Jvpfs: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components

Jvpfs: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components

jVPFS: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components Carsten Weinhold, Hermann Härtig Technische Universität Dresden, Germany {weinhold,haertig}@os.inf.tu-dresden.de Abstract attacks on core system components such as drivers [2], USB stacks [3], passcode protection [4], common appli- The Virtual Private File System (VPFS) [1] was built to cations such as text messaging [5] or on “jailbreaks” [6], protect confidentiality and integrity of application data which consistitute successful attacks, too, substantiate against strong attacks. To minimize the trusted com- that claim of significant vulnerability. On the other puting base (i.e., the attack surface) it was built as a hand, as smartphones, tablets and similar appliances stacked file system, where a small isolated component have evolved into powerful and versatile mobile comput- in a microkernel-based system reuses a potentially large ers, professional users are starting to use them for criti- and complex untrusted file system; for example, as pro- cal data. For example, a doctor making house calls may vided by a more vulnerable guest OS in a separate virtual use such a device to store patient records, which are not machine. However, its design ignores robustness issues only sensitive from the patient’s point of view, but also that come with sudden power loss or crashes of the un- subject to legal requirements. Or a mobile device may trusted file system. store documents that are classified or contain trade se- This paper addresses these issues. To minimize dam- crets. Mobile payment systems on the other hand have age caused by an unclean shutdown, jVPFS carefully strong integrity requirements to prevent tampering. Yet splits a journaling mechanism between a trusted core and mobile devices are frequently connected to insecure net- the untrusted file system. The journaling approach mini- works (public WiFi, etc.) and in certain situations, users mizes the number of writes needed to maintain consistent even must hand them over to untrusted third parties (e.g., information in a Merkle hash tree, which is stored in the leave them at the reception when visiting a company). untrusted file system to detect attacks on integrity. The A general approach that so far seems mostly attrac- commonly very complex and error-prone recovery func- tive for safety critical systems and to the miltitary is tionality of legacy file systems (in the order of thousands based on small isolation kernels or microkernels. Such of lines of code) can be reused with little increase of com- kernels strongly separate applications, but also operating plexity in the trusted core: less than 350 lines of code system components. Some of them [7], then called “hy- deal with the security-critical aspects of crash recovery. pervisors”, contain the basic functionality to support vir- jVPFS shows acceptable performance better than its pre- tual machine (VM) monitors and legacy OSes as guests. decessor VPFS, while providing much better protection Based on such kernels, critical applications can run in against data loss. their own compartments (built on microkernel services or in their own VMs) that are protected even against suc- 1 Introduction cessful attacks on drivers or other parts of large, insuf- ficently secure legacy OSes. Related work [8, 9] has Both VPFS and its successor jVPFS are built in response also shown that applications can be split such that their to the observation that the enormous code bases of mono- security-critical cores run isolated, but reuse untrusted lithic OSes (hundreds of thousands to millions of lines of parts of the system for their non-critical functionality, code) are likely to contain exploitable weaknesses that thereby reducing the trusted computing base (TCB) of jeopardize platform security. Apparently, this observa- these applications by several orders of magnitude. tion is valid especially for mobile devices that currently have the highest speed of hardware technology innova- VPFS and jVPFS: File Systems for Microkernels. In tion. Almost daily reports, for example on successful previous work on VPFS [1] we built a file-system stack that leverages a microkernel-based isolation architecture Mobile Device to achieve better confidentiality and integrity protection Untrusted Infrastructure of application data. We achieved this by splitting the file- Application TCB system stack into a small trusted and a larger untrusted L4Linux VM Application part that reused Linux file-system infrastructure. Only (Reused Legacy OS) (Isolated, Trusted) the former is within the file-system TCB (see Figure 1 jVPFS Helper for an architectural overview). As VPFS uses untrusted Untrusted components, which might be penetrated or otherwise jVPFS Core corrupt data, integrity guarantees can only cover tamper Trusted evidence: manipulated data is detected through check- L4Linux Kernel sum mismatches and never delivered to applications. Un- fortunately, better integrity protection also reduces avail- ability of file-system data in the event of an unclean shut- Mikrokernel-based OS down; for example, checksums may no longer match the corresponding file contents, if the battery of the mobile device failed unexpectedly or the system crashed. Sealed Memory Untrusted Local Storage With jVPFS, we address the problem of ensuring both robustness and integrity in a split file-system stack as described above. In monolithic file system stacks, the Figure 1: jVPFS in a decomposed system architecture code for ensuring consistency of on-disk structures (e.g., with strong isolation among components. journaling, soft updates [10]) is rather complex and dif- ficult to get right [11, 12]. Recent research [13, 14, 15] present our design and optimizations in Sections 3 and 4, has shown that even file system implementations that are respectively. We evaluate our prototype in Section 5, be- widely used in production environments still have bugs, fore discussing related work in Section 6. commonly found in code paths used for error handling and post-crash recovery. A subset of these bugs are secu- rity critical [2]. It is therefore a primary design goal for 2 Background us to keep the inherent complexity of consistency mech- anisms out of the file-system TCB in order to lower the Figure 1 gives an overview of the system architecture risk of introducing exploitable design and implementa- into which the split jVPFS stack integrates. Strictly fol- tion errors. Nevertheless, existing file system implemen- lowing the principle of least privilege, file-system con- tations are well tested and sufficiently reliable in com- tents are accessible only to the specific application that mon application scenarios (when not subject to sophisti- owns them. The small file-system kernel of jVPFS im- cated attacks). For practical reasons, it is therefore desir- plements all security-critical functionality and reuses the able to reuse this infrastructure in order to reduce engi- file system stack provided by an untrusted, virtualized neering effort. legacy OS. That is, Linux performs all non-critical tasks to manage persistent storage. Contribution. The work presented in this paper makes the following contributions: We extend the file-system TCB for confidentiality, integrity, and freshness of all 2.1 Security Model data and metadata such that these protection goals can be The jVPFS security model is identical to the one for reached even after an unclean shutdown. To this end, we the original version of VPFS [1]; we summarize it here. identify and isolate the security-critical functionality re- We consider a strong attacker who is trying to com- quired to recover a consistent file system after a crash and promise confidentiality, integrity, or freshness of criti- discuss how existing, untrusted consistency infrastruc- cal data stored in a VPFS file system. Confidentiality ture can be reused to complement the security-critical means that, after authorization, the user can access his part. We devise a novel cooperation scheme that lets data only through a specific application. Our notions of trusted and untrusted components cooperate and discuss integrity and freshness apply to both user data (file con- precisely which metadata information must be revealed tents) and metadata (filenames, sizes, timestamps, etc). to untrusted code in order to facilitate this cooperation. The file system provides only complete and correct data We evaluate a prototype implementation. and metadata to the application. We require that VPFS can detect any tampering and whether data and metadata Synopsis. On the following pages, we first provide are up-to-date, preventing an attacker from rolling back required background on our security model and then file-system contents to an older version without being no- ticed. We assume that both software and certain hard- tected against offline attacks by using encryption. In ware attacks are possible. At run time, VPFS relies on jVPFS, AES-CBC encryption ensures confidentiality at hardware address spaces and virtual-machine boundaries the block level, thereby enabling efficient partial updates. in order to isolate the trusted and untrusted components The state of the art technique for efficiently ensuring effectively. To counter offline attacks, VPFS requires the integrity and freshness is to use a Merkle hash tree [20]. mobile device to enforce a secure startup process of the By construction, the tree provides all necessary infor- application TCB and a small amount of access-restricted, mation to verify correctness and completeness

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    14 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us