Protecting Confidential Data on Personal Computers with Storage Capsules - PowerPoint PPT Presentation



slide-1
SLIDE 1

Protecting Confidential Data on Personal Computers with Storage Capsules

Kevin Borders, Eric Vander Weele, Billy Lau, and Atul Prakash

slide-2
SLIDE 2

Problem: Malicious Software

  • As computing becomes pervasive, so does malware

▫ Over 23 million computers cleansed in 2008 [1]

  • Consequences are severe:

▫ Financial loss
▫ Identity theft
▫ Fraud

[1] Microsoft Security Intelligence Report Volume 5

slide-3
SLIDE 3

Scenario

  • Tasks that require confidentiality protection

▫ Perform financial analysis of credit card expenditure
▫ Writing journal containing controversial political beliefs
▫ Writing business proposal

slide-4
SLIDE 4
slide-5
SLIDE 5
slide-6
SLIDE 6

Goals

Provide confidentiality for local sensitive files against malicious software

slide-7
SLIDE 7

Related Work: Trusted Boot

[Diagram labels: BIOS, Boot Loader, Kernel, Applications, Documents]

  • Not 100% safe
  • Need to verify all software prior to installation

▫ Hard

  • Verify documents

▫ Even harder!!

slide-8
SLIDE 8

Related Work: Strict Inter-Process Flow Control

[Diagram labels: Internet; Mandatory Access Control A; Mandatory Access Control B; Air Gap]

  • Mandatory Access Control with strict control flow policy = Limited Usability
  • Air gap greatly limits utility
slide-9
SLIDE 9

Contribution – Storage Capsules

  • A system that can securely access confidential information from a compromised commodity OS

slide-10
SLIDE 10

Approach

  • Allow normal OS and standard applications to access sensitive data
  • Two modes of operation:

Normal Mode

  • No restrictions
  • Perform non-sensitive operations
  • No storage protection

Secure Mode

  • Prevent network output
  • Edit sensitive documents
  • Encrypt changes to Storage Capsules

slide-11
SLIDE 11

From the User’s Perspective

  • 1. Open Container
  • 2. Edit Document
  • 3. Close Container

Similar to TrueCrypt, but contents safe when open

slide-12
SLIDE 12

Capsule Architecture

[Diagram labels: Primary VM; Capsule VM; Standard Programs; Primary OS; Standard OS; Virtual Drivers; VMM; Physical Device Drivers; VMM OS; Hardware. Legend: Green = Trusted Computing Base, Red = Not Trusted]

slide-13
SLIDE 13

Threat Model

  • We trust:

▫ The user,
▫ The capsule VM, and
▫ The VMM

  • Do not trust:

▫ The primary OS
▫ Applications

  • Covert Channels

▫ Channels within the primary VM are blocked
▫ Channels in Capsule VM, VMM, and hardware may not be blocked

slide-14
SLIDE 14

Opening a Storage Capsule

slide-15
SLIDE 15

Opening a Storage Capsule

slide-16
SLIDE 16

Opening a Storage Capsule

slide-17
SLIDE 17

Opening a Storage Capsule

slide-18
SLIDE 18

Accessing a Storage Capsule

slide-19
SLIDE 19

Closing a Storage Capsule

slide-20
SLIDE 20

Closing a Storage Capsule

slide-21
SLIDE 21

Covert Channels Illustrated

[Diagram labels: Primary VM; Capsule VM; Capsule Viewer; Capsule Server; Primary OS; Standard OS; Virtual Drivers; VMM; Capsule VMM Module; Physical Device Drivers; VMM OS; Hardware]

slide-22
SLIDE 22

Attacks – Covert Channels

  • Primary OS and Capsule could be manipulated, but we:

▫ Fix the file store size
▫ Re-encrypt the store before every export
▫ The user controls transition timing with a secure key escape sequence

  • External Devices – store data on floppy, CD-ROM, USB, SCSI, etc.

▫ Device output is disabled in secure mode
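
An added sketch (not the authors' implementation) of the two store-level mitigations on this slide: padding the store to a fixed size and re-encrypting it under a fresh nonce on every export, so that neither the exported size nor the pattern of changed blocks carries information. The HMAC-based keystream is a standard-library stand-in for a real cipher, and the function names, the STORE_SIZE value, and the integrity tag are assumptions of this example.

```python
import hashlib
import hmac
import os

STORE_SIZE = 4096   # fixed plaintext size of every export (assumed demo value)
NONCE_LEN = 16
TAG_LEN = 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: stdlib stand-in for a cipher such as AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def export_store(enc_key: bytes, mac_key: bytes, contents: bytes) -> bytes:
    """Pad to the fixed size, then encrypt under a fresh random nonce."""
    body_len = STORE_SIZE - 4
    if len(contents) > body_len:
        raise ValueError("contents exceed the fixed store size")
    # 4-byte length prefix, data, zero padding: always STORE_SIZE bytes.
    plain = len(contents).to_bytes(4, "big") + contents
    plain += bytes(body_len - len(contents))
    nonce = os.urandom(NONCE_LEN)  # new nonce => every ciphertext block changes
    stream = _keystream(enc_key, nonce, STORE_SIZE)
    ct = bytes(p ^ k for p, k in zip(plain, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def import_store(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag (assumed addition), decrypt, and strip the padding."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("store failed integrity check")
    stream = _keystream(enc_key, nonce, len(ct))
    plain = bytes(c ^ k for c, k in zip(ct, stream))
    n = int.from_bytes(plain[:4], "big")
    return plain[4:4 + n]

def changed_blocks(a: bytes, b: bytes, block: int = 64) -> int:
    """Blocks that differ between two exports, as seen from the primary OS."""
    return sum(a[i:i + block] != b[i:i + block] for i in range(0, len(a), block))
```

Two exports of identical contents differ in every block, and exports of 5 bytes and 3000 bytes have the same length, so an observer in the primary VM cannot read a message out of either property.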

slide-23
SLIDE 23

Attacks – Covert Channels (pt. 2)

  • VMM – manipulate memory utilization and layout, store information in virtual network

▫ VMM does not over-commit memory and uses fixed layout
▫ Restart the virtual network during transition to normal mode

  • Hardware – store data in CPU or disk cache

▫ Restoration code adds noise to CPU, full reset would completely clear CPU
▫ Would need to clear all disk caches or move all files to block disk covert channels

slide-24
SLIDE 24

Attacks – Secure Mode Forgery

  • Malware could fake secure mode UI
  • To be safe, users are only required to:

▫ Remember that they are supposed to enter a key escape sequence (like ctrl+alt+del) to enter secure mode
▫ Heed warnings

slide-25
SLIDE 25

Performance – Transitions

[Charts: transition time in seconds versus VM Memory (256, 512, 1024 MB). Panels: To Secure Mode and To Normal Mode, each with and without background snapshot. Legend entries: Snapshot, Mount Capsule, Disable Network, Restore, Reset VM, Flush Disk]

slide-26
SLIDE 26

Disk Performance – Secure Mode

[Chart: Time (seconds) for Unpack, Build, and Remove, by Configuration: Native, VM, VM + TC, Capsule]

  • For Apache build:

▫ Storage Capsules 38% slower than native system
▫ Only 5.1% slower than running TrueCrypt in VM

slide-27
SLIDE 27

Limitations

  • Changes made outside Capsules in secure mode are lost

▫ Background computations

  • Network connections are lost in secure mode

▫ Downloads, services, etc.

  • Short-lived sessions are impractical due to transition time

slide-28
SLIDE 28

Conclusion

  • Introduced Storage Capsules, a new mechanism for securing files on personal computers

▫ Similar to existing file encryption software
▫ Provide better protection and usability
▫ Works in the face of a compromised OS

  • Covert channel analysis

▫ Explores covert channels on many layers

slide-29
SLIDE 29

Questions
