
Terra: a virtual machine-based platform for trusted computing

Tal Garfinkel, Ben Pfaff, Jim Chow, Mendel Rosenblum, and Dan Boneh. Terra: a virtual machine-based platform for trusted computing. In Proceedings of the nineteenth ACM symposium on Operating systems principles, pages 193--206. ACM Press, 2003.

Mini-review due Thursday, 4/14

Comments

1. Summary
The authors introduce a system for trusted computing, a Trusted Virtual Memory Monitor (TVMM) called Terra, that partitions tamper-resistant hardware into multiple VMs. The need arose from trying to isolate applications that require different security levels and use the same system. User policies are used for VM management, attestation is done via signatures, and the lower layers certify higher ones: TPM -> Firmware -> Boot Loader -> TVMM -> VM -> Application; each software layer has a unique keypair, and certificate revocation is implemented. It was concluded that the closed-box VM abstraction is the basis of a general-purpose trusted computing platform.

2. Questions
How exactly does revocation work? How is the hardware platform made tamper-resistant?
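
The certificate chain described in the summary above (hardware key, then firmware, boot loader, TVMM, VM and application, with each layer holding its own keypair and certifying the layer it loads, plus revocation) can be modelled end to end. The following Go program is an added example written for this page; it is not code from the paper or from the Terra prototype. It stands in Ed25519 for whatever signature scheme the hardware actually uses, and the layer names, image bytes, and the functions `Certify`, `Verify` and `BuildDemoChain` are all constructed for the illustration. The remote verifier starts from the trusted hardware public key only, checks each signature with the key certified one level below, compares each image hash against its table of known-good versions, and refuses any key on its revocation list.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Layers in the order the summary describes: each lower layer certifies the next.
// Names and image contents are constructed for this example.
var layers = []string{"firmware", "bootloader", "tvmm", "vm", "application"}

// Cert is one link of the attestation chain: the certifying (lower) layer signs
// the hash of the next layer's image together with that layer's public key.
type Cert struct {
	Name      string
	ImageHash [sha256.Size]byte
	PubKey    ed25519.PublicKey // key the certified layer uses to certify its successor
	Sig       []byte
}

// certBody is the byte string that gets signed; a NUL separates name from hash.
func certBody(name string, hash [sha256.Size]byte, pub ed25519.PublicKey) []byte {
	var b bytes.Buffer
	b.WriteString(name)
	b.WriteByte(0)
	b.Write(hash[:])
	b.Write(pub)
	return b.Bytes()
}

// Certify is what a lower layer does when it loads the next one: measure the
// image and sign the measurement plus the next layer's public key.
func Certify(signer ed25519.PrivateKey, name string, image []byte, next ed25519.PublicKey) Cert {
	h := sha256.Sum256(image)
	return Cert{Name: name, ImageHash: h, PubKey: next, Sig: ed25519.Sign(signer, certBody(name, h, next))}
}

// Verify is the remote party's check. It walks upward from the trusted hardware
// key, verifying each signature with the previous layer's key, comparing each
// image hash against a table of known-good images, and refusing revoked keys.
func Verify(root ed25519.PublicKey, chain []Cert, knownGood map[string][sha256.Size]byte, revoked map[string]bool) error {
	if len(chain) != len(layers) {
		return errors.New("incomplete attestation chain")
	}
	if revoked[string(root)] {
		return errors.New("hardware key revoked")
	}
	signer := root
	for i, c := range chain {
		if c.Name != layers[i] {
			return fmt.Errorf("layer %d: expected %s, got %s", i, layers[i], c.Name)
		}
		if !ed25519.Verify(signer, certBody(c.Name, c.ImageHash, c.PubKey), c.Sig) {
			return fmt.Errorf("layer %s: signature does not verify under the lower layer's key", c.Name)
		}
		if want, ok := knownGood[c.Name]; !ok || want != c.ImageHash {
			return fmt.Errorf("layer %s: image hash is not a known-good version", c.Name)
		}
		if revoked[string(c.PubKey)] {
			return fmt.Errorf("layer %s: key revoked", c.Name)
		}
		signer = c.PubKey // this layer's key certifies the next one
	}
	return nil
}

// Demo bundles a freshly built chain with the verifier's known-good table and the
// per-layer private keys (kept only so the example can re-certify a tampered image).
type Demo struct {
	Root      ed25519.PublicKey
	Chain     []Cert
	KnownGood map[string][sha256.Size]byte
	Keys      map[string]ed25519.PrivateKey
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildDemoChain plays every layer in turn, from the hardware key upward.
func BuildDemoChain() Demo {
	rootPub, rootPriv := mustKey()
	d := Demo{Root: rootPub, KnownGood: map[string][sha256.Size]byte{}, Keys: map[string]ed25519.PrivateKey{"hardware": rootPriv}}
	signer := rootPriv
	for _, name := range layers {
		image := []byte("constructed image bytes for " + name) // placeholder binary
		pub, priv := mustKey()
		d.Chain = append(d.Chain, Certify(signer, name, image, pub))
		d.KnownGood[name] = sha256.Sum256(image)
		d.Keys[name] = priv
		signer = priv
	}
	return d
}

func main() {
	d := BuildDemoChain()
	fmt.Println("genuine chain:", Verify(d.Root, d.Chain, d.KnownGood, nil))
	// A patched VM image is honestly measured by the TVMM, so the chain still
	// verifies cryptographically but the hash is not in the known-good table.
	tampered := append([]Cert(nil), d.Chain...)
	tampered[3] = Certify(d.Keys["tvmm"], "vm", []byte("patched vm image"), d.Chain[3].PubKey)
	fmt.Println("patched VM:   ", Verify(d.Root, tampered, d.KnownGood, nil))
}
```

Two design points are worth noticing. The verifier never trusts anything but the hardware public key and its own known-good table, so a modified VM image is caught even though every signature in the chain is valid: the TVMM below it measures the image as loaded, and the verifier rejects the measurement. Revocation is simply a lookup on the certified public key at each level, which is why the reviews note that a compromised hardware key has to be revoked rather than patched around.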

Summary: The authors in this paper present the idea of trusted computing and also present Terra, an implementation of an architecture based on this idea and trusted virtual machines (TVMM). The issues in commodity systems are poor isolation and absence of trust between application and user. Terra, on the other hand, is a secure, trusted and virtualized computing platform that overcomes these issues. A tamper-resistant general-purpose platform is partitioned in Terra to facilitate the running of both open-box and closed-box VMs, which provides flexibility to applications in terms of their security needs. The TVMM provides attestation capabilities and a trusted path, and in combination with the hardware acts as a trusted party that allows VMs to present the software they run to remote entities using cryptographic mechanisms. The authors also evaluate Terra by using a varied range of applications.

Confusion: The attestation process in more detail, especially certificate signing? The effect of TVMMs on performance?

1. Summary
The paper presents an architecture for trusted computing called Terra which allows applications of different security requirements to run simultaneously. Terra uses trusted virtual machine monitors to partition a hardware platform into multiple, isolated virtual machines. This provides the semantics of running on a separate, dedicated hardware platform (for closed systems) while running side by side with normal applications (open systems). Terra provides a hardware interface, allowing an application designer to completely specify what software runs inside a VM based on the security, compatibility and performance desired.

2. Confusion
What is tamper free hardware? What are the limitations in commodity OS that limit security and isolation? Could you discuss the steps of attestation in detail?

The paper presents a trusted VMM that partitions a tamper-resistant hardware platform into multiple isolated virtual machines (VMs), providing the appearance of multiple boxes on a single general-purpose platform. This is done to provide two platforms: an "open" general-purpose platform like today's PCs and a "closed box", an opaque special-purpose platform that protects the privacy and integrity of its contents.

Confusion:
Are VMMs used for mobile devices? Is this approach used in real world?

Summary
This paper describes Terra, which is a flexible architecture for trusted computing. The main aim of Terra is to allow applications with different security requirements to run simultaneously on commodity hardware. Initially, the authors describe the shortcomings of commodity hardware (such as poor isolation, no mechanism to establish trusted paths, etc.) to motivate the need for a new solution to achieve the aforementioned goal. The authors then proceed to describe Terra's architecture (mainly consisting of a VMM and a Management VM). One of the key features of the VMM is the way it provides attestation all the way up the software stack via the use of certificate chains. Lastly, the authors come up with a prototype and give details of running applications such as Quake and TAPs.

Confusion
Terra claims that its ability to run an application-specific operating system aids in application assurance. However, didn't any other VMM prior to this work also allow an application-specific OS? Also, it would be great if we could walk through the attestation process in class.

1. Summary
In this paper the authors present a flexible architecture for trusted computing, called Terra, that allows applications with a wide range of security requirements to run simultaneously on commodity hardware. Terra allows applications to run in isolation virtually as if they were running on a separate, dedicated, tamper-resistant hardware platform, while retaining the ability to run applications side-by-side with other normal applications on a general-purpose computing platform. By use of a trusted virtual machine monitor, Terra provides the appearance of multiple boxes on a single, general-purpose platform with the semantics of either an open box, i.e. a general-purpose hardware platform, or a closed box, an opaque special-purpose platform.

2. Confusion
* It seems that the security model assumes “trusted” clients (e.g. network cards). How much trust should you export to “trusted” client?
* With the bulky overhead of the TVMM, how feasible is it in today’s systems requiring low latency and high throughput?

Summary:
The paper talks about Terra, which is based on a trusted virtual machine monitor (TVMM) and allows applications possessing a wide range of security requirements to run simultaneously on commodity hardware. The TVMM partitions the hardware platform into multiple isolated virtual machines so that it looks like multiple boxes on a single general-purpose platform. The TVMM provides two modes of VM: an open box, a general-purpose hardware platform like today's, and a closed box, which provides a specialized platform that itself protects the privacy and integrity of its contents. Techniques like attestation inform the server about the integrity of clients.

Confusion:
Could we briefly discuss the hardware support in Terra?

Summary
Commodity operating systems provide weak isolation guarantees between processes, so it is difficult to provide integrity guarantees about individual applications. The authors present Terra, a virtual machine platform, in which a trusted virtual machine monitor can separate applications by their security requirements; general-purpose systems can run in an open VM, while secure systems with a specialized software stack can run in a "closed-box" VM. Each VM can interact with the TVMM and hardware layer to obtain cryptographically signed attestations to their integrity, to enable validated communications with other parties.

Confusion
Mutable storage is not easily attestable for obvious reasons. However, an attestable VM with unattestable storage has an obvious target for placing a persistent malicious payload. Is this actually a practical concern for Terra?

Summary
This paper describes Terra, a flexible architecture for trusted computing that allows applications with a wide range of security requirements to run simultaneously on commodity hardware. To achieve this, it uses a trusted virtual machine monitor (TVMM) that partitions a tamper-resistant hardware platform into multiple, isolated virtual machines. The TVMM provides the semantics of either an "open box" for a general-purpose hardware platform or a "closed box" for special-purpose platforms, which provide capabilities like root secure, attestation and trusted path.

Confusion
How does attestation work?

Summary
Terra puts forward a trusted computing architecture that leverages virtualization to provide both resource isolation and security, through layers of management and the TVMM respectively. It partitions a tamper-resistant general-purpose platform to run both open-box and closed-box VMs such that applications can tailor their security needs. Apart from the flexibility and benefits of traditional VMMs, the TVMM provides the capabilities of attestation, which allows an application to authenticate itself, and trusted path, a secure channel between user and VMs. The hardware and TVMM act as a trusted party to allow closed-box VMs to cryptographically identify the software they run to remote parties. They explore their design in their prototype, Terra, and use it to develop and test various applications.
Confusion
Is the architecture practical in terms of hashing all the state information of the entire stack? Why does the TVMM find it complex to provide similar techniques to secure against device drivers? Will the underlying hardware still be termed commodity?

1. Summary
The paper presents the design of "Terra", which uses a trusted virtual machine monitor (TVMM) to provide multiple secure virtual machines (both open-box VMs and closed-box VMs) on a single tamper-resistant, general-purpose platform. Through a process called attestation, Terra allows a closed-box VM to authenticate itself to remote parties using a chain of cryptographically signed certificates. It also allows each of its VMs to modify its software stack to suit its security needs.

2. Confusions
Are there any real world examples of compromises on hardware private keys as mentioned in “Revocation” section?
What are examples of poor isolation in OSes?

Summary:
The paper describes the problems in current computing platforms and provides a flexible architecture for trusted computing called Terra. Commodity systems: poor isolation, absence of trust between users and apps. Terra: a secure, trusted and virtualized computing platform. Applications run on Terra with the semantics of an open-box platform or a closed-box platform on top of dedicated tamper-resistant hardware. The TVMM (Trusted Virtual Machine Monitor) virtualizes and isolates the virtual machines on the hardware. The TVMM provides attestation and has "root secure". Applications are flexible to choose their security requirements and software stack on their VM. The Management Virtual Machine manages high-level resource allocation and management.

Confusion:
Where is secure hardware used nowadays? How is the private key stored securely? Management VM in detail?

Summary
This paper presents the design and implementation of Terra, an architecture for trusted computing using a trusted virtual machine monitor (TVMM). Given tamper-resistant physical hardware, Terra can provide an abstraction of a "closed-box" VM that implements the semantics of a closed-box platform, in addition to the general-purpose VM abstraction of an "open box". By introducing the new capabilities of secure root, attestation and trusted path, Terra enables a wide range of applications with different security requirements to run simultaneously on the same commodity hardware, where each application can be tailor-made to suit its own specific security, performance or design requirements.

Confusion
What does signing a certificate mean in the attestation process and how are public/private cryptographic keys used for verification at remote server?

Summary
Terra is a flexible software architecture that attempts to resolve the conflict between the cost of privacy and integrity assurance in a closed-box platform and the advantages and rich functionality of a general-purpose open-box platform through a combination of hardware and operating system mechanisms. By using a Trusted Virtual Machine Monitor (TVMM), Terra partitions a tamper-resistant hardware platform to form multiple isolated VMs, which enables special-purpose standalone applications to run side-by-side with legacy applications. Further, by using attestation and building a certificate chain, the TVMM allows applications to cryptographically authenticate the software stack to third parties.
Confusion
How are chips and hardware made tamper-resistant? How can an attacker attempt to extract the private key from such tamper-resistant hardware? Other than revocation, what can be done to prevent/control such attacks?

1. Summary
This paper describes Terra, a trusted virtual machine monitor with a management VM, that can run either "open" virtual machines, which function like normal, insecure operating systems, or "closed" virtual machines, which protect the integrity and security of the software running in it. "Closed" virtual machines use attestation, which builds a certificate chain from the hardware up to the VM.
2. Confusion
This paper seems to depend on secure hardware. Could you describe how this differs from normal hardware and describe general systems techniques for working with it?

Summary
This paper describes the notion of trust and how it is aggravated on current platforms. The authors describe Terra, a flexible architecture that allows applications with diverse security requirements to run harmoniously on commodity hardware. The system leverages the use of a VMM, adds new capabilities like root-security, attestation and trusted path to build a trusted VMM (TVMM), and exposes both open-box (general-purpose) and closed-box (isolated and trusted) VM abstractions which possess different semantics. The paper also describes attestation in great detail to illustrate how trust and identities are established. The authors additionally describe their prototype to demonstrate the features provided by Terra.

Confusion
What are the performance implications associated with this model?
Details on curtained memory and device-driver domains would help clear some confusion.
More details about SELinux and AppArmor would be interesting.

Summary
This paper talks about a solution to achieving flexible trusted computing by using a Trusted Virtual Machine Monitor (TVMM), which gives the virtual machine clients the freedom to implement either open-platform applications, to take advantage of the existing code base and functionality, or closed-platform applications that do not expose system resources to the users, to achieve better security and tamper resistance.
Confusion
Can we go over the steps of attestation and how it achieves confidentiality for closed-form VMs?

1. Summary
The paper discusses the issue of a lack of a trusted computing platform, with various vendors opting for closed-box solutions such as cellphones for applications that require a high degree of assurance and security. These applications are not able to coexist on a commodity OS with regular applications due to the lack of isolation between applications. The authors tackle this issue by introducing a Trusted Virtual Machine Monitor (TVMM). This imposes strict isolation between applications as a traditional VMM does, along with providing authorization capabilities using tamper-proof hardware to provide attestation facilities using a series of signed certificates similar to those used online. The system supports both closed-box simplified OSs as well as commodity OSs executing concurrently on the same platform with minimal overhead. The authors implement a prototype TVMM and build applications such as Quake and Trusted Access Points to demonstrate ideal use cases of such a computing platform.
2. Confusion
I am not sure how the users' privacy can be protected when each processor/computer is stamped with its own private key. The method outlined in the paper is not clear to me.

Summary
The paper presents a flexible architecture, Terra, that allows applications with a wide range of security requirements to run simultaneously. This is achieved through the use of a trusted virtual machine monitor (TVMM). The TVMM allows each VM to run in an isolated environment by providing the semantics of an open box or a closed box. Thus, a VM could tailor its software stack as per its security requirements with the help of tamper-free hardware and the TVMM.

Confusion
What is tamper-free hardware all about?

Summary
What ?
Terra. Flexible architecture for Trusted Computing.
Abstraction provided - Applications get the semantics of running on a dedicated, tamper-resistant hardware platform.
Open box - semantics of a General Purpose hardware platform.
Closed box - opaque special purpose platform.
Software stack in each vm can be tailored for the application from the hardware interface up.
e.g. Thin high perf OS for games, highly secure OS for email
Attestation - can attest to remote peer that VM is protected.
e.g. Quake - modified to allow cheats. Can be distributed as a closed-box VM, with remote attestation to show that it isn't changed.

How ?
Trusted Virtual Machine Monitor (TVMM).
Management VM - User Policies for allocation and managing resources.
Attestation - Signatures
Each layer of software has a keypair.
Lower levels attest higher levels.
Revocation, versions.

Confusion
Real world usage?
Alternatives?

Summary
The paper presents Terra, a virtual machine based simple and flexible architecture for trusted computing on commodity hardware. Terra allows applications to run either with the semantics of an "open box" general-purpose platform like workstations and PCs, or like those of a specialized "closed box" platform with dedicated tamper-resistant hardware like cellular phones, game consoles and ATMs. It has a trusted virtual machine monitor (TVMM), which is a high-assurance virtual machine monitor that partitions a single tamper-resistant, general-purpose platform into multiple isolated virtual machines. Terra allows applications to tailor the software stack in each VM, from the hardware interface up, according to their security, compatibility and performance requirements. The TVMM provides basic services like support for running multiple VMs simultaneously, while a special VM called the management VM is responsible for higher-level resource allocation and management. In Terra, remote parties can identify the software they are running via cryptographic authentication. The paper discusses the prototype implementation of Terra and how it was tested with a closed-box version of "Quake II" known as "Trusted Quake".
Confusions
I could not understand the abstraction of the TVMM and how exactly another VM acts as the management VM.

Summary
This paper proposes an architecture called Terra to satisfy the need to deploy systems with different security requirements and allow different applications to run on different systems based on their security requirements. The paper starts by explaining the problems with the current state of commodity systems (poor isolation, no trusted path between users and applications, etc.). They then explain its architecture diagram, components and security model. The VMM used here, called the TVMM, supports both open- and closed-box VMs (enforcing security guarantees). The TVMM is also responsible for aiding in attestation (certificate assigning, removal) and VM identity, i.e. verifying that the binary image belongs to the correct software and is a valid version. Terra also has a management VM (separate responsibilities) responsible for allocating and managing resources. Finally they explain their experiences in using their prototype on a commercial online game (Quake) and trusted access points.

Confusion
Has anyone been able to provide (after the release of the paper) the same level of security without using a chain of certificates? Is there a better method? I did not understand how sealed storage works, how can a coprocessor unseal data which was encrypted by TPM?

Summary
The paper explains the implementation details of a Trusted Virtual Memory Monitor called Terra which allows operating systems running in VMs to decide their security and compatibility, where each VM is isolated from the others. The paper explains implementation details of "attestation," the mechanism used to cryptographically identify the contents of closed-box VMs to remote parties. The paper also provides the details of the implementation of a prototype and its testing with the gaming application Quake.
Confusion
Could you please explain how the revocation procedure works?
And where in industry is it being used?

Summary
The paper describes Terra, a trusted computing platform that relies on virtualization to allow applications with differing security requirements to co-exist on the same machine. The Terra architecture relies on the Trusted Virtual Machine Monitor (TVMM) to provide basic services for Virtual Machine (VM) isolation, for running "open-box" VMs for general-purpose applications executing on commodity operating systems, and also for running "closed-box" VMs with customized software stacks to meet the strict security requirements of the security-critical applications executing within them. The TVMM provides enhanced authentication and security services to closed-box VMs by using the attestation technique and tamper-resistant hardware, which allow the applications running in these VMs to reliably identify themselves to remote parties. A management VM is responsible for VM-level resource allocation and management.

Question / confusion
1. The paper initially mentions that it wants both open-box and closed-box VMs to be able to run on a TVMM that runs on general-purpose commodity hardware, but successive sections (especially section 4.6) indicate that Terra would require specialized hardware support in various forms. These hardware support requirements were justified on the claim that commodity hardware would soon incorporate them, or that these features could be easily integrated into commodity hardware. Did this claim turn out to be true? If so, to what extent?

Summary
This paper is about the design of a trusted computing platform called Terra, which allows applications with variable security requirements to run together. This is achieved through a trusted virtual machine monitor (TVMM) which facilitates isolation, different security semantics for virtual machines such as 'open box' (general purpose) and 'closed box' (contents protected), and applications authenticating each other through remote attestations. The authors have developed a prototype called Trusted Quake, an online multiplayer game, and evaluated the features of Terra.

Confusions
How do virtualizable hardware platforms minimize the overhead of virtualization and ensure security?

1. Summary
The authors have come up with a Trusted VMM (which consists of a VMM layer between the hardware and the VMs) and a management VM. The TVMM provides two modes of operation: Closed Box, which gives security similar to running a VM on an isolated machine, and Open Box mode, analogous to a traditional virtual box. The Management VM defines the policy which the TVMM enforces. It also provides techniques such as attestation to inform the server about the integrity of the client. Through their design the authors were able to provide a solution for running trusted and untrusted VMs on the same physical machine.

2. Confusion
I would like to discuss more about scenarios where a VM may interfere with another VM’s security?

Summary
The paper talks about creating a secure computing environment using virtualization. They propose a trusted VMM design called Terra. The idea is to run a trusted application in its own secure VM alongside one or more open commodity OS VMs. Firstly, this provides isolation to the secure application and gives it the flexibility to run on a specialized OS. Secondly, the design provides a means of authenticating the application to a remote server and a user. Attestation using digital certificates is used to authenticate an application and the underlying system software stack to a remote server. Terra maintains a signed hash of all secure VM images which are verified at boot time. The VMM also provides an attestation interface for additional software in the secure VM. The secure application is authenticated to the user by a secure UI interface proposed in the paper. Lastly, the TVMM is also secure against root-level modifications because the VMM image itself is signed by the tamper-proof hardware.
Confusion
How does the system detect tampering with the VMM code? Also, in the certificate chain the private keys have to be kept secure; shouldn't it be possible for someone to discover where the VMM keeps the private key? How are device drivers managed?

Summary:
Using a "trusted virtual machine monitor" to divide a single platform into multiple virtual machines, Terra provides either open-box or closed-box platforms for applications. The TVMM has "root secure" and provides VM isolation as well as preventing any tampering with a closed-box VM. Terra also adds the "attestation" functionality, which allows VM applications to verify themselves to outside parties using a series of certificates and narrow interfaces.

Confusion:
What exactly is the demand for a "root-secure" system? It seems strange that administrators would intentionally lock themselves out from changing certain functions.
What are the performance implications?

1. Summary
This paper talks about Terra, a trusted computing platform. Terra runs a trusted VMM on tamper-proof hardware, providing open-box VMs and closed-box VMs, which provide security similar to a standard machine and a closed platform respectively. Terra uses attestation for authentication. It provides guarantees using certificate authorization. It talks about creating certificate chains to validate the hardware, BIOS, Terra VMM, VM and the application to guarantee that the node communicating has not been tampered with. It also provides a secure path between the user and the application to ensure that the user is communicating with the right VM and vice versa. This ensures integrity of communication and privacy of data. Finally, even the platform administrator cannot break the basic privacy and isolation guarantees the TVMM provides to closed-box VMs. They prove the validity of their system by implementing a closed-box version of Quake 2, a popular multiplayer game plagued by tampering and cheating. They also talk about how to regulate only the communication (if need be) for applications using trusted access points.

2. Questions
1. I did not understand the hardware support for secure I/O.
2. Can we talk about tamper-free hardware? What sort of security does it guarantee? What sort of tampering could it detect?

1. Summary
This paper presents a system for trusted computing using a Trusted Virtual Memory Monitor (TVMM) called Terra. Terra allows applications to run in an "open box" VM, which has the semantics of a normal modern open platform, or a "closed box" VM, which provides the semantics of a tamper-resistant system. The Terra architecture is built on the TVMM and a management VM which is used to configure the policies to control the other VMs.

2. Confusion
Can we go over how attestation works? And how do hardware vendors make sure that the private key cannot be read? How is the manufacturer's private key used, and is it present on the hardware itself?

1. Summary
The paper presents a VMM-based flexible architecture for trusted computing, Terra. The authors aim to provide the strong security capabilities of closed systems on general-purpose platforms through a combination of hardware and operating system mechanisms. In addition to the "open-box" VM mode, where the software stack (including the OS) can be tailored to the security needs of the application, the "closed-box" VM mode uses tamper-resistant hardware to provide extensive attestation between trusting parties, and a trusted path between user and application.
2. Confusions
* Can you talk about under what circumstances revocation of compromised hardware would be required and the challenges in revocation?
* It is not very clear what the paper discusses about device driver security and what the contribution of Terra on that front is.
* The paper talks about hardware support for secure I/O with an example of splitting the device interface. Can you explain this in more detail?
* Requirement, design and usage of Trusted Access Points (TAP) is not very clear. Would like to hear more about it.

1. Summary
The paper presents a Trusted Virtual Machine Monitor, Terra, which divides a tamper-resistant hardware platform into various isolated virtual machines, providing a view of multiple open/closed boxes on a single, general-purpose system. Terra provides capabilities like isolation, extensibility, efficiency, compatibility and security by guaranteeing root secure, attestation and trusted path. A prototype was implemented addressing application security problems like secure communication, client/server integrity and source forging.
2. Confusion
How would attestation affect software operability? Isn't it required to change device drivers to restrict access to sensitive interfaces? How frequently does the verifier check the executing application's binary attestation? In which layer does the management VM operate, or is it granted a separate, independent VM?

Summary: The authors present Terra, a Trusted VMM that lets multiple OSs run on a single hardware platform, providing an "open-box" and a "closed-box" view respectively to systems needing them. The idea is to decouple hardware and OS protection mechanisms, and introduce flexibility via the use of a VMM. In order to provide security mechanisms like attestation, the authors assume some hardware support, like tamper-resistant hardware (e.g. a TPM). They illustrate the functionality and improvement provided by their system by implementing a Trusted Quake game!
Confusion: Even the slightest change in hardware to provide security mechanisms (like introducing extra bits for tamper-resistant memory or extra privilege levels) would require lots of changes in the OS. How do OSs like Linux handle the TPM module? During attestation, there is always a time period between storing the hashed image and checking it against an original image, during which an injection attack can occur. This seems to be a recursive problem. How is this handled?

1. Summary
The paper proposes Terra, a virtual machine monitor that can be used by platform owners to provide support for running reliable, trusted VMs on top of it while isolating those VMs from other VMs on the same machine, which may or may not be high-security. Through this VMM, the system is able to provide root secure, attestation, and a trusted path from user to application. As a result of attestation, users can verify whether they are communicating with a valid, secure application.
2. Confusion
Unrelated to the paper's contribution, but the paper claims that one of the benefits of VMMs is their efficiency. Were TLB misses not a big issue back then (possibly because of large TLB reach), whereas nowadays TLB misses are a big deal, which is why VMMs are much slower and more research is being done?

Summary:
The paper presents a VMM based architecture (Terra) for secure computing. Terra provides attestation to remote parties by verifying the authenticity right from the hardware up to the application running on a secure VM through a chain of certificates. The Trusted VMM in Terra also provides isolation of closed-box VMs that run secure applications by hashing and optionally encrypting their virtual disks and preventing other VMs from accessing memory associated with the closed-box VM.

Confusion:
This seems to be a neat approach for desktops and servers. In today’s context of mobile devices, given that energy is the primary constraint, will this approach still apply? It seems that the very notion of VMMs for mobile devices is not a widely researched topic.

Summary
Terra is a virtual machine monitor that supports both general-purpose VMs and opaque special-purpose VMs like game consoles or ATMs. Running on top of tamper resistant hardware, Terra authenticates applications in a closed VM to remote parties with hashes and certificates.

Confusion
When a subset of patches is allowed, will there be 2^n different hashes?
Background knowledge of certificate revocation and TPCA.

Summary
In order to provide a flexible secure system, Terra provides a platform which runs applications on a trusted virtual machine built on top of a VMM with tamper-resistant hardware. In addition, attestation provides the assurance. Depending on the level of security an application requires, the application chooses one of the models: open box for a general-purpose hardware platform and closed box, specialized for a secure platform.

Confusion
Would you explain attestation and trusted path? Those parts are hard to understand.

Summary

The paper presents Terra, a flexible architecture built on top of a trusted virtual machine monitor (TVMM), that allows applications to run in an open-box VM with the semantics of a modern open platform or in a closed-box VM having dedicated, tamper-resistant hardware. TVMM mechanisms allow Terra to partition into multiple isolated VMs where each VM can tailor its software stack to its own security and compatibility requirements.

Confusion

Isn't there a performance implication of having a TVMM? Wouldn't specific hardware like TPM devices be better at providing trusted computing? Where does the seL4 microkernel fit in these scenarios, which is perceived to be un-hackable?
