ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Implementing an untrusted operating system on trusted hardware
Full text PdfPdf (281 KB)
Source ACM Symposium on Operating Systems Principles archive
Proceedings of the nineteenth ACM symposium on Operating systems principles table of contents
Bolton Landing, NY, USA
SESSION: Virtual machine monitors table of contents
Pages: 178 - 192  
Year of Publication: 2003
ISBN:1-58113-757-5
Also published in ...
Authors
David Lie  University of Toronto, Toronto, ONT, Canada
Chandramohan A. Thekkath  Microsoft Research, Mountain View, CA
Mark Horowitz  Stanford University, Stanford, CA
Sponsors
SIGOPS: ACM Special Interest Group on Operating Systems
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 21,   Downloads (12 Months): 156,   Citation Count: 23
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/945445.945463
What is a DOI?

ABSTRACT

Recently, there has been considerable interest in providing "trusted computing platforms" using hardware~---~TCPA and Palladium being the most publicly visible examples. In this paper we discuss our experience with building such a platform using a traditional time-sharing operating system executing on XOM~---~a processor architecture that provides copy protection and tamper-resistance functions. In XOM, only the processor is trusted; main memory and the operating system are not trusted.Our operating system (XOMOS) manages hardware resources for applications that don't trust it. This requires a division of responsibilities between the operating system and hardware that is unlike previous systems. We describe techniques for providing traditional operating systems services in this context.Since an implementation of a XOM processor does not exist, we use SimOS to simulate the hardware. We modify IRIX 6.5, a commercially available operating system to create xomos. We are then able to analyze the performance and implementation overheads of running an untrusted operating system on trusted hardware.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
M. J. Accetta, R. V. Baron, W. Bolosky, D. B. Golub, R. F. Rashid, A. Tevanian, and M. W. Young. Mach: A new kernel foundation for UNIX development. In Proceedings of Summer Usenix, pages 93--113, July 1986.
 
2
W. A. Arbaugh , D. J. Farber , J. M. Smith, A secure and reliable bootstrap architecture, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.65, May 04-07, 1997
 
3
Boaz Barak , Oded Goldreich , Russell Impagliazzo , Steven Rudich , Amit Sahai , Salil P. Vadhan , Ke Yang, On the (Im)possibility of Obfuscating Programs, Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, p.1-18, August 19-23, 2001
 
4
Business Software Alliance, 2003. http://www.bsa.org.
 
5
J. Daemen and V. Rijmen. AES proposal: Rijndael. Technical report, National Institute of Standards and Technology (NIST), Mar. 2000. Available at: http://csrc.nist.gov/encryption/aes/rou\-nd2/r2algs.htm.
 
6
P. England, J. DeTreville, and B. Lampson. Digital rights management operating system. U.S. Patent 6,330,670, Dec. 2001.
 
7
P. England, J. DeTreville, and B. Lampson. Loading and identifying a digital rights management operating system. U.S. Patent 6,327,652. Dec. 2001.
8
D. R. Engler , M. F. Kaashoek , J. O'Toole, Jr., Exokernel: an operating system architecture for application-level resource management, Proceedings of the fifteenth ACM symposium on Operating systems principles, p.251-266, December 03-06, 1995, Copper Mountain, Colorado, United States
 
9
Blaise Gassend , G. Edward Suh , Dwaine Clarke , Marten van Dijk , Srinivas Devadas, Caches and Hash Trees for Efficient Memory Integrity Verification, Proceedings of the 9th International Symposium on High-Performance Computer Architecture, p.295, February 08-12, 2003
 
10
T. Gilmont, J. Legat, and J. Quisquater. An architecture of security management unit for safe hosting of multiple agents. In Proceedings of the International Workshop on Intelligent Communications and Multimedia Terminals, pages 79--82, Nov. 1998.
 
11
T. Gilmont, J. Legat, and J. Quisquater. Hardware security for software privacy support. Electronics Letters, 35(24):2096--2097, Nov. 1999.
 
12
J. Heinrich. MIPS R10000 Microprocessor User's Manual, 2.0 edition, 1996.
 
13
H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-hashing for message authentication. http://www.ietf.org/rfc/rfc2104.txt, Feb. 1997.
 
14
M. Kuhn. The TrustNo1 cryptoprocessor concept. Technical Report CS555, Purdue University, Apr. 1997.
15
Butler Lampson , Martín Abadi , Michael Burrows , Edward Wobber, Authentication in distributed systems: theory and practice, ACM Transactions on Computer Systems (TOCS), v.10 n.4, p.265-310, Nov. 1992  [doi>10.1145/138873.138874]
 
16
David Lie , John Mitchell , Chandramohan A. Thekkath , Mark Horowitz, Specifying and Verifying Hardware for Tamper-Resistant Software, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.166, May 11-14, 2003
17
David Lie Chandramohan Thekkath , Mark Mitchell , Patrick Lincoln , Dan Boneh , John Mitchell , Mark Horowitz, Architectural support for copy and tamper resistant software, Proceedings of the ninth international conference on Architectural support for programming languages and operating systems, p.168-177, November 2000, Cambridge, Massachusetts, United States
 
18
U. Maheshwari, R. Vingralek, and B. Shapiro. How to build a trusted database system on untrusted storage. In Proceedings of the 4th Symposium on Operating Systems Design and Implementation, pages 135--150, Oct. 2000.
 
19
J. D. McCalpin. Memory bandwidth and machine balance in current high performance computers. Technical Committee on Computer Architecture (TCCA) Newsletter, Dec. 1995.
 
20
OpenSSL, 2003. http://www.openssl.org.
21
R. L. Rivest , A. Shamir , L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, v.21 n.2, p.120-126, Feb. 1978  [doi>10.1145/359340.359342]
22
Mendel Rosenblum , Edouard Bugnion , Scott Devine , Stephen A. Herrod, Using the SimOS machine simulator to study complex computer systems, ACM Transactions on Modeling and Computer Simulation (TOMACS), v.7 n.1, p.78-103, Jan. 1997  [doi>10.1145/244804.244807]
23
J. M. Rushby, Design and verification of secure systems, ACM SIGOPS Operating Systems Review, v.15 n.5, p.12-21, December 1981
 
24
J. Saltzer and M. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278--1308, Sept. 1975.
 
25
SGI IRIX 6.5: Home Page, May 2003. http://www.sgi.com/software/irix6.5.
26
Jonathan S. Shapiro , Jonathan M. Smith , David J. Farber, EROS: a fast capability system, Proceedings of the seventeenth ACM symposium on Operating systems principles, p.170-185, December 12-15, 1999, Charleston, South Carolina, United States
 
27
Sean W. Smith , Elaine R. Palmer , Steve Weingart, Using a High-Performance, Programmable Secure Coprocessor, Proceedings of the Second International Conference on Financial Cryptography, p.73-89, February 23-25, 1998
 
28
The Trusted Computing Platform Alliance, 2003. http://www.trustedpc.com.
 
29
J. D. Tygar and B. Yee. Dyad: A system for using physically secure coprocessors. In Harvard-MIT Workshop on Protection of Intellectual Property, Apr. 1993.

CITED BY  23
Weidong Shi , Hsien-Hsin S. Lee , Chenghuai Lu , Tao Zhang, Attacks and risk analysis for hardware supported software copy protection systems, Proceedings of the 4th ACM workshop on Digital rights management, October 25-25, 2004, Washington DC, USA
Xiaotong Zhuang , Tao Zhang , Santosh Pande, HIDE: an infrastructure for efficiently protecting information leakage on the address bus, ACM SIGPLAN Notices, v.39 n.11, November 2004
Weidong Shi , Hsien-Hsin S. Lee , Chenghuai Lu , Mrinmoy Ghosh, Towards the issues in architectural support for protection of software execution, ACM SIGARCH Computer Architecture News, v.33 n.1, March 2005
Youtao Zhang , Jun Yang , Yongjing Lin , Lan Gao, Architectural support for protecting user privacy on trusted processors, ACM SIGARCH Computer Architecture News, v.33 n.1, March 2005
Alan Shieh , Dan Williams , Emin Gün Sirer , Fred B. Schneider, Nexus: a new operating system for trustworthy computing, Proceedings of the twentieth ACM symposium on Operating systems principles, October 23-26, 2005, Brighton, United Kingdom
Ahmad-Reza Sadeghi , Christian Stüble, Property-based attestation for computing platforms: caring about properties, not mechanisms, Proceedings of the 2004 workshop on New security paradigms, September 20-23, 2004, Nova Scotia, Canada
Emmett Witchel , Junghwan Rhee , Krste Asanović, Mondrix: memory isolation for linux using mondriaan memory protection, ACM SIGOPS Operating Systems Review, v.39 n.5, December 2005
Taeho Kgil , Laura Falk , Trevor Mudge, ChipLock: support for secure microarchitectures, ACM SIGARCH Computer Architecture News, v.33 n.1, March 2005
Amit Vasudevan , Ramesh Yerraballi , Ashish Chawla, A high performance Kernel-Less Operating System architecture, Proceedings of the Twenty-eighth Australasian conference on Computer Science, p.287-296, January 01, 2005, Newcastle, Australia
Guy Gogniat , Tilman Wolf , Wayne Burleson , Jean-Philippe Diguet , Lilian Bossuet , Romain Vaslin, Reconfigurable hardware for high-security/high-performance embedded systems: the SAFES perspective, IEEE Transactions on Very Large Scale Integration (VLSI) Systems, v.16 n.2, p.144-154, February 2008
Neil Vachharajani , Matthew J. Bridges , Jonathan Chang , Ram Rangan , Guilherme Ottoni , Jason A. Blome , George A. Reis , Manish Vachharajani , David I. August, RIFLE: An Architectural Framework for User-Centric Information-Flow Security, Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture, p.243-254, December 04-08, 2004, Portland, Oregon
Nathan Tuck , Brad Calder , George Varghese, Hardware and Binary Modification Support for Code Pointer Protection From Buffer Overflow, Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture, p.209-220, December 04-08, 2004, Portland, Oregon
Liqun Chen , Rainer Landfermann , Hans Löhr , Markus Rohe , Ahmad-Reza Sadeghi , Christian Stüble, A protocol for property-based attestation, Proceedings of the first ACM workshop on Scalable trusted computing, November 03-03, 2006, Alexandria, Virginia, USA
Michael E. Locasto , Stelios Sidiroglou , Angelos D. Keromytis, Speculative virtual verification: policy-constrained speculative execution, Proceedings of the 2005 workshop on New security paradigms, September 20-23, 2005, Lake Arrowhead, California
Lenin Singaravelu , Calton Pu , Hermann Härtig , Christian Helmuth, Reducing TCB complexity for security-sensitive applications: three case studies, ACM SIGOPS Operating Systems Review, v.40 n.4, October 2006
Xiaoxin Chen , Tal Garfinkel , E. Christopher Lewis , Pratap Subrahmanyam , Carl A. Waldspurger , Dan Boneh , Jeffrey Dwoskin , Dan R.K. Ports, Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems, ACM SIGARCH Computer Architecture News, v.36 n.1, March 2008
Weidong Shi , Hsien-Hsin S. Lee, Accelerating memory decryption and authentication with frequent value prediction, Proceedings of the 4th international conference on Computing frontiers, May 07-09, 2007, Ischia, Italy
Weidong Shi , Hsien-Hsin S. Lee , Mrinmoy Ghosh , Chenghuai Lu , Alexandra Boldyreva, High Efficiency Counter Mode Security Architecture via Prediction and Precomputation, ACM SIGARCH Computer Architecture News, v.33 n.2, p.14-24, May 2005
Haibo Chen , Jieyun Chen , Wenbo Mao , Fei Yan, Daonity - Grid security from two levels of virtualization, Information Security Tech. Report, v.12 n.3, p.123-138, January, 2007
Jisoo Yang , Kang G. Shin, Using hypervisor to provide data secrecy for user applications on a per-page basis, Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, March 05-07, 2008, Seattle, WA, USA
Romain Vaslin , Guy Gogniat , Jean-Philippe Diguet , Eduardo Wanderley , Russell Tessier , Wayne Burleson, A security approach for off-chip memory in embedded microprocessor systems, Microprocessors & Microsystems, v.33 n.1, p.37-45, February, 2009
Andrew G. Miklas , Stefan Saroiu , Alec Wolman , Angela Demke Brown, Bunker: a privacy-oriented platform for network tracing, Proceedings of the 6th USENIX symposium on Networked systems design and implementation, p.29-42, April 22-24, 2009, Boston, Massachusetts
Ramakrishna Gummadi , Hari Balakrishnan , Petros Maniatis , Sylvia Ratnasamy, Not-a-Bot: improving service availability in the face of botnet attacks, Proceedings of the 6th USENIX symposium on Networked systems design and implementation, p.307-320, April 22-24, 2009, Boston, Massachusetts

INDEX TERMS

Primary Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Cryptographic controls

Additional Classification:
  C. Computer Systems Organization
  C.1 PROCESSOR ARCHITECTURES
      C.1.0 General

  D. Software
  D.4 OPERATING SYSTEMS
      D.4.1 Process Management
      D.4.6 Security and Protection
          Subjects: Access controls


General Terms:
Security


Keywords:
XOM, XOMOS, untrusted operating systems

Collaborative Colleagues:
David Lie: colleagues
Chandramohan A. Thekkath: colleagues
Mark Horowitz: colleagues
This Article has also been published in:

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player