P Protecting Confidential Data on i C fid i l D Personal - PowerPoint PPT Presentation

P Protecting Confidential Data on i C fid i l D Personal Computers with S p torage g Capsules Kevin Borders, Eric Vander Weele, Billy Lau, and Atul Prakash

Problem: Malicious S oftware • Computing becomes pervasive, so is malware ▫ Over 23 million computers cleansed in 2008 [1] • Consequences are severe: ▫ Financial loss Fi i l l ▫ Identity theft ▫ Fraud ▫ Fraud [ 1 ] Microsoft Security Intelligence Report Volume 5

S cenario • Tasks that require confidentiality protection ▫ Perform financial analysis of credit card expenditure ▫ Writing journal containing controversial political beliefs beliefs ▫ Writing business proposal

Goals Internet Provide confidentiality for local sensitive files against malicious software li i f

Related Work: Trusted Boot • Not 100% safe Documents • Need to verify all Need to verify all software prior to Applications installation ▫ Hard Kernel • Verify documents Boot Loader Boot Loader ▫ Even harder!! BIOS

Related Work: S Related Work: S trict Inter Process Flow trict Inter-Process Flow Control Internet Internet Internet X X X X Mandatory Access Mandatory Access Air Gap Control A Control B • Mandatory Access Control with strict control M d t A C t l ith t i t t l flow policy = Limited Usability • Air gap greatly limits utility • Air gap greatly limits utility

Contribution – S torage Capsules • A system that can securely access confidential information from a compromised commodity OS information from a compromised commodity OS

Approach • Allow normal OS and standard applications to access sensitive data access sensitive data • Two modes of operation: Norm al Mode Norm al Mode Secure Mode Secure Mode • No restrictions • Prevent network output • Perform non-sensitive Perform non sensitive • Edit sensitive documents Edit sensitive documents operations • No storage protection • Encrypt changes to Storage C Capsules l

From the User’s Perspective 1. Open Container 2. Edit Document 3. Close Container Similar to TrueCrypt but contents safe when open Similar to TrueCrypt, but contents safe when open

Capsule Architecture Primary VM Capsule VM Standard Programs og a s Green Red = Standard OS Primary OS = Trusted Not Trusted Not Trusted Computing Computing Virtual Drivers Vi t l D i Virtual Drivers Vi l D i Base VMM VMM OS Physical Device Drivers Hardware

Threat Model • We trust: • We trust: ▫ The user, ▫ The capsule VM, and The capsule VM, and ▫ The VMM • Do not trust: ▫ The primary OS ▫ Applications • Covert Channels ▫ Channels within the primary VM are blocked ▫ Channels in Capsule VM, VMM, and hardware Ch l i C l VM VMM d h d may not be blocked

torage Capsule Opening a S

torage Capsule Opening a S

torage Capsule Opening a S

torage Capsule Opening a S

torage Capsule Accessing a S

torage Capsule Closing a S

torage Capsule Closing a S

Covert Channels Illustrated Primary VM Capsule VM Capsule Capsule Se ve Server V ewe Viewer Standard OS Primary OS Vi t Virtual Drivers l D i Vi Virtual Drivers l D i VMM Capsule VMM Module VMM OS Physical Device Drivers Hardware

Attacks – Covert Channels • Primary OS and Capsule could be manipulated, but we: but we: ▫ Fix the file store size ▫ Re-encrypt the store before every export Re encrypt the store before every export ▫ The user controls transition timing with a secure key escape sequence • External Devices – store data on floppy, CD- ROM, USB, SCSI, etc. ▫ Device output is disabled in secure mode D i i di bl d i d

Attacks – Covert Channels (pt. 2) • VMM – manipulate memory utilization and layout, store information in virtual network y ▫ VMM does not over-commit memory and uses fixed layout ▫ Restart the virtual network during transition to ▫ Restart the virtual network during transition to normal mode • Hardware – store data in CPU or disk cache ▫ Restoration code adds noise to CPU, full reset would completely clear CPU ▫ Would need to clear all disk caches or move all Would need to clear all disk caches or move all files to block disk covert channels

Attacks – S ecure Mode Forgery • Malware could fake secure mode UI • To be safe, users are only required to: To be safe users are only required to: ▫ Remember that they are supposed to enter a key escape sequence (like ctrl+alt+del) to enter secure escape sequence (like ctrl+alt+del) to enter secure mode ▫ Heed warnings

Performance –Transitions 100 300 10 300 90 9 250 250 80 8 Snapshot 70 7 200 200 Seconds Restore Seconds Seconds 60 6 Seconds Mount 50 150 Reset VM 5 150 Capsule 40 4 Flush Disk 100 100 100 100 Disable Disable 30 30 3 Netw ork 20 2 50 50 10 1 0 0 0 0 256 512 1024 256 512 1024 256 512 1024 256 512 1024 VM Memory (MB) VM Memory (MB) VM Memory (MB) VM Memory (MB) VM M VM Memory (MB) (MB) VM M VM Memory (MB) (MB) w/ background w/o background w/ background w/o background snapshot snapshot snapshot snapshot To Secure Mode To Secure Mode To Normal Mode To Normal Mode

Disk Performance – S ecure Mode 450 400 350 s) Time (seconds 300 Remove 250 Build 200 Unpack 150 100 100 50 0 Native VM VM + TC Capsule Configuration • For Apache build: ▫ Storage Capsules 38% slower than native system Storage Capsules 38% slower than native system ▫ Only 5.1% slower than running TrueCrypt in VM

Limitations • Changes made outside Capsules in secure mode are lost are lost ▫ Background computations • Network connections are lost in secure mode Network connections are lost in secure mode ▫ Downloads, services, etc. • Short-lived sessions are impractical due to p transition time

Conclusion • Introduced Storage Capsules, a new mechanism for securing files on personal computers for securing files on personal computers ▫ Similar to existing file encryption software ▫ Provide better protection and usability Provide better protection and usability ▫ Works in the face of a compromised OS • Covert channel analysis ▫ Explores covert channels on many layers

Questions ? ¿ ? ¿