ABSTRACT
The large size and high complexity of security-sensitive applications and systems software is a primary cause for their poor testability and high vulnerability. One approach to alleviate this problem is to extract the security-sensitive parts of application and systems software, thereby reducing the size and complexity of software that needs to be trusted. At the system software level, we use the Nizza architecture which relies on a kernelized trusted computing base (TCB) and on the reuse of legacy code using trusted wrappers to minimize the size of the TCB. At the application level, we extract the security-sensitive portions of an already existing application into an AppCore. The AppCore is executed as a trusted process in the Nizza architecture while the rest of the application executes on a virtualized, untrusted legacy operating system. In three case studies of real-world applications (e-commerce transaction client, VPN gateway and digital signatures in an e-mail client), we achieved a considerable reduction in code size and complexity. In contrast to the few hundred thousand lines of current application software code running on millions of lines of systems software code, we have AppCores with tens of thousands of lines of code running on a hundred thousand lines of systems software code. We also show the performance penalty of AppCores to be modest (a few percent) compared to current software.
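The AppCore split described in the abstract, as an added example that is not code from the paper or from the Nizza/L4 project: the security-sensitive operation (here, signing a message with a key, as in the e-mail case study) runs in its own process that parses only a tiny fixed protocol, while the legacy side knows the wire format but never the key. The paper places the AppCore in an L4 task next to a paravirtualized L4Linux; this example stands that boundary in with POSIX fork() and pipes, and the framing, the size cap, DEMO_KEY and the sample message are all its own assumptions.

```python
"""The AppCore split emulated with two POSIX processes (added example).

Assumption: the L4 task boundary between the AppCore and the L4Linux part
is stood in for by fork() plus a pair of pipes; the framing, the size cap
and DEMO_KEY are this example's own choices, not the paper's.
"""
import hashlib
import hmac
import os
import struct

# Constructed demo key. In the real design the secret lives only inside the
# AppCore task; here both processes inherit the module after fork(), so the
# separation is illustrative, not a security boundary.
DEMO_KEY = b"demo-signing-key-not-for-real-use"

# The whole input surface of the trusted side is one length-prefixed frame.
# 4 KiB keeps a refused request inside the pipe buffer, so the client's
# write never blocks on a server that has already walked away.
MAX_REQUEST = 4096
HDR = struct.Struct("!I")           # 4-byte big-endian length / status word
SIG_LEN = hashlib.sha256().digest_size

STATUS_OK = 0
STATUS_TOO_LARGE = 1
STATUS_BAD_FRAME = 2


def appcore_sign(key: bytes, message: bytes) -> bytes:
    """The security-sensitive operation itself: HMAC-SHA256 over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def appcore_verify(key: bytes, message: bytes, sig: bytes) -> bool:
    """Constant-time check; also something only the key holder can do."""
    return hmac.compare_digest(appcore_sign(key, message), sig)


def _read_exact(fd: int, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = os.read(fd, n - len(buf))
        if not chunk:
            raise EOFError("channel closed")
        buf += chunk
    return buf


def appcore_serve(key: bytes, req_fd: int, resp_fd: int) -> None:
    """Trusted side: one frame in, one status word (plus signature) out.

    All it ever parses is the 4-byte header and at most MAX_REQUEST bytes
    of payload, which is what keeps this part small enough to audit.
    """
    try:
        (length,) = HDR.unpack(_read_exact(req_fd, HDR.size))
    except EOFError:
        return
    if length > MAX_REQUEST:
        os.write(resp_fd, HDR.pack(STATUS_TOO_LARGE))   # refuse before reading payload
        return
    try:
        message = _read_exact(req_fd, length)
    except EOFError:
        os.write(resp_fd, HDR.pack(STATUS_BAD_FRAME))
        return
    os.write(resp_fd, HDR.pack(STATUS_OK) + appcore_sign(key, message))


def legacy_request(req_fd: int, resp_fd: int, message: bytes):
    """Untrusted side: knows the wire format, never the key."""
    os.write(req_fd, HDR.pack(len(message)) + message)
    (status,) = HDR.unpack(_read_exact(resp_fd, HDR.size))
    if status != STATUS_OK:
        return status, None
    return status, _read_exact(resp_fd, SIG_LEN)


def run_partitioned(message: bytes):
    """Fork; the child plays the AppCore, the parent plays the legacy client."""
    req_r, req_w = os.pipe()
    resp_r, resp_w = os.pipe()
    pid = os.fork()
    if pid == 0:                              # AppCore process
        os.close(req_w)
        os.close(resp_r)
        appcore_serve(DEMO_KEY, req_r, resp_w)
        os._exit(0)
    os.close(req_r)                           # legacy client process
    os.close(resp_w)
    try:
        return legacy_request(req_w, resp_r, message)
    finally:
        os.close(req_w)
        os.close(resp_r)
        os.waitpid(pid, 0)


if __name__ == "__main__":
    # Constructed sample message standing in for the e-mail client's body.
    status, sig = run_partitioned(b"From: alice\r\nTo: bob\r\n\r\nPay 10 EUR\r\n")
    print(status, sig.hex())
    print(run_partitioned(b"x" * (MAX_REQUEST + 1)))   # refused: (1, None)
```

The point of the split is visible in what each side has to get right: the legacy process can be as large and buggy as the e-mail client it stands for, but the only code that touches the key is `appcore_sign`, and the only input that code accepts is a bounded frame. In the paper the same narrow interface is what lets an AppCore of tens of thousands of lines sit on a kernelized TCB while the rest of the application runs on an untrusted Linux.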