The security of data at rest---widely understood as FDE or Full Drive Encryption---is an important concern among several in modern computer systems. These concerns exist in contention over a set of finite resources. For instance: a device that is battery-constrained must remain within its energy budget which may change over time, e.g. when a device enters "battery-saver mode"; regardless, this device must meet certain performance guarantees or the user experience will suffer; above all, the data on the device must be secure from adversaries; and the device has a finite amount of drive space available. At any given moment we trade battery life for performance, performance for security, security for drive space, and so on. Unfortunately, designing a FDE system that can navigate such treacherous tradeoffs efficiently, effectively, and with respect to performance and security guarantees is entirely non-trivial. This dissertation explores this space of tradeoffs and how we might optimize for one concern without violating another given kernel and/or user space in-context invariants that might shift over time. We address this challenge with StrongBox, a stream cipher based FDE layer that is a drop-in replacement for dm-crypt, the standard Linux FDE module based on AES-XTS. StrongBox introduces a system design and on-drive data structures that exploit certain properties of filesystems to avoid costly rekeying penalties and a counter stored in trusted hardware to protect against attacks. We push the envelope further with SwitchCrypt, a software mechanism that allows us to move beyond merely making stream ciphers available for FDE. SwitchCrypt enables practical navigation of the tradeoff space made by balancing competing security and latency requirements via cipher switching in space or time. We provide empirical results demonstrating the conditions under which different switching strategies are optimal through the exploration of four cases studies. Finally, with HASCHK, we consider the same stream cipher based cryptographic primitives in an alternative domain: data in motion rather than at rest. Specifically: securing data downloads over the internet. Such downloads come with many risks, including the chance that the resource has been corrupted, or that an attacker has replaced your desired resource with a compromised version. The de facto standard for addressing this risk is the use of checksums coupled with a secure transport layer. Problems with this approach include (1) user apathy---for most users, calculating and verifying the checksum is too tedious; and (2) co-hosting---an attacker who compromises a resource can trivially compromise a checksum hosted on the same system. The co-hosting problem remains despite advancements in tools that automate checksum verification and generation. In this dissertation we propose HASCHK, a resource verification protocol expanding on de facto checksum-based integrity protections to defeat co-hosting while automating the tedious parts of checksum verification to secure "data in motion" over the internet. StrongBox, SwitchCrypt, and HASCHK together demonstrate that security is indeed a paramount concern and valid dimension with which to trade off alongside other tier-one concerns without compromising data security or requiring obscene performance sacrifices, all while staying within a shifting energy budget.




Downloads Statistics

Download Full History