Starts at: April 29, 2014 10:00 AM
Ends at: 1:00 PM
Location: CIC 2101
Today large software systems (i.e., giants) thrive in commodity markets, but are untrustworthy. Their large and complicated code bases and diverse-origin components with uncertain security properties inevitably lead to incomplete and incorrect adversary definitions and give persistent advantages to the adversary against defenders. Thus, the best hope for security is that some small, simple, and trustworthy software components (i.e., wimps) can be protected from attacks launched by adversary-controlled giants. However, wimps in isolation typically give up a variety of basic services (e.g., file system, networking, device I/O), trading usefulness and viability for security.
This thesis aims to address this giant-wimp dilemma by proposing a new security architecture that provides high-assurance services to isolated wimps. Instead of restructuring the giants or bloating the Trusted Computing Base (TCB) that underpins wimp-giant isolation, this thesis presents a trusted add-on component called the wimpy kernel to provide I/O services to wimps. The wimpy kernel securely composes with the commodity giant; i.e., it relies on the giant's services, but only after efficiently verifying their results. This significantly reduces the size and complexity of the wimpy kernel, enabling high security assurance. The wimpy kernel also composes with the underlying TCB by retaining the TCB's code size, complexity and security properties.
Among the basic services needed by wimps, we focus specifically on isolated I/O channels, with which isolated wimps can transfer I/O data from/to commodity peripheral devices while the data's secrecy and authenticity are protected from the giants (e.g., an untrusted OS, other applications and devices). Though it is a fundamental primitive for a myriad of application scenarios (e.g., secure user interfaces, remote device control), isolated I/O has remained an unmet challenge over the past three decades.
To address this challenge, this thesis proposes a unique on-demand I/O isolation model in which the wimpy kernel dynamically takes control of devices managed by a commodity OS, connects them to the isolated wimps, and relinquishes control to the OS when done. This model creates ample opportunities for the wimpy kernel to outsource I/O subsystem functions to the untrusted OS and verify their results. The wimpy kernel further exports device drivers and I/O subsystem code to wimps and mediates the operations of the exported code. Using the popular and complex USB subsystem as a case study, this thesis illustrates the dramatic reduction of the wimpy kernel; i.e., over 99% of the Linux USB code base is removed.
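The two ideas above, on-demand hand-over of a device from the OS to a small trusted component and "outsource the work, verify the result", can be made concrete with a toy model. The following Python is an added illustration written for this page; it is not the thesis's wimpy kernel code, and the device list, the `Device`/`UntrustedOS`/`WimpyKernel` classes, the `lies` parameter that makes the simulated OS misreport results, and the specific checks (endpoint list read back from a trusted path, bus-address uniqueness) are all constructed assumptions that stand in for real USB configuration work:

```python
from dataclasses import dataclass


class VerificationError(Exception):
    """Raised when the untrusted OS's result fails the trusted check."""


@dataclass(frozen=True)
class Device:
    dev_id: str
    endpoints: tuple  # ((endpoint_number, max_packet_size), ...), constructed sample data


class UntrustedOS:
    """Simulated commodity OS ('giant'). It owns every device until one is
    borrowed and does the heavy configuration work. `lies` selects which
    wrong answers it returns; a hostile OS is constructed for the example."""

    def __init__(self, devices, lies=frozenset()):
        self.devices = {d.dev_id: d for d in devices}
        self.owned = set(self.devices)
        self.lies = set(lies)
        self._next_addr = 1

    def configure(self, dev_id):
        """Assign a bus address and report the device's endpoints (untrusted)."""
        addr, self._next_addr = self._next_addr, self._next_addr + 1
        endpoints = list(self.devices[dev_id].endpoints)
        if "extra_endpoint" in self.lies:
            endpoints.append((0x82, 512))   # an endpoint the device does not have
        if "reuse_address" in self.lies:
            addr = 1                        # aliases the first configured device
        return {"addr": addr, "endpoints": endpoints}

    def transfer(self, dev_id, data):
        """OS-side I/O; denied while the wimpy kernel holds the device."""
        if dev_id not in self.owned:
            raise PermissionError(f"{dev_id} is isolated from the OS")
        return len(data)


class WimpyKernel:
    """Small trusted component: takes a device from the OS on demand,
    outsources configuration, verifies the answer, serves the wimp's I/O,
    and hands the device back on release."""

    def __init__(self, untrusted_os):
        self.os = untrusted_os
        self.held = {}  # dev_id -> verified configuration

    def _read_descriptor(self, dev_id):
        # Stand-in for reading the descriptor directly from the host controller,
        # bypassing the OS; this is the trusted ground truth for verification.
        return self.os.devices[dev_id].endpoints

    def acquire(self, dev_id):
        self.os.owned.discard(dev_id)          # OS loses access immediately
        claim = self.os.configure(dev_id)      # cheap for us: the OS did the work
        try:
            if tuple(claim["endpoints"]) != self._read_descriptor(dev_id):
                raise VerificationError("OS reported endpoints the device lacks")
            if claim["addr"] in {c["addr"] for c in self.held.values()}:
                raise VerificationError("OS reused a bus address held by a wimp")
        except VerificationError:
            self.os.owned.add(dev_id)          # undo the hand-over on failure
            raise
        self.held[dev_id] = claim
        return claim

    def wimp_transfer(self, dev_id, data):
        """I/O on behalf of the wimp; only devices it holds are reachable."""
        if dev_id not in self.held:
            raise PermissionError(f"{dev_id} is not held for the wimp")
        return len(data)

    def release(self, dev_id):
        self.held.pop(dev_id)
        self.os.owned.add(dev_id)              # relinquish control to the OS


# Constructed sample devices: a keyboard with one IN endpoint, a camera with two.
DEVICES = (Device("kbd", ((0x81, 8),)), Device("cam", ((0x81, 1024), (0x02, 64))))


def demo():
    """Honest OS: acquire, OS is locked out, wimp does I/O, release restores the OS."""
    os_ = UntrustedOS(DEVICES)
    wk = WimpyKernel(os_)
    cfg = wk.acquire("kbd")
    try:
        os_.transfer("kbd", b"x")
        os_locked_out = False
    except PermissionError:
        os_locked_out = True
    sent = wk.wimp_transfer("kbd", b"keystroke")
    wk.release("kbd")
    return cfg["addr"], os_locked_out, sent, os_.transfer("kbd", b"y")
```

The point of the model is the shape of the trust relationship rather than the specific checks: the trusted component never re-implements configuration, it only compares the OS's claim against a value it can obtain through a path the OS does not control, and on any mismatch it returns the device without ever exposing it to the wimp. Isolation is enforced for the whole time the device is held, and ownership reverts to the OS on release.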