Non-repudiable disk I/O in untrusted kernels

It is currently impossible for an application to verify that the data it passes to the kernel for storage is actually submitted to an underlying device or that the data returned to an application by the kernel has actually originated from an underlying device. A compromised or malicious OS can silently discard data written by the application or return fabricated data during a read operation. This is a serious data integrity issue for use-cases where verifiable storage and retrieval of data is a necessary precondition for ensuring correct operation, for example with secure logging, APT monitoring and compliance. We outline a solution for verifiable data storage and retrieval by providing a trustworthy mechanism, based on Intel SGX, to authenticate and verify request data at both the application and storage device endpoints. Even in the presence of a malicious OS our design ensures the authenticity and integrity of data while performing disk I/O and detects any data loss attributable to the untrusted OS fabricating or discarding read and write requests respectively. We provide a nascent prototype implementation for the core system together with an evaluation highlighting the temporal overheads imposed by this mechanism.

[1]  Mario Werner,et al.  SGXIO: Generic Trusted I/O Path for Intel SGX , 2017, CODASPY.

[2]  Todd M. Austin,et al.  Regaining lost cycles with HotCalls: A fast interface for SGX secure enclaves , 2017, 2017 ACM/IEEE 44th Annual International Symposium on Computer Architecture (ISCA).

[3]  Yannis Papakonstantinou,et al.  SSD in-storage computing for list intersection , 2016, DaMoN '16.

[4]  Ryan K. L. Ko,et al.  Cloud computing vulnerability incidents: a statistical overview , 2013 .

[5]  Miguel Castro,et al.  Preventing Memory Error Exploits with WIT , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[6]  Benjamin Morin,et al.  What If You Can't Trust Your Network Card? , 2011, RAID.

[7]  Emmett Witchel,et al.  InkTag: secure applications on an untrusted operating system , 2013, ASPLOS '13.

[8]  Youngjin Kwon,et al.  Sego: Pervasive Trusted Metadata for Efficiently Verified Untrusted System Services , 2016, ASPLOS.

[9]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[10]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[11]  David M. Eyers,et al.  SCONE: Secure Linux Containers with Intel SGX , 2016, OSDI.

[12]  Herbert Bos,et al.  Flip Feng Shui: Hammering a Needle in the Software Stack , 2016, USENIX Security Symposium.

[13]  Galen C. Hunt,et al.  Shielding Applications from an Untrusted Cloud with Haven , 2014, OSDI.

[14]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[15]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[16]  Srinivas Devadas,et al.  Intel SGX Explained , 2016, IACR Cryptol. ePrint Arch..

[17]  David J. DeWitt,et al.  Query processing on smart SSDs: opportunities and challenges , 2013, SIGMOD '13.

[18]  Bohn Stafleu van Loghum,et al.  Online … , 2002, LOG IN.

[19]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[20]  Vikram S. Adve,et al.  Virtual ghost: protecting applications from hostile operating systems , 2014, ASPLOS.