AIAA 2011-1621
Infotech@Aerospace 2011 29 - 31 March 2011, St. Louis, Missouri
Software Security Challenges in Computing and Communications Environments
Fred Briggs*
Wyle Aerospace Group, Lexington Park, MD 20653
This paper explores security vulnerabilities in modern computing and communications environments. It is a literature survey of current software security issues and focuses on virtualization technology. It also briefly investigates issues of proactive cryptography and threats to mobile and wireless communications systems. Literature reviewed includes 24 Deadly Sins of Software Security Programming Flaws and How to Fix Them by Howard, M., LeBlanc, D., and Viega, J.; “Intel® Virtualization Technology: Hardware support for efficient processor virtualization” by Neiger, G., Santoni, A., Leung, F., Rodgers D. and Uhlig, R.; “Xen and the Art of Virtualization” by Barham, P. Dragovic, Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., and Warfield, A.; “New Directions in Virtualization Security: How Segmentation Can Strengthen Your Security Posture” by Bawcom, A; and Wireless Security by Chandra, P., et al.
I. Introduction
Developers and managers of aerospace software must be aware of security challenges in both code development and external interfaces. Modern aircraft, with millions of lines of software code and satellite communications capabilities, are at a much greater risk of cyber attack than ever before. General Keith Alexander, head of the National Security Agency and Commander of the Cyber Command, recently stressed the need for better military cyber security. “DoD [U.S. Department of Defense] is responsible for protecting more than 7 million devices, linked through 15,000 networks, with 21 satellite gateways and 20,000 commercial circuits. Unauthorized users probe DoD’s networks about 250,000 times an hour or more than 6 million times a day,” Alexander said.1 Cyber security is becoming a priority at the federal government level as well. At the April 2010 RSA Conference, U.S. Federal Bureau of Investigation Cybersecurity Chief Shawn Henry said, “We are building our lives around cyber networks and we must find ways to protect them.”
According to Howard et al. in 24 Deadly Sins of Software Security, 2003 was termed the invasion of computer “worms” in the cyber community due to a significant increase in malicious software security attacks on the web. Another example of increased cyber information attacks occurred in the 2006 T.J. Maxx case. Cyber thieves stole information from more than 45.7 million credit and debit cards by aiming a telescopic-shaped antenna at a T.J. Maxx store and using a laptop to snatch internally transmitted personal data. Attack rates increased dramatically in 2008, with Verizon Business reporting more personal financial records compromised than in the years 2004 through 2007 combined. In 2010, a destructive computer worm called the Stuxnet Worm infected Iranian nuclear power facilities. It sought to reprogram certain control systems used in oil pipelines, electrical power grids, and nuclear power plants.
The worm operates by taking advantage of vulnerabilities in Microsoft Windows to gain access to target networks. It allows malicious software to jump from Windows to Siemens industrial control equipment. The worm obtained two signed digital certificates to make software appear legitimate, then identified and got the exact type of Siemens equipment used by the target. Hackers subsequently reprogrammed the controls, which resulted in physical destruction of affected systems, such as explosion of equipment under high pressure.2
_____________________
*Senior Program Analyst
Copyright © 2011 by the American Institute of Aeronautics and Astronautics, Inc. All rights reserved.
II. Software Security
Software security issues described in 24 Deadly Sins of Software Security Programming Flaws and How to Fix Them by Howard, M., LeBlanc, D., and Viega, J.3 include:
A. Web application vulnerabilities include SQL and XSS:
Search and Query Language (SQL) injection occurs in e-commerce and databases handling sensitive personal information. An attacker may compromise the database by entering through the Internet and providing malformed data. For example, if the application uses the data to build an SQL statement using string concatenation (the operation of joining two character strings end-to-end, e.g. Hello + World equals Hello, World), attackers can then change the semantics of the SQL entry, as shown in Figure 1. String concatenation should not be used for Internet data inputs and manipulations.
[Figure 1 diagram, “Web Application Sins”: 1. User sends malicious code. 2. Server does not check input for validity and uses input to query the database. 3. SQL uses string concatenation, which allows the attacker to change semantics and rob/change the database.]
Figure 1. Search and Query Language (SQL) Injection
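The three steps of Figure 1, with the concatenated query beside a parameterized one and a validity check on the input. This is an added example, not code from the paper or from Howard et al.; the table, the names and the sample input are constructed.

```python
import re
import sqlite3

# Constructed sample data; the table, names and card numbers are made up.
ROWS = [("alice", "4000-0000-0000-0001"), ("bob", "4000-0000-0000-0002")]

# Malformed input of the kind described above (constructed sample).
MALFORMED = "nobody' OR '1'='1"


def make_db():
    """Create an in-memory database holding the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (owner TEXT, card_number TEXT)")
    db.executemany("INSERT INTO cards VALUES (?, ?)", ROWS)
    return db


def lookup_concatenated(db, owner):
    """Vulnerable: user input becomes part of the SQL text itself."""
    sql = "SELECT owner, card_number FROM cards WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, owner):
    """Hardened: the input is bound as a value and is never parsed as SQL."""
    sql = "SELECT owner, card_number FROM cards WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()


def lookup_validated(db, owner):
    """Validity check at the trust boundary, then a parameterized query."""
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", owner):
        raise ValueError("owner name contains characters that are not allowed")
    return lookup_parameterized(db, owner)


if __name__ == "__main__":
    db = make_db()
    # The concatenated query returns every row; the parameterized one returns none.
    print("concatenated :", lookup_concatenated(db, MALFORMED))
    print("parameterized:", lookup_parameterized(db, MALFORMED))
```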
Web Server cross-site scripting (XSS) bugs and client-side XSS issues, whereby attackers compromise clients connecting to web servers, have increased significantly in the past few years. These issues caused 80% of document security attacks in 2007. An example of a compromise is manipulating a web page as seen by the user, as shown in Figure 2. There are now a number of web-based worms that use XSS vulnerabilities to propagate, where attackers find methods of injecting malicious scripts into web pages. An attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browsers on behalf of the user.
[Figure 2 diagram, “Web Application Sins”: 0. Developer writes web page with unvalidated query string. 1. User clicks link with malicious code in query string. 2. Website sends malicious code/unvalidated query string to user’s browser. 3. User’s webpage runs malicious code in query string.]
Figure 2. Cross Site Scripting (XSS)
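The page from step 0 of Figure 2, written once with the query string echoed as markup and once with it encoded, plus response headers that protect the session cookie. This is an added example, not code from the paper; the URL, the parameter name `q` and the header values are assumptions chosen for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed link whose query string carries script markup (percent-encoded).
LINK = "https://shop.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def query_value(url, name="q"):
    """Return the first value of a query-string parameter, decoded."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def page_unvalidated(url):
    """Vulnerable: the query string is echoed into the page as markup."""
    return "<h1>Results for " + query_value(url) + "</h1>"


def page_encoded(url):
    """Hardened: the value is HTML-encoded, so the browser shows it as text."""
    return "<h1>Results for " + html.escape(query_value(url), quote=True) + "</h1>"


def response(url):
    """Encoded page plus headers that limit the damage of a missed encoding:
    a policy that refuses inline script, and a session cookie that script
    running in the page cannot read."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'",
        "Set-Cookie": "session=PLACEHOLDER; HttpOnly; Secure; SameSite=Lax",
    }
    return headers, page_encoded(url)


if __name__ == "__main__":
    print(page_unvalidated(LINK))
    print(page_encoded(LINK))
```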
B. Implementation weaknesses include Buffer Overruns and C++ Vulnerabilities:
Buffer overruns are the most popular method of security attacks. The basic problem occurs when user data and program control information are collocated for efficiency and performance. A buffer overrun occurs when a program allows input to write beyond the end of the allocated buffer. The attacker is then able to put malicious code/controls into the main part of the program. The latest approach is by gaining control of pointers to C++ objects. “Smashing the Stack” is the term used when an attacker gains access beyond the bounds of the stack (e.g. x86 processors have a small number of registers in the stack) and writes control information. The effect of buffer overruns is anything from a crash to the attacker gaining complete control of the application. Ultimately the attacker may gain control of the complete operating system and any users logged on.
An example of a buffer overrun is shown below. A program has defined two data items which are adjacent in memory: a seven-byte long string buffer (I), and a two-byte integer (II). Originally I contains nothing but zero bytes, and II contains the number 1979. Characters are one byte wide.

Variable name   Value           Hex value
I               [null string]   00 00 00 00 00 00 00
II              1979            07 BB
The program tries to store the null-terminated string “oversize” in the I buffer. By failing to check the length of the string (a defect of C/C++; Ada has a range checker), it overwrites the value of II.

Variable name   Value                         Hex value
I               'o' 'v' 'e' 'r' 's' 'i' 'z'   6F 76 65 72 73 69 7A
II              25856                         65 00

II’s number, unknown to the program, has been replaced by a number formed by part of the character string. In this example, on a big-endian system that uses ASCII, “e” followed by a zero byte would become the number 25856.4
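The two tables above can be reproduced byte for byte by modelling the adjacent variables as one flat block of memory. This is an added example, not code from the paper: it simulates the C behaviour in Python rather than overflowing real memory, it also shows the value a little-endian reader would see, and the function names are assumptions.

```python
import struct

I_OFFSET, I_SIZE = 0, 7   # seven-byte string buffer I
II_OFFSET = 7             # two-byte integer II, stored directly after I
MEM_SIZE = 16             # bytes past offset 8 stand for whatever follows II


def new_memory():
    """I is all zero bytes; II holds 1979 stored big-endian (hex 07 BB)."""
    mem = bytearray(MEM_SIZE)
    struct.pack_into(">H", mem, II_OFFSET, 1979)
    return mem


def read_ii(mem, big_endian=True):
    """Read II the way a big-endian or a little-endian CPU would."""
    return struct.unpack_from(">H" if big_endian else "<H", mem, II_OFFSET)[0]


def hex_row(mem, offset, size):
    """Format a variable's bytes like the 'Hex value' column of the tables."""
    return " ".join(f"{b:02X}" for b in mem[offset:offset + size])


def store_unchecked(mem, text):
    """Models a C string copy with no length check: the characters and the
    terminating zero byte are written from the start of I, however many."""
    data = text.encode("ascii") + b"\x00"
    mem[I_OFFSET:I_OFFSET + len(data)] = data


def store_checked(mem, text):
    """Same copy, but refuses input that does not fit in I with its zero byte."""
    data = text.encode("ascii") + b"\x00"
    if len(data) > I_SIZE:
        raise ValueError(f"{len(data)} bytes do not fit in the {I_SIZE}-byte buffer")
    mem[I_OFFSET:I_OFFSET + len(data)] = data


if __name__ == "__main__":
    mem = new_memory()
    print("before:", hex_row(mem, I_OFFSET, I_SIZE), "|", hex_row(mem, II_OFFSET, 2))
    store_unchecked(mem, "oversize")
    print("after :", hex_row(mem, I_OFFSET, I_SIZE), "|", hex_row(mem, II_OFFSET, 2))
    print("II is now", read_ii(mem))
```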
[Figure 3 diagram, “Buffer Overflows”: User Data; Program Control Information; vTable; Registers.]
Figure 3. Buffer Overflows-Pointers to vTable
C++ catastrophes occur because the C++ programming language tends to contain a lot of function pointers. A class in object-oriented programming is a category (e.g. name, place, etc.) to which attributes can be assigned. If a class containing a function pointer can be corrupted, the program flow can be altered. A C++ class with one or more virtual methods will contain a virtual function pointer table (vtable). If the contents of the class can be overwritten, the pointer to the vtable can be altered and the attacker’s code can be run. A common building block of vtable attacks is the double-free condition, or freeing the same memory twice. This allows an attacker to overwrite a properly initialized class in memory.3
C. Cryptography vulnerabilities include use of weak password systems, using the wrong cryptography, and failing to protect network traffic:3
Password systems suffer from:
• Compromises, which occur when the user is tricked into revealing the password;
• Phishing attacks from emails convincing people to log into their account, thus collecting the user’s name and passwords;
• Weak passwords discovered by brute force guessing, by password iteration (e.g. Welcome1 to Welcome2, up to one third of all users), and by systems not requiring password changes;
• Defaulting, which is taking the hardware out of the box and not changing the password;
• Replay attacks, or obtaining network traffic between user and server and using the same packets to obtain malicious access;
• Storing passwords instead of password verifiers;
• Brute force attacks against password verifiers (use straightforward dictionaries, then rainbow table [list of pre-computed hashes or encrypted data]);
• Revealing whether a failure is due to an incorrect user or password (reduces possibilities);
• Online attacks (allows repeated failures); and
• Returning a forgotten password (shouldn’t send back original for forgotten password).
Using wrong cryptography includes:
• Using home-grown cryptography rather than encryption protocols approved by the cryptography community;
• Creating a protocol from low-level algorithms when a high-level protocol will do;
• Using an electronic codebook;
• Validating a hash incorrectly;
• Using the wrong cryptographic primitive and the wrong communication protocol;
• Failing to use Salt (non-secret random number);
• Failing to use a random IV (initialization vector);
• Using a weak key derivation function;
• Failure to provide an integrity check; and
• Failure to use an agile encryption.
Failing to protect network traffic is usually due to poorly designed email protocols. Many protocols, such as Simple Mail Transfer Protocol (SMTP) for mail relay, Internet Message Access Protocol (IMAP) and Post Office Protocol (POP) for mail delivery, and Simple Network Management Protocol (SNMP) and Hypertext Transfer Protocol (HTTP) for web browsing, provide no security at all, or only basic authentication mechanisms that are easily attacked. If attackers are connected on a Local Area Network (LAN) they can see all traffic and intercept it because of poor protocols. If attackers are on a switch, there is a technique called Address Resolution Protocol (ARP) spoofing where attackers mimic a gateway and redirect all traffic to themselves. They can then re-send traffic after processing it. Attackers advertise the network adapter’s address (Media Access Control (MAC) address) as the gateway. Subsequently, the machine sees all traffic routed through the attacker’s gateway. These problems get worse on wireless systems unless the latest wireless security protocols are used, which require both sides to authenticate to one another. Popular routers are large, complex C/C++ programs, which are susceptible to buffer overflows and other weaknesses that allow attackers to run arbitrary code as a router. The best approach is to assume attackers can get in the middle of all network traffic and modify the traffic.
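Several of the password and cryptography items listed above (store a verifier rather than the password, use a salt, use a strong key derivation function, do not reveal whether the user or the password was wrong, limit repeated failures) fit together in one small account store. This is an added example, not code from the paper or from Howard et al.; the class name, the iteration count and the lockout threshold are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000       # assumed work factor for this example; tune per hardware
MAX_FAILURES = 5           # assumed lockout threshold
GENERIC_FAILURE = "invalid user name or password"


def derive(password, salt):
    """Salted, deliberately slow key derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class VerifierStore:
    """Hypothetical account store that keeps verifiers, never passwords."""

    def __init__(self):
        self._records = {}                 # user -> (salt, verifier)
        self._failures = {}                # user -> consecutive failed logins
        self._dummy_salt = os.urandom(16)  # used for unknown users

    def register(self, user, password):
        salt = os.urandom(16)              # fresh random salt per account
        self._records[user] = (salt, derive(password, salt))

    def _matches(self, user, password):
        salt, verifier = self._records.get(user, (self._dummy_salt, None))
        candidate = derive(password, salt)  # same work whether or not user exists
        # Constant-time comparison, so timing does not leak matching bytes.
        return verifier is not None and hmac.compare_digest(candidate, verifier)

    def login(self, user, password):
        """Return 'ok', 'locked', or one generic failure message."""
        if self._failures.get(user, 0) >= MAX_FAILURES:
            return "locked"
        if self._matches(user, password):
            self._failures.pop(user, None)
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        return GENERIC_FAILURE


if __name__ == "__main__":
    store = VerifierStore()
    store.register("alice", "Welcome1")           # constructed sample account
    print(store.login("alice", "Welcome1"))
    print(store.login("alice", "Welcome2"))
    print(store.login("nobody", "Welcome1"))
```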
Network attacks include: eavesdropping, where an attacker listens to conversations and records valuable information such as login names and passwords; replay, where an attacker takes existing data and replays it, such as authentication information; and spoofing, where an attacker mimics data as if it came from one of the two parties. Spoofing attacks can be launched against network connections, particularly against virtual connections running over a connectionless transport. Attacks also include: tampering, where an attacker modifies data on the wire; and hijacking, where an attacker waits for an established connection then spoofs one of the parties.
[Figure 4 diagram, “Cryptography”: Client (Confidentiality, Integrity, Authentication); Server (Confidentiality, Integrity, Authentication).]
Figure 4. Network Security Methods
Security for network connections, as shown in Figure 4, includes authentication that involves a client to server connection, server to client or both, and ongoing authentication and privacy. Howard recommends using the Secure Socket Layer (SSL)/Transport Layer Security (TLS) protocol if possible, or some other well-known protocol such as Kerberos, rather than doing it yourself.3
Security principles are defined as:
• Confidentiality of access, which means only authorized persons gain access to the information received, processed, stored or published by the system.
• Integrity of the information received, processed, stored or published, meaning it has not been altered either by defect or malicious tampering.
• Authentication of those who gain access to the information received, processed, stored or published by the system. Authentication takes confidence to the next level and imposes more specific and rigorous requirements for access.
Howard’s rule number one of software security is, “all input is evil until proven otherwise” and rule number two is, “data must be validated as it crosses the boundary between untrusted and trusted environments.”3
III. Virtualization Technology
Virtualization technology reduces cost and provides performance gains. Virtualization technology consolidates multiple physical servers into a single hypervisor platform. Virtual machines (VMs) result in higher availability, load balancing, and resource scalability. Fewer systems mean lower power requirements, less space, less cabling, and potentially less downtime. VMware is a computer software company founded in 1998 that produces the ESX Server and other virtualization software products.
Figure 5. Security-LANL Infrastructure on Demand, Virtual Appliances5*
__________________
*Source: “Building the Cloud at LANL: Infrastructure on Demand”, Anil Karmel, Slide 25, Virtualization, Cloud Computing and Green IT Summit, 26-27 October 2010, Washington, DC.
A. VMWare ESX Server
Neiger et al.6 at Intel indicate that complete virtualization of all system resources, including processors, memory and I/O devices, makes it possible to run multiple operating systems (OSs) on a single physical platform by using a new layer of software, called a virtual-machine monitor (VMM). The VMM arbitrates access to the underlying physical host platform resources so these resources can be shared among multiple OSs that are "guests" of the VMM. The VMM provides each guest OS a set of virtual platform interfaces that constitute a virtual machine (VM). VMware ESX Server is software that virtualizes the Intel IA-32 Architecture. VMM size has been reduced and Intel virtualization technology provides protection based on a 2-bit privilege level. Ring deprivileging is a process used by VMMs that runs all guest software at the appropriate privilege level, and uses a minimal amount of guest virtual address space for control structures that manage transitions. Privilege-based protection prevents unprivileged software from accessing certain components of CPU state.6 For an operating system to gain control of the CPU it must operate at privilege level 0. With ring deprivileging, a guest OS can operate at privilege level 1 (0/1/3 mode) or at privilege level 3 (0/3/3 mode). VMMs must use a minimum amount of the guest’s virtual address space for control structures that manage the transitions. These structures are the interrupt descriptor table (IDT) and the global descriptor table (GDT). The VMM must restrict guest OSs from accessing these address spaces and “address space compression” to complete this task. Paravirtualization is a technique that modifies source code to create easier virtualization. Xen is a paravirtualization technique for x86 processors.7 For an unmodified OS, another virtualization technique is binary translation, which transforms guest OS binaries on-the-fly to handle virtualization-sensitive operations.
The Intel VT-x Architecture was designed to support a broad range of unmodified OSs at high performance. Some features of the Intel VT-x Architecture include VMX root and non-root operation that supports all privilege levels. A Virtual Machine Control Structure (VMCS) includes a guest-state area and a host-state area for loading and saving appropriate data. Processor operation is changed significantly in non-root operation. Many instructions and events cause VM exits. The VMCS is referenced with a physical address, eliminating the need to locate the VMCS in a guest linear address space. Waldspurger8 introduces several novel ESX Server mechanisms and policies for managing memory. These include: a ballooning technique that reclaims the pages considered least valuable by the operating system running in a virtual machine; an idle memory tax that creates efficient memory utilization; and content-based page sharing and hot I/O page remapping that uses transparent page remapping to eliminate redundancy and reduce copying overheads. These are combined to create a more efficient memory storage capacity.
IV. Virtualization Security
Virtualization technologies require increased levels of security. VMware vShield is a hypervisor-based application-aware firewall solution. The VMware vShield application installs on each VMware vSphere host, as can be seen in Figure 5, and controls and monitors all traffic between business-relevant virtual machines. The hypervisor firewall ensures proper segmentation, and trust zones are enforced for all applications. VMsafe is a new low-level application programming interface (API) from VMware which allows designers to intercept and inspect memory, CPU, and network traffic for a virtual machine without requiring an agent to run inside the machine. VMsafe permits a small kernel to run inside the ESX hypervisor, which intercepts traffic between the virtual network interface of a VM and the virtual switch.9 VMsafe supports vMotion, which allows the security policy of a virtual machine to move with the VM if it moves to a new physical host within a cluster.
V. Wireless Security
Chandra et al.10 explain that in traditional wireless networks (TWNs), like the Advanced Mobile Phone System (AMPS), the radio interface is analog and uses no encryption. A radio hobbyist can easily intercept cellular telephone conversations using a police scanner. He or she can also easily intercept an Electronic Serial Number (ESN) and clone another cellular phone, making calls with it. Second generation TWNs use digital systems and speech coding algorithms, Gaussian Minimum Shift Keying (GMSK), digital modulation, slow frequency hopping and Time Division Multiplexed Access (TDMA). For Global System for Mobile Communications (GSM), which is a cellular phone technology, a 128-bit pre-shared secret key (Kj) and elaborate authentication are used for securing interfaces. Each subscriber has a unique secret key. The A5 algorithm is used for encrypting packets over the air interface. It is a stream cipher, which generates a unique key stream for every packet by using a 64-bit session key and the sequence number of the frame as the input. The ciphering key can be changed at regular intervals (proactive security) or as provided by the service provider. The biggest vulnerability of a GSM network is that there is no provision for any integrity protection of data or messages. Authentication and confidentiality are accounted for, but not integrity. This means the receiver cannot verify that a message was not tampered with. Other vulnerabilities in GSM security architecture are limited encryption scope (only main interface secured) and the use of one-way authentication. A network verifies the identity of a subscriber. This allows the possibility that an attacker can simulate part of the network. GSM security architecture is designed only to secure the last interface to the network. The rest of the network is assumed to be secured by the service provider.10
With the growth of the Internet, 2G service providers upgraded their networks to 2.5G networks to provide data services to their subscribers. In the wired network, Internet applications use Hyper Text Transfer Protocol (HTTP) and Hyper Text Markup Language (HTML) to access and retrieve data from web servers. HTTP and HTML are replaced by Wireless Application Protocol (WAP) in the bandwidth-constrained, memory-constrained, CPU-constrained and screen-size-constrained wireless environment. The WAP protocol stack is designed for minimizing bandwidth. For security, most applets are signed by Certification Authorities (CAs) (Public Key Infrastructure (PKI)). If the subscriber trusts the CA, it can let the applet execute.
In 3G networks, security is again provided by authentication, confidentiality and integrity. The difference in authentication from the GSM network is that now not only does the network authenticate the subscriber, but the subscriber also authenticates the network. Confidentiality adds more security by using increased key lengths. An integrity protection mechanism is added by using the 128-bit integrity key (IK) established as part of the authentication process.
Local Area Networks use the IEEE 802.3 standard for security architecture and protocol in wired networks. Wireless networks use the IEEE 802.11 standard (Wired Equivalent Privacy (WEP)). One major problem is that there is no key establishment protocol and pre-shared keys are used. Subscribers can use keys like abcd1234, or 87654321, or 6666666. WEP has many other vulnerabilities.10
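Why the missing integrity protection matters even when the air interface is encrypted, and what the integrity key added in 3G provides: a receiver that only decrypts accepts an altered frame silently, while a receiver that checks a tag rejects it. This is an added example, not from the paper or from Chandra et al.; the key stream generator and the HMAC-SHA256 tag are stand-ins (not A5 and not the 3G integrity algorithm), and the keys, frame numbers and message are constructed.

```python
import hashlib
import hmac

SESSION_KEY = bytes(range(8))       # constructed 64-bit ciphering key
INTEGRITY_KEY = bytes(range(16))    # constructed 128-bit integrity key
MESSAGE = b"ALTITUDE 10000 FT"      # constructed sample payload


def keystream(key, frame, length):
    """Per-frame key stream from key and frame number. SHA-256 in counter
    mode is a stand-in here; it is NOT the A5 algorithm."""
    out = b""
    counter = 0
    while len(out) < length:
        block_input = key + frame.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block_input).digest()
        counter += 1
    return out[:length]


def cipher(key, frame, data):
    """Stream cipher: XOR with the key stream (encrypts and decrypts)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, frame, len(data))))


def tag(integrity_key, frame, ciphertext):
    """Integrity tag over frame number and ciphertext (HMAC-SHA256 stand-in)."""
    msg = frame.to_bytes(4, "big") + ciphertext
    return hmac.new(integrity_key, msg, hashlib.sha256).digest()


def receive_without_integrity(key, frame, ciphertext):
    """GSM-style receiver as described above: decrypts, cannot detect changes."""
    return cipher(key, frame, ciphertext)


def receive_with_integrity(key, integrity_key, frame, ciphertext, received_tag):
    """Receiver that verifies the tag before it accepts the frame."""
    if not hmac.compare_digest(tag(integrity_key, frame, ciphertext), received_tag):
        raise ValueError("integrity check failed: message rejected")
    return cipher(key, frame, ciphertext)


def alter_in_transit(ciphertext, index):
    """Models modification on the air interface: one bit of one byte changes."""
    changed = bytearray(ciphertext)
    changed[index] ^= 0x01
    return bytes(changed)


if __name__ == "__main__":
    frame = 7
    ct = cipher(SESSION_KEY, frame, MESSAGE)
    t = tag(INTEGRITY_KEY, frame, ct)
    altered = alter_in_transit(ct, 9)
    print(receive_without_integrity(SESSION_KEY, frame, altered))
    try:
        receive_with_integrity(SESSION_KEY, INTEGRITY_KEY, frame, altered, t)
    except ValueError as err:
        print(err)
```

Because the frame number is part of the tagged data, a frame replayed under a different frame number is rejected as well.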
VI. Satellite Security
Research conducted by Roy-Chowdhury et al.11 discusses security in networks with a satellite node. Satellites are single points of failure, and since they broadcast wirelessly, they can be picked up by an attacker with the right equipment on the ground unless properly encrypted. The amount of authentication depends on the level of security required. Attackers can send commands to jam or disrupt communication. A Denial of Service (DoS) attack is when software message-integrity checks, or authentication checks, become overloaded. Satellite channels have large bandwidth (as high as 90 MB/s) but also have long propagation delays (as high as 0.5 seconds) compared to terrestrial networks.
[Figure 6 diagram labels: Network Operation Control Center; Internet; Web Server.]
Figure 6. Hybrid Satellite Network Architecture
Roy-Chowdhury points out two security protocols used in satellite networks: SSL and IPSec. Secure Socket Layer (SSL) secures the web-browsing connection (HTTPS, Secure Hyper Text Transfer Protocol) and encrypts the application layer HTTP data completely between client and server. Independent of SSL is Internet Protocol security, or IPSec, which creates an end-to-end encrypted tunnel at the network layer for secure transfer of traffic. Security is by IP-security Encapsulating Security Payload (IPSec ESP), which provides both data encryption and authentication. IPSec provides strong security for data confidentiality and authentication but adds 10 bytes of overhead to header and trailer. If authentication is used, it adds 16 bytes or more for integrity checks and possibly another 8 bytes or more of initialization vector if the encryption algorithm uses an IV. In tunnel mode the entire IP packet is encrypted and a new IP and ESP header is created and attached to the IP packet, which adds another costly 20 bytes of overhead.
Roy-Chowdhury et al. survey several solutions to resolve SSL and IPSec performance problems, show their advantages and disadvantages, and propose a solution of their own. They describe a hierarchical approach to key management for data security in hybrid networks. They propose to ensure data confidentiality by distributing cryptographic keys. The key management framework is built on top of a multicast routing architecture using asynchronous transfer mode (ATM) point-to-multipoint virtual connections. This allows for efficient multicast trees with low control and data overhead. They divide the network into two levels: the lower LAN level, where the terrestrial network users are located, and the higher level, where the satellite, network operating center and the satellite gateways are located. Key management is implemented separately by each level. They show that resource savings on the satellite are considerable when the tiered tree scheme is used versus a flat key-management hierarchy. Sun et al.12 also discuss IP security issues (e.g. 20 bytes large overhead for satellite systems) and IP multicast security issues (e.g. ensure key management is scalable to large groups).
VII. Conclusion
This paper surveys software security challenges in computing and communications environments and provides a brief overview of software web vulnerabilities such as Search and Query Language (SQL) Injection, Web Server cross-site scripting (XSS) bugs, and buffer overruns. It also discusses some of the pitfalls in using cryptology and some of the benefits and security risks of virtualization technology. Wireless security’s increased vulnerabilities are also discussed in relationship to the authentication, confidentiality, and integrity security principles. Finally, security issues such as performance degradation in networks with a satellite node are described. Developers and managers of aerospace software must be aware of these security challenges in both code development and external interfaces.
Acknowledgements
The author would like to thank Anna Zelinski at the Naval Air Station Patuxent River Maryland for her patience and tireless efforts obtaining research material for this paper through inter-library loans and Cindy Held at Wyle for her insightful questions and thoughtful edits of the many drafts of this paper.
References
1 Bain, B., “Alexander Stresses Need for Network Situational Awareness”, Defense Systems, Vol 4, Number 6, July 2010.
2 Federal Computer Week, October 11, 2010.
3 Howard, M., LeBlanc, D., and Viega, J., 24 Deadly Sins of Software Security, Programming Flaws and How to Fix Them, The McGraw Hill Companies, 2010.
4 Wikipedia, “Buffer Overruns” downloaded 30 January 2011.
5 Karmel, A., “Building the Cloud at LANL: Infrastructure on Demand”, Virtualization, Cloud Computing and Green IT Summit, 26-27 October 2010, Washington, DC.
6 Neiger, G., Santoni, A., Leung, F., Rodgers D. and Uhlig, R., “Intel® Virtualization Technology: Hardware support for efficient processor virtualization”, Intel® Technology Journal, Volume 10, issue 03, August 10, 2006.
7 Barham, P. Dragovic, Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., and Warfield, A., “Xen and the Art of Virtualization”. SOSP ’03, October 19-22, 2003, Bolton Landing, NY, copyright ACM 2003.
8 Waldspurger, C. “Memory Resource Management in VMware ESX Server”, In Proceedings Fifth Symposium on Operating Systems Design and Implementation (OSDI ’02), Dec. 2002.
9 Bawcom, A., “New Directions in Virtualization Security: How Segmentation Can Strengthen Your Security Posture”, 2009.
10 Chandra, P., Bensky, A., Bradley, T., Hurley, C., Rackley, S., Rittinghouse, J., Ransome, J., Stapko, T., Stefanek, G., Thorton, F. and Wilson, J., Wireless Security, 2009, Elsevier Inc.
11 Roy-Chowdhury, A., Baras, J., Hadjitheodosiou, M., and Papademetriou, S., “Security Issues in Hybrid Networks with a Satellite Component”, IEEE Wireless Communications, December 2005.
12 Sun, Z., Horwarth, M., Cruickshank, and Iyengar, S., “Networking Issues in IP Multicast over Satellite”, International Journal of Satellite Communications and Networking 2003, 21:489-507.