10,704 research outputs found
Time Protection: the Missing OS Abstraction
Timing channels enable data leakage that threatens the security of computer
systems, from cloud platforms to smartphones and browsers executing untrusted
third-party code. Preventing unauthorised information flow is a core duty of
the operating system, however, present OSes are unable to prevent timing
channels. We argue that OSes must provide time protection in addition to the
established memory protection. We examine the requirements of time protection,
present a design and its implementation in the seL4 microkernel, and evaluate
its efficacy as well as performance overhead on Arm and x86 processors
SGXIO: Generic Trusted I/O Path for Intel SGX
Application security traditionally strongly relies upon security of the
underlying operating system. However, operating systems often fall victim to
software attacks, compromising security of applications as well. To overcome
this dependency, Intel introduced SGX, which allows to protect application code
against a subverted or malicious OS by running it in a hardware-protected
enclave. However, SGX lacks support for generic trusted I/O paths to protect
user input and output between enclaves and I/O devices.
This work presents SGXIO, a generic trusted path architecture for SGX,
allowing user applications to run securely on top of an untrusted OS, while at
the same time supporting trusted paths to generic I/O devices. To achieve this,
SGXIO combines the benefits of SGX's easy programming model with traditional
hypervisor-based trusted path architectures. Moreover, SGXIO can tweak insecure
debug enclaves to behave like secure production enclaves. SGXIO surpasses
traditional use cases in cloud computing and makes SGX technology usable for
protecting user-centric, local applications against kernel-level keyloggers and
likewise. It is compatible to unmodified operating systems and works on a
modern commodity notebook out of the box. Hence, SGXIO is particularly
promising for the broad x86 community to which SGX is readily available.Comment: To appear in CODASPY'1
UniquID: A Quest to Reconcile Identity Access Management and the Internet of Things
The Internet of Things (IoT) has caused a revolutionary paradigm shift in
computer networking. After decades of human-centered routines, where devices
were merely tools that enabled human beings to authenticate themselves and
perform activities, we are now dealing with a device-centered paradigm: the
devices themselves are actors, not just tools for people. Conventional identity
access management (IAM) frameworks were not designed to handle the challenges
of IoT. Trying to use traditional IAM systems to reconcile heterogeneous
devices and complex federations of online services (e.g., IoT sensors and cloud
computing solutions) adds a cumbersome architectural layer that can become hard
to maintain and act as a single point of failure. In this paper, we propose
UniquID, a blockchain-based solution that overcomes the need for centralized
IAM architectures while providing scalability and robustness. We also present
the experimental results of a proof-of-concept UniquID enrolment network, and
we discuss two different use-cases that show the considerable value of a
blockchain-based IAM.Comment: 15 pages, 10 figure
- …