Jeffrey Dwoskin

Ph.D. Dissertation -- DRAFT

Title: Securing the Use of Sensitive Data on Remote Devices Using a Hardware-Software Architecture

Adviser: Ruby B. Lee (ELE)

Readers: Margaret Martonosi (ELE), Ed Felten (COS)

Non-readers: Niraj Jha (ELE), Mung Chiang (ELE)

FPO Time: Tuesday, May 4, 2010, 4:00pm ET
FPO Location: Engineering Quad, room J323

Version 2.0 - 4/29/2010

• DwoskinThesis-20100429-v2.0.pdf (5.14MB) - Contains internal colored links.
• DwoskinThesis-20100429-v2.0-print.pdf (4.88MB) - For printing.
• DwoskinThesis-20100429-v2.0-doublespace.pdf (5.00MB) - Double spaced with outlined links (for electronic submission also suitable for printing)

Version 1.53 - 4/26/2010

• DwoskinThesis-20100426-v1.53.pdf (4.94MB) - Contains internal colored links.
• DwoskinThesis-20100426-v1.53-diff.pdf (4.96MB) - Significant changes from version 1.52 are highlighted.

Version 1.52 - 4/18/2010

• DwoskinThesis-20100418-v1.52b.pdf (6.52MB) - Contains internal colored links.
• DwoskinThesis-20100418-v1.52a-diff.pdf (6.43MB) - Significant changes from version 1.51 are highlighted.
• DwoskinThesisOverview-v5.pdf (113KB) - Thesis overview and list of publications

Version 1.51 - 3/26/2010

• DwoskinThesis-20100326-v1.51.pdf (6.50MB) - Contains internal colored links.
• DwoskinThesis-20100326-v1.51-print.pdf (6.24MB) - For printing.

Version 1.5 - 3/25/2010

• DwoskinThesis-20100325-v1.5.pdf (6.49MB) - Contains internal colored links.
• DwoskinThesis-20100325-v1.5-print.pdf (6.24MB) - For printing.
• DwoskinThesisOverview-v3.pdf (110KB) - Thesis overview and list of publications

Change Log

Version 2.0 - 4/29/2010

• Completed Acknowledgements
• Ch 4,5,6: Added footnotes to better acknowledge collaborators
• Ch 7: Added table of modified processor operations for SP, and clarified cache tags for secure instruction lines.
• Minor typographical and formatting changes througout.

Version 1.53 - 4/26/2010

• Ch 4: Clarified security analysis regarding encryption of temporary/pairwise keys, and about adversaries who change the device key.
• Ch 5: Clarified the comparison between our framework and formal verification techniques, and how to use formal methods to develop tests for our framework.
• Ch 6: Clarified the registers necessary to put the emergency state variables in hardware.
• Ch 6: Added new section regarding lessons learned in developing the prototype.
• Ch 7: Expanded on the chapter summary.
• Ch 8: New 'implications' section at the end of the conclusion.
• Re-drew all figures in Chapter 5 to make the style and color scheme consistent. Re-drew the SP architecture figures in Chapters 3, 4 and 7 to make style consistent.
• Minor typographical and formatting changes througout.

Version 1.52 - 4/18/2010

• Ch 1: Rearranged introduction to explain our approach directly and to separate the threat model more clearly from the design description.
• Ch 1: Improved the medical practitioner usage scenario in section 1.1.3 (Usage Scenarios)
• Ch 2: Added a Summary section to Chapter 2 (Related Work)
• Ch 3: Clarified the definition of "transient trust" to make clear that trust in the user is fixed, but the access given as a result of that trust is what is transient.
• Ch 3: Added an intro to section 3.4 (Architecture) to provide an outline of what the section will cover and forward pointers to the next sections.
• Ch 3,4: Quantified performance impact of CEM in Section 3.8.2 (Authority-mode SP - Performance) and of the effectiveness of node capture attacks in Section 4.4.1 (Embedded SP - Attacks on Protected Keys) by summarizing results from related work.
• Ch 4: Clarify that the Expanded architecture can have all hash checking done in ROM without a hardware hashing engine.
• Ch 5: Introduction clarifies that the framework is good for penetration testing and studies of known attacks, but cannot identify other ways clever adversaries might attack the system.
• Ch 5: Added citations for the examples of formal and informal verification techniques.
• Ch 6: Added to introduction that part of the motivation for the design is military use, in addition to crisis-response and that the emergency might be a military operation.
• Ch 6: Section 6.4.2 explains that virtualization allows for multiple emergency partitions, each with their own emergency state.
• Ch 7: Section 7.3, for a combined device, makes clear that a user-TSM process and authority-TSM process can run simultaneously, just not be active in the processor at the same time.
• Ch 7: Section 7.3.1 clarify how an authority communicates securely with the user for initialization.
• Ch 8: Future work cannot actually segregate most user interface code out of TSMs, since user interactions are critical for securely following the user's instructions.
• Ch 8: Section 8.1.2. Separate levels of TSMs can mitigate the damage if there are exploitable bugs and can allow protection of more code without as large of a performance impact.
• Bibliography: Corrected many references that had improper locations specified (for the publisher instead of the conference), and other minor corrections to some references.
• Various minor corrections for grammer, typos, and clarifications.

Version 1.51 - 3/26/2010

• Moved Section 5.8 (TF Implementation Details) to Appendicies (A & B)

Version 1.5 - 3/25/2010

• Made edits based on Ruby Lee's comments to all chapters.

Version 1.2 - 2/11/2010

• First complete draft, proofread