Jonathan M. McCune
Adrian Perrig
Michael K. Reiter
Abstract
We explore the extent to which newly available CPU-based security technology can reduce the Trusted Computing Base (TCB) for security-sensitive applications. We find that although this new technology represents a step in the right direction, significant performance issues remain. We offer several suggestions that leverage existing processor technology, retain security, and improve performance. Implementing these recommendations will finally allow application developers to focus exclusively on the security of their own code, enabling it to execute in isolation from the numerous vulnerabilities in the underlying layers of legacy code.
Supplemental Material
Available for Download
Slides from the presentation
Supplemental material for How low can you go?: recommendations for hardware-supported minimal TCB code execution
- Advanced Micro Devices. AMD64 architecture programmer's manual: Volume 2: System programming. AMD Publication no. 24594 rev. 3.11, Dec. 2005.Google Scholar
- Advanced Micro Devices. AMD64 virtualization: Secure virtual machine architecture reference manual. AMD Publication no. 33047 rev. 3.01, May 2005.Google Scholar
- D.P. Anderson, J. Cobb, E. Korpela, M. Lebofsky, and D. Werthimer. SETI@Home: An experiment in public-resource computing. Communications of the ACM, 45(11):56--61, 2002. Google ScholarDigital Library
- W.A. Arbaugh, D.J. Farber, and J.M. Smith. A reliable bootstrap architecture. In Proceedings of the IEEE Symposium on Research in Security and Privacy, May 1997. Google ScholarDigital Library
- P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In Proceedings of the Symposium on Operating Systems Principles, 2003. Google ScholarDigital Library
- S. Chaki, E. Clarke, A. Groce, S. Jha, and H. Veith. Modular verification of software components in C. IEEE Transactions on Software Engineering, 30(6), 2004. Google ScholarDigital Library
- J.G. Dyer, M. Lindemann, R. Perez, R. Sailer, L. van Doorn, S.W. Smith, and S. Weingart. Building the IBM 4758 secure coprocessor. IEEE Computer, 34(10):57--66, 2001. Google ScholarDigital Library
- D. Grawrock. The Intel Safer Computing Initiative: Building Blocks for Trusted Computing. Intel Press, 2006.Google Scholar
- Intel Corporation. Intel low pin count (LPC) interface specification. Revision 1.1, Aug. 2002.Google Scholar
- Intel Corporation. LaGrande technology preliminary architecture specification. Intel Publication no. D52212, May 2006.Google Scholar
- Intel Corporation. Trusted eXecution Technology -- preliminary architecture specification and enabling considerations. Document number 31516803, Nov. 2006.Google Scholar
- P. Jones. RFC3174: US Secure Hash Algorithm 1 (SHA-1). http://www.faqs.org/rfcs/rfc3174.html, Sept. 2001.Google Scholar
- J. Kuskin, D. Ofelt, M. Heinrich, J. Heinlein, R. Simoni, K. Gharachorloo, J. Chapin, D. Nakahira, J. Baxter, M. Horowitz, A. Gupta, M. Rosenblum, and J. Hennessy. The Stanford FLASH multiprocessor. In Proceedings of the Symposium on Computer Architecture, Apr. 1994. Google ScholarDigital Library
- D. Lie, C.A. Thekkath, M. Mitchell, P. Lincoln, D. Boneh, J.C. Mitchell, and M. Horowitz. Architectural support for copy and tamper resistant software. In Architectural Support for Programming Languages and Operating Systems, 2000. Google ScholarDigital Library
- D. Magenheimer. Xen/IA64 code size stats. Xen developer's mailing list: http://lists.xensource.com/, Sept. 2005.Google Scholar
- J.M. McCune, B. Parno, A. Perrig, M.K. Reiter, and H. Isozaki. An execution infrastructure for TCB minimization. Technical Report CMU-CyLab-07-018, Carnegie Mellon University, Dec. 2007.Google Scholar
- J.M. McCune, B. Parno, A. Perrig, M.K. Reiter, and A. Seshadri. Minimal TCB code execution (extended abstract). In Proceedings of the IEEE Symposium on Security and Privacy, May 2007. Google ScholarDigital Library
- R. Sailer, E. Valdez, T. Jaeger, R. Perez, L. van Doorn, J.L. Griffin, and S. Berger. sHype: Secure hypervisor approach to trusted virtualized systems. Technical Report RC23511, IBM Research, Feb. 2005.Google Scholar
- R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn. Design and implementation of a TCG-based integrity measurement architecture. In Proceedings of the USENIX Security Symposium, 2004. Google ScholarDigital Library
- A. Seshadri, M. Luk, E. Shi, A. Perrig, L. VanDoorn, and P. Khosla. Pioneer: Verifying integrity and guaranteeing execution of code on legacy platforms. In Proceedings of the Symposium on Operating Systems Principals (SOSP), 2005. Google ScholarDigital Library
- T. Shanley. The Unabridged Pentium 4. Addison Wesley, first edition edition, August 2004.Google Scholar
- E. Shi, A. Perrig, and L. van Doorn. BIND: A time-of-use attestation service for secure distributed systems. In Proceedings of IEEE Symposium on Security and Privacy, May 2005. Google ScholarDigital Library
- G.E. Suh, D. Clarke, B. Gassend, M. van Dijk, and S. Devadas. AEGIS: Architecture for tamper-evident and tamper-resistant processing. In Proceedings of the International Conference on Supercomputing, 2003. Google ScholarDigital Library
- Trusted Computing Group. PC client specific TPM interface specification (TIS). Version 1.2, Revision 1.00, July 2005.Google Scholar
- Trusted Computing Group. Trusted platform module main specification. Version 1.2, Revision 94, Mar. 2006.Google Scholar
- B. S. Yee. Using Secure Coprocessors. PhD thesis, Carnegie Mellon University, 1994.Google Scholar
Index Terms
- How low can you go?: recommendations for hardware-supported minimal TCB code execution
Recommendations
Flicker: an execution infrastructure for tcb minimization
Eurosys '08: Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008We present Flicker, an infrastructure for executing security-sensitive code in complete isolation while trusting as few as 250 lines of additional code. Flicker can also provide meaningful, fine-grained attestation of the code executed (as well as its ...
SICE: a hardware-level strongly isolated computing environment for x86 multi-core platforms
CCS '11: Proceedings of the 18th ACM conference on Computer and communications securitySICE is a novel framework to provide hardware-level isolation and protection for sensitive workloads running on x86 platforms in compute clouds. Unlike existing isolation techniques, SICE does not rely on any software component in the host environment (...
How low can you go?: recommendations for hardware-supported minimal TCB code execution
ASPLOS '08We explore the extent to which newly available CPU-based security technology can reduce the Trusted Computing Base (TCB) for security-sensitive applications. We find that although this new technology represents a step in the right direction, significant ...
Comments