1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno

2 A Travel Story

3 Do you trust… A kiosk computer? A friend’s computer? A relative’s computer? Your own computer? Without trust, you cannot… Check your Pay bills Privately surf the web … How do we bootstrap trust in a computer?

4 Assumptions User has a trusted, mobile device User trusts someone to vouch for the physical security of the computer

5 Bootstrapping Trust Physical Security Trusted Hardware Trusted Software

6 CPU, RAM TPM, Chipset CPU, RAM TPM, Chipset Trusted Software Using Flicker DMA Devices (Network, Disk, USB, etc.) OS App S S 1 … DMA Devices (Network, Disk, USB, etc.) OS App 1 … S S Shim

7 Flicker’s Properties Isolate security-sensitive code execution from all other code and devices Attest to security-sensitive code and its arguments and nothing else Convince a remote party that security- sensitive code was protected Add < 250 LoC to the software TCB Shim S S Software TCB < 250 LoC All relies on bootstrapping trust! Physical Security Trusted Hardware Trusted Software

8 Outline Introduction Background The Cuckoo Attack Potential Solutions Conclusions

9 TPM Background The Trusted Platform Module (TPM) is a dedicated security chip Contains a public/private keypair {K Pub, K Priv } Contains a certificate indicating that K Pub belongs to a legitimate TPM Not tamper-resistant!

10 BIOS Boot Loader OS Kernel conf Module 2 Module 1 TPM PCRs BIOS Boot Loader Hardware Software K Priv Apps App 2 App 1 Apps App 2 App 1 OS Kernel conf Module 2 Module 1 Bootstrapping Trust with a TPM

11 BIOS Boot Loader OS Kernel conf Module 2 Module 1 TPM PCRs K Priv Apps App 2 App 1 Bootstrapping Trust with a TPM Nonce Sign (), K Priv Nonce K Pub Guarantees freshness Guarantees key originated from a real TPM TPM attests to the software Trustworthy!

12 Outline Introduction Background The Cuckoo Attack Potential Solutions Conclusions

13 The Cuckoo Attack Nonce Sign (), K Priv Nonce K Priv Nonce K Pub Guarantees freshness Guarantees key originated from a real TPM TPM attests to the software Trustworthy!

14 What went wrong? An attestation says that a TPM vouches for a software state, but not which TPM Sign (), K Priv Nonce K Pub Sign (), K Priv Nonce K Pub

15 Analyzing the Attack Paper develops a logical framework for bootstrapping trust –Allows precise characterization of the attack Framework identifies which solutions work, and which do not

16 Potential Solutions Remove the network Trust the computer Detect timing deviations Make late-launch data available Add a special- purpose button Employ SiB Employ camera-less SiB Trust the BIOS Trust a third party Use an existing interface Use a special-purpose interface Analyze which work, and which don’t Identify pros and cons of each

17 K Priv An Invalid Solution K Priv Sign (), K Priv Nonce K Pub HWViolation!HWViolation!

18 High-Level Goal Establish a secure channel to the local TPM –Channel must provide authenticity & integrity We can instantiate the channel via: –Cryptography –Hardware

19 K Priv SHA-1(K Pub ) camera… vision… Cryptographic Secure Channels Requires authentic public key (or shared secret) Use Seeing-is-Believing (SiB) [McCune et al., ‘05] –Place a barcode on the PC encoding the TPM’s public key Trust the BIOS –Reboot and trust BIOS to output public key via existing interface

20 Hardware Secure Channels Reuse an existing interface –Existing interfaces do not support direct communication with the TPM Add a special-purpose interface –Reduces opportunities for user error –Makes manufacturers unhappy

21 Choosing a Solution After analyzing 10 potential solutions, none is entirely satisfactory Preferred solutions: –Short-term: Seeing-is-Believing –Long-term: Special-purpose Interface

22 Related Work Device Pairing –Typically assumes both devices are trusted Kiosk Computing [Garriss et al., ‘08] –Even more difficult, since hardware integrity may not be guaranteed Secure Object Identification [Alkassar et al., ‘03], [Brands & Chaum ‘94] –Solutions inappropriate to TPM setting

23 Conclusions Trust in your local computer is critical Due to the cuckoo attack, current techniques cannot bootstrap trust Changes are needed to make useful security guarantees

24 Thanks!

25 A Bit of Ornithology

26 TCG Trusted Platform Module (TPM) RandomNumberGenerator CryptoRSA Non-VolatileStorage (EK, AIK, SRK) KeyGeneration PlatformConfiguration Register (PCR) LPC bus SecureHashSHA-1 I/O DIP Packaging or integrated into SuperIO

27 TPM PCRs: K -1 … 000 Shim S S Inputs Outputs Attestation What code are you running? Shim S S Inputs Outputs Sign (), K -1 Sign ), K -1 … OS App S S 5 App 5 App 4 App 4 App 3 App 3 App 2 App 2 App 1 App 1 ( Versus

28 Basic TPM Functions PCRs store integrity measurement chain –PCR new = SHA-1(PCR old ||measurement) Secure storage for Storage Root Key K -1 SRK Manufacturer certificate, e.g., {K TPM }K -1 IBM Remote attestation (PCRs + AIK) –Attestation Identity Keys (AIKs) for signing PCRs –Attest to value of integrity measurements to remote party Sealed storage (PCRs + SRK) –Protected storage + unlock state under a particular integrity measurement (data portability concern)

29 Platform Attestation TPM can attest to contents of PCRs to remote entity Each TPM has a unique public endorsement key (EK) which is under control of the owner (enable/disable) EK enables machine identification, manufacturer does not keep EK, only certifies it Multiple attestation identity keys (AIK) generated by the TPM, AIK is not tied endorsement key TPM_Quote operation is used to sign a PCR N..M value under a specified AIK I Simplified attestation protocol –Verifier  Platform: Attestation request, nonce –Platform  Verifier: {nonce, PCR N..M } AIK -1

30 A Logical Framework

31 Analyzing the Attack Paper develops a logical framework for bootstrapping trust –Allows precise characterization of the attack Framework identifies which solutions work, and which do not

32 Physical Security Trusted Hardware Trusted Software