Carsten Weinhold
ABSTRACT
In this paper we present the lessons we learned when developing VPFS, a virtual private file system that is based on both a small amount of trusted storage and an untrusted legacy file system residing on the same machine. VPFS' purpose is to provide secure and reliable storage to highly sensitive applications running on top of a microkernel, which may concurrently execute untrusted software. The confidentiality and integrity guarantees of VPFS do not only apply to file contents, but also to all meta data including integrity of the directory structure.
We explored design alternatives that allow us to securely reuse untrusted infrastructure and thereby minimize the complexity that a file-system implementation adds to the trusted computing base. VPFS is split into two isolated components. A small trusted component implements all security-critical functionality, whereas the untrusted part reuses an existing file-system implementation provided by a virtualized legacy operating system that can be untrusted. In our VPFS prototype, alternative configurations of the trusted component comprise only between 4,000 and 4,600 lines of code, which is at least an order of magnitude smaller than existing commodity file-system stacks.
- Berkeley DB - Oracle Embedded Database. Located at: http://www.oracle.com/database/berkeley-db/.Google Scholar
- Federal Information Processing Standards Publication 180-1: Secure Hash Standard. Available from: http://www.itl.nist.gov/fipspubs/ fip180-1.htm.Google Scholar
- Federal Information Processing Standards Publication 197: Announcing the Advanced Encryption Standard. Available from: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.Google Scholar
- FUSE: Filesystem in Userspace. Located at: http://fuse.sourceforge.net/.Google Scholar
- L4HQ - The L4 Headquarters. Located at: http://www.l4hq.org/.Google Scholar
- L4Linux. Located at: http://os.inf.tu-dresden.de/L4/LinuxOnL4/.Google Scholar
- PostMark Filesystem Performance Benchmark. Located at: http://www.netapp.com/tech library/3022.html.Google Scholar
- Security-Enhanced Linux. Located at: http://www.nsa.gov/selinux/.Google Scholar
- The Fiasco Microkernel. Located at: http://os.inf.tu-dresden.de/fiasco/.Google Scholar
- The Linux Kernel Archives. Located at: http://www.kernel.org/.Google Scholar
- The Month of Kernel Bugs (MoKB) Archive. Located at: http://projects.info-pull.com/mokb/.Google Scholar
- Trusted Computing Group. Located at: https://www.trustedcomputinggroup.org.Google Scholar
- Trusted Computing Group: TPM. Located at: https://www.trustedcomputinggroup.org/groups/tpm/.Google Scholar
- M. Bellare, R. Canetti, and H. Krawczyk. Message Authentication Using Hash Functions: the HMAC Construction. CryptoBytes, 2(1):12--15, 1996.Google Scholar
- R. Coker. Bonnie++. Located at: http://www.coker.com.au/bonnie++/.Google Scholar
- N. Feske and C. Helmuth. A Nitpicker's Guide to a Minimal-Complexity Secure GUI. In ACSAC '05: Proceedings of the 21st Annual Computer Security Applications Conference, pages 85--94, Washington, DC, USA, 2005. IEEE Computer Society. Google ScholarDigital Library
- C. Frost, M. Mammarella, E. Kohler, A. de los Reyes, S. Hovsepian, A. Matsuoka, and L. Zhang. Generalized File System Dependencies. In SOSP '07: Proceedings of Twenty-First ACM SIGOPS Symposium on Operating Systems Principles, pages 307--320, New York, NY, USA, 2007. ACM. Google ScholarDigital Library
- K. Goldman, R. Perez, and R. Sailer. Linking Remote Attestation to Secure Tunnel Endpoints. In STC '06 Proceedings of the First ACM Workshop on Scalable Trusted Computing, pages 21--24, New York, NY, USA, 2006. ACM Press. Google ScholarDigital Library
- L. Gong. A Secure Identity-Based Capability System. In IEEE Symposium on Security and Privacy, pages 56--65, Los Alamitos, CA, USA, May 1989. IEEE Computer Society.Google ScholarCross Ref
- V. Gough. EncFS Encrypted Filesystem. Located at: http://arg0.net/wiki/encfs.Google Scholar
- H. Härtig, M. Hohmuth, N. Feske, C. Helmuth, A. Lackorzynski, F. Mehnert, and M. Peter. The Nizza Secure-System Architecture. In Proceedings of CollaborateCom, 2005.Google ScholarCross Ref
- M. Hohmuth, M. Peter, H. Haertig, and J. S. Shapiro. Reducing TCB Size by Using Untrusted Components - Small Kernels versus Virtual-Machine Monitors. In Proceedings of the Eleventh ACM SIGOPS European Workshop, Leuven, Belgium, Sept. 2004. Google ScholarDigital Library
- B. Kauer. Authenticated Booting for L4, November 2004. Available from: http://os.inf.tu-dresden.de/papers_ps/kauer-beleg.pdf.Google Scholar
- J. Li, M. Krohn, D. Maziéres, and D. Shasha. Secure Untrusted Data Repository (SUNDR). In Proceedings of the 6th USENIX Symposium on Operating Systems Design and Implementation (OSDI), pages 121--136, San Francisco, CA, Dec. 2004. Google ScholarDigital Library
- U. Maheshwari, R. Vingralek, and B. Shapiro. How to Build a Trusted Database System on Untrusted Storage. In Proceedings of the 4th USENIX Symposium on Operating System Design and Implementation (OSDI), pages 135--150, San Diego, CA, Oct. 2000. Google ScholarDigital Library
- T. J. McCabe. A Complexity Measure. In IEEE Transactions on Software Engineering, SE2(4):308--320, December 1976. Google ScholarDigital Library
- R. Merkle. Protocols for Public Key Cryptosystems. In Proceedings of the IEEE Symposium on Security and Privacy, pages 122--134, 1980.Google Scholar
- Microsoft Corporation. Secure Startup - Full Volume Encryption: Technical Overview. Available from: http://www.microsoft.com/whdc/system/platform/pcdesign/secure-start_tech.mspx.Google Scholar
- M.-J. O. Saarinen. Encrypted Watermarks and Linux Laptop Security. In C. H. Lim and M. Yung, editors. Information Security Applications, 5th International Workshop, volume 3325 of Lecture Notes in Computer Science, pages 27--38. Springer, 2004. Google Scholar
- L. Singaravelu, C. Pu, H. Härtig, and C. Helmuth. Reducing TCB Complexity for Security-Sensitive Applications: Three Case Studies. In EuroSys '06: Proceedings of the ACM SIGOPS/EuroSys European Conference on Computer Systems 2006, pages 161--174, New York, NY, USA, 2006. ACM. Google ScholarDigital Library
- R. Ta-Min, L. Litty, and D. Lie. Splitting Interfaces: Making Trust Between Applications and Operating Systems Configurable. In 7th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2006), November 2006. Google ScholarDigital Library
- C. Weinhold. Design and Implementation of a Trustworthy File System for L4. Master's thesis, TU - Dresden, 2006. available at: http://os.inf.tu-dresden.de/papers_ps/weinhold-diplom.pdf.Google Scholar
- J. Wires and M. J. Feeley. Secure File System Versioning at the Block Level. In EuroSys '07: Proceedings of the ACM SIGOPS/EuroSys European Conference on Computer Systems 2007, pages 203--215, New York, NY, USA, 2007. ACM Press. Google ScholarDigital Library
- C. Wright, M. Martino, and E. Zadok. NCryptfs: A Secure and Convenient Cryptographic File System. In Proceedings of the Annual USENIX Technical Conference, pages 197--210, June 2003.Google Scholar
Index Terms
- VPFS: building a virtual private file system with a small trusted computing base
Recommendations
VPFS: building a virtual private file system with a small trusted computing base
EuroSys '08In this paper we present the lessons we learned when developing VPFS, a virtual private file system that is based on both a small amount of trusted storage and an untrusted legacy file system residing on the same machine. VPFS' purpose is to provide ...
SRVM: Hypervisor Support for Live Migration with Passthrough SR-IOV Network Devices
VEE '16Single-Root I/O Virtualization (SR-IOV) is a specification that allows a single PCI Express (PCIe) device (ysical function or PF) to be used as multiple PCIe devices (virtual functions or VF). In a virtualization system, each VF can be directly assigned ...
SRVM: Hypervisor Support for Live Migration with Passthrough SR-IOV Network Devices
VEE '16: Proceedings of the12th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution EnvironmentsSingle-Root I/O Virtualization (SR-IOV) is a specification that allows a single PCI Express (PCIe) device (ysical function or PF) to be used as multiple PCIe devices (virtual functions or VF). In a virtualization system, each VF can be directly assigned ...
Comments