A Nitpicker's guide to a minimal-complexity secure GUI
ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Reducing TCB size by using untrusted components: small kernels versus virtual-machine monitors
Proceedings of the 11th workshop on ACM SIGOPS European workshop
Linking remote attestation to secure tunnel endpoints
Proceedings of the first ACM workshop on Scalable trusted computing
Reducing TCB complexity for security-sensitive applications: three case studies
Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006
How to build a trusted database system on untrusted storage
OSDI'00 Proceedings of the 4th conference on Symposium on Operating System Design & Implementation - Volume 4
Secure untrusted data repository (SUNDR)
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Splitting interfaces: making trust between applications and operating systems configurable
OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
Secure file system versioning at the block level
Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007
Generalized file system dependencies
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
IEEE Transactions on Software Engineering
Encrypted watermarks and linux laptop security
WISA'04 Proceedings of the 5th international conference on Information Security Applications
Proceedings of the 1st ACM workshop on Virtual machine security
Towards application security on untrusted operating systems
HOTSEC'08 Proceedings of the 3rd conference on Hot topics in security
Taming subsystems: capabilities as universal resource access control in L4
Proceedings of the Second Workshop on Isolation and Integration in Embedded Systems
Application containers without virtual machines
Proceedings of the 1st ACM workshop on Virtual machine security
Capability wrangling made easy: debugging on a microkernel with valgrind
Proceedings of the 6th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Transparent mobile storage protection in trusted virtual domains
LISA'09 Proceedings of the 23rd conference on Large installation system administration
jVPFS: adding robustness to a secure stacked file system with untrusted local storage components
USENIXATC'11 Proceedings of the 2011 USENIX conference on USENIX annual technical conference
Logical attestation: an authorization architecture for trustworthy computing
SOSP '11 Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles
File system virtual appliances: Portable file system implementations
ACM Transactions on Storage (TOS)
| Hi-index | 0.00 |
In this paper we present the lessons we learned when developing VPFS, a virtual private file system that is based on both a small amount of trusted storage and an untrusted legacy file system residing on the same machine. VPFS' purpose is to provide secure and reliable storage to highly sensitive applications running on top of a microkernel, which may concurrently execute untrusted software. The confidentiality and integrity guarantees of VPFS do not only apply to file contents, but also to all meta data including integrity of the directory structure. We explored design alternatives that allow us to securely reuse untrusted infrastructure and thereby minimize the complexity that a file-system implementation adds to the trusted computing base. VPFS is split into two isolated components. A small trusted component implements all security-critical functionality, whereas the untrusted part reuses an existing file-system implementation provided by a virtualized legacy operating system that can be untrusted. In our VPFS prototype, alternative configurations of the trusted component comprise only between 4,000 and 4,600 lines of code, which is at least an order of magnitude smaller than existing commodity file-system stacks.