Embassies: Radically Refactoring the Web Jon Howell, Bryan Parno, John R

Total Page:16

File Type:pdf, Size:1020Kb

Embassies: Radically Refactoring the Web Jon Howell, Bryan Parno, John R Embassies: Radically Refactoring the Web Jon Howell, Bryan Parno, John R. Douceur, Microsoft Research Abstract of evolving complexity. On the Internet, application Web browsers ostensibly provide strong isolation for providers, or vendors, run server-side applications over the client-side components of web applications. Unfor- which they exercise total control, from the app down tunately, this isolation is weak in practice; as browsers to the network stack, firewall, and OS. Even when ven- add increasingly rich APIs to please developers, these dors are tenants of a shared datacenter, each tenant au- complex interfaces bloat the trusted computing base and tonomously controls its software stack down to the ma- erode cross-app isolation boundaries. chine code, and each tenant is accessible only via IP. We reenvision the web interface based on the notion The strong isolation among virtualized Infrastructure-as- of a pico-datacenter, the client-side version of a shared a-Service datacenter tenants derives not from physical server datacenter. Mutually untrusting vendors run their separation but from the execution interface’s simplicity. code on the user’s computer in low-level native code con- This paper extends the semantics of datacenter rela- tainers that communicate with the outside world only via tionships to the client’s web experience. Suspending dis- IP. Just as in the cloud datacenter, the simple semantics belief momentarily, suppose every client had ubiquitous makes isolation tractable, yet native code gives vendors high-performance Internet connectivity. In such a world, the freedom to run any software stack. Since the datacen- exploiting datacenter semantics is easy: The client is ter model is designed to be robust to malicious tenants, it merely a screencast (VNC) viewer; every app runs on is never dangerous for the user to click a link and invite its vendor’s servers and streams a video of its display to a possibly-hostile party onto the client. the client. The client bears only a few responsibilities, primarily around providing a trusted path, i.e., enabling 1 Introduction the user to select which vendor to interact with and pro- viding user input authenticity and privacy. A defining feature of the web application model is its We can restore reality by moving the vendors’ code ostensibly strong notion of isolation. On the desktop, a down to the client, with the client acting as a notional user use caution when installing apps, since if an app pico-datacenter. On the client, apps enjoy fast, reliable misbehaves, the consequences are unbounded. On the access to the display, but the semantics of isolation re- web, if the user clicks on a link and doesn’t like what she main identical to the server model: Each vendor has au- sees, she clicks the ‘close’ button, and web app isolation tonomous control over its software stack, and each ven- promises that the closed app has no lasting effect on the dor interacts with other vendors (remote and local) only user’s experience. through opt-in network protocols. Sadly, the promise of isolation is routinely broken, and The pico-datacenter abstraction offers an escape from so in practice, we caution users to avoid clicking on “dan- the battle between isolation and richness, by deconflating gerous links”. Isolation fails because the web’s API, re- the goals into two levels of interface. The client imple- sponsible for application isolation, has simultaneously ments the client execution interface (CEI), which is dedi- pursued application richness, accreting HTTP, MIME, cated to isolating applications and defines how a vendor’s HTML, DOM, CSS, JavaScript, JPG, PNG, Java, Flash, bag of bits is interpreted by the client. Different ven- Silverlight, SVG, Canvas, and more. This richness intro- dors may employ, inside their isolated containers, differ- duces so much complexity that any precise specification ent developer programming interfaces (DPIs). Today’s of the web API is virtually impossible. Yet we can’t hope web API is stuck in a painful battle because it conflates for correct application isolation until we can specify the these goals into a single interface [11]: The API is simul- API’s semantics. Thus, the current web API is a battle taneously a collection of rich, expressive DPI functions between isolation and richness, and isolation is losing. for app developers, and also a CEI that separates vendors. The same battle was fought—and lost—on the desk- The conflated result is a poor CEI that is neither simple top. The initially-simple conventional OS evolved into a nor well-defined. Indeed, this conflation explains why it rich, complex desktop API, an unmanageable disaster of took a decade to prevent text coloring from leaking pri- complexity. Is there hope? Or do isolation (via simple vate information [63], and why today’s web allows cross- specification) and richness inevitably conflict? site fetches of JPGs or JavaScript but not XML [67]. The There is, in fact, a context in which mutually- semantics of web app isolation wind through a teetering untrusting participants interact in near-perfect auton- stack of rich software layers. omy, maintaining arbitrarily strong isolation in the face USENIX Association 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI ’13) 529 We deconflate the CEI and DPI by following the pico- and a simple, well-specified CEI. While it’s difficult to datacenter analogy, arriving at a concrete client archi- prove such a radical change unequivocally superior, this tecture called Embassies.1 We pare the web CEI down paper aims to demonstrate that the goal is both realistic to isolated native code picoprocesses [25], IP for com- and valuable. It makes these contributions: munication beyond the process, and minimal low-level • With the pico-datacenter model, we exploit the UI primitives to support the new display responsibilities lessons of autonomous datacenter tenancy in the identified above. client environment (§3), and argue that the collat- The rich DPI, on the other hand, becomes part of the eral effects of the shift are mostly harmless (§8). web app itself, giving developers unparalleled freedom. • We show a small, well-defined CEI specification This proposal doesn’t require Alice, a web app devel- (§3) that admits small implementations (§6.1) and oper, to start coding in assembly. When she writes a hence suggests that correct isolation is achievable. geotagging site, she codes against the familiar HTML, • With a variety of rich DPI implementations running CSS, and JavaScript DPI. But, per the datacenter model, against our CEI, we demonstrate that application that DPI is implemented by the WebKit library [62] that richness is not compromised but enhanced (§6.2). Alice’s client code links against, just as her server-side • We show how to replace the cross-app interactions code links against PHP. Because Alice chooses the li- baked into today’s browser with bilateral protocols brary, browser incompatibilities disappear. (§4), maintaining familiar functionality while obey- Suppose a buffer overflow is discovered in libpng [50], ing pico-datacenter semantics. a library Alice’s DPI uses to draw images. Because Al- • We implement this refactoring (§5) and show that it ice links WebKit by reference, as soon as the WebKit can achieve plausible performance (§6.3, 6.4). developers patch the bug, her client code automatically inherits the fix. Just like when Alice fixes a bug in libphp 2 Trends in Prior Work on her server, the user needn’t care about this update. Later, Alice adds a comment forum to her application. Embassies is not the first attempt to improve web app Rendering user-generated HTML has always been risky, isolation and richness, and indeed prior proposals im- often leading to XSS vulnerabilities [29]. But Alice prove on one or both of these axes. However, they do not hears about WebGear, a fork of WebKit, that enhances provide true datacenter-style isolation — they incorpo- HTML with sandboxes that solve this problem robustly. rate, for reasons of compatibility, part or all of the aggre- DPI libraries like WebGear can innovate just as browser gate web API inside their trusted computing base (TCB). vendors do today, but without imposing client browser 2.1 Better Browsers for the Same API upgrades; Alice simply changes her app’s linkage. Chrome and IE8+ both shift from a single process Ultimately, independent development of alternative model to one that encapsulates each tab in a separate host DPIs outpace WebGear, and Alice graduates to a .NET OS process. This increases robustness to benign failures, or GTK+ stack that is more powerful, or more secure, or but these modifications don’t change the web interface— more elegant. Alice chooses a feature-full new frame- multiple apps still occupy one tab, and complex cross- work, while Bob sticks with WebBSD, a spartan frame- app interactions still occur across tabs—hence isolation work renowned for robustness, for his encrypted chat among web apps is still weak. OP’s browser refactor- app. Taking the complex, rich semantics out of the ing [20] is also constrained by the web API’s complex CEI gives developers more freedom, while making cross- semantics. vendor isolation—the primary guarantee established by Given this constraint, IBOS pushes the idea of refac- the client—more robust than today’s web API. toring the browser quite far [55]. It realizes the idea of Via the pico-datacenter model, we develop a CEI with: sites as first-class OS principals [26, 57], and container- • a minimal native execution environment, izes renderers to improve isolation. IBOS must still in- • a minimal notion of application identity, clude HTTP to define scheme, host, port web prin- • a minimal primitive for persistent state, cipals, and must use deep-packet inspection on HTML • an IP interface for all external app communication, and MIME to partially enforce the Same-Origin Policy (SOP) [67].
Recommended publications
  • JOE LAM Website: | E-Mail: [email protected] | Phone: (201) 887-7588
    JOE LAM Website: http://joe-lam.com | E-mail: [email protected] | Phone: (201) 887-7588 SUMMARY Microsoft Build Hackathon winner with 9+ years’ professional experience in software development. Ample Experience in managing development teams in various sizes, including project planning, scheduling, and resource allocation. Providing technical guidance and designing system/application architectures on mission critical enterprise projects. Responsible for all aspects of the software development lifecycle and deliver innovative solutions for business needs. TECHNOLOGIES Microsoft Application Development with .Net Framework 4.5.2 in C# ASP.Net (WebAPI, SignalR, MVC, Web Service), WPF (Telerik, DevExpress), Windows Service, Silverlight, WCF, WF, MSMQ, LINQ, Expression Tree, Lambda Expression, RegEx, MEF, TPL, GDI+, Serialization Enterprise Library, Prism, Unity, Reactive Extensions, PostSharp, MS Build, MS Test, NUnit, moq, Protocol Buffers Web Application Development with HTML5, CSS3 and JavaScript ES5 in W3C Standards React, TypeScript, AngularJS, Knockout, jQuery, RequireJS, Lo-Dash, toastr, Bootstrap, Ajax, HighCharts, Google Charts Database Development with SQL Server in T-SQL and MDX ADO.Net, Entity Framework, Sync Framework, SSIS, SSAS, SSRS TECHNIQUES Multi-paradigm programming (OOP, AOP, Functional, Concurrent, EDP, Data-driven, Generic, Reflective, Dynamic), Design Principles (SOILD, SoC, DRY, KISS), IoC, Design Patterns, Data Structures, System & Application Architectures, UI/UX Design, Single Page Application, Responsive Web Design,
    [Show full text]
  • Sandcastle Kingdoms Free Download Document Your C# Code with XML Comments
    sandcastle kingdoms free download Document your C# code with XML comments. XML documentation comments are a special kind of comment, added above the definition of any user-defined type or member. They are special because they can be processed by the compiler to generate an XML documentation file at compile time. The compiler-generated XML file can be distributed alongside your .NET assembly so that Visual Studio and other IDEs can use IntelliSense to show quick information about types or members. Additionally, the XML file can be run through tools like DocFX and Sandcastle to generate API reference websites. XML documentation comments, like all other comments, are ignored by the compiler. You can generate the XML file at compile time by doing one of the following: If you are developing an application with .NET Core from the command line, you can add a GenerateDocumentationFile element to the <PropertyGroup> section of your .csproj project file. You can also specify the path to the documentation file directly using DocumentationFile element. The following example generates an XML file in the project directory with the same root filename as the assembly: This is equivalent to the following: If you are developing an application using Visual Studio, right-click on the project and select Properties . In the properties dialog, select the Build tab, and check XML documentation file . You can also change the location to which the compiler writes the file. If you are compiling a .NET application from the command line, add the DocumentationFile compiler option when compiling. XML documentation comments use triple forward slashes ( /// ) and an XML formatted comment body.
    [Show full text]
  • The Glib/GTK+ Development Platform
    The GLib/GTK+ Development Platform A Getting Started Guide Version 0.8 Sébastien Wilmet March 29, 2019 Contents 1 Introduction 3 1.1 License . 3 1.2 Financial Support . 3 1.3 Todo List for this Book and a Quick 2019 Update . 4 1.4 What is GLib and GTK+? . 4 1.5 The GNOME Desktop . 5 1.6 Prerequisites . 6 1.7 Why and When Using the C Language? . 7 1.7.1 Separate the Backend from the Frontend . 7 1.7.2 Other Aspects to Keep in Mind . 8 1.8 Learning Path . 9 1.9 The Development Environment . 10 1.10 Acknowledgments . 10 I GLib, the Core Library 11 2 GLib, the Core Library 12 2.1 Basics . 13 2.1.1 Type Definitions . 13 2.1.2 Frequently Used Macros . 13 2.1.3 Debugging Macros . 14 2.1.4 Memory . 16 2.1.5 String Handling . 18 2.2 Data Structures . 20 2.2.1 Lists . 20 2.2.2 Trees . 24 2.2.3 Hash Tables . 29 2.3 The Main Event Loop . 31 2.4 Other Features . 33 II Object-Oriented Programming in C 35 3 Semi-Object-Oriented Programming in C 37 3.1 Header Example . 37 3.1.1 Project Namespace . 37 3.1.2 Class Namespace . 39 3.1.3 Lowercase, Uppercase or CamelCase? . 39 3.1.4 Include Guard . 39 3.1.5 C++ Support . 39 1 3.1.6 #include . 39 3.1.7 Type Definition . 40 3.1.8 Object Constructor . 40 3.1.9 Object Destructor .
    [Show full text]
  • Metadefender Core V4.13.1
    MetaDefender Core v4.13.1 © 2018 OPSWAT, Inc. All rights reserved. OPSWAT®, MetadefenderTM and the OPSWAT logo are trademarks of OPSWAT, Inc. All other trademarks, trade names, service marks, service names, and images mentioned and/or used herein belong to their respective owners. Table of Contents About This Guide 13 Key Features of Metadefender Core 14 1. Quick Start with Metadefender Core 15 1.1. Installation 15 Operating system invariant initial steps 15 Basic setup 16 1.1.1. Configuration wizard 16 1.2. License Activation 21 1.3. Scan Files with Metadefender Core 21 2. Installing or Upgrading Metadefender Core 22 2.1. Recommended System Requirements 22 System Requirements For Server 22 Browser Requirements for the Metadefender Core Management Console 24 2.2. Installing Metadefender 25 Installation 25 Installation notes 25 2.2.1. Installing Metadefender Core using command line 26 2.2.2. Installing Metadefender Core using the Install Wizard 27 2.3. Upgrading MetaDefender Core 27 Upgrading from MetaDefender Core 3.x 27 Upgrading from MetaDefender Core 4.x 28 2.4. Metadefender Core Licensing 28 2.4.1. Activating Metadefender Licenses 28 2.4.2. Checking Your Metadefender Core License 35 2.5. Performance and Load Estimation 36 What to know before reading the results: Some factors that affect performance 36 How test results are calculated 37 Test Reports 37 Performance Report - Multi-Scanning On Linux 37 Performance Report - Multi-Scanning On Windows 41 2.6. Special installation options 46 Use RAMDISK for the tempdirectory 46 3. Configuring Metadefender Core 50 3.1. Management Console 50 3.2.
    [Show full text]
  • Visual Build Help
    Visual Build Professional User's Manual Copyright © 1999-2021 Kinook Software, Inc. Contents I Table of Contents Part I Introduction 1 1 Overview ................................................................................................................................... 1 2 Why Visual................................................................................................................................... Build? 1 3 New Features................................................................................................................................... 2 Version 4 .......................................................................................................................................................... 2 Version 5 .......................................................................................................................................................... 3 Version 6 .......................................................................................................................................................... 4 Version 7 .......................................................................................................................................................... 7 Version 8 .......................................................................................................................................................... 9 Version 9 .........................................................................................................................................................
    [Show full text]
  • Applications: M
    Applications: M This chapter contains the following sections: • Mac App Store, on page 7 • MacOS Server Admin, on page 8 • MacPorts, on page 9 • Macy's, on page 10 • Mafiawars, on page 11 • Magenta Logic, on page 12 • MagicJack, on page 13 • Magicland, on page 14 • MagPie, on page 15 • Mail.Ru, on page 16 • Mail.ru Attachment, on page 17 • Mailbox, on page 18 • Mailbox-LM, on page 19 • MailChimp, on page 20 • MAILQ, on page 21 • maitrd, on page 22 • Malware Defense System, on page 23 • Malwarebytes, on page 24 • Mama.cn, on page 25 • Management Utility, on page 26 • MANET, on page 27 • Manolito, on page 28 • Manorama, on page 29 • Manta, on page 30 • MAPI, on page 31 • MapleStory, on page 32 • MapMyFitness, on page 33 • MapQuest, on page 34 • Marca, on page 35 • Marine Traffic, on page 36 • Marketo, on page 37 • Mashable, on page 38 Applications: M 1 Applications: M • Masqdialer, on page 39 • Match.com, on page 40 • Mathrubhumi, on page 41 • Mathworks, on page 42 • MATIP, on page 43 • MawDoo3, on page 44 • MaxDB, on page 45 • MaxPoint Interactive, on page 46 • Maxymiser, on page 47 • MC-FTP, on page 48 • McAfee, on page 49 • McAfee AutoUpdate, on page 50 • McIDAS, on page 51 • mck-ivpip, on page 52 • mcns-sec, on page 53 • MCStats, on page 54 • mdc-portmapper, on page 55 • MDNS, on page 56 • MdotM, on page 57 • Me.com, on page 58 • Me2day, on page 59 • Media Hub, on page 60 • Media Innovation Group, on page 61 • Media Stream Daemon, on page 62 • Media6Degrees, on page 63 • Mediabot, on page 64 • MediaFire, on page 65 • MediaMath, on page
    [Show full text]
  • Development Environment for the Raspberry Pi Using a Cross Compiling Toolchain and Eclipse | Hertaville 07.10.13 13:37
    Development Environment for the Raspberry Pi using a Cross Compiling Toolchain and Eclipse | Hertaville 07.10.13 13:37 Hertaville Welcome to Hertaville! Development Environment for the Raspberry Pi using a Cross Compiling Toolchain and Eclipse Posted on September 28, 2012 by halherta UPDATED July 15th 2013 In this blog entry the setup of a cross-compiling development environment for the Raspberry Pi will be demonstrated. This will include the Official Raspbian (armhf) cross compiling toolchain (available from github) Eclipse for C/C++ Developers (Linux) We will finally write a simple Hello World program on our development PC, compile it using the cross compiler and then deploy it onto our Raspberry Pi board to run it. I’m going to assume that you have already installed a Raspbian Wheezy image on your RPi board and that you have Linux installed on your desktop PC. For this tutorial I am using the Crunchbang 11 Linux OS (64-bit) on my PC. The instructions provided should work on most Debian/Ubuntu based Linux distributions running directly on a PC or as a a guest operating system via VMWare/ VirtualBox . A remote debugging tutorial; which I consider to be the continuation of this tutorial, can be found here. Finally, Derek Molloy has a great video tutorial on setting up a similar environment for the Beaglebone. Watching this video was incredibly informative and helped me set up this tutorial. So what is a cross compiling toolchain and why use one ? A native compiler such as the default gcc tool on the PC is a compiler that runs on an Intel machine, as well as creates binaries intended to be run on an Intel machine.
    [Show full text]
  • Drawing in GTK+
    CSci493.70 Graphical User Interface Programming Prof. Stewart Weiss Drawing in GTK+ Drawing in GTK+ Background In order to understand how to draw in GTK, you rst have to understand something about how GTK draws widgets, because how GTK draws widgets has an important role in how you design your drawing application. An understanding of how GTK draws widgets is also required if you ever plan to build your own custom widgets. Windows and Clipping Most windowing systems are designed around the idea that an application's visual display lies within a rectangular region on the screen called its window. The windowing system, e.g. Gnome or KDE or Explorer, does not automatically save the graphical content of an application's windows; instead it asks the application itself to repaint 1 its windows whenever it is needed. For example, if a window that is stacked below other windows gets raised to the top, then a client program has to repaint the area that was previously obscured. When the windowing system asks a client program to redraw part of a window, it sends an exposure event to the program that contains that window. An exposure event is simply an event sent from the underlying windowing system to a widget to notify it that it must redraw itself. In this context, a "window" means "a rectangular region with automatic clipping", not a top-level application window. Clipping is the act of removing portions of a window that do not need to be redrawn, or looked at the other way, it is determining which are the only regions of a window that must be redrawn.
    [Show full text]
  • Gtk Marries Ada: the GUI Technology Revolution
    GtkGtk MarriesMarries AdaAda:: TheThe GUIGUI TechnologyTechnology RevolutionRevolution [email protected] OverviewOverview History of GtkAda GtkAda Features Why Gtk Rather Than Other Toolkits? Why GtkAda rather than Gtk+? GtkAdaGtkAda -- HistoryHistory á The GIMP – GNU Photoshop clone á The Gtk+ library – Becomes independent á GtkGlade: a Gtk+ GUI builder á Gnome: a desktop manager á GVD: the GNU Visual Debugger GtkAdaGtkAda FeaturesFeatures ááHigh-level binding to the Gtk+ library – object-oriented – type safety – small and efficient ááHighly portable – Unixes: Linux, Solaris, … – Windows NT ááNative GtkAdaGtkAda FeaturesFeatures (2)(2) ááEvent handling ááDrawing services – Lines, rectangles, … – OpenGL (3D graphics) ááStyle support ááLarge set of widgets GtkAdaGtkAda -- WidgetWidget setset á Two types of widgets – containers and visual objects á About 100 widgets are provided á High-level widgets – notebook, text widget, tree, spin button, table, toolbar, ... GtkAdaGtkAda -- ScreenshotsScreenshots á Ctree GtkAdaGtkAda -- ScreenshotsScreenshots (2)(2) á OpenGL WhyWhy Gtk+?Gtk+? á Portable á Native á Extensible á Open Source á Actively developped á Thread-safe WhyWhy Gtk+?Gtk+? (2)(2) á High level widgets á Easy to use scrolling capabilities á Wide range of users á Very powerful layout capabilities – Complete set of containers á Powerful and easy to use GUI builder á Easy to bind TheThe GUIGUI BuilderBuilder ááMulti-language GUI builder – Language-independent save file (XML). – Code-generation specific to each language. – Dynamic loading
    [Show full text]
  • Microkernel Construction Introduction
    Microkernel Construction Introduction Nils Asmussen 04/09/2020 1 / 32 Normal Organization Thursday, 4th DS, 2 SWS Slides: www.tudos.org ! Studies ! Lectures ! MKC Subscribe to our mailing list: www.tudos.org/mailman/listinfo/mkc2020 In winter term: Microkernel-based operating systems (MOS) Various labs 2 / 32 Organization due to COVID-19 Slides and video recordings of lectures will be published Questions can be asked on the mailing list Subscribe to the mailing list! Practical exercises are planed for the end of the semester Depending on how COVID-19 continues, exercises are in person or we use some video-conferencing tool 3 / 32 Goals 1 Provide deeper understanding of OS mechanisms 2 Look at the implementation details of microkernels 3 Make you become enthusiastic microkernel hackers 4 Propaganda for OS research done at TU Dresden and Barkhausen Institut 4 / 32 Outline Organization Monolithic vs. Microkernel Kernel design comparison Examples for microkernel-based systems Vision vs. Reality Challenges Overview About L4/NOVA 5 / 32 Monolithic Kernel System Design u s Application Application Application e r k Kernel e r File Network n e Systems Stacks l m Memory Process o Drivers Management Management d e Hardware 6 / 32 Monolithic Kernel OS (Propaganda) System components run in privileged mode No protection between system components Faulty driver can crash the whole system Malicious app could exploit bug in faulty driver More than 2=3 of today's OS code are drivers No need for good system design Direct access to data structures Undocumented
    [Show full text]
  • Can Microkernels Mitigate Microarchitectural Attacks?⋆
    Can Microkernels Mitigate Microarchitectural Attacks?? Gunnar Grimsdal1, Patrik Lundgren2, Christian Vestlund3, Felipe Boeira1, and Mikael Asplund1[0000−0003−1916−3398] 1 Department of Computer and Information Science, Link¨oping University, Sweden ffelipe.boeira,[email protected] 2 Westermo Network Technologies [email protected] 3 Sectra AB, Link¨oping,Sweden Abstract. Microarchitectural attacks such as Meltdown and Spectre have attracted much attention recently. In this paper we study how effec- tive these attacks are on the Genode microkernel framework using three different kernels, Okl4, Nova, and Linux. We try to answer the question whether the strict process separation provided by Genode combined with security-oriented kernels such as Okl4 and Nova can mitigate microar- chitectural attacks. We evaluate the attack effectiveness by measuring the throughput of data transfer that violates the security properties of the system. Our results show that the underlying side-channel attack Flush+Reload used in both Meltdown and Spectre, is effective on all in- vestigated platforms. We were also able to achieve high throughput using the Spectre attack, but we were not able to show any effective Meltdown attack on Okl4 or Nova. Keywords: Genode, Meltdown, Spectre, Flush+Reload, Okl4, Nova 1 Introduction It used to be the case that general-purpose operating systems were mostly found in desktop computers and servers. However, as IoT devices are becoming in- creasingly more sophisticated, they tend more and more to require a powerful operating system such as Linux, since otherwise all basic services must be im- plemented and maintained by the device developers. At the same time, security has become a prime concern both in IoT and in the cloud domain.
    [Show full text]
  • Operating System Support for Run-Time Security with a Trusted Execution Environment
    Operating System Support for Run-Time Security with a Trusted Execution Environment - Usage Control and Trusted Storage for Linux-based Systems - by Javier Gonz´alez Ph.D Thesis IT University of Copenhagen Advisor: Philippe Bonnet Submitted: January 31, 2015 Last Revision: May 30, 2015 ITU DS-nummer: D-2015-107 ISSN: 1602-3536 ISBN: 978-87-7949-302-5 1 Contents Preface8 1 Introduction 10 1.1 Context....................................... 10 1.2 Problem....................................... 12 1.3 Approach...................................... 14 1.4 Contribution.................................... 15 1.5 Thesis Structure.................................. 16 I State of the Art 18 2 Trusted Execution Environments 20 2.1 Smart Cards.................................... 21 2.1.1 Secure Element............................... 23 2.2 Trusted Platform Module (TPM)......................... 23 2.3 Intel Security Extensions.............................. 26 2.3.1 Intel TXT.................................. 26 2.3.2 Intel SGX.................................. 27 2.4 ARM TrustZone.................................. 29 2.5 Other Techniques.................................. 32 2.5.1 Hardware Replication........................... 32 2.5.2 Hardware Virtualization.......................... 33 2.5.3 Only Software............................... 33 2.6 Discussion...................................... 33 3 Run-Time Security 36 3.1 Access and Usage Control............................. 36 3.2 Data Protection................................... 39 3.3 Reference
    [Show full text]