Trusted Computing Base

The Experts below are selected from a list of 321 Experts worldwide ranked by ideXlab platform

Hermann Hartig - One of the best experts on this subject based on the ideXlab platform.

  • VPFS: building a virtual private file system with a small Trusted Computing Base
    Proceedings of the 3rd ACM SIGOPS EuroSys European Conference on Computer Systems 2008 - Eurosys '08, 2008
    Co-Authors: Carsten Weinhold, Hermann Hartig
    Abstract:

    In this paper we present the lessons we learned when developing VPFS, a virtual private file system that is based on both a small amount of trusted storage and an untrusted legacy file system residing on the same machine. VPFS' purpose is to provide secure and reliable storage to highly sensitive applications running on top of a microkernel, which may concurrently execute untrusted software. The confidentiality and integrity guarantees of VPFS apply not only to file contents, but also to all metadata, including the integrity of the directory structure. We explored design alternatives that allow us to securely reuse untrusted infrastructure and thereby minimize the complexity that a file-system implementation adds to the Trusted Computing Base. VPFS is split into two isolated components. A small trusted component implements all security-critical functionality, whereas the untrusted part reuses an existing file-system implementation provided by a virtualized legacy operating system that can be untrusted. In our VPFS prototype, alternative configurations of the trusted component comprise only between 4,000 and 4,600 lines of code, which is at least an order of magnitude smaller than existing commodity file-system stacks.

Carsten Weinhold - One of the best experts on this subject based on the ideXlab platform.

  • VPFS: building a virtual private file system with a small Trusted Computing Base
    Proceedings of the 3rd ACM SIGOPS EuroSys European Conference on Computer Systems 2008 - Eurosys '08, 2008
    Co-Authors: Carsten Weinhold, Hermann Hartig
    Abstract:

    In this paper we present the lessons we learned when developing VPFS, a virtual private file system that is based on both a small amount of trusted storage and an untrusted legacy file system residing on the same machine. VPFS' purpose is to provide secure and reliable storage to highly sensitive applications running on top of a microkernel, which may concurrently execute untrusted software. The confidentiality and integrity guarantees of VPFS apply not only to file contents, but also to all metadata, including the integrity of the directory structure. We explored design alternatives that allow us to securely reuse untrusted infrastructure and thereby minimize the complexity that a file-system implementation adds to the Trusted Computing Base. VPFS is split into two isolated components. A small trusted component implements all security-critical functionality, whereas the untrusted part reuses an existing file-system implementation provided by a virtualized legacy operating system that can be untrusted. In our VPFS prototype, alternative configurations of the trusted component comprise only between 4,000 and 4,600 lines of code, which is at least an order of magnitude smaller than existing commodity file-system stacks.

Frank Piessens - One of the best experts on this subject based on the ideXlab platform.

  • WISTP - Secure Resource Sharing for Embedded Protected Module Architectures
    Information Security Theory and Practice, 2015
    Co-Authors: Jo Bulck, Job Noorman, Jan Mühlberg, Frank Piessens
    Abstract:

    Low-end embedded devices and the Internet of Things (IoT) are becoming increasingly important for our lives. They are being used in domains such as infrastructure management, and medical and healthcare systems, where business interests and our security and privacy are at stake. Yet, security mechanisms have been appallingly neglected on many IoT platforms. In this paper we present a secure access control mechanism for extremely lightweight embedded microcontrollers. Being based on Sancus, a hardware-only Trusted Computing Base and Protected Module Architecture for the embedded domain, our mechanism allows for multiple software modules on an IoT node to securely share resources. We implement and evaluate our approach for two application scenarios, a shared memory system and a shared flash drive. Our implementation is based on a Sancus-enabled TI MSP430 microcontroller. We show that our mechanism can give high security guarantees at small runtime overheads and a moderately increased size of the Trusted Computing Base.

  • Sancus: low-cost trustworthy extensible networked devices with a zero-software Trusted Computing Base
    USENIX Security Symposium, 2013
    Co-Authors: Job Noorman, Pieter Agten, Wilfried Daniels, Raoul Strackx, Anthony Van Herrewege, Christophe Huygens, Bart Preneel, Ingrid Verbauwhede, Frank Piessens
    Abstract:

    In this paper we propose Sancus, a security architecture for networked embedded devices. Sancus supports extensibility in the form of remote (even third-party) software installation on devices while maintaining strong security guarantees. More specifically, Sancus can remotely attest to a software provider that a specific software module is running uncompromised, and can authenticate messages from software modules to software providers. Software modules can securely maintain local state, and can securely interact with other software modules that they choose to trust. The most distinguishing feature of Sancus is that it achieves these security guarantees without trusting any infrastructural software on the device. The Trusted Computing Base (TCB) on the device is only the hardware. Moreover, the hardware cost of Sancus is low. We describe the design of Sancus, and develop and evaluate a prototype FPGA implementation of a Sancus-enabled device. The prototype extends an MSP430 processor with hardware support for the memory access control and cryptographic functionality required to run Sancus. We also develop a C compiler that targets our device and that can compile standard C modules to Sancus-protected software modules.

Guido Araujo - One of the best experts on this subject based on the ideXlab platform.

  • T-DRE: a hardware Trusted Computing Base for direct recording electronic vote machines
    Proceedings of the 26th Annual Computer Security Applications Conference - ACSAC '10, 2010
    Co-Authors: Roberto Gallo, Henrique Kawakami, Ricardo Dahab, Rafael Azevedo, Saulo Lima, Guido Araujo
    Abstract:

    We present a hardware Trusted Computing Base (TCB) aimed at Direct Recording Voting Machines (T-DRE), with novel design features concerning vote privacy, device verifiability, signed-code execution and device resilience. Our proposal is largely compliant with the VVSG (Voluntary Voting System Guidelines), while also strengthening some of its recommendations. To the best of our knowledge, T-DRE is the first architecture to employ multi-level, certification-based, hardware-enforced privileges to the running software. T-DRE also makes a solid case for the feasibility of strong security systems: it is the basis of 165,000 voting machines, set to be used in a large upcoming national election. In short, our contribution is a viable computational trusted base for both modern and classical voting protocols.

Xinwen Zhang - One of the best experts on this subject based on the ideXlab platform.

  • POLICY - Systematic Policy Analysis for High-Assurance Services in SELinux
    2008 IEEE Workshop on Policies for Distributed Systems and Networks, 2008
    Co-Authors: Wenjuan Xu, Xinwen Zhang
    Abstract:

    Identifying and protecting the Trusted Computing Base (TCB) of a system is an important task in providing high-assurance services, since a set of trusted subjects should be legitimately articulated for target applications. In this paper, we present a formal policy analysis framework to identify the TCB with the consideration of specific security goals. We also attempt to model information flows between domains in SELinux policies and detect security violations among information flows using colored Petri nets.
