Abstract
Users are increasingly turning to online services, but are concerned for the safety of their personal data and critical business tasks. While secure communication protocols like TLS authenticate and protect connections to these services, they cannot guarantee the correctness of the endpoint system. Users would like assurance that all the remote data they receive is from systems that satisfy the users’ integrity requirements. Hardware-based integrity measurement (IM) protocols have long promised such guarantees, but have failed to deliver them in practice. Their reliance on non-performant devices to generate timely attestations and ad hoc measurement frameworks limits the efficiency and completeness of remote integrity verification. In this paper, we introduce the integrity verification proxy (IVP), a service that enforces integrity requirements over connections to remote systems. The IVP monitors changes to the unmodified system and immediately terminates connections to clients whose specific integrity requirements are not satisfied while eliminating the attestation reporting bottleneck imposed by current IM protocols. We implemented a proof-of-concept IVP that detects several classes of integrity violations on a Linux KVM system, while imposing less than 1.5% overhead on two application benchmarks and no more than 8% on I/O-bound micro-benchmarks.
This material is based upon work supported by the National Science Foundation under Grant No. CNS-0931914 and CNS-1117692.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Processor-Based Virtualization, AMD64 Style, http://developer.amd.com/documentation/articles/pages/630200615.aspx
Anderson, J.P.: Computer Security Technology Planning Study. Tech. Rep. ESD-TR-73-51, The Mitre Corporation, Air Force Electronic Systems Division, Hanscom AFB, Badford, MA (1972)
Andronick, J., Greenaway, D., Elphinstone, K.: Towards Proving Security in the Presence of Large Untrusted Components. In: Proc. 5th Workshop on Systems Software Verification (2010)
Arbaugh, W.A., Farber, D.J., Smith, J.M.: A Secure and Reliable Bootstrap Architecture. In: Proc. IEEE SSP (1997)
Azab, A.M., Ning, P., Wang, Z., Jiang, X., Zhang, X., Skalsky, N.C.: HyperSentry: Enabling Stealthy In-Context Measurement of Hypervisor Integrity. In: Proc. 17th ACM Conference on Computer and Communications Security (2010), http://doi.acm.org/10.1145/1866307.1866313
Badger, L., Sterne, D.F., Sherman, D.L., Walker, K.M., Haghighat, S.A.: Practical domain and type enforcement for unix. In: IEEE Symposium on Security and Privacy (1995)
Baliga, A., Ganapathy, V., Iftode, L.: Automatic Inference and Enforcement of Kernel Data Structure Invariants. In: Proc. ACSAC (2008), http://dx.doi.org/10.1109/ACSAC.2008.29
BBC: Amazon apologises for cloud fault one week on, http://www.bbc.co.uk/news/business-13242782
Berger, S., et al.: vTPM: Virtualizing the Trusted Platform Module. In: USENIX Security Symposium (2006)
Biba, K.J.: Integrity Considerations for Secure Computer Systems. Tech. Rep. MTR-3153, MITRE (1975)
Carbone, M., Cui, W., Lu, L., Lee, W., Peinado, M., Jiang, X.: Mapping kernel objects to enable systematic integrity checking. In: Proceedings of the 16th ACM Conference on Computer and Communications Security
Chen, P.M., Noble, B.D.: When Virtual Is Better Than Real. In: Proc. HotOS (2001)
Clark, D.D., Wilson, D.R.: A Comparison of Commercial and Military Computer Security Policies. Security and Privacy (1987)
CVE-2010-3081, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3081
Fraser, T., Evenson, M.R., Arbaugh, W.A.: VICI Virtual Machine Introspection for Cognitive Immunity. In: Proceedings of the 2008 ACSAC (2008), http://dx.doi.org/10.1109/ACSAC.2008.33
Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: A Virtual Machine-Based Platform for Trusted Computing. In: Proc. 19th ACM SOSP (2003)
Garfinkel, T., Rosenblum, M.: A Virtual Machine Introspection Based Architecture for Intrusion Detection. In: Proc. NDSS (2003)
Gasmi, Y., Sadeghi, A.R., Stewin, P., Unger, M., Asokan, N.: Beyond Secure Channels. In: Proc. ACM Workshop on Scalable Trusted Computing (2007)
Goldman, K., Perez, R., Sailer, R.: Linking Remote Attestation to Secure Tunnel Endpoints. In: Proc. First ACM Workshop on Scalable Trusted Computing (2006), http://doi.acm.org/10.1145/1179474.1179481
Haldar, V., Chandra, D., Franz, M.: Semantic remote attestation: a virtual machine directed approach to trusted computing. In: Proceedings of the 3rd Conference on Virtual Machine Research And Technology Symposium (2004)
Hay, B., Nance, K.: Forensics examination of volatile system data using virtual introspection. SIGOPS Oper. Syst. Rev. 42, 74–82 (2008)
Trusted Execution Technology, http://www.intel.com/technology/security/
Jaeger, T., Sailer, R., Shankar, U.: PRIMA: Policy-Reduced Integrity Measurement Architecture. In: Proc. 11th ACM SACMAT (2006)
Jaeger, T., Sailer, R., Zhang, X.: Analyzing Integrity Protection in the SELinux Example Policy. In: Proc. 12th USENIX-SS (2003)
Joshi, A., King, S.T., Dunlap, G.W., Chen, P.M.: Detecting past and present intrusions through vulnerability-specific predicates. In: SOSP. ACM (2005)
Kennell, R., Jamieson, L.H.: Establishing the genuinity of remote computer systems. In: USENIX Security Symposium (2003), http://portal.acm.org/citation.cfm?id=1251353.1251374
Klein, G., et al.: seL4: Formal Verification of an OS Kernel. In: SOSP (2009)
Li, N., Mao, Z., Chen, H.: Usable Mandatory Integrity Protection for Operating Systems. In: Proc. IEEE SSP (2007)
Integrity: Linux Integrity Module(LIM), http://lwn.net/Articles/287790/
Litty, L., Lagar-Cavilla, H.A., Lie, D.: Hypervisor Support for Identifying Covertly Executing Binaries. In: Proc. 17th Usenix Security Symposium (2008)
Maruyama, H., Seliger, F., Nagaratnam, N., Ebringer, T., Munetoh, S., Yoshihama, S., Nakamura, T.: Trusted Platform on Demand. Tech. Rep. RT0564. IBM (2004)
McCune, J.M., Li, Y., Qu, N., Zhou, Z., Datta, A., Gligor, V., Perrig, A.: TrustVisor: Efficient TCB Reduction and Attestation. In: Proc. IEEE SSP (2010), http://dx.doi.org/10.1109/SP.2010.17
McCune, J.M., Parno, B.J., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: An Execution Infrastructure for TCB Minimization. In: Proc. 3rd ACM SIGOPS/EuroSys (2008)
Moyer, T., Butler, K., Schiffman, J., McDaniel, P., Jaeger, T.: Scalable Asynchronous Web Content Attestation. In: ACSAC 2009 (2009)
Murray, D.G., Milos, G., Hand, S.: Improving xen security through disaggregation. In: VEE. VEE 2008. ACM (2008)
Linux Kernel Backdoors And Their Detection, http://invisiblethings.org/papers/ITUnderground2004_Linux_kernel_backdoors.ppt
Security-enhanced linux, http://www.nsa.gov/selinux
OpenTC: OpenTC PET, http://www.opentc.net/publications/OpenTC_PET_prototype_documentation_v1.0.pdf
Parno, B., McCune, J.M., Perrig, A.: Bootstrapping Trust in Commodity Computers. In: IEEE SP 2010 (2010)
Payne, B.D., Carbone, M., Lee, W.: Secure and Flexible Monitoring of Virtual Machines. In: ACSAC (2007)
Payne, B.D., Carbone, M., Sharif, M., Lee, W.: Lares: An architecture for secure active monitoring using virtualization. In: IEEE Symposium on Security and Privacy (May 2008)
Petroni, N.L., Timothy, J., Jesus, F., William, M., Arbaugh, A.: Copilot - A Coprocessor-based Kernel Runtime Integrity Monitor. In: Proc. 13th USENIX Security Symposium (2004)
Sailer, R., Zhang, X., Jaeger, T., van Doorn, L.: Design and Implementation of a TCG-based Integrity Measurement Architecture. In: USENIX Security Symposium (2004)
Santos, N., Gummadi, K.P., Rodrigues, R.: Towards Trusted Cloud Computing. In: HOTCLOUD (2009)
Schiffman, J., Moyer, T., Shal, C., Jaeger, T., McDaniel, P.: Justifying integrity using a virtual machine verifier. In: Annual Computer Security Applications Conference, pp. 83–92(December 2009)
Schiffman, J., Moyer, T., Jaeger, T., McDaniel, P.: Network-based Root of Trust for Installation. IEEE Security & Privacy (2011)
Seshadri, A., Luk, M., Qu, N., Perrig, A.: Secvisor: A Tiny Hypervisor To Provide Lifetime Kernel Code Integrity For Commodity Oses. In: Proceedings of Twenty-First ACM SOSP (2007)
Seshadri, A., Luk, M., Shi, E., Perrig, A., van Doorn, L., Khosla, P.: Pioneer: Verifying Code Integrity And Enforcing Untampered Code Execution On Legacy Systems. In: Proceedings of the 20th ACM SOSP (2005)
Shankar, U., Jaeger, T., Sailer, R.: Toward Automated Information-Flow Integrity Verification for Security-Critical Applications. In: Proc. 2006 NDSS (2006)
Sharif, M.I., Lee, W., Cui, W., Lanzi, A.: Secure in-vm monitoring using hardware virtualization. In: Proceedings of the 16th ACM Conference on Computer and Communications Security (2009)
Shi, E., Perrig, A., van Doorn, L.: BIND: A Fine-Grained Attestation Service for Secure Distributed Systems. In: IEEE SP 2005 (2005)
Sirer, E.G., de Bruijn, W., Reynolds, P., Shieh, A., Walsh, K., Williams, D., Schneider, F.B.: Logical attestation: an authorization architecture for trustworthy computing. In: Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, New York, NY, USA, pp. 249–264 (2011), http://doi.acm.org/10.1145/2043556.2043580
Smalley, S., Vance, C., Salamon, W.: Implementing SELinux as a Linux Security Module. Tech. Rep. 01-043, NAI Labs (2001)
Smith, S.W.: Outbound Authentication for Programmable Secure Coprocessors. In: Gollmann, D., Karjoth, G., Waidner, M. (eds.) ESORICS 2002. LNCS, vol. 2502, pp. 72–89. Springer, Heidelberg (2002)
Sony: Update on playstation network and qriocity (April 2011), http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity
Srinivasan, D., Wang, Z., Jiang, X., Xu, D.: Process out-grafting: an efficient ”out-of-vm” approach for fine-grained process execution monitoring. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, New York, NY, USA, pp. 363–374 (2011), http://doi.acm.org/10.1145/2046707.2046751
St. Clair, L., Schiffman, J., Jaeger, T., McDaniel, P.: Establishing and Sustaining System Integrity via Root of Trust Installation. In: Annual Computer Security Applications Conference (2007)
Steinberg, U., Kauer, B.: Nova: a microhypervisor-based secure virtualization architecture. In: Proceedings of the 5th European Conference on Computer Systems, EuroSys 2010, pp. 209–222. ACM, New York (2010)
Stumpf, F., Fuchs, A., Katzenbeisser, S., Eckert, C.: Improving the scalability of platform attestation. In: ACM Workshop on Scalable Trusted Computing (2008)
Sun, W., Sekar, R., Poothia, G., Karandikar, T.: Practical Proactive Integrity Preservation: A Basis for Malware Defense. In: Proc. 2008 IEEE SSP (2008)
Ta-Min, R., Litty, L., Lie, D.: Splitting interfaces: making trust between applications and operating systems configurable. In: OSDI. USENIX Association, Berkeley (2007)
TCG: Infrastructure Subject Key Attestation Evidence Extension Version 1.0, Revision 5. Tech. report (2005)
TCG: Trusted Network Connect: Open Standards for Integrity-based Network Access Control. Technical report (2005), http://www.trustedcomputinggroup.org
TCG: Trusted Platform Module (2005), https://www.trustedcomputinggroup.org/specs/TPM/
Trousers, http://trousers.sourceforge.net/
VMWare VMsafe, http://www.vmware.com/go/vmsafe
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Schiffman, J., Vijayakumar, H., Jaeger, T. (2012). Verifying System Integrity by Proxy. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds) Trust and Trustworthy Computing. Trust 2012. Lecture Notes in Computer Science, vol 7344. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30921-2_11
Download citation
DOI: https://doi.org/10.1007/978-3-642-30921-2_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30920-5
Online ISBN: 978-3-642-30921-2
eBook Packages: Computer ScienceComputer Science (R0)