DOI: 10.1145/3423211.3425674
Research article, Middleware conference proceedings

A practical approach for updating an integrity-enforced operating system

Published: 11 December 2020

Abstract

Trusted computing defines how to securely measure, store, and verify the integrity of the software controlling a computer. One of the major challenges that makes these techniques hard to apply in practice is software updates. Specifically, an operating system update causes an integrity violation because it changes the well-known initial state trusted by remote verifiers, such as integrity monitoring systems. Consequently, the integrity monitoring of remote computers becomes unreliable due to the high number of false positives.
We address this problem by adding an extra level of indirection between the operating system and software repositories. We propose a trusted software repository (TSR), a secure proxy that overcomes the shortcomings of previous approaches by sanitizing software packages. Sanitization consists of modifying unsafe installation scripts and adding digital signatures in such a way that software packages can be installed in the operating system without violating its integrity. TSR leverages shielded execution, i.e., Intel SGX, to achieve confidentiality and integrity guarantees for the sanitization process.
TSR is transparent to package managers and requires no changes to the processes for building and distributing software packages. Our evaluation shows that running TSR inside SGX is practical: it induces only ~1.18× performance overhead during package sanitization compared to native execution without SGX. TSR supports 99.76% of the packages available in the main and community repositories of Alpine Linux while increasing the total repository size by 3.6%.
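As an added illustration (not code from the paper or the TSR project), the following Python sketch contrasts the two attestation policies the abstract describes: a baseline of known-good file hashes, which flags every legitimately updated file as a violation, and a policy that accepts files whose hashes carry a signature attached by a sanitizing proxy. The package contents are constructed, and an HMAC under a key shared between proxy and verifier stands in for the digital signature TSR would add.

```python
import hashlib
import hmac

# Constructed sample package: the files it ships before and after an OS update.
PACKAGE_V1 = {"/usr/bin/tool": b"tool v1 binary", "/usr/lib/libtool.so": b"libtool v1"}
PACKAGE_V2 = {"/usr/bin/tool": b"tool v2 binary", "/usr/lib/libtool.so": b"libtool v1"}

# Key shared between the sanitizing proxy and the remote verifier. This is an
# assumption of the example: an HMAC stands in for the digital signature the
# paper's proxy attaches; a real deployment would use an asymmetric key.
TSR_KEY = b"constructed-demo-key"

def measure(files):
    """IMA-style measurement list: one (path -> sha256 hex) entry per file."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}

def verify_by_baseline(measurements, baseline):
    """Policy 1: every measured file must match the verifier's known-good hash.
    Returns the paths that violate the policy."""
    return [path for path, digest in measurements.items() if baseline.get(path) != digest]

def sign_digest(digest):
    """Proxy 'signature' over a file digest (HMAC stand-in, see above)."""
    return hmac.new(TSR_KEY, digest, "sha256").hexdigest()

def sanitize(files):
    """What the proxy does to a package on its way through: attach a signature
    to every file so the verifier can trust it without a baseline entry."""
    return {path: (content, sign_digest(hashlib.sha256(content).digest()))
            for path, content in files.items()}

def verify_by_signature(sanitized):
    """Policy 2: a file is acceptable if its hash carries a valid proxy signature.
    Returns the paths whose signature does not match the file content."""
    violations = []
    for path, (content, signature) in sanitized.items():
        expected = sign_digest(hashlib.sha256(content).digest())
        if not hmac.compare_digest(signature, expected):
            violations.append(path)
    return violations

def update_scenario():
    """Run both policies across the v1 -> v2 update and over a tampered copy of v2."""
    baseline = measure(PACKAGE_V1)                     # state the verifier trusts
    false_positives = verify_by_baseline(measure(PACKAGE_V2), baseline)
    signed_v2 = sanitize(PACKAGE_V2)
    clean = verify_by_signature(signed_v2)
    tampered = dict(signed_v2)                         # a file replaced after signing
    tampered["/usr/bin/tool"] = (b"modified binary", signed_v2["/usr/bin/tool"][1])
    return false_positives, clean, verify_by_signature(tampered)
```

Under the baseline policy the legitimate update is reported as a violation of /usr/bin/tool, while the signature policy accepts the sanitized package and still catches the file that was altered after signing.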


Published In

Middleware '20: Proceedings of the 21st International Middleware Conference
December 2020
455 pages
ISBN: 9781450381536
DOI: 10.1145/3423211

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. integrity measurement architecture (IMA)
  2. Intel Software Guard Extensions
  3. software updates
  4. trusted computing

Conference

Middleware '20: 21st International Middleware Conference
December 7 - 11, 2020
Delft, Netherlands

Acceptance Rates

Overall Acceptance Rate 203 of 948 submissions, 21%
