PhD Proposal: Alan Dunn, GDC 6.516

Contact Name: Lydia Griffith
Date: Dec 3, 2013 11:30am - 1:00pm

PhD Proposal: Alan Dunn

Date: December 3, 2013
Time: 11 am
Place: GDC 6.516
Research Supervisor: Emmett Witchel

Title: Private Environments for Programs

Abstract:
As modern computer systems grow more complex, it becomes harder to provide privacy guarantees for the programs that run on them. Each new layer in the system stack is an additional place from which data can leak.

This thesis presents Suliban and Lacuna, two systems that allow programs to execute privately on commodity hardware. These systems demonstrate different points in a design space wherein stronger privacy guarantees can be traded for greater system usability.

Suliban uses trusted computing technology to create “cloaked” computations in which computation-only code can execute privately. In particular, Suliban is meant to run a malicious computation on a platform in a way that is resistant to analysis. Suliban uses the Trusted Platform Module and processor late-launch to create an execution environment entirely disjoint from normal system software. Suliban uses a remote attestation protocol to demonstrate to a malware distribution platform that the environment has been correctly created before the environment is allowed to receive a malicious payload. Suliban’s execution outside of standard system software allows it to resist attackers with privileged operating system access and those that can perform some forms of physical attack. However, Suliban has no access to system services, and requires extra case-by-case measures to get outside information like the current date or the contents of files on the host. Nonetheless, we demonstrate that Suliban is capable of running computations that would be useful in real malware.

Lacuna instead aims at achieving forensic deniability, which guarantees that an attacker that gains full control of a system after a computation has finished cannot learn the answers to even binary questions (with a few exceptions) about the computation. This relaxation of the guarantees of Suliban allows Lacuna to run full-featured programs concurrently with non-private programs on a system. Lacuna’s key primitive is the ephemeral channel, which allows programs to use peripherals while maintaining their privacy guarantees. This thesis also proposes extensions to the original Lacuna work that enhance its privacy guarantees by empirically finding and eliminating counter-based information leaks and improve system usability by examining the possible removal of virtualization from the system.