Verifying System Integrity by Proxy

Users are increasingly turning to online services, but are concerned for the safety of their personal data and critical business tasks. While secure communication protocols like TLS authenticate and protect connections to these services, they cannot guarantee the correctness of the endpoint system. Users would like assurance that all the remote data they receive is from systems that satisfy the users' integrity requirements. Hardware-based integrity measurement (IM) protocols have long promised such guarantees, but have failed to deliver them in practice. Their reliance on non-performant devices to generate timely attestations and ad hoc measurement frameworks limits the efficiency and completeness of remote integrity verification. In this paper, we introduce the integrity verification proxy (IVP), a service that enforces integrity requirements over connections to remote systems. The IVP monitors changes to the unmodified system and immediately terminates connections to clients whose specific integrity requirements are not satisfied while eliminating the attestation reporting bottleneck imposed by current IM protocols. We implemented a proof-of-concept IVP that detects several classes of integrity violations on a Linux KVM system, while imposing less than 1.5% overhead on two application benchmarks and no more than 8% on I/O-bound micro-benchmarks.

[1]  Samuel T. King,et al.  Detecting past and present intrusions through vulnerability-specific predicates , 2005, SOSP '05.

[2]  Adrian Perrig,et al.  TrustVisor: Efficient TCB Reduction and Attestation , 2010, 2010 IEEE Symposium on Security and Privacy.

[3]  James P. Titus,et al.  Security and Privacy , 1967, 2022 IEEE Future Networks World Forum (FNWF).

[4]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[5]  Stefan Katzenbeisser,et al.  Improving the scalability of platform attestation , 2008, STC '08.

[6]  Zhi Wang,et al.  HyperSentry: enabling stealthy in-context measurement of hypervisor integrity , 2010, CCS '10.

[7]  Sean W. Smith Outbound authentication for programmable secure coprocessors , 2004, International Journal of Information Security.

[8]  Tal Garfinkel,et al.  A Virtual Machine Introspection Based Architecture for Intrusion Detection , 2003, NDSS.

[9]  Wenke Lee,et al.  Lares: An Architecture for Secure Active Monitoring Using Virtualization , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[10]  Elaine Shi,et al.  Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems , 2005, SOSP '05.

[11]  Keith J. Jones,et al.  10th USENIX Security Symposium , 2001, login Usenix Mag..

[12]  William A. Arbaugh,et al.  VICI Virtual Machine Introspection for Cognitive Immunity , 2008, 2008 Annual Computer Security Applications Conference (ACSAC).

[13]  Thomas Morris,et al.  Trusted Platform Module , 2011, Encyclopedia of Cryptography and Security.

[14]  Wayne Salamon,et al.  Implementing SELinux as a Linux Security Module , 2003 .

[15]  Trent Jaeger,et al.  Design and Implementation of a TCG-based Integrity Measurement Architecture , 2004, USENIX Security Symposium.

[16]  Trent Jaeger,et al.  Analyzing Integrity Protection in the SELinux Example Policy , 2003, USENIX Security Symposium.

[17]  Zhi Wang,et al.  Process out-grafting: an efficient "out-of-VM" approach for fine-grained process execution monitoring , 2011, CCS '11.

[18]  William A. Arbaugh,et al.  Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor , 2004, USENIX Security Symposium.

[19]  Ahmad-Reza Sadeghi,et al.  Beyond secure channels , 2007, STC '07.

[20]  Tal Garfinkel,et al.  Terra: a virtual machine-based platform for trusted computing , 2003, SOSP '03.

[21]  Steven Hand,et al.  Improving Xen security through disaggregation , 2008, VEE '08.

[22]  Wenke Lee,et al.  Secure in-VM monitoring using hardware virtualization , 2009, CCS.

[23]  Brian D. Noble,et al.  When Virtual Is Better Than Real , 2001 .

[24]  Trent Jaeger,et al.  Justifying Integrity Using a Virtual Machine Verifier , 2009, 2009 Annual Computer Security Applications Conference.

[25]  Dieter Gollmann,et al.  Computer Security — ESORICS 2002 , 2002, Lecture Notes in Computer Science.

[26]  Weiqing Sun,et al.  Practical Proactive Integrity Preservation: A Basis for Malware Defense , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[27]  Stefan Berger,et al.  vTPM: Virtualizing the Trusted Platform Module , 2006, USENIX Security Symposium.

[28]  Brian Hay,et al.  Forensics examination of volatile system data using virtual introspection , 2008, OPSR.

[29]  Trent Jaeger,et al.  PRIMA: policy-reduced integrity measurement architecture , 2006, SACMAT '06.

[30]  Udo Steinberg,et al.  NOVA: a microhypervisor-based secure virtualization architecture , 2010, EuroSys '10.

[31]  Vitaly Shmatikov,et al.  Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, Chicago, Illinois, USA, October 17-21, 2011 , 2011, CCS.

[32]  Kevin Elphinstone,et al.  Towards Proving Security in the Presence of Large Untrusted Components , 2010, SSV.

[33]  Hong Chen,et al.  Usable Mandatory Integrity Protection for Operating Systems , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[34]  William A. Arbaugh,et al.  A secure and reliable bootstrap architecture , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[35]  Arati Baliga,et al.  Automatic Inference and Enforcement of Kernel Data Structure Invariants , 2008, 2008 Annual Computer Security Applications Conference (ACSAC).

[36]  丸山 宏,et al.  安全なジョブの遠隔実行を可能にするTrusted Platform on demand , 2004 .

[37]  Wenke Lee,et al.  Secure and Flexible Monitoring of Virtual Machines , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[38]  David Lie,et al.  Splitting interfaces: making trust between applications and operating systems configurable , 2006, OSDI '06.

[39]  Adrian Perrig,et al.  Bootstrapping Trust in Commodity Computers , 2010, 2010 IEEE Symposium on Security and Privacy.

[40]  Trent Jaeger,et al.  Network-Based Root of Trust for Installation , 2011, IEEE Security & Privacy.

[41]  Adrian Perrig,et al.  SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes , 2007, SOSP.

[42]  Emin Gün Sirer,et al.  Logical attestation: an authorization architecture for trustworthy computing , 2011, SOSP.

[43]  James P Anderson,et al.  Computer Security Technology Planning Study , 1972 .

[44]  Michael Franz,et al.  Semantic remote attestation: a virtual machine directed approach to trusted computing , 2004 .

[45]  David Lie,et al.  Hypervisor Support for Identifying Covertly Executing Binaries , 2008, USENIX Security Symposium.

[46]  Elaine Shi,et al.  BIND: a fine-grained attestation service for secure distributed systems , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[47]  Trent Jaeger,et al.  Scalable Web Content Attestation , 2012, IEEE Transactions on Computers.

[48]  Krishna P. Gummadi,et al.  Towards Trusted Cloud Computing , 2009, HotCloud.

[49]  Leah H. Jamieson,et al.  Establishing the Genuinity of Remote Computer Systems , 2003, USENIX Security Symposium.

[50]  Xuxian Jiang,et al.  Mapping kernel objects to enable systematic integrity checking , 2009, CCS.

[51]  Trent Jaeger,et al.  Establishing and Sustaining System Integrity via Root of Trust Installation , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[52]  Sandia Report,et al.  Trusted Execution Technology , 2011 .

[53]  Daniel F. Sterne,et al.  Practical Domain and Type Enforcement for UNIX , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[54]  Trent Jaeger,et al.  Toward Automated Information-Flow Integrity Verification for Security-Critical Applications , 2006, NDSS.

[55]  Ronald Perez,et al.  Linking remote attestation to secure tunnel endpoints , 2006, STC '06.

[56]  David D. Clark,et al.  A Comparison of Commercial and Military Computer Security Policies , 1987, 1987 IEEE Symposium on Security and Privacy.

[57]  K. J. Bma Integrity considerations for secure computer systems , 1977 .

[58]  Michael K. Reiter,et al.  Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.