Pasture: Secure Offline Data Access Using Commodity Trusted Hardware

This paper presents Pasture, a secure messaging and logging library that enables rich mobile experiences by providing secure offline data access. Without trusting users, applications, operating systems, or hypervisors, Pasture leverages commodity trusted hardware to provide two important safety properties: access-undeniability (a user cannot deny any offline data access obtained by his device without failing an audit) and verifiable-revocation (a user who generates a verifiable proof of revocation of unaccessed data can never access that data in the future). For practical viability, Pasture moves costly trusted hardware operations from common data access actions to uncommon recovery and checkpoint actions. We used Pasture to augment three applications with secure offline data access to provide high availability, rich functionality, and improved consistency. Our evaluation suggests that Pasture overheads are acceptable for these applications.
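The two safety properties in the abstract can be understood through a small model: a trusted module that releases a data item's key only after appending the access to a tamper-evident log, and that destroys the key when it appends a revocation. The code below is an added illustration of that model, not Pasture's own code or protocol: a SHA-256 hash chain with a counter stands in for hardware-protected state, and an HMAC whose key is shared with the auditor stands in for hardware attestation (both assumptions of this example). The auditor replays the log the device hands over and compares it with the attested head, so an omitted access fails the audit; a revocation proof is the attested head after the revoke entry, and the key is gone afterwards.

```python
import hashlib
import hmac
import secrets

GENESIS = b"\x00" * 32  # initial hash-chain head (constructed constant)


def extend(head: bytes, counter: int, entry: bytes) -> bytes:
    """One hash-chain step: the new head commits to the old head, a counter and the entry."""
    return hashlib.sha256(head + counter.to_bytes(8, "big") + entry).digest()


def replay(entries):
    """Recompute the (counter, head) pair an honest log of entries must end in."""
    head, counter = GENESIS, 0
    for entry in entries:
        counter += 1
        head = extend(head, counter, entry)
    return counter, head


class TrustedModule:
    """Software stand-in for the trusted hardware (assumption: not a TPM model).
    Keys leave the module only via access(), and every access or revoke extends the chain."""

    def __init__(self, attest_key: bytes):
        self._attest_key = attest_key  # shared with the auditor; stands in for an attestation key pair
        self._keys = {}                # item_id -> data key, held only inside the module
        self.counter, self.head = 0, GENESIS

    def _log(self, entry: bytes) -> None:
        self.counter += 1
        self.head = extend(self.head, self.counter, entry)

    def provision(self, item_id: str, key: bytes) -> None:
        self._keys[item_id] = key

    def quote(self) -> tuple:
        """Attested statement of the current counter and log head."""
        msg = self.counter.to_bytes(8, "big") + self.head
        return self.counter, self.head, hmac.new(self._attest_key, msg, "sha256").digest()

    def access(self, item_id: str) -> bytes:
        """Release a key only after the access has been committed to the chain."""
        if item_id not in self._keys:
            raise PermissionError(f"{item_id}: key unavailable (revoked or never provisioned)")
        self._log(b"access:" + item_id.encode())
        return self._keys[item_id]

    def revoke(self, item_id: str) -> tuple:
        """Destroy the key, log the revocation and return an attested proof of it."""
        self._keys.pop(item_id, None)
        self._log(b"revoke:" + item_id.encode())
        return self.quote()


def audit(attest_key: bytes, entries, quote) -> bool:
    """Auditor check: the log the device hands over must replay to the attested head."""
    counter, head, mac = quote
    expected = hmac.new(attest_key, counter.to_bytes(8, "big") + head, "sha256").digest()
    if not hmac.compare_digest(mac, expected):
        return False
    return replay(entries) == (counter, head)


def verify_revocation(attest_key: bytes, entries, proof, item_id: str) -> bool:
    """A revocation proof is an attested head over a log that contains the revoke entry."""
    return audit(attest_key, entries, proof) and (b"revoke:" + item_id.encode()) in entries


def scenario() -> dict:
    """Constructed run: one access, one revocation, then an honest and a dishonest audit."""
    attest_key = secrets.token_bytes(32)
    tm = TrustedModule(attest_key)
    tm.provision("record-1", secrets.token_bytes(16))
    tm.provision("record-2", secrets.token_bytes(16))
    log = []  # the untrusted device software keeps the plaintext log entries

    tm.access("record-1")
    log.append(b"access:record-1")
    proof = tm.revoke("record-2")
    log.append(b"revoke:record-2")

    results = {
        # access-undeniability: the full log passes, a log that hides the access fails
        "honest_audit": audit(attest_key, log, tm.quote()),
        "denied_access_audit": audit(attest_key, [b"revoke:record-2"], tm.quote()),
        # verifiable-revocation: the proof checks, and the key is no longer obtainable
        "revocation_proof": verify_revocation(attest_key, log, proof, "record-2"),
    }
    try:
        tm.access("record-2")
        results["access_after_revoke"] = True
    except PermissionError:
        results["access_after_revoke"] = False
    return results
```

In this model every access costs one hash-chain step inside the module; the abstract's point that Pasture keeps the expensive trusted-hardware operations off the common access path and reserves them for checkpoint and recovery is not captured here, only the two safety properties are.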
