From the Preface
As society rushes to digitize sensitive information and services, it is imperative that we adopt adequate security protections. However, such protections fundamentally conflict with the benefits we expect from commodity computers. In other words, consumers and businesses value commodity computers because they provide good performance and an abundance of features at relatively low costs. Meanwhile, attempts to build secure systems from the ground up typically abandon such goals, and hence are seldom adopted [Karger et al. 1991, Gold et al. 1984, Ames 1981].
In this book, a revised version of my doctoral dissertation, originally written while studying at Carnegie Mellon University, I argue that we can resolve the tension between security and features by leveraging the trust a user has in one device to enable her to securely use another commodity device or service, without sacrificing the performance and features expected of commodity systems. We support this premise over the course of the following chapters.
Introduction. This chapter introduces the notion of bootstrapping trust from one device or service to another and gives an overview of how the subsequent chapters fit together.
Background and related work. This chapter focuses on existing techniques for bootstrapping trust in commodity computers, specifically by conveying information about a computer's current execution environment to an interested party. This would, for example, enable a user to verify that her computer is free of malware, or that a remote web server will handle her data responsibly.
Bootstrapping trust in a commodity computer. At a high level, this chapter develops techniques to allow a user to employ a small, trusted, portable device to securely learn what code is executing on her local computer. While the problem is simply stated, finding a solution that is both secure and usable with existing hardware proves quite difficult.
On-demand secure code execution. Rather than entrusting a user's data to the mountain of buggy code likely running on her computer, in this chapter, we construct an on-demand secure execution environment which can perform security-sensitive tasks and handle private data in complete isolation from all other software (and most hardware) on the system. Meanwhile, non-security-sensitive software retains the same abundance of features and performance it enjoys today.
Using trustworthy host data in the network. Having established an environment for secure code execution on an individual computer, this chapter shows how to extend trust in this environment to network elements in a secure and efficient manner. This allows us to reexamine the design of network protocols and defenses, since we can now execute code on end hosts and trust the results within the network.
Secure code execution on untrusted hardware. Lastly, this chapter extends the user's trust one more step to encompass computations performed on a remote host (e.g., in the cloud). We design, analyze, and prove secure a protocol that allows a user to outsource arbitrary computations to commodity computers run by an untrusted remote party (or parties) who may subject the computers to both software and hardware attacks. Our protocol guarantees that the user can both verify that the results returned are indeed the correct results of the specified computations on the inputs provided, and protect the secrecy of both the inputs and outputs of the computations. These guarantees are provided in a non-interactive, asymptotically optimal (with respect to CPU and bandwidth) manner.
Thus, extending a user's trust, via software, hardware, and cryptographic techniques, allows us to provide strong security protections for both local and remote computations on sensitive data, while still preserving the performance and features of commodity computers.
References
- M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity. In Proc. 12th ACM Conf. on Computer and Communication Security, pages 340–353, 2005.
- B. Acohido and J. Swartz. Unprotected PCs can be hijacked in minutes. USA Today, Nov. 2004.
- Advanced Micro Devices. AMD64 architecture programmer's manual. AMD Publication no. 24593 rev. 3.14, 2007.
- W. Aiello, S. N. Bhatt, R. Ostrovsky, and S. Rajagopalan. Fast verification of any remote procedure call: Short witness-indistinguishable one-round proofs for NP. In Proc. 27th Int. Colloquium on Automata, Languages, and Programming, pages 463–474, 2000.
- A. Alkassar, C. Stüble, and A.-R. Sadeghi. Secure object identification or: Solving the chess grandmaster problem. In Proc. New Security Paradigm Workshop, pages 77–85, 2003.
- S. R. Ames, Jr. Security kernels: A solution or a problem? In Proc. 1981 IEEE Symp. on Security and Privacy, pages 141–150, 1981.
- D. P. Anderson. BOINC: A system for public-resource computing and storage. In Proc. 5th IEEE/ACM Workshop on Grid Computing, pages 4–10, 2004.
- D. P. Anderson, J. Cobb, E. Korpela, M. Lebofsky, and D. Werthimer. SETI@Home: An experiment in public-resource computing. Commun. ACM, 45(11):56–61, 2002.
- R. Anderson. Cryptography and competition policy - issues with “Trusted Computing”. In Proc. 22nd Annual Symp. on Principles of Distributed Computing, pages 3–10, 2003.
- R. Anderson and M. Kuhn. Tamper resistance—a cautionary note. In Proc. USENIX Workshop on Electronic Commerce, pages 1–11, 1995.
- W. A. Arbaugh, D. J. Farber, and J. M. Smith. A secure and reliable bootstrap architecture. In Proc. 1997 IEEE Symp. on Security and Privacy, pages 65–71, 1997.
- ARM. ARM security technology. PRD29-GENC-009492C, 2009.
- T. Arnold and L. van Doorn. The IBM PCIXCC: A new cryptographic coprocessor for the IBM eServer. IBM J. Res. Dev., 48(3):475–487, 2004.
- J. Azema and G. Fayad. M-Shield mobile security technology: making wireless secure. Texas Instruments Whitepaper, 2008. Available at: http://focus.ti.com/pdfs/wtbu/ti_mshield_whitepaper.pdf; last retrieved May 2014.
- L. Babai. Trading group theory for randomness. In Proc. 17th Annual ACM Symp. on Theory of Computing, pages 421–429, 1985.
- K.-H. Baek and S. Smith. Preventing theft of quality of service on open platforms. In Proc. Workshop of the 1st Int. Conf. on Security and Privacy for Emerging Areas in Communication Networks, pages 246–257, 2005.
- B. Balacheff, L. Chen, S. Pearson, D. Plaquin, and G. Proudler. Trusted Computing Platforms—TCPA Technology in Context. Prentice Hall, 2003.
- D. Balfanz. Access Control for Ad-hoc Collaboration. PhD thesis, Princeton University, 2001.
- D. Balfanz, D. Smetters, P. Stewart, and H. C. Wong. Talking to strangers: Authentication in ad-hoc wireless networks. In Proc. Network and Distributed Systems Security Symp., 2002.
- B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, and K. Yang. On the (im)possibility of obfuscating programs. In Advances in Cryptology – Proc. 21st Annual Int. Cryptology Conf., pages 1–18, 2001.
- B. Barak, I. Haitner, D. Hofheinz, and Y. Ishai. Bounded key-dependent message security. In Proc. 29th Annual Int. Conf. Theory and Applications of Cryptographic Techniques, pages 423–444, 2010.
- P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, E. Kotsovinos, A. Madhavapeddy, R. Neugebauer, I. Pratt, and A. Warfield. Xen 2002. Technical Report UCAM-CL-TR-553, University of Cambridge, 2003.
- P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In Proc. 19th ACM Symp. on Operating System Principles, pages 164–177, 2003.
- M. Belenkiy, M. Chase, C. C. Erway, J. Jannotti, A. Küpçü, and A. Lysyanskaya. Incentivizing outsourced computation. In Proc. 3rd Int. Workshop on Economics of Networked Systems, pages 85–90, 2008.
- S. Berger, R. Cáceres, K. A. Goldman, R. Perez, R. Sailer, and L. van Doorn. vTPM: Virtualizing the trusted platform module. In Proc. 15th USENIX Security Symp., article 21, 2006.
- D. J. Bernstein. Cache-timing attacks on AES. Available at: http://cr.yp.to/antiforgery/cachetiming-20050414.pdf, Apr. 2005; last retrieved May 2014.
- T. Beth and Y. Desmedt. Identification tokens—or: Solving the chess grandmaster problem. In Advances in Cryptology – Proc. 10th Annual Int. Cryptology Conf., pages 169–177, 1991.
- B. Bloom. Space/time trade-offs in hash coding with allowable errors. Commun. ACM, 13(7):422–426, 1970.
- K. Borders and A. Prakash. Web tap: Detecting covert web traffic. In Proc. 11th ACM Conf. on Computer and Communication Security, pages 110–120, 2004.
- S. Brands and D. Chaum. Distance-bounding protocols. In Proc. Int. Workshop Theory and Application of Cryptographic Techniques, pages 344–359, 1993.
- E. Brickell, J. Camenisch, and L. Chen. Direct anonymous attestation. In Proc. 11th ACM Conf. on Computer and Communication Security, pages 132–145, 2004.
- A. Brodsky and D. Brodsky. A distributed content-independent method for spam detection. In Proc. 1st Workshop on Hot Topics in Understanding Botnets, article 3, 2007.
- D. Brumley and D. Song. Privtrans: Automatically partitioning programs for privilege separation. In Proc. 13th USENIX Security Symp., article 5, 2004.
- D. Bruschi, L. Cavallaro, A. Lanzi, and M. Monga. Replay attack in TCG specification and solution. In Proc. 21st Annual Computer Security Applications Conf., pages 127–137, 2005. DOI: 10.1109/CSAC.2005.47.
- C. Castelluccia, A. Francillon, D. Perito, and C. Soriente. On the difficulty of software based attestation of embedded devices. In Proc. 16th ACM Conf. on Computer and Communication Security, pages 400–409, 2009.
- D. Challener, J. Hoff, R. Catherman, D. Safford, and L. van Doorn. Practical Guide to Trusted Computing. Prentice Hall, 2007.
- D. Chaum and T. Pedersen. Wallet databases with observers. In Advances in Cryptology – Proc. 12th Annual Int. Cryptology Conf., pages 89–105, 1992. DOI: 10.1007/3-540-48071-4_7.
- B. Chen and R. Morris. Certifying program execution with secure processors. In Proc. 9th Workshop on Hot Topics in Operating Systems, pages 23–23, 2003.
- L. Chen and M. D. Ryan. Offline dictionary attack on TCG TPM weak authorisation data, and solution. In Proc. 1st Int. Conf. on Future of Trust in Computing, pages 193–196, 2008. DOI: 10.1007/978-3-8348-9324-6_20.
- S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer. Non-control-data attacks are realistic threats. In Proc. 14th USENIX Security Symp., article 14, 2005.
- X. Chen, T. Garfinkel, E. C. Lewis, P. Subrahmanyam, C. A. Waldspurger, D. Boneh, J. Dwoskin, and D. R. K. Ports. Overshadow: A virtualization-based approach to retrofitting protection in commodity operating systems. In Proc. 13th Int. Conf. on Architectural Support for Programming Languages and Operating Systems, pages 2–13, 2008.
- Y. Chen, P. England, M. Peinado, and B. Willman. High assurance computing on open hardware architectures. Technical Report MSR-TR-2003-20, Microsoft Research, 2003.
- B.-G. Chun, P. Maniatis, S. Shenker, and J. Kubiatowicz. Attested append-only memory: Making adversaries stick to their word. In Proc. 21st ACM Symp. on Operating System Principles, pages 189–204, 2007.
- D. D. Clark and D. R. Wilson. A comparison of commercial and military security policies. In Proc. 1987 IEEE Symp. on Security and Privacy, 1987.
- A. Datta, J. Franklin, D. Garg, and D. Kaynar. A logic of secure systems and its application to trusted computing. In Proc. 2009 IEEE Symp. on Security and Privacy, pages 184–195, 2009.
- C. Dixon, T. Anderson, and A. Krishnamurthy. Phalanx: Withstanding multimillion-node botnets. In Proc. 5th USENIX Symp. on Networked Systems Design & Implementation, pages 45–58, 2008.
- C. Dixon, A. Krishnamurthy, and T. Anderson. An end to the middle. In Proc. 12th Workshop on Hot Topics in Operating Systems, article 2, 2009.
- C. Dwork, K. Nissim, M. Naor, M. Langberg, and O. Reingold. Succinct proofs for NP and spooky interactions. Available at: http://www.cs.bgu.ac.il/~kobbi/papers/spooky_sub_crypto.pdf, 2004; last retrieved May 2014.
- J. Dyer, M. Lindemann, R. Perez, R. Sailer, L. van Doorn, S. W. Smith, and S. Weingart. Building the IBM 4758 secure coprocessor. Computer, 34(10):57–66, 2001. DOI: 10.1109/2.955100.
- A. Einstein. On the electrodynamics of moving bodies. Annalen der Physik, 17:891–921, 1905.
- J.-E. Ekberg and M. Kylänpää. Mobile trusted module (MTM) – an introduction. Technical Report NRC-TR-2007-015, Nokia Research Center, 2007.
- P. England, B. Lampson, J. Manferdelli, M. Peinado, and B. Willman. A trusted open platform. Computer, 36(7):55–62, July 2003. DOI: 10.1109/MC.2003.1212691.
- U. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. C. Necula. XFI: Software guards for system address spaces. In Proc. 7th USENIX Symp. on Operating System Design and Implementation, pages 75–88, 2006.
- C. Estan and G. Varghese. New directions in traffic measurement and accounting: Focusing on the elephants, ignoring the mice. ACM Trans. Comp. Syst., 21(3):270–313, 2003.
- W.-C. Feng and T. Schluessler. The case for network witnesses. In Proc. 4th IEEE Workshop on Secure Network Protocols, pages 9–14, 2008. DOI: 10.1109/NPSEC.2008.4664874.
- J. Franklin, M. Luk, A. Seshadri, and A. Perrig. PRISM: Enabling personal verification of code integrity, untampered execution, and trusted I/O or human-verifiable code execution. Technical Report CMU-CyLab-07-010, Carnegie Mellon University, 2007.
- J. Franklin, V. Paxson, A. Perrig, and S. Savage. An inquiry into the nature and causes of the wealth of internet miscreants. In Proc. 14th ACM Conf. on Computer and Communication Security, pages 375–388, 2007.
- T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh. Terra: A virtual machine based platform for trusted computing. In Proc. 19th ACM Symp. on Operating System Principles, pages 193–206, 2003.
- T. Garfinkel, M. Rosenblum, and D. Boneh. Flexible OS support and applications for Trusted Computing. In Proc. 9th Workshop on Hot Topics in Operating Systems, article 25, 2003.
- S. Garriss, R. Cáceres, S. Berger, R. Sailer, L. van Doorn, and X. Zhang. Trustworthy and personalized computing on public kiosks. In Proc. 6th Int. Conf. Mobile Systems, Applications and Services, pages 199–210, 2008.
- M. Gasser, A. Goldstein, C. Kaufman, and B. Lampson. The digital distributed system security architecture. In Proc. 12th National Computer Security Conf., 1989.
- R. Gennaro, C. Gentry, and B. Parno. Non-interactive verifiable computation: Outsourcing computation to untrusted workers. In Advances in Cryptology – Proc. 30th Annual Int. Cryptology Conf., pages 465–482, 2010.
- C. Gentry. Fully homomorphic encryption using ideal lattices. In Proc. 41st Annual ACM Symp. on Theory of Computing, pages 169–178, 2009.
- C. Gentry. A fully homomorphic encryption scheme. PhD thesis, Stanford University, 2009.
- J. T. Giffin, M. Christodorescu, and L. Kruger. Strengthening software self-checksumming via self-modifying code. In Proc. 21st Annual Computer Security Applications Conf., pages 23–32, 2005. DOI: 10.1109/CSAC.2005.53.
- H. Gobioff, S. Smith, J. Tygar, and B. Yee. Smart cards in hostile environments. In Proc. 2nd USENIX Workshop on Electronic Commerce, 1995.
- B. D. Gold, R. R. Linde, and P. F. Cudney. KVM/370 in retrospect. In Proc. 1984 IEEE Symp. on Security and Privacy, pages 13–23, 1984.
- K. Goldman, R. Perez, and R. Sailer. Linking remote attestation to secure tunnel endpoints. In Proc. 1st ACM Workshop on Scalable Trusted Computing, pages 21–24, 2006.
- S. Goldwasser, Y. T. Kalai, and G. N. Rothblum. Delegating computation: interactive proofs for muggles. In Proc. 40th Annual ACM Symp. on Theory of Computing, pages 113–122, 2008.
- S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof systems. SIAM J. on Comput., 18(1):186–208, 1989. DOI: 10.1137/0218012.
- P. Golle and I. Mironov. Uncheatable distributed computations. In Proc. The Cryptographers' Track at the RSA Conference 2001, pages 425–440, 2001.
- M. T. Goodrich, M. Sirivianos, J. Solis, G. Tsudik, and E. Uzun. Loud and clear: Human-verifiable authentication based on audio. In Proc. 26th Int. Conf. on Distributed Computing Systems, article 10, 2006. DOI: 10.1109/ICDCS.2006.
- D. Grawrock. The Intel Safer Computing Initiative: Building Blocks for Trusted Computing. Intel Press, 2006.
- D. Grawrock. Dynamics of a Trusted Platform. Intel Press, 2008.
- GSM Association. GSM mobile phone technology adds another billion connections in just 30 months. GSM World Press Release, 2006. Available at: http://news.softpedia.com/news/GSM-Mobile-Phone-Technology-Adds-Another-Billion-Connections-In-Just-30-Months-28182.shtml; last retrieved May 2014.
- S. Gueron and M. E. Kounavis. New processor instructions for accelerating encryption and authentication algorithms. Intel Technology J., 13(2):52–65, 2009.
- R. Gummadi, H. Balakrishnan, P. Maniatis, and S. Ratnasamy. Not-a-bot: Improving service availability in the face of botnet attacks. In Proc. 6th USENIX Symp. on Networked Systems Design & Implementation, pages 307–320, 2009.
- S. Gürgens, C. Rudolph, D. Scheuermann, M. Atts, and R. Plaga. Security evaluation of scenarios based on the TCG's TPM specification. In Proc. 12th European Symp. on Research in Computer Security, pages 438–453, 2007. DOI: 10.1007/978-3-540-74835-9_29.
- V. Haldar, D. Chandra, and M. Franz. Semantic remote attestation: a virtual machine directed approach to trusted computing. In Proc. 3rd Conf. on Virtual Machine Research and Technology Symp., Volume 3, article 3, 2004.
- J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten. Lest we remember: Cold boot attacks on encryption keys. Commun. ACM, 52(5):91–98, 2009.
- S. Halevi and H. Krawczyk. Public-key cryptography and password protocols. ACM Trans. Inf. & Syst. Security, 2(3), 1999.
- S. Hao, N. A. Syed, N. Feamster, A. G. Gray, and S. Krasser. Detecting spammers with SNARE: Spatio-temporal network-level automatic reputation engine. In Proc. 18th USENIX Security Symp., pages 101–118, 2009.
- T. Hardjono and G. Kazmierczak. Overview of the TPM key management standard. Available at: https://www.trustedcomputinggroup.org/files/resource_files/ABEDDF95-1D09-3519-AD65431FC12992B4/Kazmierczak20Greg20-20TPM_Key_Management_KMS2008_v003.pdf, 2008; last retrieved May 2014.
- Hewlett-Packard, Intel, Microsoft, Phoenix, and Toshiba. Advanced configuration and power interface specification. Revision 3.0b, Oct. 2006.
- S. Hohenberger and A. Lysyanskaya. How to securely outsource cryptographic computations. In Proc. 2nd Int. Conf. on Theory of Cryptography, pages 264–282, 2005. DOI: 10.1007/978-3-540-30576-7_15.
- T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling. Measurements and mitigation of peer-to-peer-based botnets: A case study on storm worm. In Proc. 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats, article 9, 2008.
- J. Howell, J. R. Douceur, J. Elson, and J. R. Lorch. Leveraging legacy code to deploy desktop applications on the web. In Proc. 8th USENIX Symp. on Operating System Design and Implementation, pages 339–354, 2008.
- IBM. CCA basic services reference and guide for the IBM 4758 PCI and IBM 4764 PCIX cryptographic coprocessors. 19th Ed., 2008. Available at: http://www-03.ibm.com/security/cryptocards/pdfs/bs330.pdf; last retrieved May 2014.
- Intel Corporation. Intel low pin count (LPC) interface specification. Revision 1.1, 2002. Available at: http://www.intel.com/design/chipsets/industry/25128901.pdf; last retrieved May 2014.
- Intel Corporation. Intel trusted execution technology measured launched environment developer's guide. Document number 315168-011, 2014. Available at: http://www.intel.com/content/dam/www/public/us/en/documents/guides/inteltxt-software-development-guide.pdf; last retrieved May 2014.
- N. Itoi. Secure coprocessor integration with Kerberos V5. In Proc. 9th USENIX Security Symp., article 9, 2000.
- N. Itoi, W. A. Arbaugh, S. J. Pollack, and D. M. Reeves. Personal secure booting. In Proc. Australasian Conf. on Information Security and Privacy, pages 130–144, 2000.
- T. Jaeger, R. Sailer, and U. Shankar. PRIMA: policy-reduced integrity measurement architecture. In Proc. 11th ACM Symp. on Access Control Models and Technologies, pages 19–28, 2006.
- S. Jiang. WebALPS implementation and performance analysis. Master's thesis, Dartmouth College, 2001.
- S. Jiang, S. Smith, and K. Minami. Securing web servers against insider attack. In Proc. 17th Annual Computer Security Applications Conf., pages 265–276, 2001.
- R. Johnson and D. Wagner. Finding user/kernel pointer bugs with type inference. In Proc. 13th USENIX Security Symp., article 9, 2004.
- Y. T. Kalai and R. Raz. Probabilistically checkable arguments. In Advances in Cryptology – Proc. 29th Annual Int. Cryptology Conf., pages 143–159, 2009. DOI: 10.1007/978-3-642-03356-8_9.
- B. Kaliski and J. Staddon. PKCS #1: RSA cryptography specifications. RFC 2437, 1998. Available at: http://www.ietf.org/rfc/rfc2437.txt; last retrieved May 2014.
- P. A. Karger, M. E. Zurko, D. W. Bonin, A. H. Mason, and C. E. Kahn. A retrospective on the VAX VMM security kernel. IEEE Trans. Softw. Eng., 17(11):1147–1165, Nov. 1991.
- B. Kauer. OSLO: Improving the security of trusted computing. In Proc. 16th USENIX Security Symp., article 16, 2007.
- R. Kennell and L. Jamieson. Establishing the genuinity of remote computer systems. In Proc. 12th USENIX Security Symp., article 21, 2003.
- A. D. Keromytis, V. Misra, and D. Rubenstein. SOS: Secure overlay services. In Proc. 2002 SIGCOMM Conf. on Applications, Technologies, Architectures, and Protocols for Computer Communication, pages 61–72, 2002.
- A. Khorsi. An overview of content-based spam filtering techniques. Informatica, 31:269–277, 2007.
- C. Kil, E. C. Sezer, A. Azab, P. Ning, and X. Zhang. Remote attestation to dynamic system properties: Towards providing complete system integrity evidence. In Proc. Int. Conf. on Dependable Systems and Networks, pages 115–124, 2009. DOI: 10.1109/DSN.2009.5270348.
- J. Kilian. A note on efficient zero-knowledge proofs and arguments (extended abstract). In Proc. 24th Annual ACM Symp. on Theory of Computing, pages 723–732, 1992.
- J. Kilian. Improved efficient arguments (preliminary version). In Advances in Cryptology – Proc. 15th Annual Int. Cryptology Conf., pages 311–324, 1995.
- D. Kilpatrick. Privman: A library for partitioning applications. In Proc. USENIX 2003 Annual Technical Conf., pages 273–284, 2003.
- G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, M. Norrish, R. Kolanski, T. Sewell, H. Tuch, and S. Winwood. seL4: Formal verification of an OS kernel. In Proc. 22nd ACM Symp. on Operating System Principles, pages 207–220, 2009.
- E. Kohler. The Click modular router. PhD thesis, Massachusetts Institute of Technology, 2000.
- C. Kreibich, C. Kanich, K. Levchenko, B. Enright, G. M. Voelker, V. Paxson, and S. Savage. On the spam campaign trail. In Proc. 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats, article 1, 2008.
- E. T. Krovetz. UMAC: Message authentication code using universal hashing. RFC 4418, 2006. Available at: http://www.ietf.org/rfc/rfc4418.txt; last retrieved May 2014.
- J. Kuskin, D. Ofelt, M. Heinrich, J. Heinlein, R. Simoni, K. Gharachorloo, J. Chapin, D. Nakahira, J. Baxter, M. Horowitz, A. Gupta, M. Rosenblum, and J. Hennessy. The Stanford FLASH multiprocessor. In Proc. 21st Annual Symp. on Computer Architecture, pages 302–313, 1994.
- P. Lang. Flash the Intel BIOS with confidence. Intel Developer UPDATE Magazine, Mar. 2002.
- J. LeClaire. Apple ships iPods with Windows virus. Mac NewsWorld, 2006.
- R. B. Lee, P. Kwan, J. P. McGregor, J. Dwoskin, and Z. Wang. Architecture for protecting critical secrets in microprocessors. In Proc. 32nd Int. Symp. on Computer Architecture, pages 2–13, 2005. DOI: 10.1109/ISCA.2005.14.
- A. Leung, L. Chen, and C. J. Mitchell. On a possible privacy flaw in direct anonymous attestation (DAA). In Proc. 1st Int. Conf. on Trusted Computing and Trust in Information Technologies, pages 179–190, 2008. DOI: 10.1007/978-3-540-68979-9_14.
- D. Levin, J. R. Douceur, J. R. Lorch, and T. Moscibroda. TrInc: Small trusted hardware for large distributed systems. In Proc. 6th USENIX Symp. on Networked Systems Design & Implementation, pages 1–14, 2009.
- D. Lie, C. A. Thekkath, M. Mitchell, P. Lincoln, D. Boneh, J. C. Mitchell, and M. Horowitz. Architectural support for copy and tamper resistant software. In Proc. 9th Int. Conf. on Architectural Support for Programming Languages and Operating Systems, pages 168–177, 2000.
- Y. Lindell and B. Pinkas. A proof of Yao's protocol for secure two-party computation. J. Cryptology, 22(2):161–188, 2009. DOI: 10.1007/s00145-008-9036-8.
- S. Lohr and J. Markoff. Windows is so slow, but why? The New York Times, 27 March 2006. Available at: http://www.nytimes.com/2006/03/27/technology/27soft.html?pagewanted=all; last retrieved May 2014.
- D. Magenheimer. Xen/IA64 code size stats. Xen developer's mailing list: http://lists.xensource.com/, 2005.
- J. Marchesini, S. W. Smith, O. Wild, J. Stabiner, and A. Barsamian. Open-source applications of TCPA hardware. In Proc. 20th Annual Computer Security Applications Conf., pages 294–303, 2004. DOI: 10.1109/CSAC.2004.25.
- R. Mayrhofer and H. Gellersen. Shake well before use: Intuitive and secure pairing of mobile devices. IEEE Trans. Mobile Comput., 8(6):792–806, 2009. DOI: 10.1109/TMC.2009.51.
- J. M. McCune. Reducing the Trusted Computing Base for Applications on Commodity Systems. PhD thesis, Carnegie Mellon University, 2009.
- J. M. McCune, Y. Li, N. Qu, Z. Zhou, A. Datta, V. Gligor, and A. Perrig. TrustVisor: Efficient TCB reduction and attestation. In Proc. 2010 IEEE Symp. on Security and Privacy, pages 143–158, 2010. DOI: 10.1109/SP.2010.17.
- J. M. McCune, B. Parno, A. Perrig, M. K. Reiter, and H. Isozaki. Flicker: An execution infrastructure for TCB minimization. In Proc. 3rd ACM SIGOPS/EuroSys European Conf. on Comp. Syst., pages 315–328, 2008a.
- J. M. McCune, B. Parno, A. Perrig, M. K. Reiter, and A. Seshadri. Minimal TCB code execution (extended abstract). In Proc. 2007 IEEE Symp. on Security and Privacy, pages 267–272, 2007. DOI: 10.1109/SP.2007.27.
- J. M. McCune, B. Parno, A. Perrig, M. K. Reiter, and A. Seshadri. How low can you go? Recommendations for hardware-supported minimal TCB code execution. In Proc. 13th Int. Conf. on Architectural Support for Programming Languages and Operating Systems, pages 14–25, 2008b.
- J. M. McCune, A. Perrig, and M. K. Reiter. Seeing-is-believing: Using camera phones for human-verifiable authentication. In Proc. 2005 IEEE Symp. on Security and Privacy, pages 110–124, 2005. DOI: 10.1109/SP.2005.19.
- J. M. McCune, A. Perrig, and M. K. Reiter. Safe passage for passwords and other sensitive data. In Proc. Network and Distributed Systems Security Symp., 2009.
- J. M. McCune, A. Perrig, A. Seshadri, and L. van Doorn. Turtles all the way down: Research challenges in user-based attestation. In Proc. 2nd USENIX Workshop on Hot Topics in Security, 2007.
- R. C. Merkle. A certified digital signature. In Advances in Cryptology – Proc. 9th Annual Int. Cryptology Conf., pages 218–238, 1989. DOI: 10.1007/0-387-34805-0_21.
- E. Messmer. Downadup/conflicker worm: When will the next shoe fall? Network World, 23 January 2009. Available at: http://www.networkworld.com/news/2009/012309-downadup-conflicker-worm.html; last retrieved May 2014.
- S. Micali. CS proofs (extended abstract). In Proc. 35th Annual Symp. on Foundations of Computer Science, pages 436–453, 1994.
- Microsoft Corporation. Code access security. MSDN .NET Framework Developer's Guide—Visual Studio .NET Framework 3.5, 2008a. Available at: http://msdn.microsoft.com/en-us/library/930b76w0(v=vs.90).aspx; last retrieved May 2014.
- Microsoft Corporation. Full volume encryption using Windows BitLocker drive encryption. Microsoft Services Datasheet, 2008b. Available at: http://download.microsoft.com/download/E/C/1/EC157B02-3020-4010-AAB7-DBA5507CFB5E/FullVolumeEncryption-BitLocker.pdf; last retrieved May 2014.
- S. C. Misra and V. C. Bhavsar. Relationships between selected software measures and latent bug-density: Guidelines for improving quality. In Proc. Int. Conf. on Computational Science and Its Applications, pages 734–732, Jan. 2003.
- C. Mitchell, editor. Trusted Computing. The Institution of Engineering and Technology, 2005.
- D. Molnar. The SETI@Home problem. ACM Crossroads, 7(1), 2000.
- F. Monrose, P. Wyckoff, and A. Rubin. Distributed execution with remote audit. In Proc. Network and Distributed Systems Security Symp., 1999.
- T. Moyer, K. Butler, J. Schiffman, P. McDaniel, and T. Jaeger. Scalable web content attestation. In Proc. 25th Annual Computer Security Applications Conf., pages 95–104, 2009.
- G. C. Necula and P. Lee. The design and implementation of a certifying compiler. In Proc. ACM SIGPLAN 1998 Conf. on Programming Language Design and Implementation, pages 333–344, 1998.
- G. C. Necula, S. McPeak, S. Rahul, and W. Weimer. CIL: Intermediate language and tools for analysis and transformation of C programs. In Proc. 11th Int. Conf. on Compiler Construction, pages 213–228, 2002.
- B. Parno. Bootstrapping trust in a “trusted” platform. In Proc. 3rd USENIX Workshop on Hot Topics in Security, July 2008.
- B. Parno, D. Wendlandt, E. Shi, A. Perrig, B. Maggs, and Y.-C. Hu. Portcullis: Protecting connection setup from denial-of-capability attacks. In Proc. 2007 SIGCOMM Conf. on Applications, Technologies, Architectures, and Protocols for Computer Communication, pages 289–300, 2007.
- B. Parno, Z. Zhou, and A. Perrig. Help me help you: Using trustworthy host-based information in the network. Technical Report CMU-CyLab-09-016, Carnegie Mellon University, 2009.
- B. Parno, Z. Zhou, and A. Perrig. Using trustworthy host-based information in the network. In Proc. 7th ACM Workshop on Scalable Trusted Computing, pages 33–44, 2012.
- C. Percival. Cache missing for fun and profit. In Proc. BSDCan, 2005. Available at: http://www.daemonology.net/papers/htt.pdf; last retrieved May 2014.
- A. Perrig, S. Smith, D. Song, and J. Tygar. SAM: A flexible and secure auction architecture using trusted hardware. In Proc. 16th Int. Parallel & Distributed Processing Symp., pages 1764–1773, 2002. DOI: 10.1109/IPDPS.2001.925165.
- N. Provos, M. Friedl, and P. Honeyman. Preventing privilege escalation. In Proc. 12th USENIX Security Symp., article 16, 2003.
- A. Ramachandran, K. Bhandankar, M. B. Tariq, and N. Feamster. Packets with provenance. Technical Report GT-CS-08-02, Georgia Institute of Technology, 2008.
- A. Ramachandran and N. Feamster. Understanding the network-level behavior of spammers. In Proc. 2006 SIGCOMM Conf. on Applications, Technologies, Architectures, and Protocols for Computer Communication, pages 291–302, 2006.
Digital Library
- B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. C. Mitchell. Stronger password authentication using browser extensions. In Proc. 14th USENIX Security Symp., 2005.Google Scholar
- G. Rothblum. Delegating Computation Reliably: Paradigms and Constructions. PhD thesis, Massachusetts Institute of Technology, 2009.Google Scholar
- G.Rothblum and S. Vadhan. Are PCPs inherent in efficient arguments? In Proc. 24th Annual IEEE Conf. on Computational Complexity, pages 81–92, 2009. DOI: 10.1109/CCC.2009 .40.Google Scholar
Cross Ref
- C. Rudolph. Covert identity information in direct anonymous attestation (DAA). In New Approaches for Security, Privacy and Trust in Complex Environments,H, Venter, M. Eloff, L. Labuschagne, J. Eloff, and R. Solms (editors), pages 443-448, Springer, 2007. DOI:10.1007/978-0-387-72367-9_38.Google Scholar
- A.-R. Sadeghi, M. Selhorst, C. Stüble, C. Wachsmann, and M. Winandy. TCG inside? - A note on TPM specification compliance. In Proc. 1st ACM Workshop on Scalable Trusted Computing, pages 47–56, 2006. Google Scholar
- A.-R. Sadeghi and C. Stueble. Property-based attestation for computing platforms: caring about properties, not mechanisms. In Proc. 2004 Workshop on New Security Paradigms, pages 67–77, 2004. Google Scholar
- R. Sailer, E. Valdez, T. Jaeger, R. Perez, L. van Doorn, J. L. Griffin, and S. Berger. sHype: Secure hypervisor approach to trusted virtualized systems. Technical Report RC23511, IBM Research, Feb. 2005.Google Scholar
- R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn. Design and implementation of a TCG-based integrity measurement architecture. In Proc. 13th USENIX Security Symp., article 16, 2004Google Scholar
- L. Sarmenta, M. van Dijk, C. O'Donnell, J. Rhodes, and S. Devadas. Virtual monotonic counters and count-limited objects using a TPM without a trusted OS (extended version). Technical Report MIT-CSAIL-2006-064, Massachusetts Institute of Technology, 2006.Google Scholar
- N. Saxena, J.-E. Ekberg, K. Kostiainen, and N. Asokan. Secure device pairing based on a visual channel (short paper). In Proc. 2006 IEEE Symp. on Security and Privacy, pages 306–313, 2006. DOI: 10.1109/SP.2006.35.Google Scholar
Digital Library
- B. Schneier and J. Kelsey. Cryptographic support for secure logs on untrusted machines. In Proc. 7th USENIX Security Symp., article 4, 1998.Google Scholar
- A. Seshadri, M. Luk, N. Qu, and A. Perrig. SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In Proc. 21st ACM Symp. on Operating System Principles, pages 335–350, 2007. Google Scholar
Digital Library
- A. Seshadri, M.Luk, E. Shi, A.Perrig, L. van Doorn, andP. Khosla. Pioneer:Verifying integrity and guaranteeing execution of code on legacy platforms. In Proc. 20th ACM Symp. on Operating System Principles, pages 1–16, 2005. Google Scholar
- A. Seshadri, A. Perrig, L. van Doorn, and P. Khosla. SWATT: Software-based attestation for embedded devices. In Proc. 2004 IEEE Symp. on Security and Privacy, page 272, 2004. DOI: 10.1109/SECPRI.2004.1301329.Google Scholar
Cross Ref
- U. Shankar, T. Jaeger, and R. Sailer. Toward automated information-flow integrity verification for security-critical applications. In Proc. Network and Distributed Systems Security Symp., 2006.Google Scholar
- T. Shanley. The Unabridged Pentium 4. AddisonWesley, 2004.Google Scholar
- E. Shi, A. Perrig, and L. van Doorn. BIND: A time-of-use attestation service for secure distributed systems. In Proc. 2005 IEEE Symp. on Security and Privacy, pages 154–168, 2005. DOI: 10.1109/SP.2005.4.Google Scholar
Digital Library
- L. Singaravelu, C. Pu, H. Haertig, and C. Helmuth. Reducing TCB complexity for securitysensitive applications: Three case studies. In Proc. 1st ACMSIGOPS/EuroSys European Conf. on Comp. Syst., pages 161–174, 2006. Google Scholar
- S. Smith and V. Austel. Trusting trusted hardware: Towards a formal model for programmable secure coprocessors. In Proc. 3rd USENIXWorkshop on Electronic Commerce, article 8, 1998.Google Scholar
- S. W. Smith. WebALPS: Using trusted co-servers to enhance privacy and security of web transactions. IBM Research Report RC-21851, 2000.Google Scholar
- S.W. Smith. Outbound authentication for programmable secure coprocessors. Int. J. Inf. Sec., 3:28–41, 2004. DOI: 10.1007/s10207-004-0033-0.Google Scholar
Digital Library
- S. W. Smith. Trusted Computing Platforms: Design and Applications. Springer, 2005. DOI:10.1007/b103637.46Google Scholar
Cross Ref
- S. W. Smith, R. Perez, S. H. Weingart, and V. Austel. Validating a high-performance, programmable secure coprocessor. In Proc. 22nd National Information Systems Security Conf., 1999. Avaliable from http://csrc.nist.gov/nissc/1999/proceeding/papers/p16.pdf; last retrieved May 2014.Google Scholar
- S.W. Smith and S.Weingart. Building a high-performance, programmable secure coprocessor. Computer Networks, 31(9):831–860, 1999. DOI: 10.1016/S1389-1286(98)00019-X.Google Scholar
Digital Library
- C. Soriente, G. Tsudik, and E. Uzun. HAPADEP: Human-assisted pure audio device pairing. In Proc. 11th Int. Conf. on Information Security, pages 385–400, 2008. DOI: 10.1007/978-3-540-85886-7_27.Google Scholar
Digital Library
- C. Soriente, G. Tsudik, and E. Uzun. Secure pairing of interface constrained devices. Int. J. Security and Networks, 4(1):17–26, 2009. DOI: 10.1504/IJSN.2009.023423.Google Scholar
Digital Library
- E. R. Sparks. A security assessment of trusted platform modules. Technical Report TR2007-597, Dartmouth College, 2007.Google Scholar
- D. Spinellis. Reflection as a mechanism for software integrity verification. ACMTrans. Inf. & Syst. Security, 3(1):51–62, 2000. Google Scholar
Digital Library
- F. Stajano and R. Anderson. The resurrecting duckling: Security issues for ad-hoc wireless networks. In Proc. 7th Int.Workshop on Security Protocols, pages 172–182, 1999.Google Scholar
- Standards for Efficient Cryptography Group. SEC 2: Recommended elliptic curve domain parameters, Certicom Corp, 2000. Available at: http://www.secg.org/collateral/sec2_final.pdf; last accessed May 2014.Google Scholar
- G. E. Suh, D. Clarke, B. Gassend, M. van Dijk, and S. Devadas. AEGIS: Architecture for tamper-evident and tamper-resistant processing. In Proc. 17th Annual Int. Conf. on Supercomputing, pages 160–171, 2003. Google Scholar
Digital Library
- R. Ta-Min, L. Litty, and D. Lie. Splitting interfaces: Making trust between applications and operating systems configurable. In Proc. 7th USENIX Symp. on Operating System Design and Implementation, pages 279–292, 2006.Google Scholar
- C. Tarnovsky. Security failures in secure devices. In Black Hat DC Presentation, 2008. Available at: http://www.blackhat.com/presentations/bh-dc-08/Tarnovsky/Presentation/bh-dc-08-tarnovsky.pdf; last retrieved May 2014.Google Scholar
- K. Thompson, G. J. Miller, and R. Wilder. Wide-area Internet traffic patterns and characteristics. IEEE Network, 11(6):10–23, 1997. DOI: 10.1109/65.642356.Google Scholar
Digital Library
- Trusted Computing Group. PC client specific TPM interface specification (TIS). Version 1.2, Revision 1.00, 2005. Available at: http://www.trustedcomputinggroup.org/files/resource_files/87BCE22B-1D09-3519-ADEBA772FBF02CBD/TCG_PCClientTPMSpecification_1-20_1-00_FINAL.pdf; last retrieved May 2014.Google Scholar
- Trusted Computing Group. Trusted Platform Module Main Specification. Version 1.2, Revision 103, 2007. Available at: https://www.trustedcomputinggroup.org/resources/tpm_main_specification; last retrieved May 2014.Google Scholar
- TrustedComputingGroup.TCGmobile trustedmodulespecification.Version 1.0,Revision 6, 2008. Available at: http://www.trustedcomputinggroup.org/files/resource_files/87852F33-1D09-3519-AD0C0F141CC6B10D/Revision_6-tcg-mobiletrusted-module-1_0.pdf; last retrieved May 2014.Google Scholar
- M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan. Fully homomorphic encryption over the integers. In Proc. Int. Conf. Theory and Application of Cryptographic Techniques, pages 24–43, 2010. DOI: 10.1007/978-3-642-13190-5_2.Google Scholar
Digital Library
- A. Vasudevan, B. Parno, N. Qu, V. D. Gligor, and A. Perrig. Lockdown: A safe and practical environment for security applications. TechnicalReport CMU-CyLab-09-011, Carnegie Mellon University, 2009.Google Scholar
- S. Venkataraman, D. Song, P. B. Gibbons, and A. Blum. New streaming algorithms for fast detection of superspreaders. In Proc. Network and Distributed Systems Security Symp., 2005.Google Scholar
- J. von Helden, I. Bente, and J. Vieweg. Trusted network connect (TNC). European Trusted Infrastructure Summer School, 2009. Available at: http://www.iaik.tugraz.at/content/about_iaik/events/ETISS2009/; last retrieved May 2014.Google Scholar
- M. Walfish, M. Vutukuru, H. Balakrishnan, D. Karger, and S. Shenker. DDoS defense by offense. In Proc. 2006 SIGCOMM Conf. on Applications, Technologies, Architectures, and Protocols for Computer Communication, pages 303–314, 2006. Google Scholar
Digital Library
- C.Wallace.WorldwidePCmarket to double by 2010. ForresterResearch, Inc. PressRelease, Dec. 2004.Google Scholar
- N.Weaver, S. Staniford, and V. Paxson. Very fast containment of scanning worms. In Proc. 13th USENIX Security Symp., pages 29–44, 2004.Google Scholar
- S.Weingart. Physical security for the μABYSS system. In Proc. 1987 IEEE Symp. on Security and Privacy, pages 52–59, 1987.Google Scholar
- D. A. Wheeler. Linux kernel 2.6: It's worth more! Available at: http://www.dwheeler.com/essays/linux-kernel-cost.html, 2004; last retrieved May 2014.Google Scholar
- S. White, S.Weingart,W. Arnold, and E. Palmer. Introduction to the Citadel architecture: Security in physically exposed environments. Technical Report RC16672, IBM T. J. Watson Research Center, 1991.Google Scholar
- M. M. Williamson. Throttling viruses: Restricting propagation to defeat malicious mobile code. In Proc. 18th Annual Computer Security Applications Conf., pages 61–68, 2002. DOI: 10.1109/CSAC.2002.1176279. 133Google Scholar
Cross Ref
- M. M. Williamson. Design, implementation and test of an email virus throttle. In Proc. 19th Annual Computer Security Applications Conf., pages 76–85, 2003. DOI: 10.1109/CSAC .2003.1254312.Google Scholar
Cross Ref
- G. Wurster, P. van Oorschot, and A. Somayaji. A generic attack on checksumming-based software tamper resistance. In Proc. 2005 IEEE Symp. on Security and Privacy, pages 127–138, 2005. DOI: 10.1109/SP.2005.2.Google Scholar
Digital Library
- X. Yang, D.Wetherall, and T. Anderson. A DoS-limiting network architecture. In Proc. 2005 SIGCOMM Conf. on Applications, Technologies, Architectures, and Protocols for Computer Communication, pages 127–138, 2005. Google Scholar
Cross Ref
- A. Yao. Protocols for secure computations. In Proceedings of the IEEE Symposium on Foundations of Computer Science, pages 160–164, 1982. DOI: 10.1109/SFCS.1982.88.Google Scholar
Cross Ref
- A. Yao. How to generate and exchange secrets. In Proc. 27th Annual Symp. on Foundations of Computer Science, pages 162–167, 1986. DOI: 10.1109/SFCS.1986.25.Google Scholar
Digital Library
- B. S. Yee. Using Secure Coprocessors. PhD thesis, Carnegie Mellon University, 1994.Google Scholar
- S. Zdancewic, L. Zheng, N. Nystrom, and A. Myers. Secure program partitioning. ACM Trans. Comp. Syst., 20(3):283–328, 2002. Google Scholar
Digital Library
- X. Zhuang, T. Zhang, H. Lee, and S. Pande. Hardware assisted control flow obfuscation for embedded processors. In Proc. 2004 Int. Conf. on Compilers, Architecture and Synthesis for Embedded Systems, pages 292–302, 2004. Google Scholar
Digital Library