We continue discussing the paper "Shielding applications from an untrusted cloud with Haven,” written by Andrew Baumann, Marcus Peinado, and Galen Hunt. We discussed performance study earlier. Today we discuss trusted computing base and the various issues encountered. The LibOS includes a large subset of Windows. But all the code is in the enclave. Therefore it is all in the user's trusted computing base and its sanctity can be maintained with scanning for malware, code inspection and other such means. This allows the application to move from a private data center to a public cloud. In this regard, Haven addresses two real threats : a malicious employee of the cloud provider with either admin privileges or hardware access and a government subpoena.Finally, Haven also relies on the processors' correctness.
There are some future work planned with Haven. Haven does not currently prevent rollback of filesystem state beyond the enclave's lifetime. It cannot avoid the following attack. the enclave is terminated.( eg, the host fakes a crash) and its in-memory state is lost. A new instance of the enclave accessing the VHD can read consistent data but not the latest. To mitigate such attacks, a non-volatile storage is needed but every write then has a networking communication cost which is way too expensive. However critical writes could be safeguarded this way.
Haven also relies on system time and timeouts by the untrusted host but both these can be changed by a malicious host. Haven plans to mitigate this by ensuring the clock always runs forward and the use of a cycle counter as an alternative time source.
VMs can be saved resumed and migrated. Host has to capture and recreate guest state. However Haven explicitly prevents this. Haven plans to support these in the future with checkpoint and resume at the Drawbridge ABI level. In the simplest form, the host could request the Haven guest to suspend itself which it would do by capturing its own state to an encrypted image. The host can spin off a new enclave to resume execution on another node. Before gaining access to the encrypted image, the new guest would perform an attestation step. This gives it the keys necessary to access the encrypted checkpoint image.
#square fields problem ( covering N points with K squares on XY plane )
Another way to solve this problem would be to generate the permutation of the N points as follows:
Void Permute (List<Point> a, List<Point> b, bool[] used)
{
If ( b.Length == a.Length) { print b.ToString(); return;}
For (int I = 0; I < a.Length ; i++)
{
If (used[i]) continue;
used[i] = true;
B += A[i];
Permute(a, b, used);
B [B.Length – 1] = NULL;
used[i] = false;
}
}
and for each permutation assign them to different squares where squares range from 1 to K and each square can have 1 to N-K+1 points.
List<List<Point>> assignSquares(List<Point> b)
{
int I = 0;
var squares = new List<List<Point>>();
for (int m = 0; m < k; m++) {
// initialize each of the k squares
int count = N-K+1;
var square = new List<Point>(count);
square.AddRange(Enumerable.Repeat(NULL, count));
// assign
for(int t = 0; t < N-K+1; t++){
if ( I == N) continue;
square[t] = b[I];
I++;
}
squares.Add(square);
}
return squares;
}
abc
ab c
ba c
ac b
ca b
bc a
cb a
abcd
abcd
There are some future work planned with Haven. Haven does not currently prevent rollback of filesystem state beyond the enclave's lifetime. It cannot avoid the following attack. the enclave is terminated.( eg, the host fakes a crash) and its in-memory state is lost. A new instance of the enclave accessing the VHD can read consistent data but not the latest. To mitigate such attacks, a non-volatile storage is needed but every write then has a networking communication cost which is way too expensive. However critical writes could be safeguarded this way.
Haven also relies on system time and timeouts by the untrusted host but both these can be changed by a malicious host. Haven plans to mitigate this by ensuring the clock always runs forward and the use of a cycle counter as an alternative time source.
VMs can be saved resumed and migrated. Host has to capture and recreate guest state. However Haven explicitly prevents this. Haven plans to support these in the future with checkpoint and resume at the Drawbridge ABI level. In the simplest form, the host could request the Haven guest to suspend itself which it would do by capturing its own state to an encrypted image. The host can spin off a new enclave to resume execution on another node. Before gaining access to the encrypted image, the new guest would perform an attestation step. This gives it the keys necessary to access the encrypted checkpoint image.
#square fields problem ( covering N points with K squares on XY plane )
Another way to solve this problem would be to generate the permutation of the N points as follows:
Void Permute (List<Point> a, List<Point> b, bool[] used)
{
If ( b.Length == a.Length) { print b.ToString(); return;}
For (int I = 0; I < a.Length ; i++)
{
If (used[i]) continue;
used[i] = true;
B += A[i];
Permute(a, b, used);
B [B.Length – 1] = NULL;
used[i] = false;
}
}
and for each permutation assign them to different squares where squares range from 1 to K and each square can have 1 to N-K+1 points.
List<List<Point>> assignSquares(List<Point> b)
{
int I = 0;
var squares = new List<List<Point>>();
for (int m = 0; m < k; m++) {
// initialize each of the k squares
int count = N-K+1;
var square = new List<Point>(count);
square.AddRange(Enumerable.Repeat(NULL, count));
// assign
for(int t = 0; t < N-K+1; t++){
if ( I == N) continue;
square[t] = b[I];
I++;
}
squares.Add(square);
}
return squares;
}
abc
ab c
ba c
ac b
ca b
bc a
cb a
abcd
abcd
No comments:
Post a Comment