A Separated Domain-Based Kernel Model for Trusted Computing


Wuhan University Journal of Natural Sciences (WUJNS), Vol.11 No.6 2006, 1424-1428
Article ID: 1007-1202(2006)06-1424-05

FANG Yanxiang¹, SHEN Changxian², XU Jingdong¹, WU Gongyi¹

1. College of Information Technical Science, Nankai University, Tianjin 300071, China;
2. Naval Institute of Computing Technology, Beijing 100841, China

Abstract: This paper first gives an investigation of trusted computing on mainstream operation systems (OS). Based on the observations, it is pointed out that Trusted Computing cannot be achieved due to the lack of a separation mechanism for the components in mainstream OS. In order to provide a kind of separation mechanism, this paper proposes a separated domain-based kernel model (SDBKM), and this model is verified by non-interference theory. By monitoring and simplifying the trust dependence between domains, this model can solve problems in trust measurement such as denial of service (DoS) attack and host security, and reduce the overhead of measurement.

Keywords: noninterference theory; separation kernel; trusted computing

CLC number: TP316

Received date: 2006-05-12

Foundation item: Supported by the National Basic Research Program of China (G1999035801)

Biography: FANG Yanxiang (1975-), male, Ph.D. candidate, research direction: system security. Email: fangyanxiang2003@yahoo.com.cn

To whom correspondence should be addressed. Email: liuyil@sina.com


0 Introduction

Trusted Computing Group (TCG) [1] presents the concepts of Chain of Trust and Trusted Measurement in order to enhance the security of information systems. However, in mainstream operation systems, though integrity measurement gives the operation system strong tamper-proof ability against malicious code, there are still some severe problems [2]. Due to the lack of a separation mechanism for the components (such as processes), interference from a malicious process can destroy other components' integrities at run time, and it can even depredate the system's integrity measurement.

Observing this problem, many efforts have been proposed to decrease interference by establishing a separation mechanism. A separation virtual machine monitor (VMM) model [3] is proposed with a formal description developed from proof of separability [4,5]. Since the formal target of proof of separability is very abstract, it is difficult to implement. On the other hand, it does not forbid covert channels, so latent interference will still exist. The Trusted VMM concept is first proposed in Ref.[6], but without any formal description, which is essential for critical systems. Microsoft's NGSCB [7] (next generation secure computing base) divides applications into two classes, legacy applications and trusted applications, and provides a "trust" environment to protect the applications running on it. Since its model is not verified, it cannot solve the problem of latent interference between legacy applications and trusted applications.

We will propose a separated domain-based kernel model (SDBKM) which can forbid latent interference by monitoring and simplifying the trust dependence between domains.

1 Problems in Trusted Computing in

Obviously, the Chain of Trust fits the single-task OS very well. Tasks performed in a single-task OS run in a fully assured sequence. Once one task transfers control of the system to another, it should quit and never get control back. As no two tasks can run simultaneously, the dependence of trust is simple and unilateral (only the later depends on the former). So the mechanism of Chain of Trust and Trust Measurement can satisfy a remote challenger attesting the trust of the platform.

However, all the mainstream operation systems are not single-task based, and they lack a separation mechanism for the components. Unless it gets all components' integrities in the target system, the challenger cannot judge the trust of a component. However, even if this mechanism is applied to verify a component's trust, there still exist some problems:

• DoS attacks. There is pervasive dependence of trust among components in the mainstream operation systems. There won't be any trusted components ultimately once there is a distrusted component. A little hole in an application can lead the whole system to be distrusted. For example, a little vulnerability in the browser can destroy the whole system's trust severely.

• Host security. If a remote challenger gains all the integrities of all the components in the host system, it has all of the information about the host system from booting in hand. From this information, the remote challenger can deduce what holes and weaknesses there are in the host and its applications. The harm brought by this leakage of privacy is more severe than any scanner software.

• Cost of excessive measurement. To the challenger, there may be only one service that needs to be attested in the host system. However, in order to attest the service's trust, the challenger must validate the integrities of all the components in the host system. The method is not efficient, and three problems arise:
  • Cost of data transfer.
  • Huge database for integrities.
  • Validation is very time-consuming.

• Incomplete validation. The trust of a component is affected not only by the component's integrity, but also by the inputs into it. Consequently, the "inputs" of component A can affect component B's state. So it is impossible to judge an application only by validating the components' integrities in the host.

In conclusion, if the terminal OS cannot provide strong separation, Trusted Computing on the terminal PC cannot be achieved. So separation is one of the foundations of Trusted Computing on the terminal PC. In the following sections, we will present a separated domain-based kernel model for trusted computing.

2.1 Introduction of Basic Noninterference

First, we introduce the basic Noninterference Theory which is proposed by Rushby [5].

Definition 1 A system (or machine) M is composed of:

• A set S of infinite states, with initial state $s_0 \in S$.
• A set A of actions.
• A set O of outputs.
• Step: $S \times A \rightarrow S$; $step(s, a)$ denotes the next state of the system when action a is applied in state s.
• Output: $S \times A \rightarrow O$; $output(s, a)$ denotes the result of action a in state s by means of system output.
• A set D of domains.
• Dom: $A \rightarrow D$, associates a domain with each action.
• An equivalence relation $\sim_u$ on S, for each $u \in D$.

The interference relationship is denoted by $\leadsto$, which means whether there is information flow from one domain to another. $\leadsto$ is a reflexive relation on $D \times D$.

Theorem 1 Let $\leadsto$ be a policy and M a view-partitioned system that satisfies:

• Output consistent: $s \sim_{dom(a)} t \rightarrow output(s, a) = output(t, a)$
• Step consistent: $s \sim_u t \rightarrow step(s, a) \sim_u step(t, a)$
• Locally respects $\leadsto$: $dom(a) \not\leadsto u \rightarrow s \sim_u step(s, a)$

Then M is secure for $\leadsto$. The proof is in Ref.[9].

2.2 A Separated Domain-Based Kernel Model

According to the Noninterference Theory, we propose the SDBKM, which supports a separation mechanism in the OS kernel. With this mechanism, relationships of trust dependence can be simplified by establishing a policy of interference. The base elements of the model are described in Definition 2 and Definition 3.

Definition 2 A machine has a structured state if there exist:

• A set $N = \{n_1, \ldots, n_i, \ldots, n_{|N|}\}$ (|N| means the size of set N) that denotes all the objects in the system (objects include files, memory pages, etc.).
• A set V of values.
• A function contents: $S \times N \rightarrow V$; $contents(s, n)$ denotes the value of the object n in state s.
• A function observe: $D \rightarrow 2^N$, where $2^N$ denotes the power set of set N.
• A function alter: $D \rightarrow 2^N$.

observe(u) denotes the set of locations whose values can be observed by domain u. alter(u) denotes the set of locations whose values can be changed by domain u.

Definition 3

• A function n2dom: $N \rightarrow D$; $n2dom(n)$ denotes the domain that object n belongs to.
• A function share: $D \times D \rightarrow 2^N$; $share(u, v)$ denotes the set of objects whose values can be changed by domain u and read by domain v.
• A function interfere: $D \rightarrow 2^D$, which denotes the set of domains in the system that interfere with domain u. Because $\leadsto$ is a reflexive relation, u must belong to the set $interfere(u)$.
• A set VIEW that denotes a set of ordered n-tuples $(V \cup \{0\})^{|N|}$.
• A function view: $S \rightarrow VIEW$; $view(s)$ equals $\langle val_1, \ldots, val_i, \ldots, val_{|N|} \rangle$, where $val_i$ denotes the value of the object $n_i$ in state s.
• A function view: $2^N \times S \rightarrow VIEW$; $view(o, s)$ equals $\langle val_1, \ldots, val_i, \ldots, val_{|N|} \rangle$, where $val_i = contents(s, n_i)$ if $n_i \in o$, and $val_i = 0$ otherwise.
• A function dom_view: $D \times S \rightarrow VIEW$, which denotes $view(observe(u), s)$.

With the above definitions, we can see that in SDBKM a domain can only access a subset of the system objects, and any action is determined by the domain view. So the only way for communication (or function calling) between domains is to use object sharing, by which we can decrease the dependence of trust. For example, domain u sends a message to domain v by having some of its objects shared with domain v, and so does domain v.

The SDBKM model is illustrated in more detail in Fig.1. It is independent of the reference monitor, which is the mechanism of access control. Meanwhile, the separation monitor is used to hold back communication that does not match the policy $\leadsto$, and it can provide some APIs to domains. All objects in the system are controlled by the object manager, and all operations on them are implemented by the object manager, including reading, writing, creating, destroying, modifying, and other special operations. Therefore, the object manager consists of the memory manager, the file system, inter-process communication (IPC) objects (pipes, signals), and some kernel device drivers.

[Fig.1 A separated domain-based kernel model (figure not reproduced in this extraction; visible labels: Domain, control)]

Since the Object Manager is made up of all kinds of modules, they must conform to the following 4 constraints:

Constraint 1 Suppose $dom\_view(dom(a), s) = dom\_view(dom(a), t)$; it is derived that:
$dom\_view(dom(a), step(s, a)) = dom\_view(dom(a), step(t, a))$

Constraint 2 $dom\_view(dom(a), s) = dom\_view(dom(a), t) \rightarrow output(s, a) = output(t, a)$

Constraint 3 $n \in alter(u) \rightarrow u = n2dom(n)$

Constraint 4 $u \leadsto v$ iff $(share(u, v) \neq \emptyset) \vee (\exists w \in D)(u \leadsto w \wedge w \leadsto v)$

In the remainder of this section, we will prove that in SDBKM, if the object manager satisfies these four constraints, the separation policy must be secure.

Lemma 1 $v \in interfere(u) \rightarrow (\forall w \in interfere(v))\, w \in interfere(u)$. This lemma is an immediate consequence of Constraint 4.

In fact, interfere(u) includes all the domains that domain u depends on, so domain u cannot be trusted until all domains in interfere(u) are trusted. By reducing the set interfere(u), it is easy to cut down the cost brought by trust measurement and trust validation. Furthermore, the problem of the leakiness of privacy can be solved naturally in this way.

In some special situations, the set interfere(u) can be reduced to include only one element, which is domain u itself. Then only that domain and the OS kernel need to be measured for trust validation, which is very similar to the single-task OS. The worst case is that the set interfere(u) equals the set D, which turns back into the mainstream OS. In fact, this is very unlikely to happen when a strict policy of interference is established.

Lemma 2 $(\forall n \in N)\, n2dom(n) \neq dom(a) \rightarrow contents(s, n) = contents(step(s, a), n)$.

Proof Assume the result is false: so $contents(s, n) \neq contents(step(s, a), n)$ when $n2dom(n) \neq dom(a)$, $n \in N$. Then, according to the definition of alter(u), we have $n \in alter(dom(a))$. But Constraint 3 shows that $n2dom(n) = dom(a)$. This is a contradiction.

Lemma 3 $share(dom(a), w) = \emptyset \rightarrow dom\_view(w, s) = dom\_view(w, step(s, a))$.

Proof According to the definition of share(dom(a), w), we have: $share(dom(a), w) = \emptyset \rightarrow (\forall n \in observe(w))\, n2dom(n) \neq dom(a)$. Then, by invoking Lemma 2, we have: $(\forall n \in observe(w))\, contents(s, n) = contents(step(s, a), n)$. So the conclusion follows from the definition of $dom\_view(w, s)$.

Theorem 2 A system M conforming to the above four constraints is secure.
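As an added example (not code from the paper or its authors), the definitions above can be instantiated on a small finite system and the proof obligations checked by exhaustive enumeration: Definition 2 and 3's objects, observe/alter, share and dom_view; an object manager step() that refuses writes outside alter(dom(a)), which is how Constraint 3 is enforced; the policy ⇝ derived from Constraint 4 as a reflexive-transitive closure of "share(u, v) is non-empty"; and then Theorem 1's three unwinding conditions, Lemma 1 and Lemma 3 evaluated over every state and action. The three domains, four objects, the action set, taking share(u, v) = alter(u) ∩ observe(v) and taking output(s, a) to be the acting domain's view after the action are all my assumptions for this example. The last check shows why Constraint 4 matters for a defender: a policy that omits a real sharing edge (here A ⇝ B through the object ab) passes step and output consistency but fails "locally respects", i.e. the latent flow goes unnoticed.

```python
"""Added example: a finite instance of the SDBKM definitions with exhaustive
checks of Theorem 1's unwinding conditions, Lemma 1 and Lemma 3.
The sample system and all names below are constructed for this example."""
from itertools import product

# Constructed sample system (assumption, not from the paper):
# three domains, four objects; n2dom gives ownership.
OBJECTS = ("a1", "ab", "b1", "c1")                     # the set N, fixed order
N2DOM = {"a1": "A", "ab": "A", "b1": "B", "c1": "C"}  # n2dom
DOMAINS = ("A", "B", "C")                               # the set D
VALUES = (0, 1)                                         # the set V
OBSERVE = {"A": {"a1", "ab"}, "B": {"ab", "b1"}, "C": {"c1"}}
ALTER = {"A": {"a1", "ab"}, "B": {"b1"}, "C": {"c1"}}  # alter(u) only holds u's own objects
STATES = list(product(VALUES, repeat=len(OBJECTS)))     # S: every assignment of V to N

def contents(s, n):
    return s[OBJECTS.index(n)]

def view(objs, s):
    """view(o, s): contents(s, n_i) if n_i in o, else 0 (Definition 3)."""
    return tuple(contents(s, n) if n in objs else 0 for n in OBJECTS)

def dom_view(u, s):
    return view(OBSERVE[u], s)

# Actions are (domain, kind, object): write0/write1 store a constant;
# "mirror" is domain B copying the shared object ab into its own b1.
ACTIONS = ([(u, k, n) for u in DOMAINS for n in sorted(ALTER[u]) for k in ("write0", "write1")]
           + [("B", "mirror", "b1")])

def dom(a):
    return a[0]

def step(s, a):
    """Object manager: a write to an object outside alter(dom(a)) is refused,
    which is how Constraint 3 is enforced; otherwise the object is updated."""
    u, kind, n = a
    if n not in ALTER[u]:
        return s
    v = {"write0": 0, "write1": 1}.get(kind, contents(s, "ab"))
    t = list(s)
    t[OBJECTS.index(n)] = v
    return tuple(t)

def output(s, a):
    """What the acting domain gets back: its own view after the action (assumption)."""
    return dom_view(dom(a), step(s, a))

def share(u, v):
    """share(u, v): objects domain u may change and domain v may read."""
    return ALTER[u] & OBSERVE[v]

def policy():
    """Constraint 4: u ~> v iff share(u, v) is non-empty or some w links them;
    reflexive plus transitive closure, returned as a set of (u, v) pairs."""
    rel = {(u, u) for u in DOMAINS} | {(u, v) for u in DOMAINS for v in DOMAINS if share(u, v)}
    while True:
        new = {(u, v) for (u, w) in rel for (w2, v) in rel if w == w2} - rel
        if not new:
            return rel
        rel |= new

def interfere(v, rel=None):
    """interfere(v): the domains u with u ~> v under policy rel."""
    rel = policy() if rel is None else rel
    return {u for u in DOMAINS if (u, v) in rel}

def equiv(u, s, t):
    """s ~u t taken as equality of domain views (the view-partitioned setting)."""
    return dom_view(u, s) == dom_view(u, t)

def check_unwinding(rel):
    """Theorem 1's three conditions, checked exhaustively against policy rel."""
    return {
        "step_consistent": all(equiv(u, step(s, a), step(t, a))
                               for u in DOMAINS for a in ACTIONS
                               for s in STATES for t in STATES if equiv(u, s, t)),
        "output_consistent": all(output(s, a) == output(t, a)
                                 for a in ACTIONS for s in STATES for t in STATES
                                 if equiv(dom(a), s, t)),
        "locally_respects": all(equiv(u, s, step(s, a))
                                for u in DOMAINS for a in ACTIONS if (dom(a), u) not in rel
                                for s in STATES),
    }

def lemma1_holds(rel=None):
    """Lemma 1: v in interfere(u) implies interfere(v) is a subset of interfere(u)."""
    rel = policy() if rel is None else rel
    return all(interfere(v, rel) <= interfere(u, rel)
               for u in DOMAINS for v in interfere(u, rel))

def lemma3_holds():
    """Lemma 3: if share(dom(a), w) is empty, w's view is unchanged by a."""
    return all(dom_view(w, s) == dom_view(w, step(s, a))
               for a in ACTIONS for w in DOMAINS if not share(dom(a), w) for s in STATES)

if __name__ == "__main__":
    derived = policy()
    print("interfere:", {u: sorted(interfere(u, derived)) for u in DOMAINS})
    print("unwinding under derived policy:", check_unwinding(derived))
    # A policy that ignores the real sharing edge A ~> B misses a real flow.
    print("unwinding under reflexive-only policy:", check_unwinding({(u, u) for u in DOMAINS}))
```

With this system interfere(A) = {A}, interfere(B) = {A, B} and interfere(C) = {C}: to attest B a challenger needs A and B (plus the kernel), and C needs only itself, which is the paper's "reduced interfere(u)" case. All three unwinding conditions hold under the derived policy, while the reflexive-only policy fails "locally respects" on A's writes to ab as seen by B.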
