A practical approach for updating an integrity-enforced operating system

A practical approach for updating an
integrity-enforced operating system
Wojciech Ozga

TU Dresden
Do Le Quoc

TU Dresden
Christof Fetzer

TU Dresden
ACM/IFIP Middleware 2020

operating system
• con
fi
guration

• executables

• dynamic libraries

OSOS
integrity

monitoring system
remote 
attestation
operating system
• con
fi
guration

• executables


operating system
• con
fi
guration

• executables

TPM

2.0IMA trusted
boot
integrity

monitoring system
remote 
attestation

OSOS
integrity

monitoring system
remote 
attestation
integrity

violation !
operating system
• con
fi
guration

• executables

TPM

2.0IMA trusted
bootrepository
software update

• con
fi
guration

• executables

• con
fi
guration

• executables

• con
fi
guration

• executables

fi
le contents of executables,  
con
fi
guration, dynamic libraries
-Software

state (C)
 
-
Integrity check by  
monitoring systemverify - Adversary
• con
fi
guration

• executables

software

fi
con
fi
-Software

state (C)
 
-
fi
le (C, H)

C - content

H - hash(C)
 
file1 = file2 ⇔ hash(file1) = hash(file2)

integrity measurement, veri
fi
cation, and enforcement
fi
con
fi
-Software

state (C)
 
-
fi
le (C, H)

C - content

H - hash(C)
 
TPM

2.0IMA trusted
boot

fi
fi
le

(C, H) 
verify H = H correct
fi
con
fi
-Software

state (C)
 
-
no update
fi
le (C, H)

C - content

H - hash(C)

no update
fi
le

(C, H) 
fi
le

(C’’, H’’)
 
verify H = H correct
fi
con
fi
-Software

state (C)
 
-
fi
le (C, H)

C - content

H - hash(C)
 
fi
modi
fi
es  
fi
le’s content

no update
fi
le

(C, H) 
fi
le

(C’’, H’’)
 
verify
verify H’’ ≠ H violation 
(true positive)
H = H correct
fi
con
fi
-Software

state (C)
 
-
fi
le (C, H)

C - content

H - hash(C)
 
fi
modi
fi
es  
fi
le’s content

fi
no update
fi
le

(C, H) 
fi
le

(C’’, H’’)
 
verify
(true positive)
H = H correct
fi
con
fi
-Software

state (C)
 
-
update
fi
le

(C’, H’)
 
fi
le (C, H)

C - content

H - hash(C)
 
modi
fi
es  
fi
le’s content

fi
no update
fi
le

(C, H) 
modi
fi
es  
fi
le’s content
fi
le

(C’’, H’’)
 
verify
(true positive)
H = H correct
fi
con
fi
-Software

state (C)
 
-
update
fi
le

(C’, H’)
 
verify H’ ≠ H violation 
(false positive)
fi
le (C, H)

C - content

H - hash(C)

modi
fi
es  
fi
le’s content
fi
no update
fi
le

(C, H) 
fi
le

(C’’, H’’)
 
verify
verify
H = H correct
H’’ ≠ H violation 
(true positive)
fi
con
fi
-Software

state (C)
 
-
update
fi
le

(C’, H’)
 
verify H’ ≠ H violation 
(false positive)
the problem addressed in this paper
fi
le (C, H)

C - content

H - hash(C)

- sanitization process- data
fl
ow -
fi
lesystem- TSR private signing key - TSR public signing key
repository

fl
ow -
fi
repository
software package:

apache2-2.4.46.apk

fl
ow -
fi
repository
software package:

apache2-2.4.46.apk
OSOS
 
OS
 
OS

OSOS
package manager
 
OS
fl
ow -
fi
repository
install
 
OS
package manager
software package:

apache2-2.4.46.apk

OSOS
package manager
 
OS
fl
ow -
fi
download 
packages
repository
software package:

apache2-2.4.46.apk

OSOS
package manager
 
OS
fl
ow -
fi
repository
install
software package:

apache2-2.4.46.apk

OSOS
package manager
 
OS
fl
ow -
fi
repository
install

OSOS
package manager
 
integrity-enforced OS
fl
ow -
fi
repository
TPM

2.0
extend
measure

OSOS
package manager
 
fl
ow -
fi
repository
install
TPM

2.0
measure
integrity

monitoring system
remote 
attestation
 
TPM

2.0

OSOS
package manager
 
fl
ow -
fi
install
TPM

2.0
measure
integrity

monitoring system
remote 
attestation
Trusted Software

Repository (TSR)
repository
trusted software

repository (TSR)

OSOS
package manager
 
fl
ow -
fi
install
TPM

2.0
measure
integrity

monitoring system
remote 
attestation
Trusted Software

Repository (TSR)
repository
trusted software

repository (TSR)
 
repository

OSOS
package manager
 
fl
ow -
fi
download 
packages
install
TPM

2.0
measure
integrity

monitoring system
remote 
attestation
Trusted Software

Repository (TSR)
repository
trusted software

repository (TSR)
sanitization mechanism

OSOS
package manager
 
fl
ow -
fi
download 
packages
install
TPM

2.0
measure
integrity

monitoring system
remote 
attestation
Trusted Software

Repository (TSR)
Trusted Execution Environment
repository
trusted software

repository (TSR)

OSOS
package manager
 
fl
ow -
fi
download 
packages
install
TPM

2.0
measure
integrity

monitoring system
remote 
attestation
Trusted Software

Repository (TSR)
Trusted Execution Environment
repository
trusted software

repository (TSR)
Intel SGX

OSOS
package manager
 
fl
ow -
fi
download 
packages
install
TPM

2.0
measure
integrity

monitoring system
remote 
attestation
Intel SGX
trusted software

repository (TSR)
mirror #1
mirror #2
mirror #3

OSOS
package manager
 
fl
ow -
fi
download 
packages
install
TPM

2.0
measure
integrity

monitoring system
remote 
attestation
Intel SGX
trusted software

repository (TSR)
mirror #1
software package:

apache-1.0.0.apk
apache-1.0.0
mirror #2
apache2-2.4.46
mirror #3
apache2-2.4.46
replay attack

OSOS
package manager
 
fl
ow -
fi
download 
packages
install
TPM

2.0
measure
integrity

monitoring system
remote 
attestation
Intel SGX
trusted software

repository (TSR)
mirror #1
apache is up to date
apache2-2.4.46
mirror #2
apache3-3.0.1
mirror #3
apache3-3.0.1
freeze attack

OSOS
package manager
 
fl
ow -
fi
download 
packages
install
TPM

2.0
measure
integrity

monitoring system
remote 
attestation
Intel SGX
trusted software

repository (TSR)
quorum
mirror #1
mirror #2
mirror #3
apache-1.0.0
apache2-2.4.46
apache2-2.4.46
software package:

apache2-2.4.46

Sanitization
A mechanism inside TSR that modi
fi
es packages to make them safe to be installed in
the integrity-enforced OS. Sanitization

• modi
fi
es installation scripts

• predicts OS con
fi
guration

• issues digital signatures

software package
package header
package control
package contents
con
fi
guration
fi
les,  
executables, libraries
-
provided by  
software maintainers
provided by OS  
distribution community
- -

software package digital signature: 011011…010101
package header
package control
package contents
con
fi
guration
fi
les,  
-
provided by  
provided by OS  
- -

software package certi
fi
es  
authenticity  
and  
integrity
digital signature: 011011…010101
package header
package control
package contents
meta-information:

name: “package”,

version: “0.1”,

dependencies: “openssl”,

…
pre/post installation & update scripts
con
fi
guration
fi
les,  
-
provided by  
provided by OS  
- -

fi
es  
authenticity  
and  
integrity
meta-information:


version: “0.1”,


hash: ‘c7a9f84bb5ac…987cce’
software-speci
fi
c
fi
les
certi
fi
es  
integrity
package header
package control
package contents
con
fi
guration
fi
les,  
-
provided by  
provided by OS  
- -

con
fi
guration
fi
les,  
-
provided by  
provided by OS  
- -
fi
es  
authenticity  
and  
integrity
meta-information:


version: “0.1”,


certi
fi
es  
integrity
package header
package control
package contents
software-speci
fi
c
fi
lessoftware-speci
fi
c
fi
les

fi
es  
authenticity  
and  
integrity
meta-information:


version: “0.1”,


software-speci
fi
c
fi
les
certi
fi
es  
integrity
package header
package control
package contents
con
fi
guration
fi
les,  
-
provided by  
provided by OS  
- -

Number of packages with and without custom con
fi
guration scripts in Alpine Linux main and community repositories.  
Some packages (Safe= ) contain scripts that break OS integrity

Operations performed by installation scripts located in software packages in Alpine Linux repositories. Some operations (Safe= ) break OS integrity. The last column ("TSR")
indicates which operations are safe after the sanitization. Filesystem changes - add/remove/modify folders, symbolic links, and their permissions. Empty scripts - conditional
checks, display information.

/etc/shadow

root:$6$UmJDHYmY80…18206:0:::::

bin:!::0:::::

daemon:!::0:::::
/etc/passwd

root:x:0:0:root:/root:/bin/ash

bin:x:1:1:bin:/bin:/sbin/nologin

daemon:x:2:2:daemon:/sbin:/sbin/
nologin
/etc/group

root:x:0:root

bin:x:1:root,bin,daemon

daemon:x:2:root,bin,daemon

Sanitization
1 scan all scripts in all packages

Sanitization
2 extract all user/group creation commands

Sanitization
3 predict con
fi
guration after executing all commands

Sanitization
3 predict con
fi
4 issue digital signatures of all
fi
les and predicted con
fi
guration
fi
les

Sanitization
5 modify all scripts so they:
3 predict con
fi
fi
fi
guration
fi
les

Sanitization
5 modify all scripts so they:
5a execute commands in the same order
5b install digital signatures
3 predict con
fi
fi
fi
guration
fi
les

Evaluation
• Time to sanitize a single package
• The performance overhead of tolerating compromised mirrors
• Time to sanitize all packages

• Main factors driving the sanitization time

• Impact of sanitization on the repository size

• Package access latency with pre-caching of sanitized packages

• End-to-end latency of software update

• The performance overhead of executing TSR inside SGX
see the paper 
for more results

101
102
103
104
10−2
10−1
100
101
Sanitization time [s]
Numberoffilesinsidepackage
Exceeds EPC
No Yes
0.1 1 10 100
uncompressed package size [MB]lower is
better
How much time does it take to sanitize a single package?

101
102
103
104
10−2
10−1
100
101
Exceeds EPC
No Yes
0.1 1 10 100
uncompressed package size [MB]
How much time does it take to sanitize a single package?

101
102
103
104
10−2
10−1
100
101
Exceeds EPC
No Yes
0.1 1 10 100

101
102
103
104
10−2
10−1
100
101
Exceeds EPC
No Yes
0.1 1 10 100
percentiles:

95th 
 
75th

50th

25th

5th
percentiles:

5th 25th 50th 75th 95th

101
102
103
104
10−2
10−1
100
101
Exceeds EPC
No Yes
0.1 1 10 100
EPC paging
percentiles:

95th 
 
75th

50th

25th

5th
percentiles:


101
102
103
104
10−2
10−1
100
101
Exceeds EPC
No Yes
0.1 1 10 100
Total time to sanitize all
 
pre-downloaded packages:

 
13 minutes

percentiles:

95th 
 
75th

50th

25th

5th
percentiles:


101
102
103
104
10−2
10−1
100
101
Exceeds EPC
No Yes
0.1 1 10 100
In practice, only a subset of
packages needs to be sanitized
between new update releases

percentiles:

95th 
 
75th

50th

25th

5th
percentiles:


what is the overhead of tolerating compromised mirrors?

Latency of downloading the repository index from TSR. TSR instance is deployed in Europe.
lower is
better

Trusted software repository:

• enables software updates for integrity-enforced OS

• introduces the sanitization process that allows supporting 99.76% of packages
available in the Alpine Linux repository

• tolerates a minority of software repository mirrors exhibiting Byzantine behavior
Summary

Summary
Thank you

wojciech.ozga@tu-dresden.de
Trusted software repository:

• enables software updates for integrity-enforced OS

• introduces the sanitization process that allows supporting 99.76% of packages
available in the Alpine Linux repository

• tolerates a minority of software repository mirrors exhibiting Byzantine behavior

A practical approach for updating an integrity-enforced operating system

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to A practical approach for updating an integrity-enforced operating system

Similar to A practical approach for updating an integrity-enforced operating system (20)

More from LEGATO project

More from LEGATO project (20)

Recently uploaded

Recently uploaded (20)

A practical approach for updating an integrity-enforced operating system