TrustVisor: Efficient TCB Reduction and Attestation

McCune, Jonathan M.; Liu, Yanlin; Qu, Ning; Zhou, Zongwei; Datta, Anupam; Gligor, Virgil D.; Perrig, Adrian

doi:10.1109/sp.2010.17

Cited by 437 publications

(302 citation statements)

References 19 publications

Supporting

Mentioning

302

Contrasting

Order By: Relevance

“…In addition, by sending out the data, HyperCheck has a lower overhead on the target machine compared to Flicker. To reduce the overhead of Flicker, TrustVisor [24] has a small footprint hypervisor to perform some cryptography operations. However, all the legacy applications should be ported for TrustVisor to work.…”

Section: Related Workmentioning

confidence: 99%

“…Others developed new specialized prototype hypervisors [36,24]. However, having a small code base can only limit the code exposure and thus the attack surface of the hypervisor -it cannot provide strong guarantees about the code integrity of all the hypervisor components.…”

Section: Introductionmentioning

confidence: 99%

“…Our assumptions are that the attacker does not have physical access to the machine and that the SMM BIOS is locked and thus cannot be altered during run. We do not explicitly require trusted boot to initialize HyperCheck [23,24]. However, having a machine equipped with trusted boot can prevent attacks against HyperCheck that simulate a hardware reset.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

HyperCheck: A Hardware-Assisted Integrity Monitor

Jiang

Stavrou

Ghosh

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Over the past few years, virtualization has been employed to environments ranging from densely populated cloud computing clusters to home desktop computers. Security researchers embraced virtual machine monitors (VMMs) as a new mechanism to guarantee deep isolation of untrusted software components. Unfortunately, their widespread adoption promoted VMMs as a prime target for attackers. In this paper, we present HyperCheck, a hardware-assisted tampering detection framework designed to protect the integrity of VMMs and, for some classes of attacks, the underlying operating system (OS). HyperCheck leverages the CPU System Management Mode (SMM), present in x86 systems, to securely generate and transmit the full state of the protected machine to an external server. Using HyperCheck, we were able to ferret-out rootkits that targeted the integrity of both the Xen hypervisor and traditional OSes. Moreover, HyperCheck is robust against attacks that aim to disable or block its operation. Our experimental results show that HyperCheck can produce and communicate a scan of the state of the protected software in less than 40ms.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

HyperCheck: A Hardware-Assisted Integrity Monitor

Jiang

Stavrou

Ghosh

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…This trusted environment can be provisioned by either hardware (e.g., IBM 4767 PCIeCC2 [3], Intel SGX [4]) or hardwaresoftware combination [34,35]. Under this approach, data is stored in untrusted external memory/storage and protected by semantically secure encryption.…”

Section: Introductionmentioning

confidence: 99%

Privacy-Preserving Computation with Trusted Computing via Scramble-then-Compute

Dang

Dinh

Chang

et al. 2017

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Abstract:We consider privacy-preserving computation of big data using trusted computing primitives with limited private memory. Simply ensuring that the data remains encrypted outside the trusted computing environment is insufficient to preserve data privacy, for data movement observed during computation could leak information. While it is possible to thwart such leakage using generic solution such as ORAM [42], designing efficient privacy-preserving algorithms is challenging. Besides computation efficiency, it is critical to keep trusted code bases lean, for large ones are unwieldy to vet and verify. In this paper, we advocate a simple approach wherein many basic algorithms (e.g., sorting) can be made privacy-preserving by adding a step that securely scrambles the data before feeding it to the original algorithms. We call this approach Scramblethen-Compute (StC), and give a sufficient condition whereby existing external memory algorithms can be made privacy-preserving via StC. This approach facilitates code-reuse, and its simplicity contributes to a smaller trusted code base. It is also general, allowing algorithm designers to leverage an extensive body of known efficient algorithms for better performance. Our experiments show that StC could offer up to 4.1× speedups over known, application-specific alternatives.

show abstract

“…A number of valuable research projects observe that a sensitive application component, such as a random number generator or authentication module, requires little functionality, if any, from the OS, yet are vulnerable to failures of the OS [68,69]. These projects are beyond the scope of this paper, which instead focuses on systems that leverage virtualization to ensure security properties for applications that require legacy OS functionality.…”

Section: Introductionmentioning

confidence: 99%

SoK: Introspections on Trust and the Semantic Gap

Jain

Baig

Zhang

et al. 2014

2014 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

Abstract-An essential goal of Virtual Machine Introspection (VMI) is assuring security policy enforcement and overall functionality in the presence of an untrustworthy OS. A fundamental obstacle to this goal is the difficulty in accurately extracting semantic meaning from the hypervisor's hardwarelevel view of a guest OS, called the semantic gap. Over the twelve years since the semantic gap was identified, immense progress has been made in developing powerful VMI tools.Unfortunately, much of this progress has been made at the cost of reintroducing trust into the guest OS, often in direct contradiction to the underlying threat model motivating the introspection. Although this choice is reasonable in some contexts and has facilitated progress, the ultimate goal of reducing the trusted computing base of software systems is best served by a fresh look at the VMI design space.This paper organizes previous work based on the essential design considerations when building a VMI system, and then explains how these design choices dictate the trust model and security properties of the overall system. The paper then observes portions of the VMI design space which have been under-explored, as well as potential adaptations of existing techniques to bridge the semantic gap without trusting the guest OS.Overall, this paper aims to create an essential checkpoint in the broader quest for meaningful trust in virtualized environments through VM introspection.

show abstract

TrustVisor: Efficient TCB Reduction and Attestation

Cited by 437 publications

References 19 publications

HyperCheck: A Hardware-Assisted Integrity Monitor

HyperCheck: A Hardware-Assisted Integrity Monitor

Privacy-Preserving Computation with Trusted Computing via Scramble-then-Compute

SoK: Introspections on Trust and the Semantic Gap

Contact Info

Product

Resources

About