Leendert van Doorn
Advanced Micro Devices
Publication
Featured research published by Leendert van Doorn.
Symposium on Operating Systems Principles | 2005
Arvind Seshadri; Mark Luk; Elaine Shi; Adrian Perrig; Leendert van Doorn; Pradeep K. Khosla
We propose a primitive, called Pioneer, as a first step towards verifiable code execution on untrusted legacy hosts. Pioneer does not require any hardware support such as secure co-processors or CPU-architecture extensions. We implement Pioneer on an Intel Pentium IV Xeon processor. Pioneer can be used as a basic building block to build security systems. We demonstrate this by building a kernel rootkit detector.
Computer and Communications Security | 2004
Reiner Sailer; Trent Jaeger; Xiaolan Zhang; Leendert van Doorn
Intranet access has become an essential function for corporate users. At the same time, corporations' security administrators have little ability to control access to corporate data once it is released to remote clients. At present, no confidentiality or integrity guarantees about the remote access clients are made, so it is possible that an attacker may have compromised a client process and is now downloading or modifying corporate data. Even though we have corporate-wide access control over remote users, the access control approach is currently insufficient to stop these malicious processes. We have designed and implemented a novel system that empowers corporations to verify client integrity properties and establish trust upon the client policy enforcement before allowing clients (remote) access to corporate Intranet services. Client integrity is measured using a Trusted Platform Module (TPM), a new security technology that is becoming broadly available on client systems, and our system uses these measurements for access policy decisions enforced upon the clients' processes. We have implemented a Linux 2.6 prototype system that utilizes the TPM measurement and attestation, existing Linux network control (Netfilter), and existing corporate policy management tools in the Tivoli Access Manager to control remote client access to corporate data. This prototype illustrates that our solution integrates seamlessly into scalable corporate policy management and introduces only a minor performance overhead.
Workshop on Wireless Security | 2006
Arvind Seshadri; Mark Luk; Adrian Perrig; Leendert van Doorn; Pradeep K. Khosla
This paper presents SCUBA (Secure Code Update By Attestation), for detecting and recovering compromised nodes in sensor networks. The SCUBA protocol enables the design of a sensor network that can detect compromised nodes without false negatives, and either repair them through code updates, or revoke the compromised nodes. The SCUBA protocol represents a promising approach for designing secure sensor networks by proposing a first approach for automatic recovery of compromised sensor nodes. The SCUBA protocol is based on ICE (Indisputable Code Execution), a primitive we introduce to dynamically establish a trusted code base on a remote, untrusted sensor node.
ACM SIGOPS European Workshop | 2002
Xiaolan Zhang; Leendert van Doorn; Trent Jaeger; Ronald Perez; Reiner Sailer
The goal of an intrusion detection system (IDS) is to recognize attacks such that their exploitation can be prevented. Since computer systems are complex, there are a variety of places where detection is possible. For example, analysis of network traffic may indicate an attack in progress [11], a compromised daemon may be detected by its abnormal behavior [14, 12, 5, 10, 15], and subsequent attacks may be prevented by the detection of backdoors and stepping stones [16, 17].
International Conference on Mobile Systems, Applications, and Services | 2008
Scott Garriss; Ramón Cáceres; Stefan Berger; Reiner Sailer; Leendert van Doorn; Xiaolan Zhang
Many people desire ubiquitous access to their personal computing environments. We present a system in which a user leverages a personal mobile device to establish trust in a public computing device, or kiosk, prior to resuming her environment on the kiosk. We have designed a protocol by which the mobile device determines the identity and integrity of all software loaded on the kiosk, in order to inform the user whether the kiosk is trustworthy. Our system exploits emerging hardware security technologies, namely the Trusted Platform Module and new support in x86 processors for establishing a dynamic root of trust. We have demonstrated the viability of our approach by implementing and evaluating our system on commodity hardware. Through a brief survey, we found that respondents are generally willing to endure a delay in exchange for an increased assurance of data privacy, and that the delay incurred by our unoptimized prototype is close to the range tolerable to the respondents. We have focused on allowing the user to personalize a kiosk by running her own virtual machine there. However, our work is generally applicable to establishing trust on public computing devices before revealing any sensitive information to those devices.
ACM SIGOPS European Workshop | 2004
James Hendricks; Leendert van Doorn
We propose augmenting secure boot with a mechanism to protect against compromises to field-upgradeable devices. In particular, secure boot standards should verify the firmware of all devices in the computer, not just devices that are accessible by the host CPU. Modern computers contain many autonomous processing elements, such as disk controllers, disks, network adapters, and coprocessors, that all have field-upgradeable firmware and are an essential component of the computer system's trust model. Ignoring these devices opens the system to attacks similar to those secure boot was engineered to defeat.
Operating Systems Review | 2008
Jason Franklin; Mark Luk; Jonathan M. McCune; Arvind Seshadri; Adrian Perrig; Leendert van Doorn
We study the remote detection of virtual machine monitors (VMMs) across the Internet, and devise fuzzy benchmarking as an approach that can successfully detect the presence or absence of a VMM on a remote system. Fuzzy benchmarking works by making timing measurements of the execution time of particular code sequences executing on the remote system. The fuzziness comes from heuristics which we employ to learn characteristics of the remote system's hardware and VMM configuration. Our techniques are successful despite uncertainty about the remote machine's hardware configuration.
Computer and Communications Security | 2012
Amit Vasudevan; Jonathan M. McCune; James Newsome; Adrian Perrig; Leendert van Doorn
Much effort has been spent to reduce the software Trusted Computing Base (TCB) of modern systems. However, there remains a large and complex hardware TCB, including memory, peripherals, and system buses. There are many stronger, but still realistic, adversary models where we need to consider that this hardware may be malicious or compromised. Thus, there is a practical need to determine whether we can achieve secure program execution in the presence of not only malicious software, but also malicious hardware.
Communications of The ACM | 2006
Arvind Seshadri; Mark Luk; Adrian Perrig; Leendert van Doorn; Pradeep K. Khosla
Using hardware- and software-based techniques to realize a primitive for externally verifiable code execution.
Trust and Trustworthy Computing | 2010
Amit Vasudevan; Jonathan M. McCune; Ning Qu; Leendert van Doorn; Adrian Perrig
Virtualization has been purported to be a panacea for many security problems. We analyze the feasibility of constructing an integrity-protected hypervisor on contemporary x86 hardware that includes virtualization support, observing that without the fundamental property of hypervisor integrity, no secrecy properties can be achieved. Unfortunately, we find that significant issues remain for constructing an integrity-protected hypervisor on such hardware. Based on our analysis, we describe a set of necessary rules that must be followed by hypervisor developers and users to maintain hypervisor integrity. No current hypervisor we are aware of adheres to all the rules. No current x86 hardware platform we are aware of even allows for the construction of an integrity-protected hypervisor. We provide a perspective on secure virtualization and outline a research agenda for achieving truly secure hypervisors.