[Cryptography] Can crypto implement OS/FS protections ?

Jerry Leichter leichter at lrw.com
Mon Nov 21 21:44:55 EST 2022


> You can create a scheme where the data in memory is only readable if it passes a signature check for the correct public key, and otherwise gets scrambled - the signed data is encrypted, and a variant of signatures with "message recovery" is used to embed the encryption key such that it only can be extracted if the signature validates for the pair of wrapped message/ciphertext & public key. All reads apply this verification & key derivation combination to then decrypt the actual data. If any piece gets substituted then the derived key is wrong and the decryption output is garbage. So a failed ACL check on write doesn't allow insertion of malicious data, only scrambling / erasure. 
Some researchers at Microsoft published a paper a couple of years ago that did something like this.  The goal was to allow you to compute securely while running under a malicious OS.  Seems impossible, no?  Of course, you have to trust *something* - which in this case was the hardware and a special hypervisor.  The basic idea was that all memory was encrypted and signed by the hypervisor, which only decrypted it when the process that owned it had control of the VM.  If the VM switched into the OS, the hypervisor would encrypt the memory before letting the OS run.  So the OS can never see the VM's unencrypted data; and if it tries to blindly modify it, the signature (actually, a cryptographic checksum is sufficient here) will catch it when it tries to give control back to user-land.

Of course, that's a very rough sketch - there are tons of details you have to get right, e.g., to allow the process to do I/O.  But they actually implemented it.  Kind of an interesting reversal of the relationship between hypervisor, OS, and user code, where the user code is in some sense "more privileged" than the OS it runs under.

Microsoft's Azure actually provides what I think are called "sealed VMs" that use cryptography to make the actual code and data in the VM secure even against the operators of the hardware (short of introducing deliberately malicious hardware I suppose, a very challenging undertaking).  Other cloud providers are doing similar things.

The combination of cryptography with hardware and software does let you implement systems with novel security properties.
                                                        -- Jerry
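
An added example, not part of the original post and not code from the Microsoft paper it mentions: a Python illustration of the step described above, where the hypervisor encrypts and checksums a memory page before the OS runs and verifies it before handing control back. The function names, the SHAKE-256 keystream (a stand-in for a hardware AES mode) and the binding of the checksum to a page number are assumptions of the example.

```python
import hashlib
import hmac
import os

PAGE_SIZE = 4096

class IntegrityError(Exception):
    """Raised when a sealed page fails its checksum on the way back in."""

def _keystream(enc_key, nonce, page_no, length):
    # Assumption: SHAKE-256 as a stand-in stream cipher so the example needs
    # only the standard library; real hardware would use an AES mode.
    seed = enc_key + nonce + page_no.to_bytes(8, "big")
    return hashlib.shake_256(seed).digest(length)

def _tag(mac_key, nonce, page_no, ciphertext):
    # The checksum covers the page number, so a page moved elsewhere fails too.
    msg = page_no.to_bytes(8, "big") + nonce + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def seal_page(enc_key, mac_key, page_no, plaintext):
    """Hypervisor side: run before control passes to the untrusted OS."""
    nonce = os.urandom(16)
    ks = _keystream(enc_key, nonce, page_no, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce, ciphertext, _tag(mac_key, nonce, page_no, ciphertext)

def unseal_page(enc_key, mac_key, page_no, sealed):
    """Hypervisor side: run before control returns to the protected process."""
    nonce, ciphertext, tag = sealed
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, page_no, ciphertext)):
        raise IntegrityError(f"page {page_no} was modified while sealed")
    ks = _keystream(enc_key, nonce, page_no, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))

if __name__ == "__main__":
    ek, mk = os.urandom(32), os.urandom(32)      # keys never leave the hypervisor
    page = b"constructed sample data".ljust(PAGE_SIZE, b"\0")
    nonce, ct, tag = seal_page(ek, mk, 7, page)
    flipped = bytes([ct[0] ^ 1]) + ct[1:]        # blind modification by the OS
    try:
        unseal_page(ek, mk, 7, (nonce, flipped, tag))
    except IntegrityError as exc:
        print("rejected:", exc)
```

An older sealed copy of the same page still verifies here, so a real design also has to keep freshness state (a counter or the current tag) where the OS cannot reach it.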


