Xizhe Zhang,Yong Xie,Xuejia Lai,Shensheng Zhang,Zijian Deng

DOI: https://doi.org/10.1007/978-3-540-76843-2_39

2007-01-01

Abstract:This paper presents a unique multi-core security architecture based on EFI. This architecture combines secure EFI environment with insecure OS so that it supports secure and reliable bootstrap, hardware partition, encryption service, as well as real-time security monitoring and inspection. With this architecture, secure EFI environment provides users with a management console to authenticate, monitor and audit insecure OS. Here, an insecure OS is a general purpose OS such as Linux or Windows in which a user can perform ordinary jobs without obvious limitation and performance degradation. This architecture also has a unique capability to protect authentication rules and secure information such as encrypted data even if the security ability of an OS is compromised. A prototype was designed and implemented. Experiment and test results show great performance merits for this new architecture.

谢勇,来学嘉,张熙哲

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.22.061

2008-01-01

Abstract:The Extensible Firmware Interface(EFI)specification provides a standard environment for the program before booting an OS.This paper proposes a Dual-core EFI-based Security Architecture(DESA).EFI is a secure domain that is physically and logically separate,and performs several security components services such as real-time monitoring,co-processing and auditing.A prototype for virtual disk's secure access and real-time monitor is designed and implemented.Experimental results show that DESA can enhance performance and security improvements,and provide security services for OS with low performance cost.

Yajin Zhou,Xiaoguang Wang,Yue Chen,Zhi Wang

DOI: https://doi.org/10.1145/2660267.2660344

2014-01-01

Abstract:Software fault isolation (SFI) is an effective mechanism to confine untrusted modules inside isolated domains to protect their host applications. Since its debut, researchers have proposed different SFI systems for many purposes such as safe execution of untrusted native browser plugins. However, most of these systems focus on the x86 architecture. In recent years, ARM has become the dominant architecture for mobile devices and gains in popularity in data centers. Hence there is a compelling need for an efficient SFI system for the ARM architecture. Unfortunately, existing systems either have prohibitively high performance overhead or place various limitations on the memory layout and instructions of untrusted modules.In this paper, we propose ARMlock, a hardware-based fault isolation for ARM. It uniquely leverages the memory domain support in ARM processors to create multiple sandboxes. Memory accesses by the untrusted module (including read, write, and execution) are strictly confined by the hardware, and instructions running inside the sandbox execute at the same speed as those outside it. ARMlock imposes virtually no structural constraints on untrusted modules. For example, they can use self-modifying code, receive exceptions, and make system calls. Moreover, system calls can be interposed by ARMlock to enforce the policies set by the host. We have implemented a prototype of ARMlock for Linux that supports the popular ARMv6 and ARMv7 sub-architecture. Our security assessment and performance measurement show that ARMlock is practical, effective, and efficient.

XIE Yong,LAI Xue-jia,DENG Zi-jian

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.08.062

2007-01-01

Abstract:In order to solve the limitations and difficulties of traditional PC BIOS, Intel has proposed Extensible Firmware Interface (EFI) Specifications. As the next generation of BIOS, EFI provides a standard environment for booting an OS. This paper gives a brief introduction of EFI, takes a closer look at some security issues in EFI, and analyzes its security architecture. Moreover, some key factors that have to be taken into account in a secure EFI environment are proposed.

Rui Chang,Liehui Jiang,Wenzhi Chen,Yaobin Xie,Zhongyong Lu

DOI: https://doi.org/10.23919/tst.2017.8030534

2017-01-01

Tsinghua Science & Technology

Abstract:The run-time security guarantee is a hotspot in current cyberspace security research, especially on embedded terminals, such as smart hardware as well as wearable and mobile devices. Typically, these devices use universal hardware and software to connect with public networks via the Internet, and are probably open to security threats from Trojan viruses and other malware. As a result, the security of sensitive personal data is threatened and economic interests in the industry are compromised. To address the run-time security problems efficiently, first, a TrustEnclave-based secure architecture is proposed, and the trusted execution environment is constructed by hardware isolation technology. Then the prototype system is implemented on real TrustZone-enabled hardware devices. Finally, both analytical and experimental evaluations are provided. The experimental results demonstrate the effectiveness and feasibility of the proposed security scheme.

Manting Shen,Yinyan Yu,Zhi Tang,Xiaoyu Cui

DOI: https://doi.org/10.1109/compsac.2016.56

2016-01-01

Abstract:Sensitive information leakage in files is one of the biggest concerns in people's life. Considering this situation, people have designed lots of tools to protect sensitive files. However, these specialized tools are not applicable when the user amount is small. This paper proposes a novel light-weight mechanism that provides efficient and fast cryptographic-based file protection to meet the need of small organizations. The highlights are its ability to provide protection for all types of files, and the usage of an efficient access control approach for file sharing. Operations in the directory are monitored in real time and files are protected automatically. Moreover, encryption keys are generated and well preserved by a hierarchical key generation algorithm. For further estimation, we conducted experiments and analyzed the security and performance of our mechanism as well as other file protection software, and then we made a comparison among them. Experimental results show that our mechanism performs well both in security and performance and outperforms those other file protection software when applied in small organizations.

Junqing Wang,Miao Yu,Bingyu Li,Zhengwei Qi,Haibing Guan

DOI: https://doi.org/10.1145/2245276.2232063

2012-01-01

Abstract:One of the most fundamental issues in computer security is protecting sensitive files from unauthorized access. Traditional file protection tools run inside the target operating system, which hosts sensitive files. This makes previous approaches vulnerable in face of a compromised OS. To address this limitation, recent approaches seek for a good isolation by putting file system into a dedicated virtual machine or by using a network file system. However, they suffer a sharp increase in trusted computing base size which degrades their reliability. In this paper, we present Filesafe, a special purpose hy-pervisor aimed at protecting sensitive files in a compromised operating system. It bridges the semantic gap between guest OS and hypervisor by reconstructing file hierarchy from raw data, which incurs no runtime overhead. By enforcing security policies created in hypervisor, Filesafe could prevent sensitive files from unauthorized access even if they have kernel privileges in guest OS. We have implemented a proof-of-concept prototype on Windows XP with FAT32 file system. Furthermore, we evaluate Filesafe's performance and code size to demonstrate it is practical in real world scenarios.

Ofir Shwartz,Yitzhak Birk

DOI: https://doi.org/10.48550/arXiv.1803.03951

2018-03-11

Abstract:In this work we present the Secure Machine, SeM for short, a CPU architecture extension for secure computing. SeM uses a small amount of in-chip additional hardware that monitors key communication channels inside the CPU chip, and only acts when required. SeM provides confidentiality and integrity for a secure program without trusting the platform software or any off-chip hardware. SeM supports existing binaries of single- and multi-threaded applications running on single- or multi-core, multi-CPU. The performance reduction caused by it is only few percent, most of which is due to the memory encryption layer that is commonly used in many secure architectures. We also developed SeM-Prepare, a software tool that automatically instruments existing applications (binaries) with additional instructions so they can be securely executed on our architecture without requiring any programming efforts or the availability of the desired program`s source code. To enable secure data sharing in shared memory environments, we developed Secure Distributed Shared Memory (SDSM), an efficient (time and memory) algorithm for allowing thousands of compute nodes to share data securely while running on an untrusted computing environment. SDSM shows a negligible reduction in performance, and it requires negligible and hardware resources. We developed Distributed Memory Integrity Trees, a method for enhancing single node integrity trees for preserving the integrity of a distributed application running on an untrusted computing environment. We show that our method is applicable to existing single node integrity trees such as Merkle Tree, Bonsai Merkle Tree, and Intel`s SGX memory integrity engine. All these building blocks may be used together to form a practical secure system, and some can be used in conjunction with other secure systems.

Cryptography and Security,Hardware Architecture,Distributed, Parallel, and Cluster Computing,Operating Systems

Yuanyuan Zhang,Dawu Gu,Fangyong Hou,Mengqi Zeng,Tao Cheng

DOI: https://doi.org/10.1080/15501320802575161

IF: 1.938

2009-01-01

International Journal of Distributed Sensor Networks

Abstract:Propose a secure architecture for embedded systems by adding a secure engine to processors. This secure engine provides data confidentiality and integrity, which ensures data cannot be comprehended and modified outside CPU or SoC. Galois/Counter Mode is introduced in our secure engine, which can generate ciphertext and its message authentication code(MAC) simultaneously. Moreover, we introduce several schemes to reduce memory latency and prompt system performance. Evaluation results reveals that our scheme advances in both security and performance than former security architectures for embedded systems.

Mengqi Zeng,Dawu Gu,Fangyong Hou,Yuanyuan Zhang,Tao Cheng

DOI: https://doi.org/10.1109/NAS.2009.70

2009-01-01

Abstract:Self-securing storage devices prevents intruders from undetectably tampering with or permanently deleting stored data. To accomplish this, we design an efficient self-securing disk architecture, which is based on traditional self-securing storage prototype S4: 1) On the confidentiality protection side, authenticated encryption mode GCM is adapted to process disk block in parallel ,and authentication latency is overlapped with disk access latency so that our scheme is more efficient and secure than Windows BitLocker. 2) On the integrity protection side, GHASH proposed in GCM is used to generate MAC which is more efficient than SHA-1, MD5. Moreover, ldquoMinimum Integrity Verification Treerdquo is put forward to decrease performance loss at a maximum. 3) On the access control protection side, we propose a cryptographically featured capability based access control model, which is based on existing OSD access control model. We use hybrid hard drive as an instance to build a self-securing disk prototype which is implemented by simulation. The encryption/authentication overheads are significantly reduced due to buffer techniques and combined GCM/Flash scheme. According to the simulation results, the performance overhead is less than 18%, which is efficient and practical.

Wei Hu,Tianzhou Chen,Zhenjie He,Qingsong Shi

2007-01-01

WSEAS TRANSACTIONS ON INFORMATION SCIENCE AND APPLICATIONS

Abstract:Information security, which covers a wide scope in application and research, has become a mainstream issue to protect the sensitive data. Meanwhile, firmware technology is experiencing a revolution, as the newly emerged EFI is replacing legacy BIOS. This paper gives an introduction to the challenges involved in securing EFI/Tiano framework, and discusses a set of principles as well as a method to design an efficient scalable cryptographic library for cryptographic protocols.

Lei Liu,Mingwei Cao,Yeguo Sun

DOI: https://doi.org/10.1371/journal.pone.0258464

IF: 3.7

2021-12-15

PLoS ONE

Abstract:E-documents are carriers of sensitive data, and their security in the open network environment has always been a common problem with the field of data security. Based on the use of encryption schemes to construct secure access control, this paper proposes a fusion data security protection scheme. This scheme realizes the safe storage of data and keys by designing a hybrid symmetric encryption algorithm, a data security deletion algorithm, and a key separation storage method. The scheme also uses file filter driver technology to design a user operation state monitoring method to realize real-time monitoring of user access behavior. In addition, this paper designs and implements a prototype system. Through the verification and analysis of its usability and security, it is proved that the solution can meet the data security protection requirements of sensitive E-documents in the open network environment.

multidisciplinary sciences

Mei Hong,Hui Guo

DOI: https://doi.org/10.1007/978-3-642-17569-5_36

2010-01-01

Abstract:This paper presents a security design for embedded systems that have a secure on-chip computing environment and an insecure off-chip memory. The design protects the confidentiality and integrity of data at a low cost on performance and memory consumption. We implemented the design based on the SimpleScalar simulation software. Our simulation on a set of benchmarks shows that very little overhead is incurred for on-chip memory, and the average overheads on performance and off-chip memory, are only 7.6% and 6.25%, respectively.

邓子健,来学嘉,何大可

DOI: https://doi.org/10.3969/j.issn.1001-3695.2009.01.108

2009-01-01

Abstract:This paper proposed a DRM terminal based on extensible firmware interface and dual-core.This platform could meet most security requirement of DRM,especially preventing the REK and decrypted content object bing leaked to consumer.Under the control of this architecture,shawed the detail of play process.Also gave a download model that protected the right issue from obtaining the sensitive information from the right object generated by content provider in semi-distributed P2P network.Finally,compared a performance of AES between Linux platform and EFI platform.This DRM terminal is a new way to carry out the DRM strategy.

Luo Hui,Guan Haibing,Bai Yingcai

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.08.062

2007-01-01

Abstract:Secure network file system can secure the stored data and provide confidence and integrity in opening environment.It should consider such factors as security,performance and convenience when designing a secure file system.The design and implementation of a secure network file system:SecNFS,including its design idea,system architecture,key management,security analysis,share schema and implementation techniques is described.

LIN Hao-xiang,DONG Yuan,ZHANG Wei,ZHANG Su-qin,HU Chang-jun

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.01.026

2007-01-01

Abstract:Recently it has been a focus to protect personal sensitive information. Using cryptographic technique is a promising way. This paper describes the design and implementation of Waycryptic, a versatile cryptographic file system for Linux. By integrating cryptographic technique into file system level, users obtain transparent, dynamic, efficient and secure encryption function without modifying their applications. Encrypted files could be saved on any physical file system which supports extended attributes (XATTR). Waycryptic also permits encrypted files to be shared among multi users and to be easily recovered by designating an account in advance. The results of Iozone and Bonnie benchmarks show that Waycryptic is comparatively efficient and is suitable for personal or multi-user systems which require enhanced security.

genxian liu,xi zhang,dongsheng wang,zhenyu liu,haixia wang

DOI: https://doi.org/10.1007/978-3-662-43908-1_1

2014-01-01

Abstract:Security is a crucial element of information systems. Extensive research for cryptographic algorithms that provide the sound theoretical basis of security. Among them security and integrity of memory has been a longstanding issue in trusted system design. Main memory is a critical component of all computing systems. Most of those systems are vulnerable to memory attacks, in which an attacker gains physical accesses to the unattended hardware, obtains the decryption keys from memory. We propose a method for protecting memory systems against attacks with hardware authentication and full memory encryption. The method is secure against all known type of memory attack. We have tested the method with software simulator and Field Programmable Gate Array (FPGA) platform. The results show that the method can authenticate and encrypt the contents of DRAM with 2.5 % performance penalties.

FU Si-yuan,LIU Gong-shen,LI Jian-hua

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.09.035

2012-01-01

Abstract:Unified Extensible Firmware Interface(UEFI) faces a grim challenges of malicious code attack.The traditional computer security software can not provide security for the firmware and operating system boot process.In order to solve the problem,this paper designs a malicious code defense system based on UEFI firmware.By using the multi-pattern matching algorithm,a signature detecting engine under UEFI environment is implemented,which provides functionally of malicious code detect,boot option analysis and firmware and operating system kernel backup.Experimental results prove that the system can effectively resist malicious code with small code size and low costs to meet the firmware's need of flash size and fast boot.

Roshan G. Ragel,Jude A. Ambrose,Sri Parameswaran

DOI: https://doi.org/10.48550/arXiv.1511.01946

2015-11-06

Abstract:Security of embedded computing systems is becoming of paramount concern as these devices become more ubiquitous, contain personal information and are increasingly used for financial transactions. Security attacks targeting embedded systems illegally gain access to the information in these devices or destroy information. The two most common types of attacks embedded systems encounter are code-injection and power analysis attacks. In the past, a number of countermeasures, both hardware- and software-based, were proposed individually against these two types of attacks. However, no single system exists to counter both of these two prominent attacks in a processor based embedded system. Therefore, this paper, for the first time, proposes a hardware/software based countermeasure against both code-injection attacks and power analysis based side-channel attacks in a dual core embedded system. The proposed processor, named SecureD, has an area overhead of just 3.80% and an average runtime increase of 20.0% when compared to a standard dual processing system. The overhead were measured using a set of industry standard application benchmarks, with two encryption and five other programs.

Hardware Architecture

DAI Xing-ke,SHE Kun,SHANG Qing-hong

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.08.055

2007-01-01

Abstract:A method based on file system filter driver to achieve the security of confidential data storage in the windows environment is proposed. The method can be used for confidential data encryption and decryption, and this process for legitimate users is real-time and transparent. It can be also used to control the visit to the files in detail. All operations on confidential files are logged. Compared with other methods, all of the above are realized in the kernel state. This method is comparatively safe and unrelated to the specific application.