ABSTRACT
This paper describes the design and implementation of a new operating system authorization architecture to support trustworthy computing. Called logical attestation, this architecture provides a sound framework for reasoning about run time behavior of applications. Logical attestation is based on attributable, unforgeable statements about program properties, expressed in a logic. These statements are suitable for mechanical processing, proof construction, and verification; they can serve as credentials, support authorization based on expressive authorization policies, and enable remote principals to trust software components without restricting the local user's choice of binary implementations.
We have implemented logical attestation in a new operating system called the Nexus. The Nexus executes natively on x86 platforms equipped with secure coprocessors. It supports both native Linux applications and uses logical attestation to support new trustworthy-computing applications. When deployed on a trustworthy cloud-computing stack, logical attestation is efficient, achieves high-performance, and can run applications that provide qualitative guarantees not possible with existing modes of attestation.
- Martín Abadi. Variations in Access Control Logic. In Proc. of the Conference on Deontic Logic in Computer Science, Luxembourg, July 2008. Google ScholarDigital Library
- Andrew W. Appel and Edward W. Felten. Proof-carrying authentication. In Proc. of the Conference on Computer and Communications Security, Singapore, November 1999. Google ScholarDigital Library
- William A. Arbaugh, David J. Farber, and Jonathan M. Smith. A Secure and Reliable Bootstrap Architecture. In Proc. of the IEEE Symposium on Security and Privacy, Oakland, CA, May 1997. Google ScholarDigital Library
- Stefan Berger, Ramón Cáceres, Kenneth A. Goldman, Ronald Perez, Reiner Sailer, and Leendert van Doorn. vTPM: Virtualizing the Trusted Platform Module. In Proc. of the USENIX Security Symposium, Vancouver, Canada, August 2006. Google ScholarDigital Library
- Andrea Bittau, Petr Marchenko, Mark Handley, and Brad Karp. Wedge: Splitting Applications into Reduced-privilege Compartments. In Proc. of the Symposium on Networked System Design and Implementation, San Francisco, CA, April 2008. Google ScholarDigital Library
- Byung-Gon Chun, Petros Maniatis, Scott Shenker, and John Kubiatowicz. Attested append-only memory: Making adversaries stick to their word. In Proc. of the Symposium on Operating System Principles, Stevenson, WA, October 2007. Google ScholarDigital Library
- Jack B. Dennis and Earl C. Van Horn. Programming semantics for multiprogrammed computations. Comm. of the ACM, 9:143--155, March 1966. Google ScholarDigital Library
- Petros Efstathopoulos, Maxwell Krohn, Steve VanDeBogart, Cliff Frey, David Ziegler, Eddie Kohler, David Mazières, M. Frans Kaashoek, and Robert T. Morris. Labels and Event Processes in the Asbestos Operating System. In Proc. of the Symposium on Operating Systems Principles, Brighton, UK, October 2005. Google ScholarDigital Library
- Paul England, Butler Lampson, John Manferdelli, Marcus Peinado, and Bryan Willman. A Trusted Open Platform. Computer, 36(7):55--62, July 2003. Google ScholarDigital Library
- Paul England and Jork Loeser. Para-Virtualized TPM Sharing. In Proc. of the International Conference on Trusted Computing and Trust in Information Technologies, Villach, Austria, 2008. Google ScholarDigital Library
- Ùlfar Erlingsson and Fred B. Schneider. IRM Enforcement of Java Stack Inspection. In Proc. of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2000. Google ScholarDigital Library
- Electronic Frontier Foundation. Facebook's New Privacy Changes: The Good, The Bad, and The Ugly. http://www.eff.org/deeplinks/2009/12/facebooks-new-privacy-changes-good-bad-and-ugly.Google Scholar
- Kevin Fu, M. Frans Kaashoek, and David Mazières. Fast and Secure Distributed Read-Only File System. In Proc. of the Symposium on Operating Systems Design and Implementation, San Diego, CA, October 2000. Google ScholarDigital Library
- Tal Garfinkel, Ben Pfaff, Jim Chow, Mendel Rosenblum, and Dan Boneh. Terra: A Virtual Machine-Based Platform for Trusted Computing. In Proc. of the Symposium on Operating Systems Principles, Bolton Landing, NY, October 2003. Google ScholarDigital Library
- Morrie Gasser, Andy Goldstein, Charlie Kaufman, and Butler Lampson. The Digital Distributed System Security Architecture. In Proc. of the National Computer Security Conference, Baltimore, MD, October 1989.Google Scholar
- Li Gong. Java Security: Present and Near Future. IEEE Micro, 17(3):14--19, May/June 1997. Google ScholarDigital Library
- Ramakrishna Gummadi, Hari Balakrishnan, Petros Maniatis, and Sylvia Ratnasamy. Not-a-Bot: Improving Service Availability in the Face of Botnet Attacks. In Proc. of the Symposium on Networked System Design and Implementation, Boston, MA, April 2009. Google ScholarDigital Library
- Vivek Haldar, Deepak Chandra, and Michael Franz. Semantic Remote attestation: A Virtual Machine Directed Approach to Trusted Computing. In Proc. of the USENIX Virtual Machine Research and Technology Symposium, San Jose, CA, May 2004. Google ScholarDigital Library
- Hermann Härtig. Security Architectures Revisited. In Proc. of the SIGOPS European Workshop, Saint-Emilion, France, September 2002. Google ScholarDigital Library
- Hermann Härtig, Michael Hohmuth, Norman Feske, Christian Helmuth, Adam Lackorzynski, Frank Mehnert, and Michael Peter. The Nizza Secure-System Architecture. In Proc. of the International Conference on Collaborative Computing, San Jose, CA, December 2005.Google Scholar
- Hermann Härtig, Michael Hohmuth, Jochen Liedtke, and Sebastian Schönberg. The Performance of μ-Kernel-Based Systems. In Proc. of the Symposium on Operating Systems Principles, Saint Malo, France, October 1997. Google ScholarDigital Library
- Hermann Härtig and Oliver Kowalski and Winfried Kühnhauser. The BirliX Security Architecture. Journal of Computer Security, 2(1):5--21, 1993.Google Scholar
- William K. Josephson, Emin Gün Sirer, and Fred B. Schneider. Peer-to-Peer Authentication With a Distributed Single Sign-On Service. In Proc. of the Workshop on Peer-to-Peer Systems, San Diego, CA, February 2004. Google ScholarDigital Library
- Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Michael Norrish, Rafal Kolanski, Thomas Sewell, Harvey Tuch, and Simon Winwood. seL4: Formal Verification of an OS Kernel. In Proc. of the Symposium on Operating Systems Principles, Big Sky, MT, October 2009. Google ScholarDigital Library
- Butler Lampson. Computer Security in the Real World. IEEE Computer, 37(6), 2004. Google ScholarDigital Library
- Chris Lesniewski-Laas, Bryan Ford, Jacob Strauss, Robert Morris, and Frans M. Kaashoek. Alpaca: Extensible Authorization for Distributed Services. In Proc. of the Conference on Computer and Communications Security, Alexandria, VA, October 2007. Google ScholarDigital Library
- Dave Levin, John R. Douceur, Jacob R. Lorch, and Thomas Moscibroda. TrInc: Small Trusted Hardware for Large Distributed Systems. In Proc. of the Symposium on Networked System Design and Implementation, Boston, MA, April 2009. Google ScholarDigital Library
- Jinyuan Li, Maxwell Krohn, David Mazières, and Dennis Shasha. Secure Untrusted Data Repository. In Proc. of the Symposium on Operating Systems Design and Implementation, San Francisco, CA, December 2004. Google ScholarDigital Library
- David Lie, Chandramohan A. Thekkath, and Mark Horowitz. Implementing an Untrusted Operating System on Trusted Hardware. In Proc. of the Symposium on Operating Systems Principles, Bolton Landing, NY, October 2003. Google ScholarDigital Library
- Umesh Maheshwari, Radek Vingralek, and William Shapiro. How to Build a Trusted Database System on Untrusted Storage. In Proc. of the Symposium on Operating Systems Design and Implementation, San Diego, CA, October 2000. Google ScholarDigital Library
- Jonathan M. McCune, Yanlin Li, Ning Qu, Zongwei Zhou, Anupam Datta, Virgil Gligor, and Adrian Perrig. TrustVisor: Efficient TCB Reduction and Attestation. In Proc. of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2010. Google ScholarDigital Library
- Jonathan M. McCune, Bryan J. Parno, Adrian Perrig, Michael K. Reiter, and Hiroshi Isozaki. Flicker: An Execution Infrastructure for TCB Minimization. In Proc. of the European Conference on Computer Systems, Glasgow, Scotland, April 2008. Google ScholarDigital Library
- Ralph C. Merkle. Protocols for Public Key Cryptosystems. In Proc. of the IEEE Symposium on Security and Privacy, Oakland, CA, May 1980.Google Scholar
- Ralph C. Merkle. A Certified Digital Signature. In Proc. of the International Cryptology Conference, Santa Barbara, CA, August 1989. Google ScholarDigital Library
- George C. Necula. Proof-Carrying Code. In Proc. of the Symposium on Principles of Programming Languages, pages 106--119, Paris, France, 1997. Google ScholarDigital Library
- Bryan Parno, Jonathan M. McCune, and Adrian Perrig. Bootstrapping Trust in Commodity Computers. In Proc. of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2010. Google ScholarDigital Library
- Birgit Pfitzmann, James Riordan, Christian Stüble, Michael Waidner, and Arnd Weber. The PERSEUS System Architecture. Technical Report RZ3335 (93381), IBM Research Division, Zurich, April 2001.Google Scholar
- Rob Pike, Dave Presotto, Sean Dorward, Bob Flandrena, Ken Thompson, Howard Trickey, and Phil Winterbottom. Plan 9 from Bell Labs. Computing Systems, 8(3):221--254, Summer 1995.Google Scholar
- Patrick Reynolds, Oliver Kennedy, Emin Gün Sirer, and Fred B. Schneider. Securing Bgp Using External Security Monitors. Technical Report TR2006--2065, Cornell University, Computing and Information Science, Ithaca, New York, December 2006.Google ScholarCross Ref
- Ahmad-Reza Sadeghi, Christian Stüble, and Marcel Winandy. Property-Based TPM Virtualization. In Proc. of the International Conference on Information Security, Hyderabad, India, December 2008. Google ScholarDigital Library
- Reiner Sailer, Enriquillo Valdez, Trent Jaeger, Ronald Perez, Leendert van Doorn, John Linwood Griffin, and Stefan Berger. sHype: Secure Hypervisor Approach to Trusted Virtualized Systems. Technical Report RC23511 (W0502-006), IBM Research Division, Thomas J. Watson Research Center, Yorktown Heights, NY, February 2005.Google Scholar
- Reiner Sailer, Xiaolan Zhang, Trent Jaeger, and Leendert van Doorn. Design and Implementation of a TCG-based Integrity Measurement Architecture. In Proc. of the USENIX Security Symposium, San Diego, CA, August 2004. Google ScholarDigital Library
- Luis F. G. Sarmenta, Marten van Dijk, Charles W. O'Donnell, Jonathan Rhodes, and Srinivas Devadas. Virtual Monotonic Counters and Count-limited Objects Using a TPM without a Trusted OS. In Proc. of the Workshop on Scalable Trusted Computing, Fairfax, VA, November 2006. Google ScholarDigital Library
- Fred B. Schneider, Kevin Walsh, and Emin Gün Sirer. Enforceable Security Policies. ACM Transactions on Information and System Security, 1(3), February 2000. Google ScholarDigital Library
- Fred B. Schneider, Kevin Walsh, and Emin Gün Sirer. Nexus Authorization Logic: Design Rationale and Applications. ACM Transactions on Information and System Security, 14(1), May 2011. Google ScholarDigital Library
- Arvind Seshadri, Mark Luk, Elaine Shi, Adrian Perrig, Leendert van Doorn, and Pradeep Khosla. Pioneer: Verifying Integrity and Guaranteeing Execution of Code on Legacy Platforms. In Proc. of the Symposium on Operating Systems Principles, Brighton, UK, October 2005.Google Scholar
- Arvind Seshadri, Adrian Perrig, Leendert van Doorn, and Pradeep Khosla. SWATT: Software-based Attestation for Embedded Devices. In Proc. of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2004.Google Scholar
- Jonathan S. Shapiro, Jonathan M. Smith, and David J. Farber. EROS: A Fast Capability System. In Proc. of the Symposium on Operating Systems Principles, Kiawah Island, SC, December 1999. Google ScholarDigital Library
- Elaine Shi, Adrian Perrig, and Leendert van Doorn. BIND: A Fine-Grained Attestation Service for Secure Distributed Systems. In Proc. of the Symposium on Security and Privacy, 2005. Google ScholarDigital Library
- Emin Gün Sirer, Robert Grimm, Arthur J. Gregory, and Brian N. Bershad. Design and Implementation of a Distributed Virtual Machine for Networked Computers. In Proc. of the Symposium on Operating Systems Principles, Kiawah Island, SC, December 1999. Google ScholarDigital Library
- Ray Spencer, Stephen Smalley, Peter Loscocco, Mike Hibler, David Andersen, and Jay Lepreau. The Flask Security Architecture: System Support for Diverse Security Policies. In Proc. of the USENIX Security Symposium, Washington, DC, August 1999. Google ScholarDigital Library
- Richard Stallman. Can You Trust Your Computer? Available at http://www.gnu.org/philosophy/can-you-trust.html.Google Scholar
- Marten van Dijk, Jonathan Rhodes, Luis F. G. Sarmenta, and Srinivas Devadas. Offline Untrusted Storage with Immediate Detection of Forking and Replay Attacks. In Proc. of the Workshop on Scalable Trusted Computing, Alexandria, VA, November 2007. Google ScholarDigital Library
- Robert Wahbe, Steven Lucco, Thomas E. Anderson, and Susan L. Graham. Efficient Software-Based Fault Isolation. ACM SIGOPS Operating Systems Review, 27(5):203--216, December 1993. Google ScholarDigital Library
- Carsten Weinhold and Hermann Härtig. VPFS: Building a Virtual Private File System with a Small Trusted Computing Base. In Proc. of the European Conference on Computer Systems, Glasgow, Scotland, April 2008. Google ScholarDigital Library
- Dan Williams, Patrick Reynolds, Kevin Walsh, Emin Gün Sirer, and Fred B. Schneider. Device driver safety through a reference validation mechanism. In Proc. of the Symposium on Operating System Design and Implementation, San Diego, CA, December 2008. Google ScholarDigital Library
- Edward Wobber, Martín Abadi, Michael Burrows, and Butler Lampson. Authentication in the Taos operating system. Transactions on Computer Systems, 12(1), 1994. Google ScholarDigital Library
- Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and David Mazières. Making Information Flow Explicit in HiStar. In Proc. of the Symposium on Operating Systems Design and Implementation, Seattle, WA, November 2006. Google ScholarDigital Library
Index Terms
- Logical attestation: an authorization architecture for trustworthy computing
Recommendations
Nexus authorization logic (NAL): Design rationale and applications
Nexus Authorization Logic (NAL) provides a principled basis for specifying and reasoning about credentials and authorization policies. It extends prior access control logics that are based on “says” and “speaks for” operators. NAL enables authorization ...
Understanding SPKI/SDSI using first-order logic
SPKI/SDSI is a language for expressing distributed access control policy, derived from SPKI and SDSI. We provide a first-order logic (FOL) semantics for SDSI, and show that it has several advantages over previous semantics. For example, the FOL ...
Comments