TY - GEN
T1 - TrustGraph
T2 - 25th Annual Computer Security Applications Conference, ACSAC 2009
AU - Okhravi, Hamed
AU - Nicol, David M.
N1 - Copyright:
Copyright 2010 Elsevier B.V., All rights reserved.
PY - 2009
Y1 - 2009
N2 - High assurance MILS and MLS systems require strict limitation of the interactions between different security compartments based on a security policy. Virtualization can be used to provide a high degree of separation in such systems. Even with perfect isolation, however, the I/O devices are shared between different security compartments. Among the I/O controllers, the graphics subsystem is the largest and the most complex. This paper describes the design and implementation of TrustGraph, a trusted graphics subsystem for high assurance systems. First, we explain the threats and attacks possible against an unsecured graphics subsystem. We then describe the design of TrustGraph, the security principles it is built upon, and its implementation. Finally, we verify our implementation through different levels of verification, which include functionality testing for simple operations, attack testing for security mechanisms, and formal verification for the critical components of the implementation. An analysis of the graphics API covert channel attack is presented, its channel capacity is measured, and the capacity is reduced using the idea of fuzzy time.
KW - Covert channel analysis
KW - Formal verification
KW - Multi-level security
KW - Trusted graphics
KW - Virtualization
UR - http://www.scopus.com/inward/record.url?scp=77950834189&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=77950834189&partnerID=8YFLogxK
U2 - 10.1109/ACSAC.2009.31
DO - 10.1109/ACSAC.2009.31
M3 - Conference contribution
AN - SCOPUS:77950834189
SN - 9780769539195
T3 - Proceedings - Annual Computer Security Applications Conference, ACSAC
SP - 254
EP - 265
BT - 25th Annual Computer Security Applications Conference, ACSAC 2009
Y2 - 7 December 2009 through 11 December 2009
ER -