Betriebssysteme · Institut für Systemarchitektur · Fakultät Informatik · TU Dresden



07. 06. 2011

jVPFS: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components


Carsten Weinhold

TU Dresden


The Virtual Private File System (VPFS) was built to protect confidentiality and integrity of application data against strong attacks. To minimize the trusted computing base (i.e., the attack surface) it was built as a stacked file system, where a small isolated component in a microkernel-based system reuses a potentially large and complex untrusted file system; for example, as provided by a more vulnerable guest OS in a separate virtual machine. However, its design ignores robustness issues that come with sudden power loss or crashes of the untrusted file system.

In this talk, a solution to these issues is presented that maintains the unique security properties of VPFS. To minimize damage caused by an unclean shutdown, jVPFS carefully splits a journaling mechanism between a security-critical trusted core and the untrusted file system. The journaling approach minimizes the number of writes needed to maintain consistent information in a Merkle hash tree, which is stored in the untrusted file system to detect attacks on integrity. The commonly very complex and error-prone recovery functionality of legacy file systems (in the order of thousands of lines of code) can be reused with little increase of complexity in the trusted core: less than 350 lines of code deal with the security-critical aspects of crash recovery. jVPFS shows acceptable performance better than its predecessor VPFS, while providing much better protection against data loss.
18. Apr 2018
· Copyright © 2001-2010 Operating Systems Group, TU Dresden | Impressum ·