

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
Content Overview Virtual Disk Port to Intel platform

Content Overview Virtual Disk Port to Intel platform
Trusted Platform Module

Trusted Platform Module
Cobalt: Separating content distribution from authorization in distributed file systems Kaushik Veeraraghavan Andrew Myrick Jason Flinn University of Michigan.

Cobalt: Separating content distribution from authorization in distributed file systems Kaushik Veeraraghavan Andrew Myrick Jason Flinn University of Michigan.
1 Flicker: Minimal TCB Code Execution Jonathan M. McCune Carnegie Mellon University March 27, 2008 Bryan Parno, Arvind Seshadri Adrian Perrig, Michael.

1 Flicker: Minimal TCB Code Execution Jonathan M. McCune Carnegie Mellon University March 27, 2008 Bryan Parno, Arvind Seshadri Adrian Perrig, Michael.
Vpn-info.com.

Vpn-info.com.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
BIND: A F INE - GRAINED ATTESTATION S ERVICE FOR S ECURE D ISTRIBUTED S YSTEMS Presented by: Maryam Alipour-Aghdam University of Guelph.

BIND: A F INE - GRAINED ATTESTATION S ERVICE FOR S ECURE D ISTRIBUTED S YSTEMS Presented by: Maryam Alipour-Aghdam University of Guelph.
Hardware Cryptographic Coprocessor Peter R. Wihl Security in Software.

Hardware Cryptographic Coprocessor Peter R. Wihl Security in Software.
Dancing with Giants: Wimpy Kernels for On-demand Isolated I/O Presenter: Probir Roy Computer Science Department College of William & Mary.

Dancing with Giants: Wimpy Kernels for On-demand Isolated I/O Presenter: Probir Roy Computer Science Department College of William & Mary.
1 Privacy Enhancing Technologies Elaine Shi Lecture 5 Trusted Computing.

1 Privacy Enhancing Technologies Elaine Shi Lecture 5 Trusted Computing.
Accountability in Hosted Virtual Networks Eric Keller, Ruby B. Lee, Jennifer Rexford Princeton University VISA 2009.

Accountability in Hosted Virtual Networks Eric Keller, Ruby B. Lee, Jennifer Rexford Princeton University VISA 2009.
 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.

 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.
Computer Science HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang North Carolina.

Computer Science HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang North Carolina.
Preventing Theft of Quality of Service on Open Platforms Kwang-Hyun Baek and Sean W. Smith Department of Computer Science Dartmouth College

Preventing Theft of Quality of Service on Open Platforms Kwang-Hyun Baek and Sean W. Smith Department of Computer Science Dartmouth College
1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.

1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.
1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.

1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Using Secure Coprocessors to Protect Access to Enterprise Networks Dr. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh

Using Secure Coprocessors to Protect Access to Enterprise Networks Dr. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh

Similar presentations

Ads by Google