Lightweight Attestation and Secure Code Update for Multiple Separated Microkernel Tasks

  • Steffen WagnerEmail author
  • Christoph Krauß
  • Claudia Eckert
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7807)


By implementing all non-essential operating system services as user space tasks and strictly separating those tasks, a microkernel can effectively increase system security. However, the isolation of tasks does not necessarily imply their trustworthiness. In this paper, we propose a microkernel-based system architecture enhanced with a multi-context hardware security module (HSM) that enables an integrity verification, anomaly detection, and efficient lightweight attestation of multiple separated tasks. Our attestation protocol, which we formally verified using the automated reasoning tool ProVerif, implicitly proves the integrity of multiple tasks, efficiently communicates the result to a remote verifier, and enables a secure update protocol without the need for digital signatures that require computationally expensive operations.


Lightweight attestation Microkernel tasks Multi-context hardware security module Trusted platform module 



Parts of this work were funded by the HIVE project (GN: 01BY1200A) of the German Federal Ministry of Education and Research.

Supplementary material


  1. 1.
    Berger, S., Cáceres, R., Goldman, K.A., Perez, R., Sailer, R., Doorn, L.: vTPM: virtualizing the Trusted Platform Module. In: Proceedings of the 15th Conference on USENIX Security Symposium, vol. 15 (2006)Google Scholar
  2. 2.
    Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: Proceedings of the 14th IEEE Workshop on Computer Security Foundations, CSFW 2001. IEEE Computer Society, Washington, DC (2001)Google Scholar
  3. 3.
    England, P., Loeser, J.: Para-virtualized TPM sharing. In: Lipp, P., Sadeghi, A.-R., Koch, K.-M. (eds.) Trust 2008. LNCS, vol. 4968, pp. 119–132. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  4. 4.
    Feller, T., Malipatlolla, S., Kasper, M., Huss, S.A.: dctpm: a generic architecture for dynamic context management. In: Athanas, P.M., Becker, J., Cumplido, R. (eds.) ReConFig, pp. 211–216. IEEE Computer Society (2011)Google Scholar
  5. 5.
    Haldar, V., Chandra, D., Franz, M.: Semantic remote attestation: a virtual machine directed approach to trusted computing. In: Proceedings of the 3rd Conference on Virtual Machine Research and Technology Symposium, Berkeley, CA, USA (2004)Google Scholar
  6. 6.
    Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: cold-boot attacks on encryption keys. Commun. ACM 52(5), 91–98 (2009)CrossRefGoogle Scholar
  7. 7.
    Liedtke, J.: Microkernels must and can be small. In: Proceedings of the 5th IEEE International Workshop on Object-Orientation in Operating Systems (IWOOOS), Seattle, WA, October 1996.
  8. 8.
    Sadeghi, A.R., Stüble, C.: Property-based attestation for computing platforms: caring about properties, not mechanisms. In: Proceedings of the 2004 Workshop on New Security Paradigms, NSPW 2004, pp. 67–77. ACM, New York (2004)Google Scholar
  9. 9.
    Sailer, R., Zhang, X., Jaeger, T., van Doorn, L.: Design and implementation of a TCG-based integrity measurement architecture. In: Proceedings of the 13th Conference on USENIX Security Symposium, vol. 13, Berkeley, CA, USA (2004)Google Scholar
  10. 10.
    Schiffman, J., Vijayakumar, H., Jaeger, T.: Verifying system integrity by proxy. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds.) Trust 2012. LNCS, vol. 7344, pp. 179–200. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  11. 11.
    Sirer, E.G., de Bruijn, W., Reynolds, P., Shieh, A., Walsh, K., Williams, D., Schneider, F.B.: Logical attestation: an authorization architecture for trustworthy computing. In: Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, SOSP 2011, pp. 249–264. ACM, New York (2011)Google Scholar
  12. 12.
    Stumpf, F., Eckert, C.: Enhancing trusted platform modules with hardware-based virtualization techniques. In: Emerging Security Information, Systems and Technologies, pp. 1–9 (2008)Google Scholar
  13. 13.
    SYSGO AG: PikeOS.
  14. 14.
    Trusted Computing Group: TPM Main Specification Version 1.2 rev. 116 (2011).
  15. 15.
    Wagner, S., Wessel, S., Stumpf, F.: Attestation of mobile baseband stacks. In: Xu, L., Bertino, E., Mu, Y. (eds.) NSS 2012. LNCS, vol. 7645, pp. 29–43. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  16. 16.
    Winter, J., Dietrich, K.: A Hijacker’s guide to the LPC bus. In: Petkova-Nikova, S., Pashalidis, A., Pernul, G. (eds.) EuroPKI 2011. LNCS, vol. 7163, pp. 176–193. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  17. 17.
    Xiao, H., Eckert, C.: Lazy Gaussian process committee for real-time online regression. In: 27th AAAI Conference on Artificial Intelligence, AAAI 2013. AAAI Press, Washington, July 2013Google Scholar
  18. 18.
    Xiao, H., Xiao, H., Eckert, C.: Learning from multiple observers with unknown expertise. In: Pei, J., Tseng, V.S., Cao, L., Motoda, H., Xu, G. (eds.) PAKDD 2013, Part I. LNCS, vol. 7818, pp. 595–606. Springer, Heidelberg (2013) CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Steffen Wagner
    • 1
    Email author
  • Christoph Krauß
    • 1
  • Claudia Eckert
    • 1
  1. 1.Fraunhofer Institute AISECMunichGermany

Personalised recommendations