ABSTRACT
It is currently impossible for an application to verify that the data it passes to the kernel for storage is actually submitted to an underlying device, or that the data returned to an application by the kernel actually originated from an underlying device. A compromised or malicious OS can silently discard data written by the application or return fabricated data during a read operation. This is a serious data integrity issue for use cases where verifiable storage and retrieval of data is a necessary precondition for correct operation, for example secure logging, APT monitoring and compliance.
We outline a solution for verifiable data storage and retrieval by providing a trustworthy mechanism, based on Intel SGX, to authenticate and verify request data at both the application and storage device endpoints. Even in the presence of a malicious OS, our design ensures the authenticity and integrity of data during disk I/O and detects any data loss attributable to the untrusted OS discarding write requests or fabricating read responses. We provide a nascent prototype implementation of the core system together with an evaluation highlighting the temporal overheads imposed by this mechanism.
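The two-endpoint check the abstract describes, as an added illustration that is not the paper's implementation: a trusted application-side component and a trusted storage-side component share a MAC key (hypothetically provisioned between SGX enclaves, not shown), and every request and response is bound to a fresh nonce, so a write the OS silently discards produces no valid receipt and a fabricated or replayed read fails verification. The `relay` callable and all block contents are constructed for the demonstration.

```python
import hashlib
import hmac
import os

KEY = os.urandom(32)  # constructed shared secret; key provisioning is out of scope

def _blk(block):
    return block.to_bytes(8, "big")

def _mac(*parts):
    # Length-prefix every field so field boundaries cannot be shifted by an attacker.
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(KEY, msg, hashlib.sha256).digest()

class StorageEndpoint:
    """Trusted storage side: admits only authenticated writes, receipts them, tags reads."""
    def __init__(self):
        self.blocks = {}

    def write(self, block, data, nonce, tag):
        if not hmac.compare_digest(tag, _mac(b"W", _blk(block), nonce, data)):
            return None  # altered or forged request: no receipt is issued
        self.blocks[block] = data
        return _mac(b"A", _blk(block), nonce, hashlib.sha256(data).digest())

    def read(self, block, nonce):
        data = self.blocks.get(block, b"")
        return data, _mac(b"R", _blk(block), nonce, data)

class AppEndpoint:
    """Trusted application side; relay(op, *args) models the untrusted OS path."""
    def __init__(self, relay):
        self.relay = relay  # may drop, replay or fabricate whatever it carries

    def verified_write(self, block, data):
        nonce = os.urandom(16)
        tag = _mac(b"W", _blk(block), nonce, data)
        receipt = self.relay("write", block, data, nonce, tag)
        expected = _mac(b"A", _blk(block), nonce, hashlib.sha256(data).digest())
        # A discarded write produces no valid receipt, so the loss is detected.
        return isinstance(receipt, bytes) and hmac.compare_digest(receipt, expected)

    def verified_read(self, block):
        nonce = os.urandom(16)
        data, tag = self.relay("read", block, nonce)
        # Fabricated or replayed data cannot carry a tag bound to this fresh nonce.
        if isinstance(tag, bytes) and hmac.compare_digest(tag, _mac(b"R", _blk(block), nonce, data)):
            return data
        return None
```

The receipt and read tags only detect loss or fabrication; they do not by themselves give confidentiality or prevent the OS from denying service.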
Index Terms
- Non-repudiable disk I/O in untrusted kernels