An Execution Infrastructure for TCB Minimization

We present Flicker, an infrastructure for executing security-sensitive code in complete isolation while trusting as few as 250 lines of additional code. Flicker can also provide meaningful, fine-grained attestation of the code executed (as well as its inputs and outputs) to a remote party. Flicker guarantees these properties even if the BIOS, OS and DMA-enabled devices are all malicious. Flicker leverages new commodity processors from AMD and Intel and does not require a new OS or VMM. We demonstrate a full implementation of Flicker on an AMD platform and describe our development environment for simplifying the construction of Flicker-enabled code.

[1]  David P. Anderson,et al.  SETI@home: an experiment in public-resource computing , 2002, CACM.

[2]  Dan Boneh,et al.  Stronger Password Authentication Using Browser Extensions , 2005, USENIX Security Symposium.

[3]  David P. Anderson,et al.  BOINC: a system for public-resource computing and storage , 2004, Fifth IEEE/ACM International Workshop on Grid Computing.

[4]  Elaine Shi,et al.  BIND: a fine-grained attestation service for secure distributed systems , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[5]  Sean W. Smith,et al.  Securing Web servers against insider attack , 2001, Seventeenth Annual Computer Security Applications Conference.

[6]  Bernhard Kauer OSLO: Improving the Security of Trusted Computing , 2007, USENIX Security Symposium.

[7]  Douglas Kilpatrick,et al.  Privman: A Library for Partitioning Applications , 2003, USENIX Annual Technical Conference, FREENIX Track.

[8]  David Lie,et al.  Splitting interfaces: making trust between applications and operating systems configurable , 2006, OSDI '06.

[9]  David Brumley,et al.  Privtrans: Automatically Partitioning Programs for Privilege Separation , 2004, USENIX Security Symposium.

[10]  Sean W. Smith,et al.  Building a high-performance, programmable secure coprocessor , 1999, Comput. Networks.

[11]  Niels Provos,et al.  Preventing Privilege Escalation , 2003, USENIX Security Symposium.

[12]  Calton Pu,et al.  Reducing TCB complexity for security-sensitive applications: three case studies , 2006, EuroSys.

[13]  George C. Necula,et al.  The design and implementation of a certifying compiler , 1998, PLDI.

[14]  Hugo Krawczyk,et al.  Public-key cryptography and password protocols , 1998, CCS '98.

[15]  Michael K. Reiter,et al.  Minimal TCB Code Execution (Extended Abstract) , 2007 .

[16]  Tal Garfinkel,et al.  Terra: a virtual machine-based platform for trusted computing , 2003, SOSP '03.

[17]  George C. Necula,et al.  CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs , 2002, CC.

[18]  Edward W. Felten,et al.  Access control for ad-hoc collaboration , 2001 .

[19]  Trent Jaeger,et al.  Design and Implementation of a TCG-based Integrity Measurement Architecture , 2004, USENIX Security Symposium.

[20]  Robert Tappan Morris,et al.  USENIX Association Proceedings of HotOS IX : The 9 th Workshop on Hot Topics in Operating Systems , 2003 .

[21]  Bennet S. Yee,et al.  Using Secure Coprocessors , 1994 .

[22]  Stefan Berger,et al.  Towards Trustworthy Kiosk Computing , 2007, Eighth IEEE Workshop on Mobile Computing Systems and Applications.

[23]  Michael K. Reiter,et al.  How low can you go?: recommendations for hardware-supported minimal TCB code execution , 2008, ASPLOS.

[24]  Andrew C. Myers,et al.  Secure program partitioning , 2002, TOCS.