L4/Nizza and VPFS, its Secure Storage Component

msra

Cited by 23 | Views 2
Abstract
The L4/Nizza security architecture is designed to support security-sensitive applications by drastically reducing the size of such an application's Trusted Computing Base (TCB). We achieve this by splitting an application into an untrusted part and a security-sensitive part. The untrusted part runs on a legacy operating system in a virtual machine (for example L4Linux, a paravirtualized implementation of the Linux kernel). The sensitive part relies only on a small set of components that are relevant to its security goals. These components, together with the sensitive part of the application, form the TCB of that application. VPFS, a Virtual Private File System, is the secure storage component of L4/Nizza. Its security goals are confidentiality, integrity (detection of unauthorized modifications) and recoverability of data. Following L4/Nizza's general approach, VPFS is split into two components. The untrusted component reuses an existing file-system implementation for data storage, whereas a small trusted component protects the data using cryptographic algorithms and some hardware support. If an application needs such secure storage, our VPFS prototype adds less than 5000 lines of code to that application's TCB.
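The following is an added illustration of the split described in the abstract; it is not VPFS code and not from the paper. It models the untrusted component as a byte store that may corrupt what it holds, and the trusted component as a small layer that keeps the key and per-file metadata, encrypts and authenticates every version with AES-GCM (the cipher choice, the per-version blob naming, and the in-memory metadata map are all assumptions of this example, not details of VPFS), and falls back to the newest version that still verifies when the latest one has been tampered with. That covers the three stated goals: confidentiality, integrity detection, and recoverability.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UntrustedStore stands in for the legacy file system reused by the untrusted
// component. It only moves bytes; nothing stops it from altering or dropping them.
type UntrustedStore struct{ blobs map[string][]byte }

func NewUntrustedStore() *UntrustedStore { return &UntrustedStore{blobs: map[string][]byte{}} }
func (s *UntrustedStore) Put(name string, b []byte)   { s.blobs[name] = append([]byte(nil), b...) }
func (s *UntrustedStore) Get(name string) ([]byte, bool) { b, ok := s.blobs[name]; return b, ok }

// entry is the trusted metadata kept per stored version (assumed to live
// inside the trusted component, never in the untrusted store).
type entry struct {
	version uint64
	digest  [32]byte // SHA-256 of the ciphertext blob exactly as written
}

// TrustedFS is the small trusted component: it alone holds the key and metadata.
type TrustedFS struct {
	aead  cipher.AEAD
	store *UntrustedStore
	meta  map[string][]entry // file name -> versions, oldest first
}

var ErrTampered = errors.New("vpfs-example: stored data failed integrity check")

func NewTrustedFS(key []byte, store *UntrustedStore) (*TrustedFS, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TrustedFS{aead: aead, store: store, meta: map[string][]entry{}}, nil
}

func blobName(name string, v uint64) string { return fmt.Sprintf("%s.v%d", name, v) }

// aad binds each ciphertext to its file name and version, so the untrusted
// side cannot pass off one file's blob (or an older version) as another.
func aad(name string, v uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, v)
	return append([]byte(name), b...)
}

// Write stores a new version: nonce || AES-GCM(plaintext) goes to the untrusted
// store, the version number and blob digest stay with the trusted component.
func (t *TrustedFS) Write(name string, plaintext []byte) error {
	v := uint64(len(t.meta[name])) + 1
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	blob := t.aead.Seal(nonce, nonce, plaintext, aad(name, v))
	t.store.Put(blobName(name, v), blob)
	t.meta[name] = append(t.meta[name], entry{version: v, digest: sha256.Sum256(blob)})
	return nil
}

func (t *TrustedFS) readVersion(name string, e entry) ([]byte, error) {
	blob, ok := t.store.Get(blobName(name, e.version))
	if !ok || sha256.Sum256(blob) != e.digest {
		return nil, ErrTampered // missing, replaced, or modified since it was written
	}
	ns := t.aead.NonceSize()
	if len(blob) < ns {
		return nil, ErrTampered
	}
	pt, err := t.aead.Open(nil, blob[:ns], blob[ns:], aad(name, e.version))
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

// Read returns the latest version, or ErrTampered if the untrusted side changed it.
func (t *TrustedFS) Read(name string) ([]byte, error) {
	vs := t.meta[name]
	if len(vs) == 0 {
		return nil, errors.New("vpfs-example: no such file")
	}
	return t.readVersion(name, vs[len(vs)-1])
}

// Recover walks back through stored versions and returns the newest one
// that still verifies, together with its version number.
func (t *TrustedFS) Recover(name string) ([]byte, uint64, error) {
	vs := t.meta[name]
	for i := len(vs) - 1; i >= 0; i-- {
		if pt, err := t.readVersion(name, vs[i]); err == nil {
			return pt, vs[i].version, nil
		}
	}
	return nil, 0, ErrTampered
}

func main() {
	store := NewUntrustedStore()
	fs, _ := NewTrustedFS(make([]byte, 32), store) // constructed all-zero demo key
	_ = fs.Write("notes", []byte("first draft"))
	_ = fs.Write("notes", []byte("second draft"))
	blob, _ := store.Get("notes.v2")
	blob[len(blob)-1] ^= 1 // untrusted side flips one ciphertext bit
	store.Put("notes.v2", blob)
	_, err := fs.Read("notes")
	pt, v, _ := fs.Recover("notes")
	fmt.Printf("read: %v; recovered version %d: %q\n", err, v, pt)
}
```

The trusted side here keeps only a few dozen bytes per version, which is the point of the split: the bulk storage logic stays in the untrusted file system, while everything that decides whether data is genuine sits in a component small enough to audit.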