Professional Documents
Culture Documents
Osdi12 Final 51
Osdi12 Final 51
Ramakrishna Kotla Tom Rodeheffer Indrajit Roy∗ Patrick Stuedi∗ Benjamin Wester∗
Microsoft Research Microsoft Research HP Labs IBM Research Facebook
Silicon Valley Silicon Valley Palo Alto Zurich Menlo Park
USENIX Association 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’12) 321
form of Trusted Platform Modules (TPMs) [51] and se- access using commodity trusted hardware. We wrote a
cure execution mode (SEM) extensions (Intel’s TXT [22] formal specification [40] of Pasture and its safety proofs
and AMD’s SVM [1] technology) in many modern day in TLA+, checked the specification with the TLC model
laptops, tablets, and PCs [17]. checker [27], and mechanically verified the proofs using
Secure offline data access using trusted hardware. the TLA+ proof system. Our evaluation of a Pasture pro-
We present Pasture, a secure messaging and logging totype shows that common case Pasture operations such
library, that leverages commodity trusted hardware to as offline data access takes about 470 ms (mainly due to
overcome the above problems by providing following the TPM decryption overhead) while offline revocation
safety properties: can be as fast as 20 ms.
• Access undeniability: If a user obtains access to data Second, we demonstrate the benefits of Pasture by (a)
received from a correct sender, the user cannot lie providing rich offline experiences in video/book rental
about it without failing an audit. (Destruction or loss services, (b) providing secure logging and revocation in
of the user device automatically fails an audit.) healthcare applications to better handle offline accesses
• Verifiable revocation: If a user revokes access to unac- to sensitive patient health information, and (c) improving
cessed data received from a correct sender and gener- consistency in decentralized data sharing applications [2,
ates a verifiable proof of revocation, then the user did 31, 50] by preventing read-denial attacks.
not and cannot ever access the data. 2 Overview and Approach
Pasture uses a simple yet powerful bound key TPM The goal of Pasture is to improve mobility, availabil-
primitive to provide its safety properties. This primitive ity, and functionality in applications and services by al-
ensures access undeniability by releasing the data de- lowing untrusted users to download data when online
cryption key only after the access operation is logged and make secure offline accesses to data. In this section,
in the TPM. It provides verifiable revocation by perma- we state our requirements, review features of commodity
nently destroying access to the decryption key and gener- trusted hardware, define our adversary, and present our
ating a verifiable proof of revocation if a delete operation approach.
is logged in the TPM instead.
Making secure offline data access practical. 2.1 Requirements
Flicker [34] and Memoir [37] have demonstrated the (1) Access undeniability. The access-undeniability
use of TPMs and SEM to run trusted application code property prevents an untrusted node1 from lying about
on untrusted devices in isolation from the OS and hy- offline accesses to data sent by correct nodes. It is be-
pervisor. However, using SEM requires disabling inter- yond the scope of this paper to address a more general
rupts and suspending all but one core, which can result in problem of detecting or preventing data exchanges be-
poor user responsiveness, resource underutilization, and tween colluding, malicious nodes. (For example, a mali-
higher overhead. Furthermore, these systems are vulner- cious user could leak data to another malicious user dur-
able to memory and bus snooping attacks [16, 21]. Pas- ing an unmonitored phone conversation.)
ture avoids these drawbacks by carefully using trusted (2) Verifiable revocation. While access undeniability
hardware operations to ensure practicality without com- prevents users from lying about past data accesses, the
promising on safety. verifiable-revocation property allows a user to perma-
First, unlike Flicker and Memoir, Pasture does not use nently revoke access to unaccessed data. Furthermore,
SEM for the common case data access operations, and the user can supply a proof that its access was indeed
thus provides better user interaction and improved con- securely revoked. The user will not be able to decrypt
currency by enabling interrupts and cores. Perhaps sur- and read the data at a later time even if he keeps a secret
prisingly, we found that Pasture could maintain its safety copy of the encrypted data.
properties even though SEM is limited to the uncommon (3) Minimal trusted computing base (TCB). To de-
operations of recovery and checkpoint. fend against an adversary who has full physical access
Second, similar to Memoir, we significantly reduce to the device when offline, we want to have a small TCB.
overhead and improve durability by limiting NVRAM Hence, we do not trust the hypervisor, OS, or the appli-
and non-volatile monotonic counter update operations cation to provide Pasture’s safety properties. We do not
(which are as slow as 500 ms and have limited lifetime want to trust the bus or memory to not leak any informa-
write cycles [37]) to uncommon routines and not using tion as hardware snooping attacks [16,21] are possible in
them during the regular data access operations. our setting. However, we have to trust something, since
Contributions. We make two key contributions in this it is impossible to track a user’s offline actions without
paper. First, we present the design and implementation trusting anything on the receiver device.
of Pasture, providing secure and practical offline data 1 We use the terms “node” and “user” interchangeably to refer to an
322 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’12) USENIX Association
(4) Low cost. We want to keep the costs low by using gion of NVRAM can be allocated and protected so that it
only commodity hardware components. can be accessed only when specified PCRs contain spec-
ified values. TPMs also provide non-volatile monotonic
2.2 Commodity trusted hardware
Pasture exploits commodity trusted hardware to meet counters which can be updated only by an increment op-
its requirements. Here we explain some of the key fea- eration (TPM IncrementCounter).
tures we use and refer readers to the textbook [5] for Secure Execution Mode (SEM). AMD and Intel pro-
details. TPMs [51] are commodity cryptographic co- cessors provide special processor instructions to securely
processors already shipped in more than 200 million launch and run trusted code in isolation from DMA de-
PCs, tablets and laptops [17]. TPMs are designed to vices, the hypervisor and the OS. Roughly speaking, the
be tamper-resistant and cannot be compromised with- processor sets DMA memory protection so that DMA de-
out employing sophisticated and costly hardware attacks. vices cannot access the trusted code, disables interrupts
TPMs are currently used for secure disk encryption [4] and other cores to prevent other software from taking
and secure boot [8] in commodity OS. control or accessing the trusted code, resets and extends
Keys and security. Each TPM has a unique identity and a special PCRSEM register with the SHA1 hash of the
a certificate from the manufacturer (Infineon for exam- trusted code, and then starts executing the trusted code.
ple) that binds the identity of the TPM to the public part The AMD and Intel details are different, but in each
of a unique endorsement key (EK). The private part of case the reset of PCRSEM produces a value that is not the
EK is securely stored within the TPM and never released same as the initial value produced by a reboot, and hence
outside. For privacy, TPMs use internally generated At- the result obtained by extending PCRSEM by the SHA1
testation Identity Keys (AIKs) for attestations and AIKs hash of the trusted code is cryptographically impossible
are certified by trusted privacy CAs after confirming that to produce in any other way. This PCR value can be spec-
they are generated by valid TPMs with proper EK cer- ified to restrict access to secrets (that are encrypted by
tificates. It is cryptographically impossible to spoof hard- bound keys) or NVRAM locations to the trusted code
ware TPM attestations and emulate it in software. TPMs only.
can securely generate and store other keys, make attes- When the trusted application finishes its execution,
tations of internal state, sign messages, and decrypt and the SEM exit code extends PCRSEM to yield access
encrypt data. privileges, scrubs memory of any secrets it wants to
Registers and remote attestation. TPMs have volatile hide, then reenables DMA, interrupts, and other cores.
registers called Platform Configuration Registers (PCRs) Flicker [34] demonstrated how to use SEM to execute
which can be updated only via the TPM Extend opera- arbitrary trusted code.
tion, which concatenates a value to the current value, and 2.3 Adversary model
then overwrites the PCR with a SHA1 hash of the con- The adversary’s goal is to violate safety. We do not
catenated value. Intuitively, a PCR serves as a chained consider violations of liveness, since the adversary could
SHA1 hash of events in a log. TPMs also support remote always conduct a denial-of-service attack by simply de-
attestation using a TPM Quote operation which returns stroying the device. Violating safety means to violate ei-
the signed contents of one or more PCRs along with a ther access undeniability or verifiable revocation. The ad-
specified nonce. TPMs (v1.2) typically have 24 PCRs versary wins if he can obtain access to data from a cor-
and we refer interested readers to other sources [5, 51] rect sender and then subsequently survive an audit while
for details. claiming that access was never obtained. The adversary
Bound keys. TPMs provide a TPM CreateWrapkey also wins if he can produce a valid, verifiable proof of
operation that creates a bound public-private key pair. revocation for data from a correct sender and yet at some
The encryption key can be used anywhere but the cor- time, either before or after producing the proof, obtain
responding decryption key is shielded and can be used access to the data.
only in the TPM when specified PCRs contain specified The adversary can run arbitrary code in the OS, hyper-
values. visor, or application. The adversary controls power to the
Transport sessions. TPMs support a form of attested device and consequently can cause reboots at arbitrary
execution using TPM transport sessions. Operations points in time, even when the processor is executing in
within a transport session are logged and signed so that secure execution mode. As opposed to Memoir [37], we
a verifier can securely verify that a given TPM executed assume that the adversary can perform hardware snoop-
a specified sequence of TPM operations with specified ing attacks on the main memory [16] or CPU-memory
inputs and outputs. bus [21] to deduce the contents of main memory at any
Non-volatile memory and counters. TPMs provide time. We also assume that the adversary can snoop on the
a limited amount of non-volatile memory (NVRAM) CPU-TPM bus.
which can be used to persist state across reboots. A re- However, we assume that the adversary cannot extract
USENIX Association 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’12) 323
secrets from or violate the tamper-resistant TPM and
compromise the processor’s SEM functionality. We also Pasture API
assume that the adversary cannot break cryptographic Create Verify
bound bound Obtain Revoke Audit
secrets or find collisions or preimages of cryptographic key key access access
hashes. We assume the correctness of processor’s CPU
and the trusted Pasture code that runs in SEM.
In Pasture, we ensure that a sender’s data is accessed
securely on a receiver node, and it is not our goal to keep Tamper-evident log
Summary
NV RAM
track of who accessed the data or for what purpose. Other register
techniques [33, 34, 55] can be used to provide isolation Kpub Monotonic 1 , 2 , …
counter
across various entities on the receiver node based on the Kpriv
receiver’s trust assumptions. Pasture’s safety guarantees Key generation & signing
are for the sender and are independent of the receiver’s
TPM Untrusted storage
trust assumptions.
Since an audit is possible only when the receiver is Figure 1: Pasture architecture.
online, the adversary can prevent an audit by disconnect-
Memoir prevents this attack by incorporating a se-
ing or destroying the device. We let applications decide
cret into each PCR extension. The adversary cannot per-
how to deal with long disconnections and device failures.
form re-extensions without knowing the secret, which
In the offline video rental scenario, for example, the fact
is shielded so that it is accessible only to the Memoir
that a node might have been disconnected for a long time
trusted code running in SEM. This is a reasonable ap-
is irrelevant, because the user has already paid for the
proach in Memoir, which handles general applications
movies and can get refunds only by providing verifiable
and runs every operation in SEM. But since we grant the
proofs of revocation.
adversary the power to snoop on hardware busses, this
To be conservative, an application cannot assume that
defense is insufficient for Pasture.
data has been destroyed in a device failure or lost dur-
Pasture prevents this attack by exploiting the fact that
ing a long network disconnection. In such situations it is
SEM is not needed for normal operations. Instead of
impossible to tell comprehensively what data has been
making the required contents of PCRAPP impossible for
accessed. In spite of this, we guarantee that if there is a
the adversary to reproduce, Pasture conjoins a require-
valid, verifiable proof of revocation of data received from
ment that PCRSEM contain a value that is cryptograph-
a correct sender, then the adversary can never access that
ically impossible to produce except by executing Pas-
data.
ture’s trusted reboot recovery routine and verifying that
2.4 Pasture’s approach PCRAPP has been restored to the latest value.
We carefully use TPM and SEM operations to provide Pasture uses Memoir’s approach of saving the latest
secure offline data access to meet Pasture’s requirements. value of PCRAPP in protected NVRAM on shutdown so
(1) Summary log state in a PCR. Pasture uses a Plat- that its correct restoration can be verified on the subse-
form Configuration Register PCRAPP to capture a cryp- quent reboot.
tographic summary of all decisions to obtain access or re-
voke access to data. Since a PCR can be updated only via 3 Pasture Design
the TPM Extend operation, it is cryptographically im- Figure 1 shows the high-level architecture of Pasture.
possible to produce a specified value in a PCR in any Each node runs a Pasture instance which is uniquely
other way than by a specified sequence of extensions. identified by a public/private key pair securely generated
(2) Minimal use of SEM and NV operations. By care- and certified (using AIK) by its corresponding TPM. All
fully mapping the process of obtaining and revoking ac- proofs and messages generated by a Pasture instance are
cess onto TPM primitives, Pasture avoids using SEM or signed using the private part. Receivers verify signatures
NV updates during normal operation and limits their use using the public part. Since the private part of the key is
to bootup and shutdown. protected inside the TPM, it is impossible for an adver-
(3) Prevent rollback and hardware snooping attacks. sary to spoof Pasture’s proofs or messages.
Since Pasture state is stored in a volatile PCR, an adver- Each Pasture instance maintains a tamper-evident
sary could launch a rollback attack [37] to attempt to re- append-only log of decisions ∆1 , ∆2 , . . . about offline
tract past offline actions. The rollback attack would pro- decisions to access or revoke a key. The full log is kept
ceed by rebooting the system, which resets PCRAPP to in the node’s untrusted storage and a cryptographic sum-
its initial value, followed by re-extending PCRAPP to a mary of the log is maintained inside the TPM on a PCR.
valid, but older state. The adversary would truncate the The application running on a Pasture instance uses the
full (untrusted) log to match the state in PCRAPP . Pasture API to Create and Verify bound encryption keys
324 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’12) USENIX Association
Sender Receiver log state CreateBoundKey(hM):
Online message exchange protocol Rt TPM_Read(PCRAPP)
Message: M; hM h(M) Rt+1 SHA1(Rt || hM)
1. send: “getKey”, hM S
E TPM_CreateWrapKey({
BINDKEY
transport
2. E, EP CreateBoundKey(hM) Lt
session
Encrypt key: E Proof: EP PCRAPP = Rt+1 &&
3. send: “encKey”, hM, E, EP R PCRSEM = SemHappy })
4. VerifyBoundKey(hM, E, EP) EP “CreateBoundKey”, hM, Rt, Rt+1, E,
5. EM Encrypt(M, E)
6. send: “encMsg”, hM, E, EP, EMS VerifyBoundKey(hM, Rt, Rt+1, E, ):
7. Verify encMsg and store EM Rt+1 = SHA1(Rt || hM) && ValidBINDKEY(, Rt+1, E)
during the data transfer protocol, to Obtain and Revoke along withRPthe original hash,hM,
“RevokeAccess”, Rt, R’t+1
the, S’encryption
t+1, key E,
access to the corresponding decryption keys based on and the receiver’s proof EP.
Audit(nonce):
offline decisions, and to respond to an Audit. In step R7,t, Safter
t, receiving
TPM_Quote(PCR “encMsg”
APP, PCRSEM and verifying that
, nonce)
AP signed
it is properly full log,
“Audit”, by the Rsender,
t, St, nonce,the receiver checks
Many of the following subsections contain implemen-
tation details. Skipping these details on the first reading that hM, E, and EP match with the corresponding values
Recover():
it sent in its EACH entry on
FOR“encKey” full log: TPM_Extend(PCR
message. Then the receiver APP, ) stores
may help the reader.
secure execution mode
the “encMsg” with &&
IF nv.current thenv.R
encrypted
= TPM_Read(PCRdata APPEM) on its local
3.1 Data transfer protocol storage. TheTHEN
receiver can later make an offline decision
nv.current FALSE
Figure 2 shows the secure data transfer protocol used to obtain access to the bound
TPM_Extend(PCR decryption key (and thus
SEM, Happy)
by a sender to transfer encrypted data to a receiver. When ELSE
obtain access to the sender’s data) or to revoke access.
TPM_Extend(PCRSEM, Unhappy)
a sender wants to send data M to a receiver, the sender In case of communication failures, neither the sender
gets an (asymmetric) encryption key E generated by the nor the receiver need to block because they can always
Checkpoint():
receiver’s TPM and sends the encrypted data EM. The discard their current state and restart.
Rt TPM_Read(PCR APP)
transport
receiver then can make offline decision to access the data Implementation details. ForSEM
St TPM_Read(PCR simplicity,
) we described
session
SEAL
USENIX Association 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’12) 325
E TPM_CreateWrapKey({
BINDKE
session
transpo
PCRAPP = Rt+1 && RevokeAccess():
PCRSEM = SemHappy })
Rt TPM_Read(PCRAPP)
EP “CreateBoundKey”, hM, Rt, Rt+1, E, append to full log
TPM_Extend(PCRAPP, )
VerifyBoundKey(hM, Rt, Rt+1, E, ): R’t+1, S’t+1, TPM_Quote(PCRAPP, PCRSEM)
Rt+1 = SHA1(Rt || hM) && ValidBINDKEY(, Rt+1, E) RP “RevokeAccess”, , Rt, R’t+1, S’t+1,
ObtainAccess(hM, EM): Audit(nonce):
append hM to full log Rt, St, TPM_Quote(PCRAPP, PCRSEM, nonce)
TPM_Extend(PCRAPP, hM) AP “Audit”, full log, Rt, St, nonce,
DM TPM_Unbind(EM)
Recover(): Figure 5: Audit operation.
RevokeAccess(): FOR EACH entry on full log: TPM_Extend(PCRAPP, )
Rt TPM_Read(PCRAPP) summary IFmaintained
nv.current &&innv.R PCR APP . Since PCR APP now
transport
Recover(): St TPM_Read(PCR
session
SEAL
SEM
TPM CreateWrapKey
FOR EACH entry onisfullinvoked inside a TPM
log: TPM_Extend(PCR APP, ) trans-
cryptographically Ct impossible to determine any way of
TPM_ReadCounter(CTR)
port session, which && provides an attestation signed by reaching Rt+1 TPM_Extend(PCR
except extending SEM, Unhappy)
from Rt by hM, this ren-
secure execution mode
TPM_Read(PCR )
session
SEAL
SEM
Ct TPM_ReadCounter(CTR)
is cryptographically impossible to find any other value Access can be optimized. First, Pasture can skip the
TPM_Extend(PCRSEM, Unhappy)
from which an extension by hM would produce Rt+1 . TPM Read operation by tracking updates to PCRAPP
nv.R Rt with the CPU. Second, if the proof of revocation is
secure execution mode
3.2 Secure
IF Validoffline
SEAL(, Rt, access
St, Ct) &&and revocation
St = SemHappy
not needed immediately, Pasture can delay executing the
t && C = TPM_ReadCounter(CTR)
To obtain
THENaccess, as shown in step 7a of Figure 2, the TPM Quote until some later time, possibly coalescing it
receiver irrevocably extends its log by hM. The TPM
TPM_IncrementCounter(CTR)
with a subsequent TPM Quote. A multi-step sequence
now permits nv.current TRUE
decryption using the bound key, and the de-
TPM_Extend(PCRSEM, Unhappy) of extensions from Rt to the current attested value of
crypted message DM can be obtained. A faulty sender PCRAPP , in which the first step differs from the bound
could play a bait-and-switch trick by sending an en- key value Rt+1 , is cryptographically just as valid as a
crypted text for a different data than initially referenced proof of revocation as a single-step sequence. Coalescing
in its “getKey” message, but the receiver can catch this is a good idea, since TPM Quote involves an attestation
by noticing that hM = h(DM). If the sender is faulty, the and hence is fairly slow as TPM operations go.
receiver can form a proof of misbehavior by exhibiting
DM and the sender’s signed “encMsg” message, which 3.3 Audit
includes hM, E, EP, and EM. Any correct verifier first A verifier can audit a receiver to determine what de-
verifies that the receiver is not faulty by checking that cisions the receiver has made. The receiver produces a
Encrypt(DM, E) = EM. Then the verifier checks that copy of its full log along with a proof signed by the TPM
hM = h(DM), which proves that the sender is faulty. that the copy is current and correct. Hence, a faulty re-
In this way a correct receiver can protect itself against a ceiver cannot lie about its past offline actions.
malicious sender. Implementation details. Figure 5 shows the imple-
To revoke access, in step 7b, the receiver irrevocably mentation of the Audit operation, which computes the
extends its log by δ, a value different from hM. This response AP to an audit request. AP contains a copy of
makes it cryptographically impossible ever to attain the the entire log along with an attestation α of the cur-
state in which the TPM would permit decryption using rent summary value Rt contained in PCRAPP . The at-
the bound key. In effect, the bound decryption key has testation also includes the nonce sent by the auditor to
been revoked and the receiver will never be able to de- guarantee freshness. (The simultaneous attestation that
crypt EM. Pasture constructs a proof RP of this revoca- PCRSEM contains St is discussed in §3.4.) Any correct
tion, which any correct verifier can verify. verifier can check the attestation and check that Rt is the
Implementation details. Figure 4 shows the imple- correct cryptographic summary value for the purported
mentation of the ObtainAccess and RevokeAccess log contents, and thereby determine exactly what deci-
operations. Step 7a calls ObtainAccess to obtain off- sions ∆1 , ∆2 , . . . the audited node has made.
line data access. ObtainAccess appends hM to the full
log on untrusted storage and extends the cryptographic
326 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’12) USENIX Association
append to full log
TPM_Extend(PCRAPP, )
R’t+1, S’t+1, TPM_Quote(PCRAPP, PCRSEM)
RP “RevokeAccess”, , Rt, R’t+1, S’t+1,
Audit(nonce):
Rt, St, TPM_Quote(PCRAPP, PCRSEM, nonce)
AP “Audit”, full log, Rt, St, nonce,
transport
St TPM_Read(PCRSEM)
session
Pasture’s solution is inspired by Memoir-Opt [37] and
SEAL
Ct TPM_ReadCounter(CTR)
in §2.4 we outlined the novel aspects of our approach. TPM_Extend(PCRSEM, Unhappy)
Since PCRAPP is volatile, an adversarial reboot will
nv.R Rt
USENIX Association 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’12) 327
SemHappy = SHA1(SemProtected||Happy), which is 3.5 Log truncation
the value that PCRSEM will contain if the recovery is Pasture allows applications to truncate logs in order to
correct. Since PCRs are volatile, any adversarial attempt reduce storage, auditing, and recovery overheads. Trun-
to reboot the node and reinitialize PCRAPP will also cation proceeds in several steps. (1) The subject node re-
reinitialize PCRSEM . Pasture maintains the invariant that quests a trusted auditor to perform an audit and sign a
whenever PCRSEM = SemHappy, PCRAPP contains certificate attesting to the subject node’s current crypto-
the correct cryptographic summary of the log and deci- graphic log summary. The auditor has to be available at
sions to obtain access or revoke access can be made. (Of this time but an application could arrange for any desired
course, adversarial entries in the log are permitted, but number of trusted auditors. For example, the video ser-
they cannot be rolled back.) vice provider could act as an auditor for the offline video
Since CreateBoundKey binds the key to require application. (2) The certificate is returned to the subject
both PCRAPP = Rt+1 and PCRSEM = SemHappy, node, which discards all entries in its full log, creates a
the decryption key will only be useable if PCRAPP single log entry containing the certificate, and then per-
was correctly restored on the most recent reboot. forms a version of Checkpoint that verifies the certifi-
Since RevokeAccess and Audit include PCRSEM in cate is current and if so saves the cryptographic summary
their TPM Quote, a verifier can verify that the quoted of the new log in the NVRAM. (3) Then the subject node
PCRAPP could only have been extended from a value reboots to reinitialize PCRAPP .
that was correctly restored on the most recent reboot. Observe that truncating the log implicitly revokes ac-
Checkpoint uses SEM to save the current value of cess to a decryption key whose decision was pending.
PCRAPP in the NVRAM and set current to TRUE. However, since in such a case no explicit decision was
However, there is a difficulty. Before Checkpoint saves made to revoke access, the normal way of obtaining a
the current value of PCRAPP , it needs to know that proof of revocation is not available. If such proofs are
PCRAPP was correctly restored on the most recent re- important to the application, it should make explicit re-
boot; otherwise Checkpoint itself would be vulnera- vocation decisions before truncating the log.
ble to a rollback attack. Checkpoint has to perform its 3.6 Handling concurrent messages
checking and saving activities in SEM, so that the ad- The basic protocol (§3.1) constrains the receiver to
versary cannot tamper with them. But the way of know- handle one sender’s message at a time. Here we describe
ing that PCRAPP was correctly restored is to check how to support multiple outstanding messages.
PCRSEM = SemHappy, and this information is erased First, it is easy to extend the design to employ multiple
by entering SEM. PCRs. Current TPMs support 13 unreserved PCRs that
The solution is to get a simultaneous attestation Pasture can use. The design is modified to track the usage
α of PCRAPP and PCRSEM before entering SEM. of these PCRs, allocating a free one in CreateBound-
Then, once in SEM, α can be checked, which proves Key, passing it through the protocol in the “encKey” and
that PCRAPP contained Rt when PCRSEM contained “encMsg” messages, and freeing it after the decision is
SemHappy. made to obtain or revoke access. Logically, a separate
Unfortunately, there is another vulnerability: how do log is used for each PCR. Audit is extended to copy all
we know this is the most recent such α, and not some the logs and quote all of the PCRs.
earlier one from the adversary. In defense, Checkpoint Second, in situations where the number of PCRs is in-
uses a TPM counter CTR whose value is read into α and sufficient, there is nothing to prevent a receiver from per-
then incremented in SEM once α is accepted as valid and forming steps 2-3 in parallel with any number of senders
current. This prevents any earlier α from being accepted. using the same PCR, creating keys bound to different val-
There is yet a final vulnerability: how do we know that ues of the next state. Of course, with the same PCR, only
the adversary did not do anything bad between the time α one sender’s message can be accessed at step 7a. The
was made and SEM was entered. For example, the adver- other messages effectively are revoked. The receiver can
sary could make α, then extend PCRAPP to obtain ac- ask those senders to retry using a new bound key.
cess to a decryption key, then crash and reboot, re-extend Given multiple concurrent “getKey” requests and only
PCRAPP back to where it was when α was made, and one available PCR, the receiver could form a speculative
then finally enter SEM in Checkpoint. To prevent this, decision tree multiple steps into the future. For each mes-
Checkpoint extends PCRSEM inside α, which erases sage, the receiver would generate multiple keys, binding
SemHappy, which makes PCRAPP useless for any at- each key to a different sequence of possible prior deci-
tempt to obtain or revoke access until the next successful sions. Each sender encrypts its message (actually, just its
recovery. The above steps are performed in a transport message’s symmetric key) with all the keys so that the re-
session in the SEAL subroutine as shown in Figure 6. ceiver can decide offline about access to the messages in
any order it desired. So that the receiver can prove that a
328 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’12) USENIX Association
key was revoked because the receiver failed to follow the movies, (b) provide better security and mobility in a
speculated sequence of decisions, each key’s revocation healthcare setting by allowing secure logging of off-
proof RP would have to show the entire sequence start- line accesses as required by HIPAA regulations, and
ing from the receiver’s current log state. Of course, the (c) improve consistency in a decentralized storage sys-
number of keys per message explode with the number of tem [2, 31, 50] by preventing read-denial attacks.
pending decisions, so this approach would be viable for
4.1 Video rental and healthcare
only a very small number of outstanding messages. For wider deployability, we extended an email client
3.7 Correctness application with Pasture to provide secure offline data ac-
Using the TLA+ language and proof system [6,27], we cess, and used the secure email as a transport and user in-
wrote a formal specification of Pasture and mechanically terface mechanism to implement offline video rental and
verified a proof of correctness [40]. The correctness of healthcare mockup application prototypes on top.
Pasture when there are no reboots is trivial as it follows We implemented a generic Pasture add-in for Mi-
from the properties of bound keys and PCRs. Preventing crosoft’s Outlook email client [36]. Our video rental and
rollback attacks in the presence of reboots is critical. The health care applications are built on top of this secure
following invariants ensure correctness: email prototype to transfer data opportunistically to re-
ceivers when they are online, allow offline access to data,
• If PCRSEM = SemHappy then current = FALSE,
and permit remote auditing. The add-in calls the Pasture
PCRAPP contains the current log summary value, and
API (§3) to interact with the TPM.
there exists no acceptable SEAL attestation.
The Pasture add-in allows senders to selectively en-
• If current = TRUE then PCRSEM = SemHappy, the crypt sensitive attachments using the Pasture protocol.
NVRAM contains the current log summary value, and Users can choose messages that need the enhanced secu-
there exists no acceptable SEAL attestation. rity properties while not paying overhead for the others.
• There exists at most one acceptable SEAL attestation. The add-in internally uses email to exchange Pasture pro-
These invariants are maintained by the use of current, the tocol messages and acquires the encryption key from the
way PCRSEM is extended, and the reboot counter CTR. receiver before sending the encrypted message.
Some comments on our methodology may be illumi- On receiving a Pasture encrypted message, the user
nating. After formulating a proof sketch to assure our- is given the option to access the attachment or delete it
selves that Pasture was correct, we wrote a 19-page without accessing it. The user can use context (for ex-
TLA+ specification. Several CPU-months spent on a ample, the movie title, cast and a short description) in-
large many-core server model-checking various config- cluded in the email body to make the decision. We as-
urations of this specification found no errors. To increase sume that the sender is correct and motivated to include
our confidence that we would have found errors if there correct context. This assumption is reasonable for video
were any, we then intentionally introduced some bugs rental and healthcare service providers. We also assume
and the resulting safety violations were easily detected. that the emails are signed to prevent spoofing attacks.
Armed with confidence in the correctness of the spec- The user’s decision to access or delete the attachment
ification, we then spent about two man-weeks writing a is permanently logged by Pasture. The Pasture add-in
68-page formal proof. The proof followed the reason- also provides an audit and truncate interface that a trusted
ing of our original proof sketch, although with excruciat- entity can use to audit and truncate user logs
ing attention to detail, containing 1505 proof obligations. The Pasture-enhanced video rental service works as
The TLA+ proof system checks them in half an hour. follows. When the user surfs the video rental service and
Subsequently, we made a slight optimization to Pas- selects movies for offline watching, he receives emails
ture’s operations, arriving at the version of Pasture de- with encrypted symmetric keys as attachments. The en-
scribed in this paper. It took only a few hours to revise the crypted movies are downloaded via https, which avoids
initial formal specification and proof to account for the sending the entire movie as an attachment. The user can
optimization. The hierarchical structure of TLA+ proofs watch movies offline by decrypting the attachments to
was a great benefit here, because the proof system high- extract the keys and then decrypting the movies. The
lighted precisely those few proof obligations that had to user can revoke any movies not accessed. When the user
be revised in order to make the proof go through. comes back online, the video rental service provider au-
dits the Pasture log to determine which movies were re-
4 Applications voked and refunds the user accordingly.
We use Pasture to prototype three applications with Regulations [18, 48] in the healthcare industry impose
secure offline data access to (a) improve experience in a fines [20] on healthcare providers if they allow unautho-
video rental service by allowing offline access to down- rized access to sensitive patient health information and
loaded movies while enabling refunds for unwatched they mandate that all accesses be logged securely. We
USENIX Association 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’12) 329
used the Pasture email add-in to provide secure offline
cores, interrupts
No disabling of
Invulnerable to
No NV update
Isolation from
access to medical records, for example, when a nurse
malicious OS
per operation
per operation
snoop attack
operations
Protected
goes for a home visit.
resilience
Crash
Access undeniability ensures that offline accesses by
the nurse are securely logged. Verifiable revocation al- System
lows the nurse to securely delete unaccessed records and Flicker × × × general
prove it to the hospital. Verifiable revocation also helps Memoir × × general
hospitals in assessing and mitigating damages due to ac- TrInc × attest
access
cidental disclosures [13, 23] by allowing them to retract Pasture revoke
attest
emails after they are sent to unintended recipients by ask-
Table 1: Comparison of trusted hardware based systems.
ing the receivers to delete the confidential email and send
them back the proof of revocation. 5.1 Qualitative analysis
Table 1 compares Pasture against some recent sys-
4.2 Decentralized storage systems
tems that use trusted hardware to protect the execution
Decentralized storage systems (such as Bayou [50] of application operations. Flicker [34] and Memoir [37]
and Practi [2]) provide high availability by allowing use SEM and TPMs to provide protected execution of
nodes to perform disconnected update operations on lo- trusted modules on untrusted devices. TrInc [28] uses
cal state when they are offline, send updates to other trusted smart cards to securely attest messages and pre-
nodes opportunistically when there is connectivity, and vent equivocation attacks in distributed systems. Pas-
read received updates from other nodes. Depot [31] ture provides secure offline data access using SEM and
builds upon Practi to provide a storage system that toler- TPMs. (We discuss additional related work in §7.)
ates any number of malicious nodes at the cost of weak- All of these systems provide isolation from a mali-
ening the consistency guarantee. One attack Depot can- cious OS, hypervisor, or other application code. Flicker
not prevent is a read-denial attack, in which a malicious provides a general abstraction but it is vulnerable to
node denies reading updates from correct nodes before snoop attacks and does not provide crash resilience [37],
making its own updates. and thus fails to ensure state continuity across crashes.
We used Pasture to build a decentralized storage sys- Furthermore, its use of SEM disables cores and inter-
tem that prevents read-denial attacks, and thereby pro- rupts for every operation. Memoir suffers from the same
vides stronger consistency than Depot. Preventing read- drawbacks as Flicker except that it is resilient to crashes.
denial is a simple consequence of access undeniability. TrInc is crash resilient but provides limited functional-
In addition, where Depot detects equivocation [7, 28], in ity of secure attestation, and it is less durable due to NV
which a malicious node sends conflicting updates, Pas- updates on attest operations. Pasture provides offline ac-
ture prevents equivocation by attesting updates using the cess, revocation, and attestation without needing SEM or
Pasture log (the same approach as A2M [7]). Formalizing NV writes with each operation while providing crash re-
our consistency guarantee is an avenue of future work. silience and defending against snoop attacks.
Minimal TCB. Pasture trusts just the Checkpoint
5 Evaluation
and Recover routines which run during bootup and shut-
We implemented Pasture in Windows 7 and evaluated
down, and it does not trust any software during the com-
the system on three different computers: an HP xw4600
mon case data access operations. Pasture achieves this by
3GHz Intel Core2 Duo with a Broadcom TPM, an HP
exploiting the TPM primitives.
Z400 2.67GHz Intel Quad Core with an Infineon TPM,
and a Lenovo X300 1.2Ghz Intel Core2 Duo laptop with 5.2 Pasture microbenchmarks
an Atmel TPM. We implemented everything except we 5.2.1 Computational overhead
were unable to port Flicker [34] and get SEM work on the Our first experiment measures the computational over-
HP machines because the HP BIOS disables the SEN- heads imposed by TPM operations on Infineon, Broad-
TER instruction, and we haven’t completely ported Pas- com and Atmel TPM chips. Figure 7(a) plots the execu-
ture to run on Atmel TPM although we ran some TPM tion time of register and NV operations; Figure 7(b) plots
microbenchmarks on it. Missing functionality of SEM the execution time of TPM cryptographic operations to
does not affect our evaluation or conclusions because create and load a key, sign data, unbind a key, release a
SEM is not needed for the common case data access transport session, and quote PCR state; and Figure 7(c)
operations. Furthermore, for the Pasture operations that plots the execution time of Pasture operations that build
would use SEM, as we show later, our measured over- upon the TPM operations. We use 1024 bit RSA keys for
heads are already significantly greater than the cost of our experiments. We make the following observations.
setting up the SEM environment [34, 37]. Slow NV updates. Incrementing an NV counter or
writing NVRAM is far slower than reading or extending
330 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’12) USENIX Association
0.5 5
4.4 s
7
Infineon
3.8 s
0.4 6
Broadcom Broadcom 4
0.35 5 3.5
0.3 Atmel Atmel Broadcom
3
4
0.25 2.5
3
1060 ms
0.2
860 ms
2
572 ms
589 ms
543 ms
0.15 1.5
464 ms
470 ms
584 ms
2
436 ms
346 ms
0.1 1
50 ms
1
21 ms
0.05 0.5
0 0 0
(a) TPM register/NV ops (b) TPM crypto ops (c) Pasture operations
Figure 7: Computational overhead. Error bars represent one standard deviation of uncertainty over 10 samples.
a PCR. This supports our decision to avoid NV updates high, modern operating systems already take tens to hun-
during common case operations. dreds of seconds to boot up.
Data exchange protocol. Creating a key in TPMs is Audit. Pasture takes about 400 ms to generate a proof
enormously expensive, and it takes about 2.8 s (Atmel of revocation or a response to an audit request. Given that
TPM) to 4 s (Broadcom TPM). This overhead accounts this operation is usually performed in the background, it
for almost all of Pasture’s CreateBoundKey execution does not much affect the user experience.
time. Key creation also has a huge variance. We study the
impact of this overhead on perceived latencies to the end 5.2.2 Network and storage overheads
user in §5.3.1. Pasture incurs network and storage overhead due to (1)
Offline operations. The offline operations to obtain additional messages exchanged for fetching keys and (2)
or revoke access have acceptable performance. Revok- inclusion of an attested proof of execution in the proto-
ing access is fast (21 ms) because it just requires a PCR col messages and the log. With 1024 bit encryption keys,
extension (using the optimization discussed in §3.2 to de- Pasture exchanges about 1732 bytes of additional data in
fer the proof of revocation). Obtaining access, however, the data transfer protocol, and stores less than 540 bytes
takes much longer (470 ms) as almost all of its time is of data on disk for logging each operation.
spent in TPM Unbind to decrypt and extract the sym- Pasture’s proofs contain hashes of messages instead
metric key, which is fairly slow. We cannot hide this la- of raw messages. Hence, network and storage overheads
tency because the symmetric key is needed to decrypt the do not increase with data size. Pasture imposes consid-
data. While the latency may be acceptable for an offline erable overhead when the message sizes are smaller but
video or email application, our throughput is limited by the overhead becomes insignificant for large messages.
these overheads. For some applications, batching can be 5.3 Pasture applications
used to amortize overheads across multiple data items as Pasture uses various optimizations—that hide latency
shown in §5.3.2. and batch operations—to reduce overheads. Here we
Note that we hide the TPM overhead of LoadKey evaluate the end-to-end performance of the latency-
by loading it in the background while the data is being oriented (offline video and healthcare) and throughput-
fetched from the sender and before the data is accessed oriented (shared folder application) applications.
offline.
Checkpoint and recover operations. (Note that our 5.3.1 Secure email transport
microbenchmarks do not include the 100 ms to 200 ms Our offline video rental and health care applications
overhead required to set up the SEM environment [34].) use Pasture-based secure email to allow secure offline ac-
Checkpoint takes about 1600 ms to seal and copy cesses. For evaluating the overheads added by the Pasture
volatile state to the NVRAM, which is reasonable for a system, we compare our applications with that of the cor-
battery-backup shutdown routine. Recover takes about responding applications that use regular email transport
600 ms to check the correctness of PCRAPP when the mechanism to send data (patient health records or the de-
system is booting up. Furthermore, before correctness cryption key of the movie) but without secure offline data
is checked, Recover must read Pasture’s log from the access guarantees.
disk and extend PCRAPP to its pre-shutdown state. Each Our Pasture-based applications incur an additional
TPM Extend takes about 20 ms, so the additional over- overhead in establishing encryption keys (one round trip
head depends on the number of entries, which can be delay) and generating keys in the receiver’s TPM. As-
kept low by periodically truncating the log. If the log is suming there will be some read slack time between when
truncated every 128 entries, at most 3 s would be spent an email is received in a user’s inbox and when the user
extending PCRAPP . While the total overhead may seem reads it, Pasture hides its latency by executing its pro-
USENIX Association 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’12) 331
1 when they are disconnected (similar to other weakly-
Cumulative Fraction connected decentralized storage systems [31,39,50]), at-
0.8 (a) (b) test updated files, and share file updates with other peers
0.6
opportunistically when they are connected.
Scalable throughput using batching. Given that
0.4 nodes are expected to read all the received updates, the
Pasture shared folder application amortizes overheads
0.2 All by batching and performing secure attestation of up-
Working Hours
0 dates, message exchange protocol operations, and read
1 10 100 1000 10000 100000 operations on an entire batch of received updates. Pas-
Read Slack (seconds) ture scales linearly to about 1000 requests/sec (with a
Figure 8: CDF of email read slack times. batch size of 460) because the overheads to attest updates
Line (a) shows minimum Pasture overhead of 4s. Line (b) shows the total
overhead of 24s including email server queuing and network delays. Only (430 ms) and read (460 ms) received updates are inde-
emails to the left of the lines are affected by Pasture. pendent of the batch size. This is because Pasture uses
a constant-size hash of the message when performing an
tocol in the background. We evaluated the effectiveness attest or read operation. We conclude that Pasture pro-
of this approach via a small scale user study involving 5 vides scalable throughput for applications where nodes
users in a corporate setting. We logged the receive time have the opportunity to batch updates. Batching also re-
and read time of the emails received over a period of one duces the recovery response time as we amortize the PCR
week for these users. To be conservative, we omitted un- extensions across multiple updates.
read emails. High durability. Pasture does not perform NVRAM
Figure 8 shows the cumulative distribution of the read writes or counter increments during common case oper-
slack time of all the emails. We also include a separate ations. Only two NVRAM writes and one counter incre-
line that considers only the emails that are received dur- ment are required for each reboot cycle. Hence, assum-
ing work hours on a weekday. This removes any bias due ing only one reboot per day, it would take Pasture more
to inactivity after work hours and over the weekend. For than 130 years to exhaust the 100K lifetime NVRAM and
comparison, we measured the latency introduced by Pas- counter update limit of current TPMs [37]. Conversely,
ture. The average additional latency introduced by Pas- if a 5 year lifetime is acceptable, Pasture can perform a
ture was 24 s, with 4 s spent generating the encryption reboot cycle on an hourly basis and truncate the log to
key at the receiver and about 20 s of network delay in- reduce audit and recover times.
troduced by the processing queues of intermediate mail
servers (the WAN network latencies to the mail servers 6 Discussion
was negligible, on the order of 40 ms). Pasture effectively hides and amortizes TPM over-
We plot two vertical lines to show what fraction of heads for applications with low concurrency. However,
emails are affected by the Pasture overhead. The affected TPM’s limited resources and high overheads hurt the
emails are the ones whose recipients would have to wait. scalability of Pasture with increasing concurrent re-
As shown in the figure, about 75% of emails are not af- quests. We discuss three key limitations and suggest
fected by the total overhead introduced by Pasture, as improvements through modest enhancements in future
their recipients checked their inbox more than 24 s after TPMs.
the email arrived. Even in the remaining 25% of emails First, Pasture’s concurrency is limited by the number
which are affected, the Pasture protocol adds a delay of of available PCRs (13 or fewer) for binding keys. In-
15 s on average. If the processing and queuing delays at creasing the number of PCRs would improve Pasture’s
the mail servers are to be discounted, more than 90% ability to bind more keys to PCRs and have more requests
(and 95% during the work time) of the emails are unaf- in flight to support applications with high concurrency.
fected, and the rest experience an average delay of only Second, Pasture spends a significant amount of time
1 s. We conclude that Pasture can exploit the slack time in TPM CreateWrapKey to generate keys. This overhead
of users to effectively hide the additional latency intro- could be reduced by simply separating key generation
duced for security. Furthermore, in the video rental ap- from the operation of key binding. For example, TPMs
plication, Pasture latencies incurred can also be hidden could generate keys whenever they are idle (or in paral-
while the encrypted movie downloads. lel with other operations) and store them in an internal
5.3.2 Decentralized storage system buffer for future use.
Third, TPMs allow storage of only a few keys, and we
We implemented a shared folder application on top
have to pay significant overheads to load a key (around
of the Pasture decentralized storage system. The shared
1 s) if it has to be brought from the stable storage ev-
folder application allows nodes to update files locally
332 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’12) USENIX Association
ery time. Increasing the buffer space to hold more keys PeerReview [15], Nysiad [19], and other log-based repli-
would significantly reduce the overhead for highly con- cation systems [29, 31, 54] detect equivocation attacks
current applications. without trusted hardware by using witness nodes and
signed message logs. However, these systems do not pre-
7 Related work vent nor detect offline read-denial attacks.
Pasture builds upon related work in the areas of secure
decentralized systems and trusted hardware. 8 Conclusion
Custom hardware. Many custom hardware architec- Mobile user experiences are enriched by applications
tures [30, 38, 46, 47, 53] have been proposed to protect that support disconnected operations to provide better
trusted code from untrusted entities. These proposals mobility, availability, and response time. However, off-
have not gained widespread acceptance due to the high line data access is at odds with security when the user
deployment cost and unavailability of custom hardware. is not trusted, especially in the case of mobile devices,
OS and VMM based approaches. A number of which must be assumed to be under the full control of
OS [26, 45, 49, 55], microkernel [25, 44] and VMM [11, the user.
56] based approaches improve isolation and security by Pasture provides secure disconnected access to data,
significantly reducing the TCB. A recent paper [45] pro- enabling the untrusted user to obtain or revoke access to
vides an in depth review of the state of the art in this area. (previously downloaded) data and have his actions se-
HiStar [55], Asbestos [52], and Flume [26] provide sys- curely logged for later auditing. We implement Pasture
temwide data confidentiality and integrity using decen- using commodity trusted hardware, providing its secu-
tralized information flow control techniques. Nexus [45] rity guarantees with an acceptable overhead using a small
implements NAL logic [42] to provide general trustwor- trusted computing base.
thy assurances about the dynamic state of the system.
Acknowledgements
While these systems provide powerful and general secu-
We thank Doug Terry, Ted Wobber, and Peter Haynes
rity primitives, they are vulnerable to hardware-snooping
for providing considerable suggestions to the Pasture
physical attacks [16, 21].
project, and the anonymous OSDI reviewers for their de-
Commodity trusted hardware. Flicker [34] spurred
tailed reviews and excellent feedback. We thank Mar-
research in secure execution by demonstrating how
tin Abadi, Rama Ramasubramanian, Jay Lorch, Dahlia
TPMs and SEM can be used to run trusted application
Malkhi, JP Martin, and Marcos Aguilera for their feed-
code in isolation from the OS or hypervisor. TrustVi-
back on earlier drafts of this paper. We are grateful to Ste-
sor [33] builds upon Flicker to protect sensitive applica-
fan Thom for helping us with the Windows code base.
tion code in a single legacy guest VM. Memoir [37] pre-
vents rollback attacks as described in §2.4. While these References
approaches provide strong isolation, they are vulnerable [1] Advanced Micro Devices. AMD64 virtualization: Secure virtual
to hardware snooping attacks and also require frequent machine architecture reference manual, 3.01 edition, 2005.
[2] N. Belaramani, M. Dahlin, L. Gao, A. Nayate, A. Venkataramani,
use of SEM, which can result in poor user responsive- P. Yalagandula, and J. Zheng. PRACTI replication. In NSDI,
ness, resource underutilization and higher overhead. 2006.
Trusted hardware has been used to reduce email [3] S. Berger, R. Cáceres, K. A. Goldman, R. Perez, R. Sailer, and
spam [14], in secure databases [32], for reasoning about L. Doorn. vTPM: Virtualizing the trusted platform module. In
USENIX Security, 2006.
network properties [43], for cloaked computation [9] by
[4] BitLocker Drive Encryption Overview. http://windows.microsoft.
malware, and to provide trusted path [57] between a com/en-US/windows-vista/BitLocker-Drive-Encryption-Overview.
user’s I/O device and trusted application code with mini- Aug 31, 2012.
mal TCB. Recent approaches [3, 10] address an orthogo- [5] D. Challener, K. Yoder, R. Catherman, D. Safford, and
nal issue of sharing TPM resources securely across mul- L. Van Doorn. A Practical Guide to Trusted Computing. IBM
Press, Jan 2008.
tiple VMs. It is an avenue for future research to apply
[6] K. Chaudhuri, D. Doligez, L. Lamport, and S. Merz. Verifying
their approach to Pasture to share TPM resources across safety properties with the TLA+ proof system. In IJCAR, 2010.
multiple receiver applications. [7] B. Chun, P. Maniatis, S. Shenker, and J. Kubiatowicz. Attested
Preventing attacks in decentralized systems. Key- append-only memory: Making adversaries stick to their word. In
pad [12] provides a simple online security mechanism SOSP, 2007.
for theft-prone devices by storing decryption keys at a [8] Delivering a secure and fast boot experience with UEFI. http:
//channel9.msdn.com/events/BUILD/BUILD2011/HW-457T. Aug
server that client devices consult on every access attempt. 31, 2012.
A2M [7] prevents equivocation attacks [28, 29] by forc- [9] A. M. Dunn, O. S. Hofmann, B. Waters, and E. Witchel. Cloak-
ing attestation of updates into an append-only log us- ing malware with the trusted platform module. In Proceedings
ing trusted hardware. TrInc [28] improves upon A2M by of the 20th USENIX conference on Security.
[10] P. England and J. Loeser. Para-virtualized TPM sharing. In
reducing the TCB to a trusted monotonic counter [41].
TRUST, 2008.
USENIX Association 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’12) 333
[11] T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh. Applications). CRC Press, Dec. 1996.
Terra: A VM-based platform for trusted computing. In SOSP, [36] Microsoft Outlook 2012. http://office.microsoft.com/en-us/
2003. outlook/. Aug 31, 2012.
[12] R. Geambasu, J. P. John, S. D. Gribble, T. Kohno, and H. M. [37] B. Parno, J. R. Lorch, J. R. Douceur, J. Mickens, and J. M. Mc-
Levy. Keypad: An auditing file system for theft-prone devices. Cune. Memoir: Practical state continuity for protected modules.
In EuroSys, 2011. In IEEE Symposium on Security and Privacy, 2011.
[13] Gmail delivery errors divulge confidential information. http:// [38] A. Perrig, S. Smith, D. Song, and J. D. Tygar. SAM: A flexi-
news.cnet.com/8301-13880 3-10438580-68.htm. Aug 31, 2012. ble and secure auction architecture using trusted hardware. In
[14] R. Gummadi, H. Balakrishnan, P. Maniatis, and S. Ratnasamy. IPDPS, 1991.
Not-a-Bot: Improving service availability in the face of botnet [39] V. Ramasubramanian, T. L. Rodeheffer, D. B. Terry, M. Walraed-
attacks. In NSDI, 2009. Sullivan, T. Wobber, C. C. Marshall, and A. Vahdat. Cimbiosys:
[15] A. Haeberlen, P. Kouznetsov, and P. Druschel. PeerReview: Prac- A platform for content-based partial replication. In NSDI, 2009.
tical accountability for distributed systems. In SOSP, 2007. [40] T. L. Rodeheffer and R. Kotla. Pasture node state specification.
[16] J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, Technical Report MSR-TR-2012-84, Microsoft Research, Aug
W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and 2012.
E. W. Felten. Lest we remember: Cold boot attacks on encryp- [41] L. F. G. Sarmenta, M. van Dijk, C. W. O’Donnell, J. Rhodes,
tion keys. In USENIX Security Symposium, 2008. and S. Devadas. Virtual monotonic counters and count-limited
[17] T. Hardjono and G. Kazmierczak. Overview of the TPM Key objects using a TPM without a trusted OS. In ACM Workshop on
Management Standard. http://www.trustedcomputinggroup.org/ Scalable Trusted Computing, 2006.
files/resource files/ABEDDF95-1D09-3519-AD65431FC12992B4/ [42] F. B. Schneider, K. Walsh, and E. G. Sirer. Nexus authorization
Kazmierczak20Greg20-20TPM Key Management KMS2008 logic (NAL): Design rationale and applications. ACM Trans. Inf.
v003.pdf. Aug 31, 2012. Syst. Secur., 14(1):8:1–8:28, June 2011.
[18] Health Information Technology for Economic and Clinical [43] A. Shieh, E. G. Sirer, and F. B. Schneider. NetQuery: A knowl-
Health Act. http://en.wikipedia.org/wiki/HITECH Act. Aug 31, edge plane for reasoning about network properties. SIGCOMM
2012. Comput. Commun. Rev., 41(4):278–289, Aug. 2011.
[19] C. Ho, R. van Renesse, M. Bickford, and D. Dolev. Nysiad: [44] L. Singaravelu, C. Pu, H. Härtig, and C. Helmuth. Reducing
Practical protocol transformation to tolerate Byzantine failures. TCB complexity for security-sensitive applications: Three case
In NSDI, 2008. studies. In EuroSys, 2006.
[20] Hospital fined over privacy breaches in days after deaths of Jack- [45] E. G. Sirer, W. de Bruijn, P. Reynolds, A. Shieh, K. Walsh,
son, Fawcett. http://www.phiprivacy.net/?p=2888. Aug 31, 2012. D. Williams, and F. B. Schneider. Logical attestation: an autho-
[21] A. Huang. Hacking the XBOX: An Introduction to Reverse Engi- rization architecture for trustworthy computing. In SOSP, 2011.
neering. No Starch Press, 2003. [46] S. W. Smith and J. D. Tygar. Security and privacy for partial
[22] Intel Corporation. LaGrande technology preliminary architec- order time. In PDCS, 1994.
ture specification., d52212 edition, 2006. [47] G. E. Suh, C. W. O’Donnell, I. Sachdev, and S. Devadas. Design
[23] Johns Hopkins University e-mail attachment error exposed per- and implementation of the AEGIS single-chip secure processor.
sonal info. http://www.phiprivacy.net/?p=4583. Aug 31, 2012. SIGARCH Comput. Archit. News, 33(2):25–36, 2005.
[24] J. J. Kistler and M. Satyanarayanan. Disconnected operation in [48] Summary of the HIPPA Security Rule. http://www.hhs.gov/ocr/
the Coda file system. ACM Trans. Comput. Syst., 10:3–25, 1992. privacy/hipaa/understanding/srsummary.html. Aug 31, 2012.
[25] G. Klein et al. seL4: formal verification of an OS kernel. In [49] R. Ta-min, L. Litty, and D. Lie. Splitting interfaces: Making
SOSP, 2009. trust between applications and operating systems configurable.
[26] M. Krohn, A. Yip, M. Brodsky, N. Cliffer, M. F. Kaashoek, In OSDI, 2006.
E. Kohler, and R. Morris. Information flow control for standard [50] D. B. Terry, M. M. Theimer, K. Petersen, A. J. Demers, M. J.
OS abstractions. In SOSP, 2007. Spreitzer, and C. H. Hauser. Managing update conflicts in Bayou,
[27] L. Lamport. Specifying Systems: The TLA+ Language and Tools a weakly connected replicated storage system. In SOSP, 1995.
for Hardware and Software Engineers. Addison-Wesley, 2002. [51] TPM Main Specification Level 2 Version 1.2, Revision
[28] D. Levin, J. R. Douceur, J. R. Lorch, and T. Moscibroda. TrInc: 116. http://www.trustedcomputinggroup.org/resources/tpm main
Small trusted hardware for large distributed systems. In NSDI, specification. Aug 31, 2012.
2009. [52] S. Vandebogart, P. Efstathopoulos, E. Kohler, M. Krohn, C. Frey,
[29] J. Li, M. Krohn, D. Mazières, and D. Shasha. Secure untrusted D. Ziegler, F. Kaashoek, R. Morris, and D. Mazières. Labels and
data repository (SUNDR). In OSDI, 2004. event processes in the Asbestos operating system. ACM Trans.
[30] D. Lie, C. A. Thekkath, and M. Horowitz. Implementing an un- Comput. Syst., 25(4), Dec. 2007.
trusted operating system on trusted hardware. In SOSP, 2003. [53] B. Yee and J. D. Tygar. Secure coprocessors in electronic com-
[31] P. Mahajan, S. Setty, S. Lee, A. Clement, L. Alvisi, M. Dahlin, merce applications. In USENIX Workshop on Electronic Com-
and M. Walfish. Depot: Cloud storage with minimal trust. In merce, 1995.
OSDI, 2010. [54] A. R. Yumerefendi and J. S. Chase. Strong accountability for
[32] U. Maheshwari, R. Vingralek, and W. Shapiro. How to build a network storage. IIEEE Trans. on Storage, 3(3), 2007.
trusted database system on untrusted storage. In OSDI, 2000. [55] N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazières.
[33] J. M. McCune, Y. Li, N. Qu, Z. Zhou, A. Datta, V. Gligor, and Making information flow explicit in HiStar. In OSDI, 2006.
A. Perrig. TrustVisor: Efficient TCB reduction and attestation. [56] F. Zhang, J. Chen, H. Chen, and B. Zang. CloudVisor:
In IEEE Symposium on Security and Privacy, 2010. Retrofitting protection of virtual machines in multi-tenant cloud
[34] J. M. McCune, B. J. Parno, A. Perrig, M. K. Reiter, and with nested virtualization. In SOSP, 2011.
H. Isozaki. Flicker: An execution infrastructure for TCB min- [57] Z. Zhou, V. D. Gligor, J. Newsome, and J. M. McCune. Building
imization. In EuroSys, 2008. verifiable trusted path on commodity x86 computers. In Pro-
[35] A. Menezes, P. van Oorschot, and S. Vanstone, editors. Hand- ceedings of the IEEE Symposium on Security and Privacy, May
book of Applied Cryptography (Discrete Mathematics and Its 2012.
334 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’12) USENIX Association