Verifying system integrity by proxy

Authors: Joshua Schiffman, Hayawardh Vijayakumar, Trent Jaeger

DOI: 10.1007/978-3-642-30921-2_11

Keywords: Trusted Platform Module, Overhead (engineering), System integrity, Correctness, Secure communication, Data integrity, Computer science, Virtual machine, Computer security, Bottleneck

Abstract: Users are increasingly turning to online services, but concerned for the safety of their personal data and critical business tasks. While secure communication protocols like TLS authenticate protect connections these they cannot guarantee correctness endpoint system. would assurance that all remote receive is from systems satisfy users' integrity requirements. Hardware-based measurement (IM) have long promised such guarantees, failed deliver them in practice. Their reliance on non-performant devices generate timely attestations ad hoc frameworks limits efficiency completeness verification. In this paper, we introduce verification proxy (IVP), a service enforces requirements over systems. The IVP monitors changes unmodified system immediately terminates clients whose specific not satisfied while eliminating attestation reporting bottleneck imposed by current IM protocols. We implemented proof-of-concept detects several classes violations Linux KVM system, imposing less than 1.5% overhead two application benchmarks no more 8% I/O-bound micro-benchmarks.
