Public processes have the expected read-write access to public filesystems. Private processes, on the other hand, are short-lived processes that have temporary secure storage containers. This storage container is allocated only for the lifetime of a private execution and is accessible only to the private process group it is associated with. Each private process group is bound to a private execution key, or PEK, which is the basis for uniquely identifying a privacy context. This PEK is randomly generated at private process creation, protected by the operating system, never stored in non-volatile memory, and never disclosed to the user or any other process. The PEK is used to encrypt all data produced during a private execution before it is written to persistent storage within the secure container. In this way, PRIVEXEC ensures that sensitive data resulting from private process computation cannot be accessed through the filesystem by any process that does not share the associated privacy context. Furthermore, when a private execution terminates, PRIVEXEC securely wipes its PEK, and hence makes it computationally infeasible to recover the encrypted contents of the associated storage container.

Although all new files created by a private process must clearly be stored in its secure container, applications often need to access files that already exist in the normal filesystem in order to function correctly. For instance, most applications load shared libraries and read configuration files as part of their normal operation. The OS needs to ensure that such read requests are directed to the public filesystem. An even more complicated situation arises when a private process attempts to modify existing files. In that case, we need to create a separate private copy of the file in the process’ secure container, and redirect all subsequent read and write requests for that file to the new copy. PRIVEXEC ensures that private processes can only write to the secure storage container while they still have a read-only view of the public filesystems by enforcing the following copy-on-write policy.

• For a write operation:
  – if the destination file does not exist in the filesystem or in the secure container, a new file is created in the container;
  – if the file exists in the filesystem, but not in the container, a new copy of the file is created in the container, and the write is performed on this new copy;
  – if the file exists in the container, the process directly modifies it regardless of whether it exists in the filesystem.

• For a read operation:
  – if the file exists in the container, it is read from there regardless of whether it also exists in the filesystem;
  – if the file exists in the filesystem but not in the container, the file is read from the filesystem;
  – if the file exists neither in the filesystem nor in the container, the read operation fails.
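The copy-on-write policy above, as an added illustrative model that is not PRIVEXEC's own code: the public filesystem and the secure container are modelled as in-memory path-to-bytes maps, so the container's PEK encryption and the kernel redirection are abstracted away and only the resolution rules are shown.

```python
class PrivateFileView:
    """Models the file view of one PRIVEXEC private process group.

    Constructed model, not the paper's implementation: `public_fs` stands in
    for the read-only public filesystem and `container` for the secure
    storage container bound to this group's PEK.
    """

    def __init__(self, public_fs):
        self.public_fs = public_fs   # never modified by a private process
        self.container = {}          # per-PEK secure storage, wiped at exit

    def resolve_read(self, path):
        """Return where a read is served from: 'container', 'filesystem', or None."""
        if path in self.container:       # container copy shadows the public file
            return "container"
        if path in self.public_fs:       # unmodified public file (e.g. shared lib)
            return "filesystem"
        return None                      # exists nowhere: the read fails

    def read(self, path):
        source = self.resolve_read(path)
        if source == "container":
            return self.container[path]
        if source == "filesystem":
            return self.public_fs[path]
        raise FileNotFoundError(path)

    def write(self, path, data, offset=0):
        """Apply the copy-on-write rules for a write of `data` at `offset`."""
        if path not in self.container:
            # No container entry yet: either create a new file (public copy
            # absent -> empty) or take a private copy of the public file.
            self.container[path] = self.public_fs.get(path, b"")
        buf = bytearray(self.container[path])
        end = offset + len(data)
        if end > len(buf):
            buf.extend(b"\0" * (end - len(buf)))   # grow the private copy
        buf[offset:end] = data
        self.container[path] = bytes(buf)          # public_fs is untouched

    def wipe(self):
        """Models PEK destruction at the end of the private execution."""
        self.container.clear()
```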