07.06.2011
jVPFS: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components
Carsten Weinhold
TU Dresden
The Virtual Private File System (VPFS) was built to protect
confidentiality and integrity of application data against strong
attacks. To minimize the trusted computing base (i.e., the attack
surface) it was built as a stacked file system, where a small isolated
component in a microkernel-based system reuses a potentially large and
complex untrusted file system; for example, as provided by a more
vulnerable guest OS in a separate virtual machine. However, its design
ignores robustness issues that come with sudden power loss or crashes
of the untrusted file system.
In this talk, a solution to these issues is presented that maintains
the unique security properties of VPFS. To minimize damage caused by
an unclean shutdown, jVPFS carefully splits a journaling mechanism
between a security-critical trusted core and the untrusted file
system. The journaling approach minimizes the number of writes needed
to maintain consistent information in a Merkle hash tree, which is
stored in the untrusted file system to detect attacks on integrity.
The commonly very complex and error-prone recovery functionality of
legacy file systems (in the order of thousands of lines of code) can
be reused with little increase in complexity in the trusted core: less
than 350 lines of code deal with the security-critical aspects of
crash recovery. jVPFS achieves acceptable performance, better than that
of its predecessor VPFS, while providing much better protection against
data loss.
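As an added example (not code from the talk or from the VPFS/jVPFS project), the following Python models the split the abstract describes: data blocks and Merkle tree nodes live in an untrusted store, the trusted core keeps only the root hash, and a simulated unclean shutdown between the block write and the tree update shows the kind of inconsistency the journaling in jVPFS is meant to bound. The tree shape (4 leaves, binary), the hashing details and the crash point are assumptions for illustration.

```python
import hashlib

NLEAVES = 4                          # assumed tree size for the example
DEPTH = NLEAVES.bit_length() - 1     # levels above the leaves (2 for 4 leaves)

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

class UntrustedStore:
    """Constructed stand-in for the untrusted legacy file system."""
    def __init__(self):
        self.blocks = {}   # leaf index -> data bytes
        self.nodes = {}    # (level, index) -> hash; level 0 holds leaf hashes

def leaf_hash(i: int, data: bytes) -> bytes:
    # Bind the block index into the hash so blocks cannot be swapped.
    return H(b"leaf", bytes([i]), data)

def build_tree(store: UntrustedStore, blocks: list) -> bytes:
    """Initial write of all blocks and tree nodes; returns the root that the
    trusted core keeps in its own (trusted) memory."""
    level = []
    for i, data in enumerate(blocks):
        store.blocks[i] = data
        store.nodes[(0, i)] = leaf_hash(i, data)
        level.append(store.nodes[(0, i)])
    for lvl in range(1, DEPTH + 1):
        level = [H(level[j], level[j + 1]) for j in range(0, len(level), 2)]
        for j, node in enumerate(level):
            store.nodes[(lvl, j)] = node
    return level[0]

def verify_block(store: UntrustedStore, root: bytes, i: int) -> bool:
    """Trusted core re-derives the root from block i plus the sibling hashes
    read from untrusted storage; a mismatch means tampering or a tree that
    no longer matches the data (e.g. after an unclean shutdown)."""
    cur, idx = leaf_hash(i, store.blocks[i]), i
    for lvl in range(DEPTH):
        sib = store.nodes[(lvl, idx ^ 1)]
        cur = H(cur, sib) if idx % 2 == 0 else H(sib, cur)
        idx //= 2
    return cur == root

def update_block(store: UntrustedStore, i: int, data: bytes,
                 crash_after_data: bool = False):
    """Write block i, then refresh its hash path. With crash_after_data the
    simulated power loss hits before the tree is updated (returns None)."""
    store.blocks[i] = data
    if crash_after_data:
        return None
    cur, idx = leaf_hash(i, data), i
    store.nodes[(0, i)] = cur
    for lvl in range(DEPTH):
        sib = store.nodes[(lvl, idx ^ 1)]
        cur = H(cur, sib) if idx % 2 == 0 else H(sib, cur)
        idx //= 2
        store.nodes[(lvl + 1, idx)] = cur
    return cur   # new root for the trusted core to commit
```

After the simulated crash only the affected block fails verification; the trusted core still validates the untouched blocks against the last committed root.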