学术文献库

High-assurance security systems require strong isolation from the untrusted world to protect the security-sensitive or privacy-sensitive data they process. Existing regulations impose that such systems must execute in a trustworthy operating system (OS) to ensure they are not collocated with untrusted software that might negatively impact their availability or security. However, the existing techniques to attest to the OS integrity fall short due to the cuckoo attack. In this paper, we first show a novel defense mechanism against the cuckoo attack, and we formally prove it. Then, we implement it as part of an integrity monitoring and enforcement framework that attests to the trustworthiness of the OS from 3.7x to 8.5x faster than the existing integrity monitoring systems. We demonstrate its practicality by protecting the execution of a real-world eHealth application, performing micro and macro-benchmarks, and assessing the security risk.