Michael Hohmuth
ABSTRACT
Secure systems are best built on top of a small trusted operating system: The smaller the operating system, the easier it can be assured or verified for correctness.In this paper, we oppose the view that virtual-machine monitors (VMMs) are the smallest systems that provide secure isolation because they have been specifically designed to provide little more than this property. The problem with this assertion is that VMMs typically do not support interprocess communication, complicating the use of untrusted components inside a secure systems.We propose extending traditional VMMs with features for secure message passing and memory sharing to enable the use of untrusted components in secure systems. We argue that moving system components out of the TCB into the untrusted part of the system and communicating with them using IPC reduces the overall size of the TCB.We argue that many secure applications can make use of untrusted components through trusted wrappers without risking security properties such as confidentiality and integrity.
- Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, and Andrew Warfield. Xen and the art of virtualization. In Proceedings of the nineteenth ACM symposium on Operating systems principles, pages 164--177. ACM Press, 2003. Google Scholar
Digital Library
- Norman Feske and Hermann Härtig. DOpE---a window server for real-time and embedded systems. Technical Report TUD-FI03-10-September-2003, TU Dresden, 2003.Google ScholarCross Ref
- Bryan Ford, Mike Hibler, Jay Lepreau, Roland McGrath, and Patrick Tullmann. Interface and execution models in the Fluke kernel. In Proceedings of the third symposium on Operating systems design and implementation, pages 101--115. USENIX Association, 1999. Google ScholarDigital Library
- Tal Garfinkel, Ben Pfaff, Jim Chow, Mendel Rosenblum, and Dan Boneh. Terra: a virtual machine-based platform for trusted computing. In Proceedings of the nineteenth ACM symposium on Operating systems principles, pages 193--206. ACM Press, 2003. Google ScholarDigital Library
- Morrie Gasser. Building a secure computer system. Van Nostrand Reinhold Co., 1988. Google ScholarDigital Library
- H. Härtig, M. Hohmuth, J. Liedtke, S. Schönberg, and J. Wolter. The performance of μ-kernel-based systems. In Proceedings of the 16th ACM Symposium on Operating System Principles (SOSP), pages 66--77, Saint-Malo, France, October 1997. Google ScholarDigital Library
- Hermann Härtig. Security architectures revisited. In Proceedings of the Tenth ACM SIGOPS European Workshop, Saint-Emilion, France, September 2002. Google ScholarDigital Library
- C. Helmuth, A. Westfeld, and M. Sobirey. μSINA - Eine mikro-kernbasierte Systemarchitektur für sichere Systemkomponenten. In Deutscher IT-Sicherheitskongress des BSI, volume 8 of IT-Sicherheit im verteilten Chaos, pages 439--453. Secumedia-Verlag Ingelsheim, May 2003.Google Scholar
- Michael M. Swift, Brian N. Bershad, and Henry M. Levy. Improving the reliability of commodity operating systems. In Proceedings of the nineteenth ACM symposium on Operating systems principles, pages 207--222. ACM Press, 2003. Google ScholarDigital Library
- Victor L. Voydock and Stephen T. Kent. Security mechanisms in high-level network protocols. ACM Comput. Surv., 15(2):135--171, 1983. Google ScholarDigital Library
- Andrew Whitaker, Marianne Shaw, and Steven D. Gribble. Scale and performance in the Denali isolation kernel. In Proceedings of the fifth symposium on Operating systems design and implementation, pages 195--209. USENIX Association, 2002. Google ScholarDigital Library
- Reducing TCB size by using untrusted components: small kernels versus virtual-machine monitors
Recommendations
Reducing TCB complexity for security-sensitive applications: three case studies
EuroSys '06: Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006The large size and high complexity of security-sensitive applications and systems software is a primary cause for their poor testability and high vulnerability. One approach to alleviate this problem is to extract the security-sensitive parts of ...
A Trusted Virtual Machine in an Untrusted Management Environment
Virtualization is a rapidly evolving technology that can be used to provide a range of benefits to computing systems, including improved resource utilization, software portability, and reliability. Virtualization also has the potential to enhance ...
A secure virtual execution environment for untrusted code
ICISC'07: Proceedings of the 10th international conference on Information security and cryptologyThis paper proposes a Secure Virtual Execution Environment called Pollux for untrusted code. Pollux achieves both the OS isolation and the functionality benefits provided by the isolated untrusted applications. It accomplishes the OS isolation by ...
Comments