Lorenzo Martignoni, Pongsin Poosankam, Matei Zaharia, Jun Han, Stephen McCamant, Dawn Song, Vern Paxson, Adrian Perrig, Scott Shenker, and Ion Stoica
University of California, Berkeley and Carnegie Mellon University
Outline
• Introduction
• Overview
• Secure Thin Terminal
• Cloud Rendering Engine
• Setup and Session Protocols
• Implementation and Evaluation
• Related Work
• Conclusion
Introduction (1/3)
• Poor end-to-end information protection
  ○ Multiple tiers have many vulnerabilities
  ○ Complexity leads to vulnerabilities
• VMs to protect sensitive applications
  ○ Strong isolation
  ○ Heavyweight
  ○ TCB (trusted computing base) is too large
Introduction (2/3)
• Cloud Terminal
  ○ STT (Secure Thin Terminal): simple client-side software
  ○ Microvisor: a small hypervisor-like layer
  ○ Cloud Rendering Engine (CRE): executes an application and produces/sends the bitmap to the STT
Introduction (3/3)
• Introduce the Cloud Terminal architecture
• Evaluate this architecture with realistic applications
Overview
• Use Cases
• Goals and Threat Model
• Existing Approaches and Comparison
• Architecture
Use Cases
• Applications that require high information security
• Not for intensive computation or rendering
• Public service scenario
  ○ Users access financial services (e.g. online banking)
• Corporate scenario
  ○ Employees access organizational data (e.g. email)
Goals and Threat Model (1/3)
• Installable on existing PCs
• Does not require trust in the host OS
• Attests its presence to both ends
• Supports a wide range of sensitive applications
• TCB of the system should be small
Goals and Threat Model (2/3)
• The adversary …
  ○ controls the OS
  ○ intercepts all of its network traffic
  ○ does not have physical access
  ○ cannot infer the user's input
Goals and Threat Model (3/3)
• Prevents the adversary from viewing and modifying sensitive data
• Protects against some social engineering attacks
  ○ a shared secret between the user and the STT
  ○ use of the user's TPM
• Not designed to prevent DoS
Existing Approaches and Comparison (1/3)
Existing Approaches and Comparison (2/3)
• Red/Green VMs
  ○ red for untrusted applications and green for trusted ones
• Per-app VMs [Terra, QubesOS]
  ○ one VM for each sensitive application
• Browser OS
  ○ e.g. Chrome OS
• VDI (virtual desktop infrastructure)
  ○ access virtual desktop VMs through thin-client software
• Flicker
  ○ runs small pieces of application logic (PALs) in an isolated, attestable environment
Existing Approaches and Comparison (3/3)
• Cloud Terminal
  ○ Small, general client
    - displays arbitrary remote UIs
    - applications are isolated from each other
    - protected from the untrusted host OS
  ○ Microvisor
    - isolates itself from the OS
    - smaller than a full hypervisor
    - no need to manage multiple VMs
    - protects an area of memory from the OS
Architecture
Architecture (Secure Thin Terminal)
• Runs on a user's computer
• Provides secure access to a remote application
• Common graphical terminal functionality
• Isolates itself from the host OS
• Lightweight
• Uses a hardware root of trust
Architecture (Cloud Rendering Engine)
• Contains almost all of the application functionality
• Isolated instance of the application
• Runs a minimal software stack
• VMs share disk and memory pages
• Managed centrally
Architecture (Cloud Terminal Protocol)
• Extends an existing remote framebuffer protocol (VNC)
• Adds additional levels of security
• Uses end-to-end encryption
Architecture (Public Infrastructure Services)
• For the public service scenario, rather than the corporate one
• Directory service
  ○ provides a list of CREs
• Verification service
  ○ checks that users installed a genuine STT
Secure Thin Terminal
• Microvisor
• Cloud Terminal Client
• Securing the Execution of the Client
• Untrusted User-Space Helper
Screenshot of the STT
Microvisor (1/2)
• Hardware virtualization support (Intel VT)
• Intel Trusted Execution Technology (TXT) for attestation
• Makes its address space inaccessible to the OS
• Intercepts keystrokes (traps reads of the PS/2 port)
• Maps the video memory
Microvisor (2/2)
• Installed after the untrusted OS
• Complete control of the system
  ○ in a manner similar to malicious hypervisors [9,28]
• Establishes a dynamic root of trust
  ○ uses code from Flicker
  ○ ensures the installation code cannot be tampered with
  ○ stores a measurement (hash) in the TPM
• Generates a key pair
  ○ the private key is kept only in volatile RAM
Cloud Terminal Client
• A process
  ○ runs in the context of the microvisor
  ○ interacts only through the microvisor's API
• Encrypts the input arguments
• Decrypts the output arguments
• Data are transmitted using the shared session key
• Stored data are encrypted
  ○ with a symmetric key
  ○ stored persistently in the TPM using sealed storage
Securing the Execution of the Client
• Hijacks the virtual mapping of the video memory
• Configures the MMU to redirect accesses to the memory region
• Restores the original mapping after the Cloud Terminal client terminates
Untrusted User-Space Helper
• Runs in user space
• Provides basic networking and storage capabilities
• Cannot violate data confidentiality or integrity
• Shares a memory region with the microvisor
Cloud Rendering Engine
• CRE Scalability
• CRE Security
CRE Scalability
• CREs spend most of their time waiting for input
• Share a high fraction of memory
• Key optimizations
  ○ memory sharing
  ○ disk sharing
  ○ stripped-down OS
  ○ reduced timer interrupts
CRE Security
• Accepts only sessions from attested STTs
• Network isolation
  ○ separate virtual networks behind a NAT
• Resource isolation
• Restricted user environment
  ○ user account with minimal privileges
• Attacks are still possible
  ○ cross-VM information leakage
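An added example, not code from the paper or its authors, of the check behind "accepts only sessions from attested STTs", tying it to the Microvisor slide's measurement stored in the TPM and RAM-only key pair: the CRE issues a nonce, verifies the TPM-signed quote over it, and admits the STT only if the reported measurement is one it knows to be genuine. Ed25519 in place of the TPM's signature scheme, the message layout, and the sample hashes are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Simplified model of the CRE gate "accept only sessions from attested STTs".
// The TPM signs (nonce || measurement || STT public key) with an attestation key
// whose public half the CRE trusts; Ed25519 and this layout are assumptions here.

// Quote is what an STT presents when it asks a CRE for a session.
type Quote struct {
	Nonce       []byte            // challenge issued by the CRE
	Measurement [32]byte          // SHA-256 of the microvisor + client code
	STTPub      ed25519.PublicKey // per-install key; private half lives only in RAM
	Signature   []byte            // attestation-key signature over the fields above
}

func quoteMessage(nonce []byte, m [32]byte, sttPub ed25519.PublicKey) []byte {
	return append(append(append([]byte{}, nonce...), m[:]...), sttPub...)
}

// CRE is the verifier: trusted attestation key, known-good measurements, issued nonces.
type CRE struct {
	attestPub ed25519.PublicKey
	knownGood map[[32]byte]bool
	issued    map[string]bool
}

func NewCRE(attestPub ed25519.PublicKey, good [32]byte) *CRE {
	return &CRE{attestPub, map[[32]byte]bool{good: true}, map[string]bool{}}
}

// Challenge issues a fresh nonce so that a captured quote cannot be replayed.
func (c *CRE) Challenge() []byte {
	n := make([]byte, 16)
	rand.Read(n)
	c.issued[string(n)] = true
	return n
}

// Verify decides whether a session may be opened; on success it returns the
// STT public key that the TLS-like handshake should bind to.
func (c *CRE) Verify(q Quote) (ed25519.PublicKey, error) {
	if !c.issued[string(q.Nonce)] {
		return nil, errors.New("unknown or already used nonce")
	}
	delete(c.issued, string(q.Nonce)) // each nonce is good for exactly one quote
	if len(q.STTPub) != ed25519.PublicKeySize ||
		!ed25519.Verify(c.attestPub, quoteMessage(q.Nonce, q.Measurement, q.STTPub), q.Signature) {
		return nil, errors.New("attestation signature invalid")
	}
	if !c.knownGood[q.Measurement] {
		return nil, errors.New("measurement does not match a known-good STT")
	}
	return q.STTPub, nil
}

// MakeQuote plays the STT/TPM side: sign the challenge with the measurement and STT key.
func MakeQuote(attestPriv ed25519.PrivateKey, nonce []byte, m [32]byte, sttPub ed25519.PublicKey) Quote {
	sig := ed25519.Sign(attestPriv, quoteMessage(nonce, m, sttPub))
	return Quote{Nonce: nonce, Measurement: m, STTPub: sttPub, Signature: sig}
}

// AttestationScenario runs three session requests against one CRE and reports which
// were accepted: a genuine STT, an STT whose code was altered, and a replayed quote.
func AttestationScenario() (genuineOK, tamperedOK, replayOK bool) {
	attestPub, attestPriv, _ := ed25519.GenerateKey(rand.Reader)
	good := sha256.Sum256([]byte("constructed: genuine microvisor + client image"))
	cre := NewCRE(attestPub, good)
	sttPub, _, _ := ed25519.GenerateKey(rand.Reader) // private half never leaves STT RAM
	q1 := MakeQuote(attestPriv, cre.Challenge(), good, sttPub)
	_, err := cre.Verify(q1)
	genuineOK = err == nil
	// Host malware patched the microvisor: the TPM faithfully reports a different hash.
	bad := sha256.Sum256([]byte("constructed: microvisor patched by host malware"))
	_, err = cre.Verify(MakeQuote(attestPriv, cre.Challenge(), bad, sttPub))
	tamperedOK = err == nil
	_, err = cre.Verify(q1) // replay: its nonce was consumed above
	replayOK = err == nil
	return
}
```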
Setup and Session Protocols
• Cloud Terminal Installation
• Session Protocol
Cloud Terminal Installation
• Certifying to the user that a genuine STT was installed
  ○ verification service
  ○ verified through a secondary channel (a phone)
• Establishing a shared secret between the STT and the user
  ○ the user selects a background image as a reverse password
  ○ the TPM's private key as a second authentication factor
Session Protocol (1/2)
• The UI displays a list of available applications
  ○ obtained from a directory service
  ○ a master public key is stored in the STT, plus an application public key for each application
• Uses a TLS-like protocol
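An added example, not the project's own code, of what the master public key stored in the STT is for: each directory entry (application name, CRE address, application public key) is signed with the master key, and the STT drops any entry that an adversary intercepting the network has rewritten before it reaches the application list. Ed25519, the JSON encoding and the .example hostnames are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Simplified model of how the STT's built-in master public key anchors the
// directory listing: entries are signed offline with the master private key and
// the STT shows only entries that verify. Ed25519 and JSON are assumptions here.

// AppEntry is one row of the listing: the application, where its CRE is reached,
// and the application public key the CRE must prove it holds in the TLS-like handshake.
type AppEntry struct {
	Name   string `json:"name"`
	CRE    string `json:"cre"`     // host:port, constructed for this example
	AppPub []byte `json:"app_pub"` // application public key
}

// SignedEntry carries the master-key signature over the canonical encoding.
type SignedEntry struct {
	Entry AppEntry
	Sig   []byte
}

// canonical is the exact byte string signed; struct field order fixes the layout.
func canonical(e AppEntry) []byte {
	b, err := json.Marshal(e)
	if err != nil {
		panic(err)
	}
	return b
}

// SignEntry is the directory operator's offline step with the master private key.
func SignEntry(master ed25519.PrivateKey, e AppEntry) SignedEntry {
	return SignedEntry{Entry: e, Sig: ed25519.Sign(master, canonical(e))}
}

// FilterListing is the STT side: keep only entries that verify under the
// master public key and name the ones dropped before anything reaches the screen.
func FilterListing(masterPub ed25519.PublicKey, listing []SignedEntry) ([]AppEntry, []error) {
	var ok []AppEntry
	var rejected []error
	for _, s := range listing {
		if len(s.Entry.AppPub) != ed25519.PublicKeySize {
			rejected = append(rejected, fmt.Errorf("%s: malformed application key", s.Entry.Name))
			continue
		}
		if !ed25519.Verify(masterPub, canonical(s.Entry), s.Sig) {
			rejected = append(rejected, fmt.Errorf("%s: master signature invalid", s.Entry.Name))
			continue
		}
		ok = append(ok, s.Entry)
	}
	return ok, rejected
}

// DirectoryScenario builds a genuine two-entry listing, appends a copy of the
// banking entry that a network adversary rewrote to point at a CRE and key of
// their own, and returns the "name @ cre" strings the STT would display.
func DirectoryScenario() []string {
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader)
	bankPub, _, _ := ed25519.GenerateKey(rand.Reader)
	mailPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rogue, _, _ := ed25519.GenerateKey(rand.Reader)
	listing := []SignedEntry{
		SignEntry(masterPriv, AppEntry{"Online banking", "bank-cre.example:5900", bankPub}),
		SignEntry(masterPriv, AppEntry{"Secure email", "mail-cre.example:5900", mailPub}),
	}
	forged := listing[0] // adversary edits the entry but cannot re-sign it
	forged.Entry.CRE = "rogue-cre.example:5900"
	forged.Entry.AppPub = rogue
	listing = append(listing, forged)
	shown, _ := FilterListing(masterPub, listing)
	var out []string
	for _, e := range shown {
		out = append(out, e.Name+" @ "+e.CRE)
	}
	return out
}
```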
Session Protocol (2/2)
Implementation and Evaluation
• Implementation
• Applications
• Performance Evaluation
• Cost Analysis
Implementation (1/2)
• Secure Thin Terminal
  ○ all components are available for Linux
  ○ does not yet protect the STT from malicious DMA or SMI handlers
  ○ implemented on a Lenovo W510 laptop
Implementation (2/2)
• Cloud Rendering Engine
  ○ on Linux, using KVM
  ○ KSM daemon to share identical memory pages
  ○ guest OS: Debian GNU/Linux 6
Applications
• Online banking
  ○ Wells Fargo
  ○ runs Firefox in kiosk mode
  ○ a whitelist is configured for the proxy
• Document viewing
  ○ Evince, a Linux PDF viewer
• Document editing
  ○ AbiWord
• Secure email
  ○ Gmail
Performance Evaluation
• How responsive is the STT as a means for accessing remote applications?
• How far can a CRE scale while providing a good user experience?

• CRE
  ○ 16-core server with 2.0 GHz processors
  ○ 64 GB RAM
• STT
  ○ 300 emulated clients
  ○ replayed packet traces
  ○ 3–5 minute traces played in a loop

• 23 ms network latency from Berkeley to Seattle
Performance Evaluation
• Qualitative Usability
• Client-side Metrics
• Server-side Metrics
Qualitative Usability
• Paragraphs of text can be typed comfortably
• Scrolling the page is the slowest operation
Client-side Metrics

Server-side Metrics
Cost Analysis
• CariNet
• 12-core server with 40 GB RAM
• 100 Mbps connectivity for $1010/month
• Overall cost between 1.2 and 2.5 cents per user-hour
Related Work
• Tahoma: browser OS
• IBOS: microkernel-based browser OS
• Proxos: partitions the system call interface
• Tboot: verified bootstrap of an OS or of a hypervisor
• TrustVisor: a hypervisor that relies on hardware attestation
• Bumpy: type a secure attention sequence to encrypt input
• Trusted Input Proxy (TIP): a hypervisor and a separate VM to pop up dialog boxes for sensitive input
• Building Verifiable Trusted Path on Commodity x86 Computers
  ○ protects trusted I/O paths from device-level attacks
Conclusion
• A small secure thin terminal (STT) on the client
• A cloud rendering engine (CRE)
• Achieves a sweet spot between security, trusted code size, and generality
• Implementable on standard hardware
• At a low cost
End