
added spreadsheet and gnuplot graphs

master
Michael Preisach 4 years ago
parent
commit
98311a98f4
  1. 16
      resources/plots/amd1-ima-enf.gnuplot
  2. BIN
      resources/plots/amd1-ima-enf.png
  3. 16
      resources/plots/amd1-ima-fix.gnuplot
  4. BIN
      resources/plots/amd1-ima-fix.png
  5. 10001
      resources/plots/intel2-ima-enf.dat
  6. 16
      resources/plots/intel2-ima-enf.gnuplot
  7. BIN
      resources/plots/intel2-ima-enf.png
  8. 10001
      resources/plots/intel2-ima-fix.dat
  9. 16
      resources/plots/intel2-ima-fix.gnuplot
  10. BIN
      resources/plots/intel2-ima-fix.png
  11. BIN
      resources/plots/stats.ods
  12. 125
      thesis/05_testing.tex
  13. BIN
      thesis/MAIN.pdf

16
resources/plots/amd1-ima-enf.gnuplot

@ -0,0 +1,16 @@
set terminal pngcairo transparent enhanced font "roboto sans,20" fontscale 2.0 size 1600, 1200
set output 'amd1-ima-enf.png'
set style fill solid 1.00 border lt -1
set key fixed left top vertical Left noreverse noenhanced autotitle nobox
set xtics border in scale 0,0 nomirror autojustify
set xtics norangelimit
set xtics 2000
set ytics 1
set ylabel "seconds"
set xrange [ * : * ] noreverse writeback
set yrange [ 0.00000 : 12. ] noreverse writeback
set title "System 1 IMA enforce" font "roboto sans,25"
plot 'amd1-ima-enf.dat' using 1:5 t "Sensor send" w filledcurves x1 linestyle 5, \
'amd1-ima-enf.dat' using 1:4 t "Sensor collect" w filledcurves x1 linestyle 4, \
'amd1-ima-enf.dat' using 1:3 t "Sensor embed" w filledcurves x1 linestyle 3, \
'amd1-ima-enf.dat' using 1:2 t "Sensor capture" w filledcurves x1 linestyle 2
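
Review bot: The plot command reads 'amd1-ima-enf.dat', but this commit's file list adds only intel2-ima-enf.dat and intel2-ima-fix.dat, so the committed amd1-ima-enf.png cannot be regenerated from what is added here unless the data file is already tracked. Please add the amd1 data file or confirm it exists in resources/plots. A one-line comment at the top of the script describing the columns (1 = run index, 2 to 5 = capture, embed, collect, send) would also help, since the overlapping filledcurves order only gives a correct picture if columns 2 to 5 hold cumulative times.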

BIN
resources/plots/amd1-ima-enf.png

Binary file not shown.

Size: 129 KiB

16
resources/plots/amd1-ima-fix.gnuplot

@ -0,0 +1,16 @@
set terminal pngcairo transparent enhanced font "roboto sans,20" fontscale 2.0 size 1600, 1200
set output 'amd1-ima-fix.png'
set style fill solid 1.00 border lt -1
set key fixed left top vertical Left noreverse noenhanced autotitle nobox
set xtics border in scale 0,0 nomirror autojustify
set xtics norangelimit
set xtics 2000
set ytics 1
set ylabel "seconds"
set xrange [ * : * ] noreverse writeback
set yrange [ 0.00000 : 12. ] noreverse writeback
set title "System 1 IMA fix" font "roboto sans,25"
plot 'amd1-ima-fix.dat' using 1:5 t "Sensor send" w filledcurves x1 linestyle 5, \
'amd1-ima-fix.dat' using 1:4 t "Sensor collect" w filledcurves x1 linestyle 4, \
'amd1-ima-fix.dat' using 1:3 t "Sensor embed" w filledcurves x1 linestyle 3, \
'amd1-ima-fix.dat' using 1:2 t "Sensor capture" w filledcurves x1 linestyle 2
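
Review bot: This script is a line-for-line copy of amd1-ima-enf.gnuplot with only the output name, data file name and title changed, and the same holds for the two intel2 scripts. Consider one script that takes the base name and title as variables, so a later change to the ranges or styles cannot drift between the four plots. Also, linestyle 2 to 5 are used in the plot command without any `set style line` definition in the script, so the colours depend on the terminal's defaults; defining them explicitly keeps the four figures consistent. As with the enf variant, 'amd1-ima-fix.dat' is not among the files this commit lists.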

BIN
resources/plots/amd1-ima-fix.png

Binary file not shown.

Size: 191 KiB

10001
resources/plots/intel2-ima-enf.dat

File diff suppressed because it is too large

16
resources/plots/intel2-ima-enf.gnuplot

@ -0,0 +1,16 @@
set terminal pngcairo transparent enhanced font "roboto sans,20" fontscale 2.0 size 1600, 1200
set output 'intel2-ima-enf.png'
set style fill solid 1.00 border lt -1
set key fixed left top vertical Left noreverse noenhanced autotitle nobox
set xtics border in scale 0,0 nomirror autojustify
set xtics norangelimit
set xtics 2000
set ytics 1
set ylabel "seconds"
set xrange [ * : * ] noreverse writeback
set yrange [ 0.00000 : 12. ] noreverse writeback
set title "System 3 IMA enf" font "roboto sans,25"
plot 'intel2-ima-enf.dat' using 1:5 t "Sensor send" w filledcurves x1 linestyle 5, \
'intel2-ima-enf.dat' using 1:4 t "Sensor collect" w filledcurves x1 linestyle 4, \
'intel2-ima-enf.dat' using 1:3 t "Sensor embed" w filledcurves x1 linestyle 3, \
'intel2-ima-enf.dat' using 1:2 t "Sensor capture" w filledcurves x1 linestyle 2
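
Review bot: The title on the `set title` line reads "System 3 IMA enf", while the System 1 counterpart uses "System 1 IMA enforce"; the two should use the same wording because the four images are placed side by side in one figure. The file prefix intel2 against the title "System 3" is also easy to misread, so a comment mapping amd1 to System 1 and intel2 to System 3 would help.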

BIN
resources/plots/intel2-ima-enf.png

Binary file not shown.

Size: 129 KiB

10001
resources/plots/intel2-ima-fix.dat

File diff suppressed because it is too large

16
resources/plots/intel2-ima-fix.gnuplot

@ -0,0 +1,16 @@
set terminal pngcairo transparent enhanced font "roboto sans,20" fontscale 2.0 size 1600, 1200
set output 'intel2-ima-fix.png'
set style fill solid 1.00 border lt -1
set key fixed left top vertical Left noreverse noenhanced autotitle nobox
set xtics border in scale 0,0 nomirror autojustify
set xtics norangelimit
set xtics 2000
set ytics 1
set ylabel "seconds"
set xrange [ * : * ] noreverse writeback
set yrange [ 0.00000 : 12. ] noreverse writeback
set title "System 3 IMA fix" font "roboto sans,25"
plot 'intel2-ima-fix.dat' using 1:5 t "Sensor send" w filledcurves x1 linestyle 5, \
'intel2-ima-fix.dat' using 1:4 t "Sensor collect" w filledcurves x1 linestyle 4, \
'intel2-ima-fix.dat' using 1:3 t "Sensor embed" w filledcurves x1 linestyle 3, \
'intel2-ima-fix.dat' using 1:2 t "Sensor capture" w filledcurves x1 linestyle 2
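
Review bot: The fixed `set yrange [ 0.00000 : 12. ]` clips values that the thesis table in this same commit reports for System 3 with IMA fix: a capture maximum of 12.48 s and a first embed run of 40.21 s. If the clipping is intentional to keep the steady-state runs readable, say so in the figure caption; otherwise raise the upper bound or exclude the first run from the data explicitly.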

BIN
resources/plots/intel2-ima-fix.png

Binary file not shown.

Size: 191 KiB

BIN
resources/plots/stats.ods

Binary file not shown.

125
thesis/05_testing.tex

@ -95,35 +95,50 @@ Revocation lists and group management are not implemented yet, although the ECDA
Similarly, the DAA verifier only checks the signature. Similarly, the DAA verifier only checks the signature.
In production use, both entities must hold the revocation list and perform further checks to trust the DAA member. In production use, both entities must hold the revocation list and perform further checks to trust the DAA member.
We split the tasks of a Digidow sensor in several parts to document the conrtibution of each.
\begin{itemize}
\item \emph{DAA TPM key generation}: Clear the TPM, generate a new EK and DAA key pair and persist the DAA key in the TPM's NVRAM
\item \emph{DAA TPM join w/o keygen}: Use the DAA key which is already in place and negotiate a group membership with the DAA issuer.
\item \emph{DAA TPM keygen \& join}: This combines the two steps above to give comparable time measurements to the join procedure without TPM.
\item \emph{DAA keygen \& join}: Generate the DAA keypair and save it to disk.
Join the DAA group by negotiating a secret with the DAA issuer.
\item \emph{Digidow sensor capture}: Create an image using \texttt{bs-capture} and save it to disk.
\item \emph{Digidow sensor embed}: Extract a face embedding using the tensorflow application \texttt{img2emb}.
\item \emph{Digidow sensor collect}: Collect the IMA log and save it to disk.
Create a sha512sum of the file and put it together with all PCRs and the face embedding data into one message.
Calculate another sha512sum from the message itself.
\item \emph{Digidow sensor send}: Sign the message's hash with the TPM DAA key and send it together with the message to the DAA verifier.
The verifier saves message and hash for further procedures on its disk.
\end{itemize}
The application's memory usage is measured with \texttt{valgrind}. The application's memory usage is measured with \texttt{valgrind}.
It measures the allocated heap space in memory which is shown in \autoref{tab:memoryusage}. It measures the allocated heap space in memory which is shown in \autoref{tab:memoryusage}.
\begin{table} \begin{table}
\renewcommand{\arraystretch}{1.2} \renewcommand{\arraystretch}{1.2}
\centering \centering
\caption{Memory usage measured with Valgrind} \caption{Memory usage measured with Valgrind}
\label{tab:memoryusage} \label{tab:memoryusage}
\begin{tabular}{rrr} \begin{tabular}{lrr}
\toprule \toprule
\textit{Task} &\textit{System 1} &\textit{System 3} \\ \textit{Task} &\textit{System 1} &\textit{System 3} \\
\midrule \midrule
{DAA TPM key generation} &10,160 &10,160 \\ {DAA TPM key generation} &10,160 &10,160 \\
{DAA TPM join} &23,864 &23,864 \\ {DAA TPM join w/o keygen} &23,864 &23,864 \\
{DAA join without TPM} &19,296 &19,296 \\ {DAA keygen \& join} &19,296 &19,296 \\
{Image capturing} &93,703 &93,703 \\ {Digidow sensor capture} &93,703 &93,703 \\
{Image processing} &1,318,722,747 &1,385,416,573\\ {Digidow sensor embed} &1,318,722,747 &1,385,416,573\\
{Compiling DAA message} &1,115,639 &1,115,597 \\ {Digidow sensor collect} &1,115,639 &1,115,597 \\
{Sending DAA message} &36,072 &36,072 \\ {Digidow sensor send} &36,072 &36,072 \\
\bottomrule \bottomrule
\end{tabular} \end{tabular}
\end{table} \end{table}
The memory usage is constant over all procedures but creating the DAA message. The memory usage is constant over all procedures but creating the DAA message itself.
This step depends on the size of the files which it summarizes, especially when taking the IMA log into account. This step's memory footprint depends on the size of the files which it summarizes, especially when taking the IMA log into account.
Therefore the memory usage is measured while IMA is set off, representing a lower bound of memory usage for this part. In this case the memory usage is measured while IMA is off, representing a lower bound of memory usage for this part.
Besides calculating the face embedding of the captured image, the whole transaction can be executed using less than 100 Kilobytes of heap memory. Besides calculating the face embedding of the captured image, the whole transaction can be executed using about 1\,MB of heap memory.
This would be affordable even for embedded devices with respect to memory consumption. This would be fit on most embedded devices running a Linux kernel.
On the other side, the face embedding algorithm uses over 1.3\,GB. However, the face embedding algorithm uses over 1.3\,GB and requres the majority of the computation time as shown below.
The slight difference between the two systems at the processing part seems to be consistent over several runs, whereas the result at compiling the message may result of slight differences in the input file. The slight difference between the two systems at the processing part seems to be consistent over several runs.
\autoref{tab:wholeperformance} shows each relevant step for the Digidow sensor. \autoref{tab:wholeperformance} shows each relevant step for the Digidow sensor.
\begin{table} \begin{table}
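
Review bot: The memory table still has no unit in its caption or header, and the new sentence "about 1\,MB of heap memory" only makes sense if the figures are bytes; please state the unit in the caption of tab:memoryusage. The added text also contains three slips: "conrtibution" should be "contribution", "requres" should be "requires", and "This would be fit on most embedded devices" should read "This would fit on most embedded devices". The new itemize introduces "DAA TPM keygen \& join", but the memory table has no row for it; either add the row or note that it is the sum of the two TPM rows.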
@ -135,43 +150,55 @@ The slight difference between the two systems at the processing part seems to be
\multicolumn{2}{r|}{\textit{Task}} &\multicolumn{3}{c|}{\textit{System 1}} &\multicolumn{3}{c}{\textit{System 3}} \\ \multicolumn{2}{r|}{\textit{Task}} &\multicolumn{3}{c|}{\textit{System 1}} &\multicolumn{3}{c}{\textit{System 3}} \\
&&\rotatebox{90}{IMA off} &\rotatebox{90}{IMA fix} &\rotatebox{90}{IMA enf} &\rotatebox{90}{IMA off} &\rotatebox{90}{IMA fix} &\rotatebox{90}{IMA enf}\\ &&\rotatebox{90}{IMA off} &\rotatebox{90}{IMA fix} &\rotatebox{90}{IMA enf} &\rotatebox{90}{IMA off} &\rotatebox{90}{IMA fix} &\rotatebox{90}{IMA enf}\\
\midrule \midrule
\textit{Join without TPM} [s] &min & & & &0.03 &0.03 & \\ \textit{DAA keygen \& join} [s] &min &0.03 & & &0.03 &0.03 &0.03 \\
&avg & & & &0.03 &0.03 & \\ &avg &0.05 & & &0.03 &0.03 &0.03 \\
&max & & & &0.06 &0.06 & \\ &max &0.07 & & &0.06 &0.06 &0.28 \\
&first & & & &0.04 &0.13 & \\\hline &first &0.04 & & &0.04 &0.13 &0.04 \\\hline
\textit{Join with TPM} [s] &min & & & &0.35 &0.35 & \\ \textit{DAA TPM keygen \& join} [s] &min &0.33 & & &0.35 &0.35 &0.35 \\
&avg & & & &0.37 &0.37 & \\ &avg &0.34 & & &0.37 &0.37 &0.37 \\
&max & & & &0.37 &0.41 & \\ &max &0.34 & & &0.37 &0.41 &0.40 \\
&first & & & &0.40 &0.42 & \\\hline\hline &first &0.37 & & &0.40 &0.42 &0.35 \\\hline\hline
\textit{Capture} [s] &min & & & &0.91 &0.91 & \\ \textit{Digidow sensor capture} [s] &min &0.92 & & &0.91 &0.91 &0.91 \\
&avg & & & &1.06 &1.06 & \\ &avg &1.07 & & &1.06 &1.06 &1.06 \\
&max & & & &1.12 &12.48 & \\ &max &1.14 & & &1.12 &12.48 &1.12 \\
&first & & & &1.34 &1.46 & \\\hline &first &1.36 & & &1.34 &1.46 &1.45 \\\hline
\textit{Process embedding} [s] &min & & & &4.07 &4.09 & \\ \textit{Digidow sensor embed} [s] &min &3.48 & & &4.07 &4.09 &4.10 \\
&avg & & & &4.12 &4.14 & \\ &avg &3.53 & & &4.12 &4.14 &4.14 \\
&max & & & &4.74 &4.46 & \\ &max &4.11 & & &4.74 &4.46 &4.53 \\
&first & & & &5.99 &40.21 & \\\hline &first &5.41 & & &5.99 &40.21 &40.23 \\\hline
\textit{Collect} [s] &min & & & &0.09 &0.19 & \\ \textit{Digidow sensor collect} [s] &min &0.07 & & &0.09 &0.19 &0.19 \\
&avg & & & &0.10 &n/a &n/a \\ &avg &0.08 & & &0.10 &n/a &n/a \\
&max & & & &0.11 &n/a &n/a \\ &max &0.09 & & &0.11 &n/a &n/a \\
&first & & & &0.11 &0.24 & \\\hline &first &0.09 & & &0.11 &0.24 &0.25 \\\hline
\textit{Send with TPM} [s] &min & & & &0.26 &0.27 & \\ \textit{Digidow sensor send} [s] &min &0.25 & & &0.26 &0.27 &0.27 \\
&avg & & & &0.28 &0.27 & \\ &avg &0.25 & & &0.28 &0.27 &0.28 \\
&max & & & &0.28 &0.29 & \\ &max &0.26 & & &0.28 &0.29 &0.29 \\
&first & & & &0.28 &0.40 & \\\hline\hline &first &0.26 & & &0.28 &0.40 &0.40 \\\hline\hline
\textit{Transaction sum} [s] &min & & & &5.38 &5.50 & \\ \textit{Digidow sensor transaction} [s] &min &4.75 & & &5.38 &5.50 &5.49 \\
&avg & & & &5.56 &n/a &n/a \\ &avg &4.92 & & &5.56 &n/a &n/a \\
&max & & & &6.14 &n/a &n/a \\ &max &5.52 & & &6.14 &n/a &n/a \\
&first & & & &7.72 &42.31 & \\ &first &7.12 & & &7.72 &42.31 &42.33 \\
\bottomrule \bottomrule
\end{tabular} \end{tabular}
\end{table} \end{table}
Each part shows the time of execution of the first attempt and a basic statistical numbers of the 9999 remaining executions. Each part shows the time of execution of the first attempt and minimum, average and maxmum time consumption of the 9999 remaining executions.
The first two blocks represent generating the private key of the sensor and executing the DAA join handshake over the local network. This first execution is done directly after a system reboot.
The difference between these two programs is not only the usage of the TPM. Therefore all resources besides the program itself must be loaded into main memory.
Joining the DAA group using a TPM is in this test a two-step job. Depending on the number of resources a single step needs, the overtime might be smaller or larger.
The first step creates key within the TPM whereas the second step uses the join protocol.
This is not required in the other case since the private key is created on the fly at the beginning of the join handshake. When IMA is enabled, the kernel has to check the hash of each file accessed for reading.
This hash must be extended into PCR 10 which makes the first run of each part significantly longer.
Especially the tensorflow application requires about 35\,s more time for the first run.
\begin{figure}
\centering
\includegraphics[width=0.48\textwidth]{../resources/plots/amd1-ima-fix.png}
\includegraphics[width=0.48\textwidth]{../resources/plots/amd1-ima-enf.png}
\includegraphics[width=0.48\textwidth]{../resources/plots/intel2-ima-fix.png}
\includegraphics[width=0.48\textwidth]{../resources/plots/intel2-ima-enf.png}
\caption{Time consumption of a Digidow transaction on the tested systems}
\label{fig:time-digidow-transaction}
\end{figure}
The following 4 blocks represent the 4 steps for starting the Digidow transaction. The following 4 blocks represent the 4 steps for starting the Digidow transaction.
Capture takes a picture of the user Capture takes a picture of the user
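
Review bot: The System 1 "IMA fix" and "IMA enf" columns are still empty in every row of the table, yet the new figure includes amd1-ima-fix.png and amd1-ima-enf.png, so the plots show measurements the table does not report. Please fill those cells or state why they are omitted, and explain the "n/a" entries for the average and maximum of the collect and transaction rows under IMA fix and IMA enf. The paragraph that introduced "the first two blocks" was removed, which leaves "The following 4 blocks represent the 4 steps" without an antecedent. Smaller points in the added text: "maxmum" should be "maximum", "overtime" probably means "overhead", and the new figure fig:time-digidow-transaction is never referenced with \autoref in the visible text.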

BIN
thesis/MAIN.pdf

Binary file not shown.