Journal of Computing Science and Engineering

Korean Institute of Information Scientists and Engineers (한국정보과학회)
권호 표지
DOI QR코드

DOI QR Code

Data Firewall: A TPM-based Security Framework for Protecting Data in Thick Client Mobile Environment

  • Park, Woo-Ram (Department of Computer Science and Engineering, Pohang University of Science and Technology (POSTECH)) ;
  • Park, Chan-Ik (Department of Computer Science and Engineering, Pohang University of Science and Technology (POSTECH))
  • Received : 2011.07.16
  • Accepted : 2011.08.26
  • Published : 2011.12.30
Download PDF
⟨ Previous Next ⟩

Abstract

Recently, Virtual Desktop Infrastructure (VDI) has been widely adopted to ensure secure protection of enterprise data and provide users with a centrally managed execution environment. However, user experiences may be restricted due to the limited functionalities of thin clients in VDI. If thick client devices like laptops are used, then data leakage may be possible due to malicious software installed in thick client mobile devices. In this paper, we present Data Firewall, a security framework to manage and protect security-sensitive data in thick client mobile devices. Data Firewall consists of three components: Virtual Machine (VM) image management, client VM integrity attestation, and key management for Protected Storage. There are two types of execution VMs managed by Data Firewall: Normal VM and Secure VM. In Normal VM, a user can execute any applications installed in the laptop in the same manner as before. A user can access security-sensitive data only in the Secure VM, for which the integrity should be checked prior to access being granted. All the security-sensitive data are stored in the space called Protected Storage for which the access keys are managed by Data Firewall. Key management and exchange between client and server are handled via Trusted Platform Module (TPM) in the framework. We have analyzed the security characteristics and built a prototype to show the performance overhead of the proposed framework.

Keywords

References

  1. R. Richardson, CSI Computer Crime and Security Survey 2010/ 2011, New York, NY: Computer Security Institute, 2011.
  2. Citrix Systems Inc., "XenDesktop," http://www.citrix.com/xendesktop.
  3. VMware Inc., "VMware View 5," http://www.vmware.com/products/ view/overview.html.
  4. Microsoft, "Windows Server 2008R2 Remote Desktop Services Features," http://www.microsoft.com/windowsserver2008/en/us/rdsremotefx. aspx.
  5. Boca Research Inc., Citrix ICA Technology Brief, Boca Raton, FL: Boca Research Inc., 1999.
  6. VMware Inc., VMWare View 4 with PCoIP, 2009.
  7. Trusted Computing Group, "Trusted Platform Module," http:// www.trustedcomputinggroup.org/developers/ trusted_platform_module.
  8. B. Kauer, "OSLO: improving the security of trusted computing," Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, Boston, MA, 2007, pp. 1-9.
  9. R. Sailer, X. Zhang, T. Jaeger, and L. Van Doorn, "Design and implementation of a TCG-based integrity measurement architecture," Proceedings of the 13th Conference on USENIX Security Symposium, San Diego, CA, 2004, pp. 16-16.
  10. J. Choi, W. Park, and C. Park, "A framework of secure access to iscsi network storage based on TPM," Proceedings of the 2009 Fall Conference on Korean Institute of Information Scientists and Engineers, Seoul, Korea, 2009, pp. 5-9.
  11. Trusted Computing Group, http://www.trustedcomputinggroup.org/.
  12. "Trusted third party," http://en.wikipedia.org/wiki/Trusted_third_party.
  13. T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh, "Terra: a virtual machine-based platform for trusted computing," ACM SIGOPS Operating Systems Review, vol. 37, no. 5, pp. 193-206, 2003. https://doi.org/10.1145/1165389.945464
  14. VMware Inc., VMware View 3: Virtual Desktop Infrastructure White Paper. Palo Alto, CA: VMware Inc., 2008.
  15. Trusted Computing Group, TCG Mobile Trusted Module Specification Version 0.9 Revision 1, Beaverton, OR: Trusted Computing Group, 2006.
  16. J. E. Ekberg and M. Kylanpaa, Mobile Trusted Module (MTM): An Introduction, Helsinki, Finland: Nokia Research Center, 2007.
  17. A. Kivity, Y. Kamay, D. Laor, U. Lublin, and A. Liguori, "kvm: the Linux virtual machine monitor," Proceedings of the Linux Symposium, Ottawa, Canada, 2007, pp. 225-230.
  18. "GRUB TCG Patch to support Trusted Boot," http://trousers. sourceforge.net/grub.html.
  19. H. Maruyama, F. Seliger, N. Nagaratnam, T. Ebringer, S. Munetho, S. Yoshihama, and T. Nakamura, Trusted Platform on Demand (TPod). Research Report RT0564, Kanagawa, Japan: IBM Japan, Ltd., 2004.
  20. F. Bellard, "QEMU, a fast and portable dynamic translator," Proceedings of the Annual Conference on USENIX Annual Technical Conference, Anaheim, CA, 2005, pp. 41-46.
  21. I. Habib, "Virtualization with KVM," Linux Journal, no. 166, p. 8, 2008.
  22. Z. Mahkovec, "Bootchart," http://www.bootchart.org/.
  23. J. Sievert, "Iometer: The I/O Performance Analysis Tool for Servers," http://www.intel.com/design/servers/devtools/iometer/index.htm.

Cited by

  1. A Survey on Intrusion-Tolerant System vol.7, pp.4, 2013, https://doi.org/10.5626/JCSE.2013.7.4.242