Security and Trust Architectures for Protecting Sensitive Data on Commodity Computing Platforms

This dissertation investigates how to realize practical security solutions that are able to protect sensitive data on commodity computing platforms. Standard operating systems on commodity platforms are usually insufficient to provide the required protection as they have not been designed with security in mind from the beginning. The main idea of this thesis is to add small trusted components to commodity systems, i.e., a hardware trust anchor and a small trusted software layer. Based on these trusted components, security architectures are built for various application scenarios. Fortunately, the recent incorporation of trusted computing concepts in commodity platforms allows for security functionality embedded directly into the hardware. The Trusted Platform Module (TPM) is one such example. In addition, modern main processors also include support for hardware virtualization. Based on these functionalities as well as recent results in the construction of microkernels, security architectures are designed that end-users can use to protect their systems and their data against a number of threats. The first major contribution of this thesis is the improvement of security architectures that use virtualization. A crucial aspect in this context is the virtualization of hardware security modules like the TPM. The design and implementation of a property-based vTPM is presented, a flexible and privacy-preserving realization of a virtual TPM. It integrates different approaches for measuring the platform's state, which results in enhanced support of both software updates and migration of virtual machines, without losing the required security properties. Another main contribution is the design and implementation of a security architecture against phishing attacks, i.e., attacks that try to steal passwords from users. The key idea is a trusted password wallet (TruWallet) that removes the burden of authentication from users when they login to web sites. TruWallet stores all passwords and automatically performs the login at the server on behalf of the user. In contrast to other approaches against phishing, the combination of the wallet, an underlying security kernel software, and the incorporation of trusted computing functionality provides protection measures against the strongest type of phishing attacks, i.e., phishing malware running on the user's computer. This thesis also presents a security architecture to protect shared information across different computing platforms. This architecture is based on the existing concept of Trusted Virtual Domains (TVDs), which essentially realizes a distributed enforcement of information flow control. This concept is extended beyond its usually proposed usage in data centers to include individual computing platforms of end-users. To address the specific needs of end-users, the thesis presents a design of a transparent cryptographic data protection of mobile storage devices (e.g., USB memory sticks), and a full implementation of the TVD concept on an existing desktop operating system. Finally, the thesis investigates special application scenarios that require a trustworthy platform, but which can be realized without the need for a persistently running trusted software layer. Therefore, the enhanced functionality of modern processors to provide a secure execution environment is leveraged, and the thesis presents the Unidirectional Trusted Path (UTP), i.e., a trusted path from the local user to a remote party. The thesis shows how this can be used as alternative for CAPTCHAs, or to create a secure transaction confirmation for online purchases in e-commerce scenarios. The security architectures presented in this thesis enable the protection of sensitive personal data and the protection of information sharing on commodity computing platforms. The results demonstrate that a secure execution of applications can be practically provided by introducing a small security layer underneath the normal operating environment without losing the feature-richness and compatibility of commodity operating systems.