Presentation is loading. Please wait.

Presentation is loading. Please wait.

TrustVisor: Efficient TCB Reduction and Attestation Jonathan M

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "TrustVisor: Efficient TCB Reduction and Attestation Jonathan M"— Presentation transcript:

1 TrustVisor: Efficient TCB Reduction and Attestation Jonathan M
TrustVisor: Efficient TCB Reduction and Attestation Jonathan M. McCune, Yanlin Li, Ning Qu, Zongwei Zhou, Anupam Datta, Virgil Gligor, Adrian Perrig May 17, 2010

2 Motivating Example Conscientious web server admin / dev
Wants to protect most critical data SSL private key, password file, ACL, … Evaluates low-cost options Her best efforts rest on a house of cards…

3 Challenge: Reducing the Trusted Computing Base
Hardware OS App App 1 S Device Driver 1 2 Kernel Module l m Today’s OSes have too much power Total access to application data App may require little OS support Self-contained computation ‘S’ Trusted computing base for S includes majority of: OS, drivers, and privileged applications!!! OS Kernel (ring 0) App (ring 3)

4 What is S? Self-contained code in an application
Data secrecy and integrity requirements General-purpose computing Some examples Manages a private key for web server or CA Manages Access Control List (ACL) Is a compute client in distributed setting Is similar to a Flicker session [McPaPeReIs2008]

5 Outline Motivation (done) High-Level Overview Detailed Description
Prototype: Apache + SSL Limitations Summary & Conclusions

6 Meet TrustVisor Tiny hypervisor for isolation of code S
No scheduling or Inter-Process Communication Efficient transitions between OS and S External verification of Output = S(Input) Protected storage for S OS white HW App TrustVisor S Untrusted Trusted Attestable V

7 External Verification: Attestation
What code are you running? Verifier Target TrustVisor S Inputs Outputs Sign ( ) , K-1 KTPM, K-1 Trust in attestation rooted in hardware TPM (Trusted Platform Module) SSL-enabled web server scenario: Client can evaluate server before sending data Enables more meaningful SSL server validation

8 … OS Protected Storage Initially, S is “red” (untrusted)
App can register S  “blue” (attestable) TV enables “blue” code to protect data… Access-controlled by identity of S (hash) Enabled by TPM-like Sealed Storage “Micro-TPM” in software App 1 App n S OS TrustVisor S μTPM

9 Alternative Approaches
TrustVisor runtime TCB in lines of code: ~6500 C/ASM + ~2800 Headers Hypervisor + crypto Metric Approach TCB Size (LoC) Protection granularity Performance Monolithic kernel millions best Virtualization VM good Virtual TPM (vTPM) consistent code Overshadow etc. process Security / μ kernel ~100K moderate Flicker <1K fine poor TrustVisor <10K white white white white white white white

10 Outline Motivation (done) High-Level Overview (done)
Detailed Description Prototype: Apache + SSL Limitations Summary & Conclusions

11 TrustVisor  OS Architecture
Virtualizes RAM, CPU Restricts DMA Restricts TPM to Locality 1 App 1 App n OS Device Drivers White TrustVisor TPM Driver Locality 1 Locality 2 DMA Devices (Network, Disk, USB, etc.) Hardware TPM CPU, RAM Chipset

12 TrustVisor  S Architecture
App 1 App n TrustVisor API Registration Invocation Micro-TPM S OS TrustVisor S μTPM S State DMA Devices (Network, Disk, USB, etc.) TPM CPU, RAM Chipset

13 Identifying S to TrustVisor
Applications identify S via registration Page-level protection granularity Applications make “normal” function calls TrustVisor detects switch to S via traps S runs with no access to legacy OS One set of Inputs and Outputs per invocation

14 Sensitive Code Timeline
Multiple invocations during a single registration cycle Invoke S: SSL Session Init S Complete: Session active Invoke S: SSL Session Init S Complete: Session active Initialize TrustVisor Application Starts Application Exits Unregister S Register S S’s Runtime State Protected

15 Micro-TPM Design Small subset of hardware TPM operations for:
Protected Storage + External Verification TPMs are optimized for cost, not speed TrustVisor implements critical-path TPM operations in software on main CPU Extend, Seal, Unseal, Quote, GetRand Reduces latency by orders of magnitude Trust in Micro-TPM still rooted in hardware TPM Infrequent TPM operations do not require virtualization

16 Outline Motivation (done) High-Level Overview (done)
Detailed Description (done) Prototype: Apache + SSL Limitations Summary & Conclusions

17 Example App: Apache + SSL
Goal: Protect long-term private key KSSL-1 Cert revocation is abysmal in practice Desired properties Malware, malicious admin unable to learn KSSL-1 Externally verifiable configuration Two sensitive code modules (S) S1: Generate and seal the long-term key (rare) S2: Unseal and use the key during SSL session establishment (frequent)

18 Apache + SSL Performance
‘ab’ with 10,000 txns / trial, avg 10 trials Memory Virt. Context Switching Normalized to Vanilla Linux (higher is better) 200 Concurrent Transactions

19 Outline Motivation (done) High-Level Overview (done)
Detailed Description (done) Prototype: Apache + SSL (done) Limitations Summary & Conclusions

20 Limitations Design-level Prototype-level
Does not currently provide trusted path to user Requires application awareness Prototype-level No SMP support (currently single CPU) Only protects KSSL-1 Executable code for S must be proactively paged into memory before registration AMD-only

21 Summary & Conclusions Tiny hypervisor to support isolation
Externally verifiable via attestation Frequent TPM operations in software Compelling performance argument Requires no OS changes Conclusions Interesting point in the design space Foundation for future trustworthy systems

22 Q & A Thank you!

Download ppt "TrustVisor: Efficient TCB Reduction and Attestation Jonathan M"

Similar presentations

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
Content Overview Virtual Disk Port to Intel platform

Content Overview Virtual Disk Port to Intel platform
Ian Pratt SVP, Products Bromium Inc.

Ian Pratt SVP, Products Bromium Inc.
Cobalt: Separating content distribution from authorization in distributed file systems Kaushik Veeraraghavan Andrew Myrick Jason Flinn University of Michigan.

Cobalt: Separating content distribution from authorization in distributed file systems Kaushik Veeraraghavan Andrew Myrick Jason Flinn University of Michigan.
Vpn-info.com.

Vpn-info.com.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.

Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.
Dancing with Giants: Wimpy Kernels for On-demand Isolated I/O Presenter: Probir Roy Computer Science Department College of William & Mary.

Dancing with Giants: Wimpy Kernels for On-demand Isolated I/O Presenter: Probir Roy Computer Science Department College of William & Mary.
1 Privacy Enhancing Technologies Elaine Shi Lecture 5 Trusted Computing.

1 Privacy Enhancing Technologies Elaine Shi Lecture 5 Trusted Computing.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
Computer Science HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang North Carolina.

Computer Science HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang North Carolina.
1 OS Structure, Processes & Process Management. 2 Recap OS functions  Coordinator  Protection  Communication  Resource management  Service provider.

1 OS Structure, Processes & Process Management. 2 Recap OS functions  Coordinator  Protection  Communication  Resource management  Service provider.
1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.

1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.
1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.

1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.
Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.

Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.
Sony White House Anthem Lockheed Aramco Bushehr nuclear reactor NSA Hacked Facebook Hacked Apple,Google,Microsoft,

Sony White House Anthem Lockheed Aramco Bushehr nuclear reactor NSA Hacked Facebook Hacked Apple,Google,Microsoft,
1 How Low Can You Go? Recommendations for Hardware- Supported Minimal TCB Code Execution Bryan Parno Arvind Seshadri Adrian Perrig Carnegie Mellon University.

1 How Low Can You Go? Recommendations for Hardware- Supported Minimal TCB Code Execution Bryan Parno Arvind Seshadri Adrian Perrig Carnegie Mellon University.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.
Embedded Real-time Systems The Linux kernel. The Operating System Kernel Resident in memory, privileged mode System calls offer general purpose services.

Embedded Real-time Systems The Linux kernel. The Operating System Kernel Resident in memory, privileged mode System calls offer general purpose services.
1 Flicker: An Execution Infrastructure for TCB Minimization April 4, 2008 Jonathan McCune 1, Bryan Parno 1, Adrian Perrig 1, Michael Reiter 2, and Hiroshi.

1 Flicker: An Execution Infrastructure for TCB Minimization April 4, 2008 Jonathan McCune 1, Bryan Parno 1, Adrian Perrig 1, Michael Reiter 2, and Hiroshi.

Similar presentations

Ads by Google