Trusted computing defines how to securely measure, store, and verify the integrity of software controlling a computer. One of the major challenges that make them hard to be applied in practice is the issue with software updates. Specifically, an operating system update causes the integrity violation because it changes the well-known initial state trusted by remote verifiers, such as integrity monitoring systems. Consequently, the integrity monitoring of remote computers becomes unreliable due to the high amount of false positives. We address this problem by adding an extra level of indirection between the operating system and software repositories. We propose a trusted software repository (TSR), a secure proxy that overcomes the shortcomings of previous approaches by sanitizing software packages. Sanitization consists of modifying unsafe installation scripts and adding digital signatures in a way software packages can be installed in the operating system without violating its integrity. TSR leverages shielded execution, i.e., Intel SGX, to achieve confidentiality and integrity guarantees of the sanitization process. TSR is transparent to package managers, and requires no changes in the software packages building and distributing processes. Our evaluation shows that running TSR inside SGX is practical; since it induces only ~1.18X performance overhead during package sanitization compared to the native execution without SGX. TSR supports 99.76% of packages available in the main and community repositories of Alpine Linux while increasing the total repository size by 3.6%.
翻译:受信任的计算机定义了如何安全地测量、储存和核查控制计算机的软件的完整性。使计算机难以实际应用的主要挑战之一是软件更新问题。具体地说,操作系统更新导致违反完整性,因为它改变了由远程核查者信任的众所周知的初始状态,如完整性监测系统。因此,由于大量虚假的阳性,对远程计算机的廉正监测变得不可靠。我们通过在操作系统和软件库之间增加额外的间接影响来解决这一问题。我们提议了一个可靠的软件库(TSR),这是一个安全代用工具,通过对软件包进行防污来克服以往方法的缺陷。 清洁化包括修改不安全的安装脚本,并以某种方式在操作系统中安装软件包,而不违反完整性,从而导致违反完整性。 TSR利用屏蔽式执行,即Intel SGX, 实现安全化过程的保密性和完整性保障。TSR对软件库管理者来说是透明的,不需要修改软件包的建造和分发过程。我们的评价表明,在SINX软件库内运行整个SSR软件库,而不是SLIX主机容量,因为它只是将SIMX软件库的性化为SBA。