Results 1 - 10
of
26
Shielding applications from an untrusted cloud with haven.
- In OSDI,
, 2014
"... Abstract Today's cloud computing infrastructure requires substantial trust. Cloud users rely on both the provider's staff and its globally-distributed software/hardware platform not to expose any of their private data. We introduce the notion of shielded execution, which protects the conf ..."
Abstract
-
Cited by 14 (3 self)
- Add to MetaCart
(Show Context)
Abstract Today's cloud computing infrastructure requires substantial trust. Cloud users rely on both the provider's staff and its globally-distributed software/hardware platform not to expose any of their private data. We introduce the notion of shielded execution, which protects the confidentiality and integrity of a program and its data from the platform on which it runs (i.e., the cloud operator's OS, VM and firmware). Our prototype, Haven, is the first system to achieve shielded execution of unmodified legacy applications, including SQL Server and Apache, on a commodity OS (Windows) and commodity hardware. Haven leverages the hardware protection of Intel SGX to defend against privileged code and physical attacks such as memory probes, but also addresses the dual challenges of executing unmodified legacy binaries and protecting them from a malicious host. This work motivated recent changes in the SGX specification.
Virtual ghost: Protecting applications from hostile operating systems
- In Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS
, 2014
"... Applications that process sensitive data can be carefully de-signed and validated to be difficult to attack, but they are usually run on monolithic, commodity operating systems, which may be less secure. An OS compromise gives the attacker complete access to all of an application’s data, re-gardless ..."
Abstract
-
Cited by 12 (2 self)
- Add to MetaCart
(Show Context)
Applications that process sensitive data can be carefully de-signed and validated to be difficult to attack, but they are usually run on monolithic, commodity operating systems, which may be less secure. An OS compromise gives the attacker complete access to all of an application’s data, re-gardless of how well the application is built. We propose a new system, Virtual Ghost, that protects applications from a compromised or even hostile OS. Virtual Ghost is the first system to do so by combining compiler instrumentation and run-time checks on operating system code, which it uses to create ghost memory that the operating system cannot read or write. Virtual Ghost interposes a thin hardware abstrac-tion layer between the kernel and the hardware that provides a set of operations that the kernel must use to manipulate
Using ARM TrustZone to Build a Trusted Language Runtime for Mobile Applications
"... This paper presents the design, implementation, and evaluation of the Trusted Language Runtime (TLR), a system that protects the confidentiality and integrity of.NET mobile applications from OS security breaches. TLR enables separating an application’s security-sensitive logic from the rest of the a ..."
Abstract
-
Cited by 7 (1 self)
- Add to MetaCart
(Show Context)
This paper presents the design, implementation, and evaluation of the Trusted Language Runtime (TLR), a system that protects the confidentiality and integrity of.NET mobile applications from OS security breaches. TLR enables separating an application’s security-sensitive logic from the rest of the application, and isolates it from the OS and other apps. TLR provides runtime support for the secure component based on a.NET implementation for embedded devices. TLR reduces the TCB of an open source.NET implementation by a factor of78 with a tolerable performance cost. The main benefit of the TLR is to bring the developer benefits of managed code to trusted computing. With the TLR, developers can build their trusted components with the productivity benefits of modern high-level languages, such as strong typing and garbage collection.
Automatic verification of TLA+ proof obligations with SMT solvers
- PROCEEDINGS LPAR-18, LNCS, MÉRIDA
, 2012
"... ..."
cTPM: A Cloud TPM for Cross-Device Trusted Applications
"... suited for cross-device scenarios in trusted mobile ap-plications because they hinder the seamless sharing of data across multiple devices. This paper presents cTPM, an extension of the TPM’s design that adds an addi-tional root key to the TPM and shares that root key with the cloud. As a result, th ..."
Abstract
-
Cited by 5 (2 self)
- Add to MetaCart
(Show Context)
suited for cross-device scenarios in trusted mobile ap-plications because they hinder the seamless sharing of data across multiple devices. This paper presents cTPM, an extension of the TPM’s design that adds an addi-tional root key to the TPM and shares that root key with the cloud. As a result, the cloud can create and share TPM-protected keys and data across multiple devices owned by one user. Further, the additional key lets the cTPM allocate cloud-backed remote storage so that each TPM can benefit from a trusted real-time clock and high-performance, non-volatile storage. This paper shows that cTPM is practical, versatile, and easily applicable to trusted mobile applications. Our simple change to the TPM specification is viable because its fundamental concepts – a primary root key and off-chip, NV storage – are already found in the current spec-ification, TPM 2.0. By avoiding a clean-slate redesign, we sidestep the difficult challenge of re-verifying the se-curity properties of a new TPM design. We demonstrate cTPM’s versatility with two case studies: extending Pas-ture with additional functionality, and re-implementing TrInc without the need for extra hardware. 1
TLA+ Proofs
"... TLA + is a specification language based on standard set theory and temporal logic that has constructs for hierarchical proofs. We describe how to write TLA + proofs and check them with TLAPS, the TLA + Proof System. We use Peterson’s mutual exclusion algorithm as a simple example and show how TLAP ..."
Abstract
-
Cited by 3 (2 self)
- Add to MetaCart
(Show Context)
TLA + is a specification language based on standard set theory and temporal logic that has constructs for hierarchical proofs. We describe how to write TLA + proofs and check them with TLAPS, the TLA + Proof System. We use Peterson’s mutual exclusion algorithm as a simple example and show how TLAPS and the Toolbox (an IDE for TLA +) help users to manage large, complex proofs.
IronFleet: Proving Practical Distributed Systems Correct
"... Abstract Distributed systems are notorious for harboring subtle bugs. Verification can, in principle, eliminate these bugs a priori, but verification has historically been difficult to apply at fullprogram scale, much less distributed-system scale. We describe a methodology for building practical a ..."
Abstract
-
Cited by 2 (0 self)
- Add to MetaCart
(Show Context)
Abstract Distributed systems are notorious for harboring subtle bugs. Verification can, in principle, eliminate these bugs a priori, but verification has historically been difficult to apply at fullprogram scale, much less distributed-system scale. We describe a methodology for building practical and provably correct distributed systems based on a unique blend of TLA-style state-machine refinement and Hoare-logic verification. We demonstrate the methodology on a complex implementation of a Paxos-based replicated state machine library and a lease-based sharded key-value store. We prove that each obeys a concise safety specification, as well as desirable liveness requirements. Each implementation achieves performance competitive with a reference system. With our methodology and lessons learned, we aim to raise the standard for distributed systems from "tested" to "correct."
Dancing with Giants: Wimpy Kernels for On-demand Isolated I/O
"... Abstract—To be trustworthy, security-sensitive applications must be formally verified and hence small and simple; i.e., wimpy. Thus, they cannot include a variety of basic services available only in large and untrustworthy commodity systems; i.e., in giants. Hence, wimps must securely compose with g ..."
Abstract
-
Cited by 2 (0 self)
- Add to MetaCart
(Show Context)
Abstract—To be trustworthy, security-sensitive applications must be formally verified and hence small and simple; i.e., wimpy. Thus, they cannot include a variety of basic services available only in large and untrustworthy commodity systems; i.e., in giants. Hence, wimps must securely compose with giants to survive on commodity systems; i.e., rely on giants ’ services but only after efficiently verifying their results. This paper presents a security architecture based on a wimpy kernel that provides on-demand isolated I/O channels for wimp applications, without bloating the underlying trusted computing base. The size and complexity of the wimpy kernel are minimized by safely outsourcing I/O subsystem functions to an untrusted commodity operating system and exporting driver and I/O subsystem code to wimp applications. Using the USB subsystem as a case study, this paper illustrates the dramatic reduction of wimpy-kernel size and complexity; e.g., over 99 % of the USB code base is removed. Performance measurements indicate that the wimpy-kernel architecture exhibits the desired execution efficiency. I.
Missive: Fast Application Launch From an Untrusted Buffer Cache
, 2014
"... USENIX. ..."
(Show Context)
