
SCALABLE SECURITY ARCHITECTURE FOR TRUSTED SOFTWARE

DAVID CHAMPAGNE

A DISSERTATION PRESENTED TO THE FACULTY OF PRINCETON UNIVERSITY IN CANDIDACY FOR THE DEGREE OF DOCTOR OF PHILOSOPHY

RECOMMENDED FOR ACCEPTANCE BY THE DEPARTMENT OF ELECTRICAL ENGINEERING

ADVISOR: RUBY B. LEE

JUNE 2010

Copyright © 2010 by David Champagne. All rights reserved.

To my mother Lise and my father Robert. Thank you for always believing in me.

Abstract

Security-critical tasks executing on general-purpose computers require protection against software and hardware attacks to achieve their security objectives. Security services providing this protection can be offered by mechanisms rooted in processor hardware, since the processor's storage and computing elements are typically outside the reach of attackers.

This thesis presents the Bastion architecture, a hardware-software security architecture for providing protection scalable to a large number of security-critical tasks.

Protection is enabled by three sets of new mechanisms: for protecting a trusted hypervisor, for fine-grained protection of modules in application or operating system space, and for securing the input and output of Bastion-protected software modules. This thesis also presents an implementation and evaluation of Bastion, and explores alternatives for one of its core security functions: memory authentication.

The hypervisor, a layer of software dedicated to the virtualization of machine resources, is increasingly being involved in security solutions. We use it in Bastion as a manager of security-critical tasks. While past solutions protect the hypervisor from runtime software attacks, Bastion also protects the hypervisor from physical attacks, protects it from offline attacks, and provides it with a secure launch mechanism. Within this protected Bastion hypervisor, we design a second set of mechanisms that provide separate execution compartments for each security-critical task running in the virtual machines hosted by the hypervisor. These compartments are protected against both hardware attacks and software attacks originating from a potentially compromised operating system. To enable security-critical tasks to communicate with the outside world, we provide a third set of mechanisms for secure input and output to and from Bastion-protected compartments. We implement and evaluate a Bastion prototype by modifying the source code of the OpenSPARC processor and hypervisor systems.

Additionally, we survey the design space of alternatives to the Bastion memory authentication mechanism, which is central to protecting critical software execution in Bastion. These contributions can improve security in the digital world by informing the design of the next generation of general-purpose computing platforms.
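As an added illustration of the memory authentication primitive the abstract refers to (example code written for this page, not code from the dissertation or the Bastion prototype): a binary Merkle hash tree over memory that the attacker can rewrite, with only the root kept in trusted on-chip storage, and checks showing that a read or write is refused under the three active attacks such a tree has to detect, namely spoofing (a block replaced with arbitrary data), splicing (two valid blocks and their hashes swapped) and replay (an old, once-valid image of memory restored). The eight-block sample memory, the 8-byte block size and the use of SHA-256 are assumptions made for the example.

```python
import hashlib


class IntegrityViolation(Exception):
    """A memory block or its tree branch failed authentication."""


class IntegrityTree:
    """Binary Merkle hash tree over a power-of-two number of memory blocks.

    Trusted state: only self.root, standing in for an on-chip root register.
    Untrusted state: self.mem (data blocks) and self.nodes (tree hashes), both
    of which an attacker with physical access to memory may rewrite at will.
    """

    def __init__(self, blocks):
        n = len(blocks)
        if n == 0 or n & (n - 1):
            raise ValueError("number of blocks must be a power of two")
        self.n = n
        self.mem = list(blocks)
        # Heap layout: nodes[1] is the root, nodes[n + i] the hash of block i,
        # and the children of nodes[p] are nodes[2p] and nodes[2p + 1].
        self.nodes = [b""] * (2 * n)
        for i, blk in enumerate(blocks):
            self.nodes[n + i] = self._leaf_hash(blk)
        for p in range(n - 1, 0, -1):
            self.nodes[p] = self._inner_hash(self.nodes[2 * p], self.nodes[2 * p + 1])
        self.root = self.nodes[1]  # copied into trusted storage

    @staticmethod
    def _leaf_hash(data):
        # Domain separation so a leaf can never be passed off as an inner node.
        return hashlib.sha256(b"\x00" + data).digest()

    @staticmethod
    def _inner_hash(left, right):
        # Left/right order is fixed by tree position; this is what defeats splicing.
        return hashlib.sha256(b"\x01" + left + right).digest()

    def _branch_root(self, index, leaf_hash):
        """Tree traversal: recompute the root from one leaf hash and the sibling
        hashes fetched from untrusted memory along the branch."""
        h, pos = leaf_hash, self.n + index
        while pos > 1:
            sibling = self.nodes[pos ^ 1]
            h = self._inner_hash(h, sibling) if pos % 2 == 0 else self._inner_hash(sibling, h)
            pos //= 2
        return h

    def verify(self, index):
        """True iff block `index` and its branch are consistent with the trusted root."""
        return self._branch_root(index, self._leaf_hash(self.mem[index])) == self.root

    def read(self, index):
        if not self.verify(index):
            raise IntegrityViolation(f"block {index}")
        return self.mem[index]

    def write(self, index, data):
        # Authenticate the old branch first, so an earlier tampering cannot be
        # laundered into the new root by a legitimate update.
        if not self.verify(index):
            raise IntegrityViolation(f"block {index}")
        self.mem[index] = data
        pos = self.n + index
        self.nodes[pos] = self._leaf_hash(data)
        while pos > 1:
            pos //= 2
            self.nodes[pos] = self._inner_hash(self.nodes[2 * pos], self.nodes[2 * pos + 1])
        self.root = self.nodes[1]  # the only update to trusted state


def _fresh_tree():
    # Constructed sample memory: eight 8-byte blocks (an assumption for the example).
    return IntegrityTree([bytes([i]) * 8 for i in range(8)])

def legitimate_roundtrip():
    t = _fresh_tree()
    t.write(5, b"new data")
    return t.read(5) == b"new data" and all(t.verify(i) for i in range(8))

def spoofing_detected():
    """Attacker overwrites a data block in place."""
    t = _fresh_tree()
    t.mem[2] = b"\xff" * 8
    return not t.verify(2)

def splicing_detected():
    """Attacker swaps two valid blocks together with their leaf hashes."""
    t = _fresh_tree()
    t.mem[0], t.mem[1] = t.mem[1], t.mem[0]
    t.nodes[t.n], t.nodes[t.n + 1] = t.nodes[t.n + 1], t.nodes[t.n]
    return not t.verify(0) and not t.verify(1)

def replay_detected():
    """Attacker restores an old, once-valid image of the whole untrusted memory."""
    t = _fresh_tree()
    stale_mem, stale_nodes = list(t.mem), list(t.nodes)
    t.write(3, b"updated!")  # legitimate write moves the on-chip root
    t.mem, t.nodes = stale_mem, stale_nodes
    return not t.verify(3)
```

The replay case is the one that makes the on-chip root necessary: the restored image is internally consistent (every hash matches its children), and only the root held outside the attacker's reach tells the old image from the current one. Cost per access is one hash per tree level plus the sibling fetches, which is the overhead the cached-tree and Bonsai Merkle tree variants listed in Appendix A set out to reduce.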

Acknowledgements

I would like to express my gratitude to my colleagues, friends and family. First, I wish to thank Professor Ruby Lee, my research advisor. Her generous mentoring was crucial to completing this dissertation and the work it describes. Through the years, she has shown me what it means to be a good architect and an effective communicator. She was always available to provide guidance in my work, helping me define, improve and present technical concepts and research ideas.

I wish to thank Professor Andrew Appel from Princeton University and Reiner Sailer from IBM Research for reviewing my dissertation and providing me with helpful and insightful comments and suggestions. I thank Shih Lien Lu and Keen Chan for offering me the opportunity to spend two instructive summers as an intern at Intel in Oregon.

It has been a great pleasure to work with my colleagues at the Princeton Architecture Laboratory for Multimedia and Security. I have enjoyed discussing research with Jeff Dwoskin, Yu-Yuan Chen, Jakub Szefer, Cédric Lauradoux, Yedidya Hilewitz, Zhenghong Wang, Mahadevan Gomathisankaran, Nachiketh Potlapally and Peter Kwan.

In particular, I thank Reouven Elbaz for his dedication during our joint work on memory integrity, and for his strong friendship.

I also wish to thank Najwa Aaraj, Miloš Ilak, Ronny Luss and Nebojša Stanković for their support during my graduate studies and for their precious friendship. I thank my good friends back home, Jean-Philippe Beaudet, Éric Fontaine, Simon Gignac, Nicolas Lafond, David Lévesque and Frédéric Villeneuve for being there when I needed a kind ear and a good laugh.

Last but most important, I want to thank my family. I am humbled by the love, care and understanding my fiancée Sonya has given me during my years in Princeton. My sister Mélanie has always been an example of determination that continues to inspire me.

And, I am thankful for my loving parents, who taught me self-reliance, hard work and perseverance.

Contents

ABSTRACT

ACKNOWLEDGEMENTS

CONTENTS

LIST OF FIGURES





LIST OF TABLES

CHAPTER 1 - INTRODUCTION

1.1 NEW THREATS

1.2 PAST APPROACHES

1.3 THESIS CONTRIBUTIONS

1.4 THESIS ORGANIZATION

CHAPTER 2 - BACKGROUND

2.1 DEFINITION OF SECURITY

2.1.1 Security Objectives

2.1.2 Trust Model

2.1.3 Threat Model

2.2 PAST APPROACHES

2.2.1 Secure OS

2.2.2 Verify OS

2.2.3 Bypass OS

2.3 CONCRETE ATTACKS

2.3.1 Cold Boot Attack

2.3.2 TPM Reset Attack

2.3.3 Blue Pill Attack

2.3.4 SMM Attack

2.3.5 XBOX Attack

2.3.6 Cipher Instruction Search Attack

2.4 OUR BASELINE PLATFORM

CHAPTER 3 - ARCHITECTURE OVERVIEW

3.1. SECURE EXECUTION COMPARTMENTS

3.1.1. Trusted Software Modules

3.1.2. Trust Domains

3.1.3. Trusted Programming Interface (TPI)

3.2 HARDENED VIRTUALIZATION LAYER

3.3 HARDWARE AND HYPERVISOR EXTENSIONS

3.4 NEW APPLICATIONS

3.4.1 Policy-Protected Objects

3.4.2 Protected Monitor

3.4.3 Hardened Extensions

3.5 CHAPTER SUMMARY

CHAPTER 4 - HARDENED VIRTUALIZATION LAYER

4.1 BACKGROUND ON VIRTUALIZATION

4.1.1 Motivating Virtualization

4.1.2 Forms of Virtualization

4.1.3 Methods for Memory Virtualization

4.1.4 Methods for I/O Virtualization

4.1.5 Virtualization Layer Security

4.2 SECURE HYPERVISOR LAUNCH

4.2.1 Measured Boot versus Secure Boot

4.2.2 Hypervisor Identification

4.2.3 Runtime Hypervisor Protection Setup

4.3 RUNTIME HYPERVISOR MEMORY PROTECTION

4.3.1 Background on Cryptographic Memory Protection

4.3.2 Bastion Hypervisor Memory Protection

4.3.3 Limitations

4.4 CHAPTER SUMMARY

CHAPTER 5 - SECURE EXECUTION COMPARTMENTS

5.1 SECURE LAUNCH

5.1.1 Hypervisor Data Structures

5.1.2 SECURE_LAUNCH Hypercall

5.2 RUNTIME MEMORY PROTECTION AGAINST SOFTWARE ATTACKS

5.2.1 Shadow Access Control

5.2.2 Shadow Page Table Support

5.2.3 Nested Page Table Support

5.2.4 Dynamic Module Memory Allocation

5.2.5 Runtime Relocation of Pages

5.3 RUNTIME MEMORY PROTECTION AGAINST HARDWARE ATTACKS

5.3.1 Protection Setup

5.3.2 Runtime Protection

5.4 SECURE INTER-COMPARTMENT TRANSITIONS

5.4.1 Problem Statement

5.4.2 Past Work on Secure Transitions

5.4.3 Module Invocation

5.4.4 Module Preemption

5.4.5 Secure Inter-Module Collaboration

5.5 SECURE MODULE RETIREMENT

5.6 COMPATIBILITY ISSUES

5.6.1 Demand Paging

5.6.2 Multiple Page Size Support

5.6.3 No-Translation Address Spaces

5.6.4 Processor-Specific Conventions

5.7 CHAPTER SUMMARY

CHAPTER 6 - SUPPORT FOR SECURE INPUT AND OUTPUT

6.1 PROBLEM STATEMENT

6.1.1 Secure I/O Definitions

6.1.2 Secure I/O Example

6.2 OVERVIEW OF BASTION SECURE I/O

6.2.1 Secure I/O Trust Model

6.2.2 Bastion Secure I/O Primitives

6.2.3 Support for Existing I/O Models

6.3 BASTION SECURE I/O SERVICES

6.3.1 Tailored Attestation

6.3.2 Secure Persistent Storage

6.4 USAGE SCENARIOS

6.4.1 Disk I/O

6.4.2 Network I/O

6.4.3 User I/O

6.4.4 Other Local I/O

6.4.5 Virtualized I/O

6.5 MIGRATION, BACKUP AND SOFTWARE UPDATES

6.5.1 Platform-to-Authority Transfer

6.5.2 Authority-to-Platform Transfer

6.6 CHAPTER SUMMARY

APPENDIX TO CHAPTER 6

6.A RELATED WORK IN SECURE I/O

6.A.1 Network I/O

6.A.2 Disk I/O

6.A.3 User I/O

6.B BASIC I/O MECHANISMS

CHAPTER 7 - IMPLEMENTATION

7.1 THE OPENSPARC PROJECT

7.1.1 Software Tools

7.1.2 FPGA Hardware Evaluation Platform

7.2 PROCESSOR HARDWARE

7.2.1 UltraSPARC T1 Substrate

7.2.2 Bastion Registers

7.2.3 Shadow Access Control Logic

7.2.4 Bastion Instructions

7.3 CACHE CONTROLLER AND I/O BRIDGE

7.3.1 MicroBlaze Firmware Roles

7.3.2 Bastion Memory Protection

7.3.3 Secure On-Chip Routines

7.3.4 L2 Cache Storage Emulation

7.4 HYPERVISOR

7.4.1 Sun Hypervisor Overview

7.4.2 Fast Prototyping Strategy

7.4.3 Bastion Hypercalls

7.4.4 TLB Miss Handler Changes

7.5 APPLICATION

7.5.1 Security Segment

7.5.2 Hypercalls

7.5.3 Library and System Calls

7.6 CHAPTER SUMMARY

CHAPTER 8 - EVALUATION

8.1 SECURITY

8.1.1 Processor

8.1.2 Hypervisor

8.1.3 Module Compartments

8.1.4 Defense against Concrete Attacks

8.2. FUNCTIONALITY

8.2.1 DRM

8.2.2 Personal Banking

8.2.3 Distributed Computing

8.2.4 ORCON

8.3 COMPLEXITY

8.4 PERFORMANCE

8.5 CHAPTER SUMMARY

CHAPTER 9 - CONCLUSION

9.1 THE BASTION ARCHITECTURE

9.2 DIRECTIONS FOR FUTURE RESEARCH

APPENDIX A - ALTERNATIVE MEMORY PROTECTION SCHEMES

A.1 THREAT MODEL

A.1.1 Hardware Attacks

A.1.2 Software Attacks

A.2 INTEGRITY TREES: CRYPTOGRAPHIC SCHEMES FOR MEMORY AUTHENTICATION

A.2.1 Authentication Primitives for Memory Authentication

A.2.2 Integrity Trees

A.3 INTEGRATION OF INTEGRITY TREES IN COMPUTING PLATFORMS

A.3.1 Tree Traversal Technique

A.3.2 Cached Trees

A.3.3 The Bonsai Merkle Tree

A.4 MEMORY AUTHENTICATION WITH AN UNTRUSTED OPERATING SYSTEM

A.5 MEMORY AUTHENTICATION WITHOUT A TREE STRUCTURE

A.6 DATA AUTHENTICATION IN SYMMETRIC MULTI-PROCESSORS (SMP)

A.7 APPENDIX SUMMARY

BIBLIOGRAPHY

List of Figures

FIGURE 3.1. APPLICATION OF BASTION FOR THREE SOFTWARE MODULES A, B AND C
FIGURE 3.2. THE SECURITY SEGMENT
FIGURE 3.3. MODULE IDENTITY FOR TWO MODULES FORMING TRUST DOMAIN A
FIGURE 3.4. A TRUST DOMAIN DESCRIPTOR
FIGURE 3.5. NEW HYPERVISOR AND PROCESSOR COMPONENTS IN BASTION
FIGURE 4.1. A BINARY MERKLE HASH TREE
FIGURE 5.1. THE MODULE STATE TABLE
FIGURE 5.2. A VMAP ENTRY
FIGURE 5.3. AN MMAP ENTRY
FIGURE 5.4. A DMAP ENTRY
FIGURE 5.5. A TDMAP FOR N ACTIVE TRUST DOMAINS
FIGURE 5.6. OUR EXTENDED SHADOW PAGE TABLE
FIGURE 5.7. OUR EXTENDED TLB ENTRY
FIGURE 5.8. SECURE INTER-MODULE COLLABORATION
FIGURE 6.1. TRUST MODEL FOR BASTION SECURE I/O
FIGURE 6.2. READING ENCRYPTED I/O DATA
FIGURE 6.3. THE TAILORED ATTESTATION PROCEDURE
FIGURE 6.4. BASTION SECURE HYPERVISOR AND MODULE STORAGE
FIGURE 7.1. THE OPENSPARC FULL-SYSTEM FPGA IMPLEMENTATION
FIGURE 7.2. SPARC CPU CORE WITH BASTION ADDITIONS
FIGURE 7.3. OUR INTEGRITY TREE
FIGURE 7.4. THE BASTION-ENHANCED SUN HYPERVISOR
FIGURE 7.5. ANALYSIS OF INSTRUCTION TLB MISS EVENTS
FIGURE 7.6. BASTION LIBC WRAPPER EXAMPLE WITH PUTS
FIGURE 8.1. LATENCY OF SECURE_LAUNCH HYPERCALL FOR VARIOUS MODULE SIZES
FIGURE A.1: FRAMEWORK OF ATTACK
FIGURE A.2: ACTIVE ATTACKS
FIGURE A.3: AUTHENTICATION PRIMITIVES FOR MEMORY INTEGRITY CHECKING
FIGURE A.4: GENERAL MODEL OF 2-ARY INTEGRITY TREE
FIGURE A.5: EXISTING INTEGRITY TREES
FIGURE A.6: BONSAI MERKLE TREE PRINCIPLE
FIGURE A.7: THE BRANCH SPLICING ATTACK
FIGURE A.8: DATA AUTHENTICATION IN A SYMMETRIC MULTI-PROCESSOR (SMP)

List of Tables

TABLE 2.1. COMPARISON OF PAST APPROACHES WITH OUR BASTION ARCHITECTURE
TABLE 3.1. TRUSTED PROGRAMMING INTERFACE: NEW BASTION HYPERCALLS
TABLE 3.2. NEW BASTION INSTRUCTIONS
TABLE 3.3. NEW BASTION REGISTERS
TABLE 5.1. OVERVIEW OF THE BASTION INTER-MODULE TRANSITION MECHANISM
TABLE 5.2. BASTION RULES AND BEST PRACTICES
TABLE 8.1. HARDWARE COMPLEXITY
TABLE 8.2. SOFTWARE COMPLEXITY
TABLE 8.3. COMPLEXITY OF APPLICATION-LEVEL BASTION LIBRARIES
TABLE 8.4. COMPLEXITY OF LIBC WRAPPER LIBRARY
TABLE 8.5. BASTION HYPERCALL LATENCIES
TABLE 8.6. LIBC WRAPPER OVERHEADS
TABLE 8.7.
