Authors
Carsten Weinhold, Hermann Härtig
Publication date
2008/4/1
Conference
ACM SIGOPS Operating Systems Review
Volume
42
Issue
4
Pages
81-93
Publisher
ACM
Description
In this paper we present the lessons we learned when developing VPFS, a virtual private file system that is based on both a small amount of trusted storage and an untrusted legacy file system residing on the same machine. VPFS' purpose is to provide secure and reliable storage to highly sensitive applications running on top of a microkernel, which may concurrently execute untrusted software. The confidentiality and integrity guarantees of VPFS apply not only to file contents but also to all metadata, including the integrity of the directory structure.
We explored design alternatives that allow us to securely reuse untrusted infrastructure and thereby minimize the complexity that a file-system implementation adds to the trusted computing base. VPFS is split into two isolated components. A small trusted component implements all security-critical functionality, whereas the untrusted part reuses an existing file-system …
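The split described above, a small trusted component that keeps only a key and one authentication tag in trusted storage while every file and the directory manifest live encrypted and authenticated in an untrusted store, can be modelled in a few dozen lines. The following is an added illustration written for this page, not VPFS's own code or design; the blob naming scheme, the manifest layout and the `TrustedFS` / `UntrustedStore` names are assumptions, and the HMAC-SHA256 keystream with encrypt-then-MAC is a stdlib-only stand-in for a real AEAD such as AES-GCM. The point it shows is why directory-structure integrity needs the manifest to pin each file's exact tag: swapping two blobs, rolling a single file back to an older version, or rolling the whole manifest back are all caught, because the only thing the attacker cannot forge is the one tag held in trusted storage.

```python
"""Toy model of a trusted file-system layer over an untrusted store.

Added illustration, not VPFS's code. Only TrustedStorage must be protected;
UntrustedStore stands in for the legacy file system an attacker may edit.
The cipher is an HMAC-SHA256 keystream (encrypt-then-MAC), a stand-in for a
real AEAD; the names and manifest format are assumptions made for the demo.
"""
import hashlib
import hmac
import json
import os


class IntegrityError(Exception):
    pass


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC; stand-in for a real stream cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = _prf(key, nonce + i.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class UntrustedStore:
    """The legacy file system: a dict the attacker can read and modify."""
    def __init__(self):
        self.blobs = {}


class TrustedStorage:
    """The small trusted state: a master key and the manifest's current tag."""
    def __init__(self):
        self.master = os.urandom(32)
        self.manifest_tag = None


class TrustedFS:
    MANIFEST = "manifest"   # blob name of the encrypted directory manifest

    def __init__(self, trusted: TrustedStorage, store: UntrustedStore):
        self.t, self.s = trusted, store
        self.enc_key = _prf(trusted.master, b"enc")
        self.mac_key = _prf(trusted.master, b"mac")
        self._save_manifest({"next": 0, "files": {}})  # path -> {blob, tag}

    def _seal(self, name: str, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        ct = _xor_stream(self.enc_key, nonce, plaintext)
        tag = _prf(self.mac_key, name.encode() + nonce + ct)  # binds blob to its name
        self.s.blobs[name] = nonce + ct + tag
        return tag

    def _open(self, name: str, expected_tag: bytes) -> bytes:
        blob = self.s.blobs.get(name)
        if blob is None:
            raise IntegrityError(f"blob {name} missing from untrusted store")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, expected_tag):      # catches swaps and rollbacks
            raise IntegrityError(f"{name}: tag is not the one pinned by trusted state")
        if not hmac.compare_digest(tag, _prf(self.mac_key, name.encode() + nonce + ct)):
            raise IntegrityError(f"{name}: contents modified")  # catches bit flips
        return _xor_stream(self.enc_key, nonce, ct)

    def _save_manifest(self, m: dict) -> None:
        self.t.manifest_tag = self._seal(self.MANIFEST, json.dumps(m).encode())

    def _load_manifest(self) -> dict:
        return json.loads(self._open(self.MANIFEST, self.t.manifest_tag))

    def write(self, path: str, data: bytes) -> None:
        m = self._load_manifest()
        entry = m["files"].get(path) or {"blob": f"b{m['next']}"}  # opaque name hides path
        m["next"] += 1 if path not in m["files"] else 0
        entry["tag"] = self._seal(entry["blob"], data).hex()  # manifest pins exact version
        m["files"][path] = entry
        self._save_manifest(m)

    def read(self, path: str) -> bytes:
        e = self._load_manifest()["files"][path]
        return self._open(e["blob"], bytes.fromhex(e["tag"]))

    def listdir(self) -> list:
        return sorted(self._load_manifest()["files"])


def _setup():
    fs, s = None, UntrustedStore()
    fs = TrustedFS(TrustedStorage(), s)
    fs.write("/secret/a.txt", b"alpha")
    fs.write("/secret/b.txt", b"bravo")
    return fs, s


def _detected(attack) -> bool:
    """Run an attack on the untrusted store; True if the next read rejects it."""
    fs, s = _setup()
    attack(fs, s)
    try:
        fs.read("/secret/a.txt")
    except IntegrityError:
        return True
    return False


def demo_roundtrip() -> bool:
    fs, _ = _setup()
    return fs.read("/secret/a.txt") == b"alpha" and fs.listdir() == ["/secret/a.txt", "/secret/b.txt"]


def demo_swap_blobs() -> bool:          # attacker exchanges two files' ciphertexts
    return _detected(lambda fs, s: s.blobs.update(b0=s.blobs["b1"], b1=s.blobs["b0"]))


def demo_rollback_file() -> bool:       # attacker restores an old, validly sealed blob
    def act(fs, s):
        old = s.blobs["b0"]
        fs.write("/secret/a.txt", b"alpha v2")
        s.blobs["b0"] = old
    return _detected(act)


def demo_rollback_manifest() -> bool:   # attacker restores an old directory manifest
    def act(fs, s):
        old = s.blobs["manifest"]
        fs.write("/secret/c.txt", b"charlie")
        s.blobs["manifest"] = old
    return _detected(act)


def demo_tamper_bytes() -> bool:        # attacker flips a ciphertext byte, keeps the tag
    def act(fs, s):
        b = bytearray(s.blobs["b0"])
        b[16] ^= 0x01
        s.blobs["b0"] = bytes(b)
    return _detected(act)
```

Each `demo_*` function returns True when the corresponding manipulation of the untrusted store is rejected on the next read, and `demo_roundtrip` confirms the normal path still works. Note that the per-file name binding alone would catch the swap but not the single-file rollback; pinning each file's tag inside the authenticated manifest, whose own tag is the one value in trusted storage, is what closes that gap.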
Total citations
[Per-year citation chart, 2008 to 2023; the individual yearly counts are not recoverable from the extracted text.]