Source: os.inf.tu-dresden.de/Studium/KMB/WS2009/12-Security-Architectures.pdf
Department of Computer Science Institute for System Architecture, Operating Systems Group
CARSTEN WEINHOLD
SECURITY ARCHITECTURES
TU Dresden Security Architectures
Motivation
■ Common observations:
■ Users are plagued by malware
■ Companies and government agencies are high value targets
■ Critical data gets stolen
■ ...
■ Sad truth: threats won't go away
Classical Architectures
Isolation
■ Isolation in commodity OSes based on user accounts
■ Problems:
■ Same privileges for all apps
■ Permissive interfaces (e.g., ptrace to manipulate other address spaces)
■ Malware is dangerous and real
■ Efforts to restrict privileges:
■ SELinux, AppArmor, Seatbelt, ...
Physical Isolation
■ Separate computers
■ Applications and data physically isolated
■ Effective, but ...
■ High costs
■ Needs more space
■ Inconvenient
■ Exposure to network may pose threat
[Figure: PC 1 and PC 2, each with its own hardware, OS and application]
Virtual Machines
■ Multiple VMs, OSes
■ Isolation enforced by virtualization layer
■ Saves space, energy, maintenance effort
■ But still ...
■ Switching between VMs is inconvenient
■ Even more code
[Figure: VM 1 and VM 2, each with its own OS and application, on top of a virtualization layer on shared hardware]
So far ...
■ Huge code bases remain
■ Many targets to attack:
■ Application, Commodity OS
■ Virus scanner, firewall, ...
■ Expensive communication via (virtual) Ethernet
■ High resource consumption even for small applications
Microkernel & Multi-server OS
Nizza Architecture
[Figure: Nizza architecture. On top of the microkernel: Loader, GUI, Names, UserAuth, SecureStorage, I/O Support; a Legacy OS running a LegacyApp; and the trusted SigningApp, E-CommerceApp and BankingApp]
Nizza Key Principles
■ Nizza architecture is based on these design concepts:
■ Strong isolation
■ Application-specific TCBs
■ Legacy reuse
■ Trusted wrapper
■ Trusted Computing
App-specific TCBs
[Figure: app-specific TCBs. Components on top of the microkernel: Loader, GUI, Names, UserAuth, SecureStorage, I/O Support, Key Mgt, IP Stack, VirtualEthernet, SigningApp, NetworkApp, Legacy OS with LegacyApp]
App-specific TCBs
■ Reflects principle of least privilege
■ TCB of an application includes only components its security relies upon
■ TCB does not include unrelated applications or services
■ Mechanisms:
■ Address spaces for strong isolation
■ Well-defined interfaces
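The TCB of an application is the transitive closure of the "relies upon for its security" relation, which is why two applications on the same microkernel can have very different TCBs. The program below is an added example, not code from the lecture or from the L4/Nizza project: it encodes such a dependency graph for the components of the figure above, computes each application's TCB as the closure, and adds up the code in it. All SLOC figures and the `deps` edges are constructed for illustration; the function names `TCB`, `TCBSize` and `Contains` are this example's own.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed SLOC figures for the components of the Nizza figure.
// Illustrative only, not measurements from the lecture or from L4.
var sloc = map[string]int{
	"Microkernel":     20000,
	"Loader":          3000,
	"Names":           1500,
	"UserAuth":        2500,
	"SecureStorage":   4500,
	"GUI":             15000,
	"I/O Support":     10000,
	"Key Mgt":         6000,
	"IP Stack":        40000,
	"VirtualEthernet": 3000,
	"Legacy OS":       2000000,
	"LegacyApp":       300000,
	"SigningApp":      8000,
	"NetworkApp":      12000,
}

// deps is the "relies upon for its security" relation, also constructed for
// this example: an edge A -> B means that a compromise of B breaks A.
var deps = map[string][]string{
	"SigningApp":      {"Microkernel", "Loader", "Names", "UserAuth", "SecureStorage", "GUI", "Key Mgt"},
	"NetworkApp":      {"Microkernel", "Loader", "Names", "GUI", "IP Stack", "VirtualEthernet"},
	"LegacyApp":       {"Legacy OS"},
	"Legacy OS":       {"Microkernel", "Loader", "I/O Support"},
	"Key Mgt":         {"Microkernel", "SecureStorage"},
	"SecureStorage":   {"Microkernel", "I/O Support"},
	"UserAuth":        {"Microkernel", "GUI"},
	"GUI":             {"Microkernel", "I/O Support"},
	"IP Stack":        {"Microkernel"},
	"VirtualEthernet": {"Microkernel"},
	"I/O Support":     {"Microkernel"},
	"Loader":          {"Microkernel"},
	"Names":           {"Microkernel"},
}

// TCB returns the application-specific TCB: the transitive closure of the
// components app relies upon, including app itself, sorted by name.
func TCB(app string) []string {
	seen := map[string]bool{}
	var walk func(string)
	walk = func(c string) {
		if seen[c] {
			return
		}
		seen[c] = true
		for _, d := range deps[c] {
			walk(d)
		}
	}
	walk(app)
	out := make([]string, 0, len(seen))
	for c := range seen {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

// TCBSize sums the SLOC of every component in app's TCB.
func TCBSize(app string) int {
	total := 0
	for _, c := range TCB(app) {
		total += sloc[c]
	}
	return total
}

// Contains reports whether component c is part of app's TCB.
func Contains(app, c string) bool {
	for _, x := range TCB(app) {
		if x == c {
			return true
		}
	}
	return false
}

func main() {
	for _, app := range []string{"SigningApp", "NetworkApp", "LegacyApp"} {
		fmt.Printf("%-11s TCB = %8d SLOC: %v\n", app, TCBSize(app), TCB(app))
	}
}
```

With these figures the SigningApp's TCB is the microkernel plus a handful of small servers, while the LegacyApp drags the whole legacy OS in; neither the NetworkApp's IP stack nor the legacy OS appears in the SigningApp's TCB, which is exactly the property the slide states. Adding an edge from a trusted service to a large component (say, letting UserAuth depend on the Legacy OS) immediately shows up in the sum, which makes this kind of graph a useful review tool when a component is being ported or split.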
Legacy Reuse
■ New OS? Do not reinvent the wheel!
■ Existing software can be reused:
■ Applications (e.g., e-mail clients, ...)
■ Protocol stacks (e.g., TCP/IP)
■ Commodity OSes (e.g., Linux)
■ Virtualization is an important enabler
■ Legacy code often does not need to be trusted
Easy Reuse
■ Run OS in VM to reuse unmodified applications
■ Useful for applications that are not security critical
■ Also improves isolation:
■ Use VM to sandbox applications and OS
■ Isolation at VM granularity
[Figure: Legacy OS with LegacyApp running in a VM next to the Basic Services, both on top of the microkernel]
TCB--; Security++;
■ To further improve security:
■ Reduce size of attack surface
■ Reduce size of TCB
■ First idea:
■ Port application to microkernel-based multi-server OS
■ Removes huge legacy OS from TCB
■ Possible approaches discussed in lecture on "Legacy Containers"
Splitting Components
Split Applications
■ Problems with porting applications:
■ Dependencies need to be satisfied
■ Can be complex, even infeasible
■ Stripped-down applications may lack functionality / usability
■ Better idea: split application
■ Make only security-critical parts run on microkernel-based OS
■ Reduces size of TCB even further
Example 1: eMail
■ Critical functionality to support digitally signed e-mails:
■ Handling of signature keys
■ Requesting passphrase to unlock secret signature key
■ Presenting e-mail message:
■ Before sending: "What You See Is What You Sign"
■ After receiving: verify signature, identify sender
Signing eMails
[Figure: the SigningApp runs directly on the microkernel next to Loader, GUI, Names, UserAuth, SecureStorage and I/O Support; the Legacy OS with the LegacyApp runs alongside, outside the SigningApp's TCB]
Benefit of Splitting
■ >1,500,000 SLOC no longer in TCB:
■ Linux kernel, drivers, X-Server
■ C and GUI libraries, Thunderbird
■ TCB size reduced to ~150,000 SLOC:
■ GNU Privacy Guard, e-mail viewer
■ Basic L4 system
■ At least 10 times less code in the TCB
■ Method not restricted to applications
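The interface between the two halves of the split mail client is what makes the TCB reduction of this slide possible: the untrusted Thunderbird side hands over message bytes and receives a signature, while key handling, the passphrase prompt and the "What You See Is What You Sign" viewer stay on the trusted side. The program below is an added example, not the lecture's or the project's code. It models that trusted half (`SigningApp`) with Ed25519 from the Go standard library as a stand-in for the GnuPG signing of the original; the canonical form in `Canonicalize`, the passphrase handling and the `display` callback that stands for the trusted viewer are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// SigningApp is the trusted half of the split mail client. It alone holds the
// secret key; the untrusted client only ever sees message bytes and signatures.
type SigningApp struct {
	priv     ed25519.PrivateKey
	passHash [32]byte // hash of the passphrase that unlocks the key
	unlocked bool
}

// NewSigningApp creates a key protected by passphrase and returns the public
// key for distribution. (Constructed example: a real SigningApp would load
// the key from SecureStorage rather than generating it here.)
func NewSigningApp(passphrase string) (*SigningApp, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &SigningApp{priv: priv, passHash: sha256.Sum256([]byte(passphrase))}, pub
}

// Unlock is the passphrase prompt. It runs inside the TCB, so the untrusted
// client never handles the passphrase.
func (s *SigningApp) Unlock(passphrase string) bool {
	h := sha256.Sum256([]byte(passphrase))
	s.unlocked = subtle.ConstantTimeCompare(h[:], s.passHash[:]) == 1
	return s.unlocked
}

// Canonicalize fixes "what you see": the trusted viewer renders exactly these
// bytes (trailing whitespace removed, CRLF line ends), so the untrusted client
// cannot hide content behind rendering differences.
func Canonicalize(body string) []byte {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(l, " \t\r")
	}
	return []byte(strings.Join(lines, "\r\n"))
}

// Sign shows the canonical message through the trusted viewer (modelled by
// the display callback, which returns the user's decision) and signs exactly
// the bytes that were shown. Nothing is signed while the key is locked.
func (s *SigningApp) Sign(body string, display func(shown []byte) bool) ([]byte, error) {
	if !s.unlocked {
		return nil, errors.New("signing key is locked")
	}
	msg := Canonicalize(body)
	if !display(msg) {
		return nil, errors.New("user declined to sign what was shown")
	}
	return ed25519.Sign(s.priv, msg), nil
}

// Verify is the receiving side's trusted viewer: it checks the signature over
// the canonical bytes, so any change made by an untrusted component on
// either side is detected.
func Verify(pub ed25519.PublicKey, body string, sig []byte) bool {
	return ed25519.Verify(pub, Canonicalize(body), sig)
}

func main() {
	app, pub := NewSigningApp("correct horse")
	app.Unlock("correct horse")
	body := "Please transfer 100 EUR to account A.  \nThanks"
	sig, err := app.Sign(body, func(shown []byte) bool {
		fmt.Printf("trusted viewer shows:\n%q\n", shown)
		return true // the user confirms what is displayed
	})
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message verifies:", Verify(pub, body, sig))
	fmt.Println("tampered message verifies:", Verify(pub, strings.Replace(body, "100", "1000", 1), sig))
}
```

The two properties worth checking in a split like this are that the untrusted side can neither obtain a signature without the user seeing the exact bytes (the `display` step sits between canonicalization and signing) nor get anything signed while the key is locked, and that a later modification of the body by either side's untrusted client fails verification.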
Reuse OS Services?
■ Network and file system stacks are virtually essential subsystems
■ Generally well tested
■ Ready for production use
■ ... but not bug free:
■ Month of Kernel Bugs 2006 [1,2]:
■ 14 exploitable flaws in file systems: UFS, ISO 9660, Ext3, SquashFS, ...
■ WiFi drivers: remotely exploitable bugs
Trusted Wrappers
■ Complex protocol stacks should not be part of TCB
■ Reuse untrusted infrastructure through trusted wrapper:
■ Add security measures around existing APIs
■ Cryptography
■ Redundancy
■ Similar approaches: SSL, VPN
Example 2: VPN
■ SINA box used by the German "BSI":
■ VPN gateway
■ Implements IPSec & PKI
■ Intrusion detection & response
■ Used for secure access to government networks, e.g. in German embassies
Image source: http://www.secunet.com/de/das-unternehmen/presse/bilddatenbank/
SINA Box Overview
■ Hardware:
■ Different kinds of network interfaces:
■ Red: plaintext, no protection
■ Black: encrypted, MACs
■ Tamper / EM protected casing
■ Software:
■ Minimized and hardened Linux
■ Runs only from CD-ROM or Flash
Linux is Complex
■ Linux is complex!
■ SLOC for Linux 2.6.18:
■ Architecture specific: 817,880
■ x86 specific: 55,463
■ Drivers: 2,365,256
■ Common: 1,800,587
■ Typical config: ~2,000,000
■ Minimized & hardened: >500,000
Mikro-SINA
■ Research project Mikro-SINA:
■ Reduce TCB of VPN gateway
■ Enable high-level evaluation for high assurance scenarios
■ Ensure confidentiality and integrity of sensitive data within the VPN
■ Exploit microkernel architecture
IPSec in a Nutshell
■ Protocol suite for securing IP-based communication
■ Authentication Header (AH)
■ Integrity
■ Authentication
■ Encapsulating Security Payload (ESP)
■ Confidentiality (ESP can also provide integrity and authentication)
■ Tunnel mode / transport mode
[Figure: protocol layers: Data Link Layer, IPSec, IP, TCP / UDP, Application]
IPSec in L4Linux
■ IPSec is security critical component
■ ... but is integrated into Linux kernel
[Figure: L4Linux on the microkernel, with the IP stack and IPSec inside the L4Linux kernel]
IPSec "Viaduct"
■ IPSec code is isolated in "Viaduct"
■ IPSec packets sent/received through TUN/TAP device
[Figure: L4Linux (IP stack, eth0, tun0) and the separate IPSec "Viaduct" component side by side on the microkernel]
Fragmentation
■ Problem: Routers can fragment IPSec packets on the way
■ Let L4Linux reassemble them
[Figure: AH / ESP packets arrive at eth0 of L4Linux, which reassembles them and passes them to the "Viaduct" via tun0]
Confidentiality
■ Untrusted L4Linux must not see both plaintext and encrypted data
■ Dedicated L4Linux for black/red networks
[Figure: two L4Linux instances on the microkernel, one with eth0 on the black side (AH / ESP) and one with eth1 on the red side, each connected to the "Viaduct" through its own tun0]
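What the three preceding slides add up to is a small set of invariants the Viaduct has to enforce at its two TUN interfaces: packets from the red side leave only as ESP, packets from the black side are delivered only after they have been authenticated and decrypted, fragments are refused because reassembly is the black L4Linux's job, and no key material ever reaches either L4Linux. The program below is an added example, not the Mikro-SINA code: it models the Viaduct with an AES-GCM "ESP" whose header (SPI and sequence number) serves as nonce and associated data, and with a strict anti-replay check. The `Packet` type, the one-byte inner protocol encoding, the key and the SPI are this example's constructed assumptions; IKE key negotiation is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const ProtoESP = 50 // IP protocol number of ESP

// Packet is a simplified IP packet carrying only what the Viaduct inspects.
type Packet struct {
	Proto   int
	MF      bool // "more fragments" flag
	FragOff int  // fragment offset; non-zero for all but the first fragment
	Payload []byte
}

// Viaduct is the isolated IPSec component. It alone holds the key; the red
// and black L4Linux instances only hand it packets.
type Viaduct struct {
	aead    cipher.AEAD
	spi     uint32
	sendSeq uint64
	recvSeq uint64 // highest sequence number accepted so far (strict anti-replay)
}

// NewViaduct sets up AES-GCM for one security association (constructed key
// and SPI for this example; one SA, and thus one key, per direction).
func NewViaduct(key []byte, spi uint32) (*Viaduct, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Viaduct{aead: aead, spi: spi}, nil
}

// espHeader builds the 12-byte header (SPI || sequence number). It travels in
// clear, is the AES-GCM nonce (unique per sequence number) and is
// authenticated as associated data.
func espHeader(spi uint32, seq uint64) []byte {
	h := make([]byte, 12)
	binary.BigEndian.PutUint32(h[:4], spi)
	binary.BigEndian.PutUint64(h[4:], seq)
	return h
}

// RedToBlack encapsulates a plaintext packet from the red side into an ESP
// packet for the black side (tunnel mode: the inner packet is encrypted whole).
func (v *Viaduct) RedToBlack(inner Packet) Packet {
	v.sendSeq++
	h := espHeader(v.spi, v.sendSeq)
	plain := append([]byte{byte(inner.Proto)}, inner.Payload...)
	return Packet{Proto: ProtoESP, Payload: append(h, v.aead.Seal(nil, h, plain, h)...)}
}

// BlackToRed checks an ESP packet from the black side and returns the inner
// plaintext packet for the red side. Anything that is not a complete,
// authentic, fresh ESP packet is dropped.
func (v *Viaduct) BlackToRed(p Packet) (Packet, error) {
	if p.MF || p.FragOff != 0 {
		// Routers may fragment ESP packets; the black L4Linux reassembles them,
		// so a fragment reaching the Viaduct is either a bug or an attack.
		return Packet{}, errors.New("viaduct: fragment refused, reassemble in L4Linux")
	}
	if p.Proto != ProtoESP {
		return Packet{}, errors.New("viaduct: non-ESP packet from black side dropped")
	}
	if len(p.Payload) < 12+v.aead.Overhead() {
		return Packet{}, errors.New("viaduct: truncated ESP packet")
	}
	h := p.Payload[:12]
	if binary.BigEndian.Uint32(h[:4]) != v.spi {
		return Packet{}, errors.New("viaduct: unknown SPI")
	}
	seq := binary.BigEndian.Uint64(h[4:])
	if seq <= v.recvSeq {
		return Packet{}, errors.New("viaduct: replayed or reordered packet")
	}
	plain, err := v.aead.Open(nil, h, p.Payload[12:], h)
	if err != nil || len(plain) == 0 {
		return Packet{}, errors.New("viaduct: authentication failed")
	}
	v.recvSeq = seq // advance only after successful authentication
	return Packet{Proto: int(plain[0]), Payload: plain[1:]}, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 256-bit key
	sender, _ := NewViaduct(key, 0x1001)
	receiver, _ := NewViaduct(key, 0x1001)
	black := sender.RedToBlack(Packet{Proto: 6, Payload: []byte("GET / HTTP/1.0")})
	red, err := receiver.BlackToRed(black)
	fmt.Printf("red side gets: proto=%d %q err=%v\n", red.Proto, red.Payload, err)
	_, err = receiver.BlackToRed(black)
	fmt.Println("replay:", err)
}
```

The confidentiality argument of the slide is visible in the two function signatures: the red L4Linux only ever calls `RedToBlack` and only ever receives the result of `BlackToRed`, so neither L4Linux instance holds both forms of the same packet, and the 5,000 SLOC of this component are the only place where the key lives. Real ESP uses a sliding anti-replay window rather than the strict ordering used here, and the AEAD is negotiated by IKE.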
Mikro-SINA Results
■ Trusted wrapper for VPN
■ Small TCB:
■ 5,000 SLOC for "Viaduct"
■ Fine grain isolation
■ Principle of least privilege
■ Extensive reuse of legacy code (Drivers, IP stack, ...)
■ More details in [5]
Example 3: Storage
[Figure: the Nizza architecture as before, with SecureStorage among the trusted services next to Loader, GUI, Names, UserAuth and I/O Support, the Legacy OS with LegacyApp, and the SigningApp, E-CommerceApp and BankingApp]
How to provide secure and reliable storage for trusted applications?
Split File System
[Figure: the SigningApp uses SecureStorage on the microkernel; an Untrusted Storage Proxy runs inside the Legacy OS]
Protection Goals
■ Confidentiality: only authorized applications can access the file system; untrusted software cannot obtain any useful information
■ Integrity: all data and meta data is correct, complete, and up to date; otherwise report an integrity error
■ Recoverability: damaged data in the untrusted file system can be recovered from a trusted backup
Design Space
[Figure: storage stack, bottom to top: Disk Driver, Block Layer, Buffer Cache, File System, VFS, App; protection applied at the block layer]
■ First end of design space: protect whole file system at block layer:
■ Common solution (e.g., dm-crypt in Linux)
■ Easy protection for all data
■ A lot of code in TCB
■ Little flexibility
Design Space
■ Second end of design space: protect individual files near VFS / API layer:
■ Stacked file system (e.g., eCryptfs in Linux)
■ Flexible protection policies
■ Most parts of file system stack not part of TCB
■ Ideal for trusted wrapper
[Figure: same storage stack, with protection applied near the VFS / API layer]
VPFS Architecture
[Figure: untrusted side: Disk Driver, Block Layer, Buffer Cache, File System, VFS, FS Proxy; trusted side: Proxy Stub, Crypto Layer, Buffer Cache, Wrapper, Trusted App]
File Encryption
■ Files in untrusted legacy file system are arrays of encrypted blocks
■ VPFS server takes care of on-the-fly encryption / decryption
■ Only the buffer cache on the trusted side contains plaintext
File Integrity
[Figure: hash tree over file blocks 0 to 8]
■ Hash tree embedded in files
■ Parents authenticate child nodes
Meta Data Integrity
[Figure: directory tree (Dir / File nodes) whose hashes chain up to a Master Hash File kept in a "Small SecureStorage"]
Validity Checks
■ How to trust untrusted meta data?
■ "File exists" / "File does not exist":
■ Validated inside TCB using cryptographic proof and hash tree
■ Efficient solution possible
■ Directory listings:
■ Efficient solution requires functionality to be implemented in TCB
■ Details in [3]
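The integrity mechanism of the last three slides rests on one small piece of trusted state: the untrusted file system may hold the data blocks and every node of the hash tree, but the trusted side keeps the root (the master hash in SecureStorage) and recomputes the path from the block it reads up to that root before believing anything. The program below is an added example, not the VPFS implementation described in [3]: it embeds a binary SHA-256 hash tree next to a file's blocks in an untrusted store, keeps only the root inside the TCB, and reports an integrity error for a modified block as well as for a rollback to an older, internally consistent copy. The block encryption of slide 39 is left out so the example shows only the integrity part; `UntrustedStore`, `VPFS`, `Write`, `Read` and `Snapshot` are this example's own names and simplifications (one file, fixed number of blocks, no directory tree).

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UntrustedStore models the legacy file system reached through the proxy: it
// keeps the file's blocks and the hash tree nodes, and an attacker (or a bug)
// may change any of it.
type UntrustedStore struct {
	Blocks [][]byte
	Nodes  [][]byte // binary hash tree: Nodes[1] is the root, leaf i is Nodes[leaves+i]
}

// VPFS is the trusted side. Its only persistent state is the root hash,
// standing in for the master hash kept in SecureStorage.
type VPFS struct {
	store  *UntrustedStore
	leaves int    // number of leaves, a power of two
	root   []byte // kept inside the TCB
}

var ErrIntegrity = errors.New("vpfs: integrity error")

// Domain-separated hashes, so a leaf can never be confused with an inner node.
func leafHash(block []byte) []byte {
	h := sha256.Sum256(append([]byte{0}, block...))
	return h[:]
}

func nodeHash(left, right []byte) []byte {
	h := sha256.Sum256(append(append([]byte{1}, left...), right...))
	return h[:]
}

// NewVPFS creates an empty file with room for maxBlocks blocks, builds the
// initial tree in the untrusted store and keeps only the root on the trusted side.
func NewVPFS(maxBlocks int) *VPFS {
	leaves := 1
	for leaves < maxBlocks {
		leaves *= 2
	}
	st := &UntrustedStore{Blocks: make([][]byte, leaves), Nodes: make([][]byte, 2*leaves)}
	for i := 0; i < leaves; i++ {
		st.Nodes[leaves+i] = leafHash(nil)
	}
	for i := leaves - 1; i >= 1; i-- {
		st.Nodes[i] = nodeHash(st.Nodes[2*i], st.Nodes[2*i+1])
	}
	return &VPFS{store: st, leaves: leaves, root: st.Nodes[1]}
}

// Write replaces block i, updates the path to the root in the untrusted store
// and replaces the trusted root.
func (v *VPFS) Write(i int, data []byte) {
	v.store.Blocks[i] = append([]byte(nil), data...)
	idx := v.leaves + i
	v.store.Nodes[idx] = leafHash(data)
	for idx > 1 {
		idx /= 2
		v.store.Nodes[idx] = nodeHash(v.store.Nodes[2*idx], v.store.Nodes[2*idx+1])
	}
	v.root = v.store.Nodes[1]
}

// Read returns block i after recomputing its authentication path from the
// block's contents and the (untrusted) sibling hashes and comparing the result
// with the trusted root. Any mismatch is reported as an integrity error.
func (v *VPFS) Read(i int) ([]byte, error) {
	block := v.store.Blocks[i]
	h := leafHash(block)
	for idx := v.leaves + i; idx > 1; idx /= 2 {
		sibling := v.store.Nodes[idx^1]
		if idx%2 == 0 {
			h = nodeHash(h, sibling)
		} else {
			h = nodeHash(sibling, h)
		}
	}
	if !bytes.Equal(h, v.root) {
		return nil, ErrIntegrity
	}
	return block, nil
}

// Snapshot models the attacker keeping a copy of the untrusted file system in
// order to put it back later (a rollback).
func (s *UntrustedStore) Snapshot() *UntrustedStore {
	c := &UntrustedStore{Blocks: make([][]byte, len(s.Blocks)), Nodes: make([][]byte, len(s.Nodes))}
	copy(c.Blocks, s.Blocks)
	copy(c.Nodes, s.Nodes)
	return c
}

func main() {
	fs := NewVPFS(5)
	fs.Write(0, []byte("salary=1000"))
	old := fs.store.Snapshot()
	fs.Write(0, []byte("salary=2000"))
	fs.store.Blocks[0][7] = '9' // untrusted side flips a byte
	_, err := fs.Read(0)
	fmt.Println("modified block:", err)
	*fs.store = *old // rollback to the old but internally consistent copy
	_, err = fs.Read(0)
	fmt.Println("rolled-back store:", err)
}
```

Two details carry the security argument. The leaf hash is always recomputed from the block that was actually read, never taken from the store, so a modified block cannot be covered by an unmodified stored hash; and because the comparison is against a root held inside the TCB, an attacker who restores a complete older copy of blocks and tree (which verifies against its own root) is still caught. Reads of untouched blocks continue to verify after another block has been corrupted, which is what lets VPFS report the error precisely and recover only the damaged data from backup.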
VPFS Summary
■ Trusted wrapper shown to work for file systems
■ VPFS is a general-purpose file system
■ Significant reduction in code size:
■ VPFS adds 4,000 to 4,600 SLOC to application TCB
■ Standard Linux file system stack comprises >50,000 SLOC
User Interfaces
Sharing The Screen
■ Isolated applications run in different domains of trust, but separate screens are inconvenient
■ The Nitpicker solution [4]:
■ Let all windows share the same screen
■ ... but securely:
■ Make windows & applications identifiable
■ Prevent them from spying on each other: route input securely, no screenshots
Concepts
[Figure: Nitpicker's two abstractions: buffers (pixel data supplied by clients) and views (their visible regions on the shared screen)]
How It Works
[Figure: several views onto client buffers composed on one screen]
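The buffer/view split is what keeps the GUI server small: a client supplies pixels (its buffer), the server decides where they appear (views), draws the identifying label itself, and is the only party that ever holds the composed screen. The program below is an added example, not Nitpicker's code from [4]: it models a character-cell screen on which a trusted server composes views of two clients' buffers, stamps each view with a server-drawn label, routes a click to the topmost view under the pointer and key strokes to the focused client only, and has no call through which a client could read the screen. Everything here (`Client`, `View`, `Nitpicker`, ASCII "pixels", the label format) is this example's own simplification.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Client is an application in its own domain of trust. Its Buffer is the only
// pixel data it can provide, and Input is what the server delivers to it.
type Client struct {
	Name   string
	Buffer []string // rows of ASCII "pixels" (constructed example)
	Input  []rune
}

// View is a rectangle on the screen showing part of a client's buffer.
type View struct {
	Owner      *Client
	X, Y, W, H int // screen position and size
	BufX, BufY int // offset into the owner's buffer
}

// Nitpicker is the trusted GUI server. It composes views onto one screen,
// draws the identifying label itself and routes input to exactly one client.
type Nitpicker struct {
	W, H  int
	views []*View // back to front
	focus *Client
}

func (n *Nitpicker) AddView(v *View) { n.views = append(n.views, v) }

// pixel reads one cell of a client's buffer; out-of-range cells are blank.
func (n *Nitpicker) pixel(c *Client, bx, by int) rune {
	if by < 0 || by >= len(c.Buffer) || bx < 0 || bx >= len(c.Buffer[by]) {
		return ' '
	}
	return rune(c.Buffer[by][bx])
}

// Compose renders the screen. Each view's top-left corner is overwritten with
// a "[Name]" label written by the server, so a window cannot impersonate
// another client, and no view ever reads another client's buffer.
func (n *Nitpicker) Compose() []string {
	screen := make([][]rune, n.H)
	for y := range screen {
		screen[y] = []rune(strings.Repeat(".", n.W))
	}
	for _, v := range n.views {
		for y := 0; y < v.H; y++ {
			for x := 0; x < v.W; x++ {
				sx, sy := v.X+x, v.Y+y
				if sx < 0 || sx >= n.W || sy < 0 || sy >= n.H {
					continue
				}
				screen[sy][sx] = n.pixel(v.Owner, v.BufX+x, v.BufY+y)
			}
		}
		for i, r := range []rune("[" + v.Owner.Name + "]") {
			if i < v.W && v.X+i >= 0 && v.X+i < n.W && v.Y >= 0 && v.Y < n.H {
				screen[v.Y][v.X+i] = r
			}
		}
	}
	out := make([]string, n.H)
	for y, row := range screen {
		out[y] = string(row)
	}
	return out
}

// Click routes a pointer event to the owner of the topmost view under it and
// gives that client keyboard focus. Other clients learn nothing about it.
func (n *Nitpicker) Click(x, y int) *Client {
	for i := len(n.views) - 1; i >= 0; i-- {
		v := n.views[i]
		if x >= v.X && x < v.X+v.W && y >= v.Y && y < v.Y+v.H {
			n.focus = v.Owner
			return v.Owner
		}
	}
	n.focus = nil
	return nil
}

// Key delivers a key stroke to the focused client only.
func (n *Nitpicker) Key(k rune) *Client {
	if n.focus != nil {
		n.focus.Input = append(n.focus.Input, k)
	}
	return n.focus
}

// Screenshot is the call a client would need to spy on others; the server
// does not provide it. Clients only ever see their own buffer.
func (n *Nitpicker) Screenshot(requester *Client) ([]string, error) {
	return nil, errors.New("nitpicker: " + requester.Name + " may not read the screen")
}

func main() {
	bank := &Client{Name: "bank", Buffer: []string{"########", "########", "########"}}
	mal := &Client{Name: "mal", Buffer: []string{"[bank]  ", "pwned   "}} // tries to look like the bank window
	n := &Nitpicker{W: 12, H: 6}
	n.AddView(&View{Owner: bank, X: 0, Y: 0, W: 8, H: 3})
	n.AddView(&View{Owner: mal, X: 4, Y: 2, W: 8, H: 2})
	fmt.Println(strings.Join(n.Compose(), "\n"))
	fmt.Println("click at (5,2) goes to:", n.Click(5, 2).Name)
}
```

The spoofing attempt in `main` is the point of the server-drawn label: the "mal" client paints "[bank]" into its own buffer, but the server stamps "[mal]" over the top row of that view when composing, so what the user sees next to a window is decided by the TCB and not by the window's owner. Real Nitpicker draws such labels and frames in the same spirit and, like this model, never hands the composed frame buffer back to a client.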
Nitpicker In Action
Demo
Open Questions
■ A few things not discussed today:
■ Where does VPFS store its secrets?
■ How does VPFS detect corrupt data?
■ How can a remote server be trusted?
■ How can we trust in what we see on the screen?
■ Missing element: Root of Trust
■ Discussed next week
Coming up next ...
■ Later today:
■ Paper reading exercise
■ January 19, 2010
■ Lecture „Trusted Computing“
■ no exercise (but complex lab)
References
■ [1] http://www.heise.de/newsticker/Month-of-Kernel-Bugs-Ein-Zwischenstand--/meldung/81454
■ [2] http://projects.info-pull.com/mokb/
■ [3] Carsten Weinhold and Hermann Härtig, "VPFS: Building a Virtual Private File System with a Small Trusted Computing Base", Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008, Glasgow, Scotland, UK, 2008
■ [4] Norman Feske and Christian Helmuth, "A Nitpicker's guide to a minimal-complexity secure GUI", ACSAC '05: Proceedings of the 21st Annual Computer Security Applications Conference, Washington, DC, USA, 2005
■ [5] Christian Helmuth, Alexander Warg, Norman Feske, "Mikro-SINA - Hands-on Experiences with the Nizza Security Architecture", D.A.CH Security 2005, Darmstadt, Germany, 2005