DOI: 10.1145/1217935.1217951
Reducing TCB complexity for security-sensitive applications: three case studies

Published: 18 April 2006

Abstract

The large size and high complexity of security-sensitive applications and systems software is a primary cause of their poor testability and high vulnerability. One approach to alleviating this problem is to extract the security-sensitive parts of application and systems software, thereby reducing the size and complexity of the software that needs to be trusted. At the system software level, we use the Nizza architecture, which relies on a kernelized trusted computing base (TCB) and on the reuse of legacy code through trusted wrappers to minimize the size of the TCB. At the application level, we extract the security-sensitive portions of an already existing application into an AppCore. The AppCore is executed as a trusted process in the Nizza architecture, while the rest of the application executes on a virtualized, untrusted legacy operating system. In three case studies of real-world applications (an e-commerce transaction client, a VPN gateway, and digital signatures in an e-mail client), we achieved a considerable reduction in code size and complexity. In contrast to the few hundred thousand lines of current application software code running on millions of lines of systems software code, we have AppCores with tens of thousands of lines of code running on a hundred thousand lines of systems software code. We also show the performance penalty of AppCores to be modest (a few percent) compared to current software.


Published In

EuroSys '06: Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006, April 2006, 420 pages, ISBN 1595933220, DOI 10.1145/1217935.

Also in: ACM SIGOPS Operating Systems Review, Volume 40, Issue 4 (Proceedings of the 2006 EuroSys conference), October 2006, 383 pages, ISSN 0163-5980, DOI 10.1145/1218063.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. application security
  2. trusted computing base

Conference

EuroSys 2006 Conference, April 18 - 21, 2006, Leuven, Belgium
