David Lie
Mark Horowitz
ABSTRACT
Recently, there has been considerable interest in providing "trusted computing platforms" using hardware~---~TCPA and Palladium being the most publicly visible examples. In this paper we discuss our experience with building such a platform using a traditional time-sharing operating system executing on XOM~---~a processor architecture that provides copy protection and tamper-resistance functions. In XOM, only the processor is trusted; main memory and the operating system are not trusted.Our operating system (XOMOS) manages hardware resources for applications that don't trust it. This requires a division of responsibilities between the operating system and hardware that is unlike previous systems. We describe techniques for providing traditional operating systems services in this context.Since an implementation of a XOM processor does not exist, we use SimOS to simulate the hardware. We modify IRIX 6.5, a commercially available operating system to create xomos. We are then able to analyze the performance and implementation overheads of running an untrusted operating system on trusted hardware.
- M. J. Accetta, R. V. Baron, W. Bolosky, D. B. Golub, R. F. Rashid, A. Tevanian, and M. W. Young. Mach: A new kernel foundation for UNIX development. In Proceedings of Summer Usenix, pages 93--113, July 1986.]]Google Scholar
- W. Arbaugh, D. Farber, and J. Smith. A secure and reliable bootstrap architecture. In Proceedings of the 1997 IEEE Symposium on Security and Privacy, pages 65--71, May 1997.]] Google ScholarDigital Library
- B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, and K. Yang. On the (im)possibility of obfuscating programs. Lecture Notes in Computer Science, 2139:19--23, 2001.]] Google ScholarDigital Library
- Business Software Alliance, 2003. http://www.bsa.org.]]Google Scholar
- J. Daemen and V. Rijmen. AES proposal: Rijndael. Technical report, National Institute of Standards and Technology (NIST), Mar. 2000. Available at: http://csrc.nist.gov/encryption/aes/rou\-nd2/r2algs.htm.]]Google Scholar
- P. England, J. DeTreville, and B. Lampson. Digital rights management operating system. U.S. Patent 6,330,670, Dec. 2001.]]Google Scholar
- P. England, J. DeTreville, and B. Lampson. Loading and identifying a digital rights management operating system. U.S. Patent 6,327,652. Dec. 2001.]]Google Scholar
- D. R. Engler, M. F. Kaashoek, and J. O'Toole. Exokernel: An operating system architecture for application-level resource management. In Proceedings of the 15th ACM Symposium on Operating Systems Principles, pages 251--266, 1995.]] Google ScholarDigital Library
- B. Gassend, E. Suh, D. Clarke, M. van Dijk, and S. Devadas. Caches and merkle trees for efficient memory authentication. In Proceedings of the 9th International Symposium on High Performance Computer Architecture, pages 295--306, Feb. 2003.]] Google ScholarDigital Library
- T. Gilmont, J. Legat, and J. Quisquater. An architecture of security management unit for safe hosting of multiple agents. In Proceedings of the International Workshop on Intelligent Communications and Multimedia Terminals, pages 79--82, Nov. 1998.]]Google Scholar
- T. Gilmont, J. Legat, and J. Quisquater. Hardware security for software privacy support. Electronics Letters, 35(24):2096--2097, Nov. 1999.]]Google ScholarCross Ref
- J. Heinrich. MIPS R10000 Microprocessor User's Manual, 2.0 edition, 1996.]]Google Scholar
- H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-hashing for message authentication. http://www.ietf.org/rfc/rfc2104.txt, Feb. 1997.]] Google ScholarDigital Library
- M. Kuhn. The TrustNo1 cryptoprocessor concept. Technical Report CS555, Purdue University, Apr. 1997.]]Google Scholar
- B. Lampson, M. Abadi, M. Burrows, and E. Wobber. Authentication in distributed systems: Theory and practice. ACM Transactions on Computer Systems, 10(4):265--310, Nov. 1992.]] Google ScholarDigital Library
- D. Lie, J. Mitchell, C. A. Thekkath, and M. Horowitz. Specifying and verifying hardware for tamper-resistant software. In Proceedings of the 2003 IEEE Symposium on Security and Privacy, pages 166--178, May 2003.]] Google ScholarDigital Library
- D. Lie, C. Thekkath, M. Mitchell, P. Lincoln, D. Boneh, J. Mitchell, and M. Horowitz. Architectural support for copy and tamper resistant software. In Proceedings of the 9th International Conference Architectural Support for Programming Languages and Operating Systems, pages 168--177, Nov. 2000.]] Google ScholarDigital Library
- U. Maheshwari, R. Vingralek, and B. Shapiro. How to build a trusted database system on untrusted storage. In Proceedings of the 4th Symposium on Operating Systems Design and Implementation, pages 135--150, Oct. 2000.]] Google ScholarDigital Library
- J. D. McCalpin. Memory bandwidth and machine balance in current high performance computers. Technical Committee on Computer Architecture (TCCA) Newsletter, Dec. 1995.]]Google Scholar
- OpenSSL, 2003. http://www.openssl.org.]]Google Scholar
- R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM, 21(18):120--126, Feb. 1978.]] Google ScholarDigital Library
- M. Rosenblum, E. Bugnion, S. Devine, and S. A. Herrod. Using the SimOS machine simulator to study complex computer systems. Modeling and Computer Simulation, 7(1):78--103, Jan. 1997.]] Google ScholarDigital Library
- J. Rushby. Design and verification of secure systems. ACM Operating Systems Review, SIGOPS, 15(5):12--21, Dec. 1981.]] Google ScholarDigital Library
- J. Saltzer and M. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278--1308, Sept. 1975.]]Google ScholarCross Ref
- SGI IRIX 6.5: Home Page, May 2003. http://www.sgi.com/software/irix6.5.]]Google Scholar
- J. S. Shapiro, J. M. Smith, and D. J. Farber. EROS: a fast capability system. In Proceedings of the 17th ACM Symposium on Operating Systems Principles, pages 170--185, Dec. 1999.]] Google ScholarDigital Library
- S. W. Smith, E. R. Palmer, and S. Weingart. Using a high-performance, programmable secure coprocessor. In Financial Cryptography, pages 73--89, Feb. 1998.]] Google ScholarDigital Library
- The Trusted Computing Platform Alliance, 2003. http://www.trustedpc.com.]]Google Scholar
- J. D. Tygar and B. Yee. Dyad: A system for using physically secure coprocessors. In Harvard-MIT Workshop on Protection of Intellectual Property, Apr. 1993.]]Google Scholar
Index Terms
- Implementing an untrusted operating system on trusted hardware
Recommendations
Implementing an untrusted operating system on trusted hardware
SOSP '03Recently, there has been considerable interest in providing "trusted computing platforms" using hardware~---~TCPA and Palladium being the most publicly visible examples. In this paper we discuss our experience with building such a platform using a ...
The Network Hardware is the Operating System
HOTOS '97: Proceedings of the 6th Workshop on Hot Topics in Operating Systems (HotOS-VI)To build a distributed operating system (OS), the microkernel approach is the most popular. To build an adaptable OS, a minimal microkernel is preferred, but for an adaptable and flexible distributed OS, the previous approaches are not enough because ...
Comments