Summer School on Secure and Trustworthy Computing
9.30 – 10.30 Virgil Gligor, CMU: Establishing and Maintaining Root of Trust on Commodity Computer Systems
Suppose that a trustworthy program must be booted on a commodity system that may contain persistent malware. For example, a formally verified micro-kernel, micro-hypervisor, or a subsystem obtained from a trustworthy provider must be booted on a computer system that runs Windows, Linux, or Android applications. Establishing root of trust in a commodity system assures the user that either the system is in a malware-free state in which the trustworthy-program boot takes place or the presence of malware is discovered, with high probability. Obtaining such assurance is challenging because persistent malware can survive in system state across repeated secure- and trusted-boot operations. These operations do not have malware-unmediated access to device memories that are not directly addressable by CPU instructions or trusted platform modules (TPMs); e.g., local memories of peripherals (e.g., keyboards, printers), network interface cards, disk controllers. To date, concrete assurance for root-of-trust establishment has not been obtained on real systems that scale to large configurations.
Establishing root of trust makes all persistent malware ephemeral and forces the adversary to repeat the malware-insertion attack, perhaps at some added cost. Nevertheless, some malware-controlled software can always be assumed to exist in commodity operating systems and applications. The inherent size and complexity of their operating systems and applications (aka the “giants”) render them vulnerable to successful adversary attacks. In contrast, small and simple software components with rather limited function and high-assurance layered security properties (aka the “wimps”) can be resistant to adversary attacks.
Maintaining root of trust assures a user that a commodity computer’s wimps are isolated from, and safely co-exist with, adversary-controlled giants. To demonstrate wimp isolation, accurate and complete adversary definitions must be provided. Without such definitions, (in)security cannot be measured, risks of use cannot be accurately quantified, and system recovery from penetration events cannot have lasting value. However, isolation cannot guarantee wimps’ survival in commodity markets, since wimps trade basic system services to achieve small attack surfaces, diminish adversary capabilities, and weaken attack strategies. To survive, secure wimps must use services of, or compose with, insecure giants. This appears to be “paradoxical:” wimps can counter all adversary attacks but survive only if they use giants’ adversary-controlled services from which they have to defend themselves.
I this seminar, I will first illustrate mechanisms that support root-of-trust establishment via “verifiable boot” operations that can be repeated by a user at any time without having to detect never-seen-before malware. Verifiable boot does not need to use and manage any secrets or TPMs to protect chains of software measurements. Second, I will present a method to define a wimp’s adversary accurately and completely using a structure found in cryptographic protocols. A consequence of such definitions is the ability to produce partial orders on adversary attacks. Third, I will present secure wimp composition with giants, via examples of experimental systems designed and implemented at CMU CyLab.
10.30 -11.00 Coffee break
11.00 – 12.30 VN. Asokan, Aalto University: Challenges in Realizing Secure Cloud Storage Services
Cloud storage services are ubiquitous and widely used. To date, no popular cloud-storage service offers client-side encryption of stored data as a default functionality. One reason for this is that while client-side encryption improves privacy of user data, doing so naively will conflict with other objectives. In this lecture, I will discuss two such conflicts: (a) with the storage provider’s business requirement for cross-user deduplication (storing only one copy when many users uplaod the same file); and (b) with the end user usability requirement of accessing cloud storage from multiple devices. I will discuss our recent work on a secure deduplication scheme which does not require the presence of independent third parties as a solution to ‘a’ and OmniShare as a solution to ‘b’.
12.30 – 13.30 Lunch
13.30 – 15.00 Lucas Davi and Ahmad-Reza Sadeghi, TU Darmstadt: Modern Runtime Exploitation Techniques and Defenses
Memory corruption attacks exploit program bugs in modern software programs to compromise computing platforms. Although these attacks are known for several decades, they still pose a severe threat today’s software programs. These attacks can be applied to a variety of architectures starting from Desktop PCs and mobile devices to tiny embedded devices employed in sensors. In particular, code-reuse attacks such as return-oriented programming have significantly raised the sophistication of memory corruption attacks since they induce malicious actions based on only existing benign code. Fortunately, the security community including industrial efforts by Google and Microsoft have recently introduced a variety of defenses. On the other hand, attackers quickly adapted and proposed new attack techniques leading to a continuing arms race. In this lecture, we will provide an overview on state-of-the-art exploitation techniques and defenses against these attacks. In addition, the students will learn the practical concepts of runtime exploitation based on a hands-on lab.
15.00 – 15.30 Coffee break
15.30 – 17.00 Radu Sion, Stony Brook University: Security, Energy, and Karma in Modern Clouds
In this talk we explore the economics of cloud computing in general
and outsourcing your virtual machines in particular. We identify cost
trade-offs and postulate the key principles of outsourcing that define
when cloud deployment is appropriate and why. We also briefly touch on
several main cyber-security aspects that impact the appeal of clouds.
The results may surprise and are especially interesting from a cost
and energy point of view.
“Green” and its “low power” cousin are the new hot spots in computing.
In cloud data centers, at scale, ideas of deploying low-power ARM
architectures or even large numbers of extremely “wimpy” nodes [5, 33]
seem increasingly appealing. Skeptics on the other hand maintain that we
cannot get more than what we pay for and no free lunches can be had. In
this white paper we explore these theses and provide insights into the
power-performance tradeoff at scale for ARM architectures. We quantify
the cost/performance ratio precisely-enough to allow for a broader
conclusion. We then offer an intuition as to why this may still hold in
2030.