Scalable Web Content Attestation

The web is a primary means of information sharing for most organizations and people. Currently, a recipient of web content knows nothing about the environment in which that information was generated other than the specific server from whence it came (and even that information can be unreliable). In this paper, we develop and evaluate the Spork system that uses the Trusted Platform Module (TPM) to tie the web server integrity state to the web content delivered to browsers, thus allowing a client to verify that the origin of the content was functioning properly when the received content was generated and/or delivered. We discuss the design and implementation of the Spork service and its browser-side Firefox validation extension. In particular, we explore the challenges and solutions of scaling the delivery of mixed static and dynamic content to a large number of clients using exceptionally slow TPM hardware. We perform an in-depth empirical analysis of the Spork system within Apache web servers. This analysis shows Spork can deliver nearly 8,000 static or over 6,500 dynamic integrity-measured web objects per second. More broadly, we identify how TPM-based content web services can scale to large client loads with manageable overheads and deliver integrity-measured content with manageable overhead.

[1]  Elaine Shi,et al.  Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems , 2005, SOSP '05.

[2]  Trent Jaeger,et al.  Design and Implementation of a TCG-based Integrity Measurement Architecture , 2004, USENIX Security Symposium.

[3]  Stuart E. Schechter,et al.  The Emperor's New Security Indicators , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[4]  Shan Jiang,et al.  WebALPS Implementation and Performance Analysis: Using Trusted Co-servers to Enhance Privacy and Security of Web Interactions , 2001 .

[5]  Ravi S. Sandhu,et al.  Enhancing data authenticity and integrity in P2P systems , 2005, IEEE Internet Computing.

[6]  M. Frans Kaashoek,et al.  SSL splitting: Securely serving data from untrusted caches , 2003, Comput. Networks.

[7]  Sean W. Smith,et al.  Building the IBM 4758 Secure Coprocessor , 2001, Computer.

[8]  Tadayoshi Kohno,et al.  Detecting In-Flight Page Changes with Web Tripwires , 2008, NSDI.

[9]  Trent Jaeger,et al.  Justifying Integrity Using a Virtual Machine Verifier , 2009, 2009 Annual Computer Security Applications Conference.

[10]  G. Edward Suh,et al.  AEGIS: architecture for tamper-evident and tamper-resistant processing , 2003 .

[11]  Theodore Y. Ts'o,et al.  Kerberos: an authentication service for computer networks , 1994, IEEE Communications Magazine.

[12]  Pietro Iglio TrustedBox: a kernel-level integrity checker , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[13]  Sean W. Smith,et al.  Securing Web servers against insider attack , 2001, Seventeenth Annual Computer Security Applications Conference.

[14]  Sean W. Smith,et al.  Experimenting with TCPA/TCG Hardware, Or: How I Learned to Stop Worrying and Love The Bear , 2003 .

[15]  Keith Morneau,et al.  Active Server Pages , 2000 .

[16]  G. Edward Suh,et al.  AEGIS: architecture for tamper-evident and tamper-resistant processing , 2003, ICS.

[17]  Russ Housley,et al.  Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile , 2002, RFC.

[18]  Moni Naor,et al.  Certificate revocation and certificate update , 1998, IEEE Journal on Selected Areas in Communications.

[19]  Trent Jaeger,et al.  Seeding clouds with trust anchors , 2010, CCSW '10.

[20]  Donald E. Eastlake,et al.  (Extensible Markup Language) XML-Signature Syntax and Processing , 2002, RFC.

[21]  Ralph C. Merkle,et al.  Protocols for Public Key Cryptosystems , 1980, 1980 IEEE Symposium on Security and Privacy.

[22]  J. Aaron Pendergrass,et al.  Linux kernel integrity measurement using contextual inspection , 2007, STC '07.

[23]  Trent Jaeger,et al.  PRIMA: policy-reduced integrity measurement architecture , 2006, SACMAT '06.

[24]  Trent Jaeger,et al.  Establishing and Sustaining System Integrity via Root of Trust Installation , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[25]  Josef Pieprzyk,et al.  On-the-fly web content integrity check boosts users' confidence , 2002, CACM.

[26]  Eric A. Brewer,et al.  Reducing WWW Latency and Bandwidth Requirements by Real-Time Distillation , 1996, Comput. Networks.

[27]  王伟,et al.  Active Server Pages与数据库接口探析 , 2002 .

[28]  Günter Pomaska,et al.  PHP Hypertext Preprocessor , 2012 .

[29]  Stefan Berger,et al.  vTPM: Virtualizing the Trusted Platform Module , 2006, USENIX Security Symposium.

[30]  Michael T. Goodrich,et al.  Implementation of an authenticated dictionary with skip lists and commutative hashing , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[31]  Collin Jackson,et al.  Forcehttps: protecting high-security web sites from network attacks , 2008, WWW.

[32]  Elisa Bertino,et al.  SINE: Cache-friendly integrity for the web , 2009, 2009 5th IEEE Workshop on Secure Network Protocols.

[33]  George M. Mohay,et al.  Kernel and shell based applications integrity assurance , 1997, Proceedings 13th Annual Computer Security Applications Conference.

[34]  William A. Arbaugh,et al.  Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor , 2004, USENIX Security Symposium.