ABSTRACT: Remote attestation is the activity of making a claim about properties of a target by supplying evidence to an appraiser over
a network. We identify five central principles to guide development of attestation systems. We argue that (i) attestation
must be able to deliver temporally fresh evidence; (ii) comprehensive information about the target should be accessible; (iii)
the target, or its owner, should be able to constrain disclosure of information about the target; (iv) attestation claims
should have explicit semantics to allow decisions to be derived from several claims; and (v) the underlying attestation mechanism
must be trustworthy. We illustrate how to acquire evidence from a running system, and how to transport it via protocols to
remote appraisers. We propose an architecture for attestation guided by these principles. Virtualized platforms, which are
increasingly well supported on stock hardware, provide a natural basis for our attestation architecture.
Keywords: Trust and attestation – Operating system security architecture – Cryptographic protocols – Hardware Security Modules – Strand spaces
International Journal of Information Security 01/2011; 10:63-81. · 0.48 Impact Factor
ABSTRACT: Cloud computing uses virtualization to lease small slices of large-scale datacenter facilities to individual paying customers. These multi-tenant environments, on which numerous large and popular web-based applications run today, are founded on the belief that the virtualization platform is sufficiently secure to prevent breaches of isolation between different users who are co-located on the same host. Hypervisors are believed to be trustworthy in this role because of their small size and narrow interfaces. We observe that despite the modest footprint of the hypervisor itself, these platforms have a large aggregate trusted computing base (TCB) that includes a monolithic control VM with numerous interfaces exposed to VMs. We present Xoar, a modified version of Xen that retrofits the modularity and isolation principles used in micro-kernels onto a mature virtualization platform. Xoar breaks the control VM into single-purpose components called service VMs. We show that this componentized abstraction brings a number of benefits: sharing of service components by guests is configurable and auditable, making exposure to risk explicit, and access to the hypervisor is restricted to the least privilege required for each component. Microrebooting components at configurable frequencies reduces the temporal attack surface of individual components. Our approach incurs little performance overhead, and does not require functionality to be sacrificed or components to be rewritten from scratch.
Proceedings of the 23rd ACM Symposium on Operating Systems Principles 2011, SOSP 2011, Cascais, Portugal, October 23-26, 2011; 01/2011
ABSTRACT: Attestation is the activity of making a claim about properties of a target by supplying evidence to an appraiser. We identify five central principles to guide development of attestation systems. We argue that (i) attestation must be able to deliver temporally fresh evidence; (ii) comprehensive information about the target should be accessible; (iii) the target, or its owner, should be able to constrain disclosure of information about the target; (iv) attestation claims should have explicit semantics to allow decisions to be derived from several claims; and (v) the underlying attestation mechanism must be trustworthy. We propose an architecture for attestation guided by these principles, as well as an implementation that adheres to this architecture. Virtualized platforms, which are increasingly well supported on stock hardware, provide a natural basis for our attestation architecture.
Information and Communications Security, 10th International Conference, ICICS 2008, Birmingham, UK, October 20-22, 2008, Proceedings; 01/2008
ABSTRACT: This paper introduces the Linux Kernel Integrity Monitor (LKIM) as an improvement over conventional methods of software integrity measurement. LKIM employs contextual inspection as a means to more completely characterize the operational integrity of a running kernel. In addition to cryptographically hashing static code and data in the kernel, dynamic data structures are examined to provide improved integrity measurement. The base approach examines structures that control the execution flow of the kernel through the use of function pointers as well as other data that affect the operation of the kernel. Such structures provide an efficient means of extending the kernel operations, but they are also a means of inserting malicious code without modifying the static parts. The LKIM implementation is discussed and initial performance data is presented to show that contextual inspection is practical.
Proceedings of the 2nd ACM Workshop on Scalable Trusted Computing, STC 2007, Alexandria, VA, USA, November 2, 2007; 01/2007
ABSTRACT: The protection mechanisms of current mainstream operating systems are inadequate to support confidentiality and integrity requirements for end systems. Mandatory access control (MAC) is needed to address such requirements, but the limitations of traditional MAC have inhibited its adoption into mainstream operating systems. The National Security Agency (NSA) worked with Secure Computing Corporation (SCC) to develop a flexible MAC architecture called Flask to overcome the limitations of traditional MAC. The NSA has implemented this architecture in the Linux operating system, producing a Security-Enhanced Linux (SELinux) prototype, to make the technology available to a wider community and to enable further research into secure operating systems. NAI Labs has developed an example security policy configuration to demonstrate the benefits of the architecture and to provide a foundation for others to use. This paper describes the security architecture, security mechanisms, application programming interface, security policy configuration, and performance of SELinux.
Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, June 25-30, 2001, Boston, Massachusetts, USA; 01/2001
ABSTRACT: Security-enhanced Linux incorporates a strong, flexible mandatory access control architecture into Linux. It provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements. This allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications. Using the system's type enforcement and role-based access control abstractions, it is possible to configure the system to meet a wide range of security needs. This paper describes how Security-enhanced Linux was used to meet a number of general-purpose system security objectives.
ABSTRACT: Operating systems must be flexible in their support for security policies, providing sufficient mechanisms for supporting the wide variety of real-world security policies. Such flexibility requires controlling the propagation of access rights, enforcing fine-grained access rights and supporting the revocation of previously granted access rights. Previous systems are lacking in at least one of these areas. In this paper we present an operating system security architecture that solves these problems. Control over propagation is provided by ensuring that the security policy is consulted for every security decision. This control is achieved without significant performance degradation through the use of a security decision caching mechanism that ensures a consistent view of policy decisions. Both fine-grained access rights and revocation support are provided by mechanisms that are directly integrated into the service-providing components of the system. The architecture is described through ...
ABSTRACT: Although public awareness of the need for security in computing systems is growing rapidly, current efforts to provide security are unlikely to succeed. Current security efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems. In reality, the need for secure operating systems is growing in today's computing environment due to substantial increases in connectivity and data sharing. The goal of this paper is to motivate a renewed interest in secure operating systems so that future security efforts may build on a solid foundation. This paper identifies several secure operating system features which are lacking in mainstream operating systems, argues that these features are necessary to adequately protect general application-space security mechanisms, and provides concrete examples of how current security solutions are critically dependent on these features.
ABSTRACT: Risk Adaptable Access Control (RAdAC) is an important emerging technology that has gained the attention of many people as a way to change the current information dissemination policies. Systems implementing RAdAC have the ability to enforce a flexible mandatory access control policy based on various changing factors, such as situational and environmental factors. Unfortunately, commonly deployed systems are unable to reliably support this type of access control, but by using existing technology the desired capability could be built. Applications of the Flask Security Architecture is one such use of an existing technology. This paper describes how the Flask Security Architecture can be used to provide RAdAC. It describes how this was done in the creation of a prototype RAdAC system.