Abstract
We present a flexible architecture for trusted computing, called Terra, that allows applications with a wide range of security requirements to run simultaneously on commodity hardware. Applications on Terra enjoy the semantics of running on a separate, dedicated, tamper-resistant hardware platform, while retaining the ability to run side-by-side with normal applications on a general-purpose computing platform. Terra achieves this synthesis by use of a trusted virtual machine monitor (TVMM) that partitions a tamper-resistant hardware platform into multiple, isolated virtual machines (VM), providing the appearance of multiple boxes on a single, general-purpose platform. To each VM, the TVMM provides the semantics of either an "open box," i.e. a general-purpose hardware platform like today's PCs and workstations, or a "closed box," an opaque special-purpose platform that protects the privacy and integrity of its contents like today's game consoles and cellular phones. The software stack in each VM can be tailored from the hardware interface up to meet the security requirements of its application(s). The hardware and TVMM can act as a trusted party to allow closed-box VMs to cryptographically identify the software they run, i.e. what is in the box, to remote parties. We explore the strengths and limitations of this architecture by describing our prototype implementation and several applications that we developed for it.
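The remote identification of "what is in the box" described above, as an added illustration that is not code from the Terra paper or its prototype: it models the attestation as a chain of certificates, hardware over TVMM and TVMM over closed-box VM, each binding an image hash to the key that layer signs with. The chain layout, Ed25519 signatures and SHA-256 measurements are my assumptions; the images, keys and nonce are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Cert binds the SHA-256 of a layer's image to the public key that layer will
// use to speak for itself; it is signed by the layer beneath it.
type Cert struct {
	Hash   [32]byte
	PubKey ed25519.PublicKey
	Sig    []byte
}

func certify(issuer ed25519.PrivateKey, image []byte, subject ed25519.PublicKey) Cert {
	h := sha256.Sum256(image)
	return Cert{h, subject, ed25519.Sign(issuer, append(h[:], subject...))}
}

func verifyCert(issuer ed25519.PublicKey, c Cert) bool {
	return ed25519.Verify(issuer, append(c.Hash[:], c.PubKey...), c.Sig)
}

// BootChain models boot on Terra (assumed structure): the hardware measures and
// certifies the TVMM, and the TVMM measures and certifies the closed-box VM it
// launches. It returns both certificates and the VM's private key (kept in the box).
func BootChain(hwKey ed25519.PrivateKey, tvmmImage, vmImage []byte) (Cert, Cert, ed25519.PrivateKey) {
	tvmmPub, tvmmKey, _ := ed25519.GenerateKey(rand.Reader)
	vmPub, vmKey, _ := ed25519.GenerateKey(rand.Reader)
	return certify(hwKey, tvmmImage, tvmmPub), certify(tvmmKey, vmImage, vmPub), vmKey
}

// Attest is the remote party's check: walk the chain from the hardware root,
// compare each measured hash with the image it expects, and confirm the VM
// holds the key the chain names by verifying its signature over a fresh nonce.
func Attest(hwPub ed25519.PublicKey, wantTVMM, wantVM [32]byte, tvmm, vm Cert, nonce, nonceSig []byte) bool {
	if !verifyCert(hwPub, tvmm) || tvmm.Hash != wantTVMM {
		return false // TVMM not certified by the hardware, or not the expected TVMM
	}
	if !verifyCert(tvmm.PubKey, vm) || vm.Hash != wantVM {
		return false // VM not certified by that TVMM, or its image differs
	}
	return ed25519.Verify(vm.PubKey, nonce, nonceSig)
}
```

A remote party that pins the hardware public key and the expected TVMM and VM hashes accepts only a box running exactly that software; a changed image, a chain rooted in other hardware, or a replayed nonce all fail.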
Terra: a virtual machine-based platform for trusted computing
SOSP '03: Proceedings of the nineteenth ACM symposium on Operating systems principles