Trust Extension as a Mechanism for Secure Code Execution on Commodity Computers (dissertation, updated version)

ACM Books. Pub Date: 2014-06-01. DOI: 10.1145/2611399
Bryan Parno
Citation count: 1

Abstract

From the Preface

As society rushes to digitize sensitive information and services, it is imperative that we adopt adequate security protections. However, such protections fundamentally conflict with the benefits we expect from commodity computers. In other words, consumers and businesses value commodity computers because they provide good performance and an abundance of features at relatively low costs. Meanwhile, attempts to build secure systems from the ground up typically abandon such goals, and hence are seldom adopted [Karger et al. 1991, Gold et al. 1984, Ames 1981].

In this book, a revised version of my doctoral dissertation, originally written while studying at Carnegie Mellon University, I argue that we can resolve the tension between security and features by leveraging the trust a user has in one device to enable her to securely use another commodity device or service, without sacrificing the performance and features expected of commodity systems. We support this premise over the course of the following chapters.

Introduction. This chapter introduces the notion of bootstrapping trust from one device or service to another and gives an overview of how the subsequent chapters fit together.

Background and related work. This chapter focuses on existing techniques for bootstrapping trust in commodity computers, specifically by conveying information about a computer's current execution environment to an interested party. This would, for example, enable a user to verify that her computer is free of malware, or that a remote web server will handle her data responsibly.

Bootstrapping trust in a commodity computer. At a high level, this chapter develops techniques to allow a user to employ a small, trusted, portable device to securely learn what code is executing on her local computer. While the problem is simply stated, finding a solution that is both secure and usable with existing hardware proves quite difficult.

On-demand secure code execution. Rather than entrusting a user's data to the mountain of buggy code likely running on her computer, in this chapter, we construct an on-demand secure execution environment which can perform security sensitive tasks and handle private data in complete isolation from all other software (and most hardware) on the system. Meanwhile, non-security-sensitive software retains the same abundance of features and performance it enjoys today.

Using trustworthy host data in the network. Having established an environment for secure code execution on an individual computer, this chapter shows how to extend trust in this environment to network elements in a secure and efficient manner. This allows us to reexamine the design of network protocols and defenses, since we can now execute code on end hosts and trust the results within the network.

Secure code execution on untrusted hardware. Lastly, this chapter extends the user's trust one more step to encompass computations performed on a remote host (e.g., in the cloud). We design, analyze, and prove secure a protocol that allows a user to outsource arbitrary computations to commodity computers run by an untrusted remote party (or parties) who may subject the computers to both software and hardware attacks. Our protocol guarantees that the user can both verify that the results returned are indeed the correct results of the specified computations on the inputs provided, and protect the secrecy of both the inputs and outputs of the computations. These guarantees are provided in a non-interactive, asymptotically optimal (with respect to CPU and bandwidth) manner.

Thus, extending a user's trust, via software, hardware, and cryptographic techniques, allows us to provide strong security protections for both local and remote computations on sensitive data, while still preserving the performance and features of commodity computers.