Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trusted Computing and SGX

Published byMarjorie Skinner Modified over 8 years ago

Similar presentations

Presentation on theme: "Trusted Computing and SGX"— Presentation transcript:

1 Trusted Computing and SGX
CS155, Spring 2016 Trusted Computing and SGX

2 TCG: Background TCG consortium. Founded in 1999. Lots of companies.
Goals: Hardware protected (encrypted) storage: Only “authorized” software can decrypt data e.g.: protecting key for decrypting file system ⇒ only “authorized” software can boot Attestation: Prove to remote server what software started on my machine.

3 TCG: changes to the PC Extra hardware: Trusted Platform Module (TPM) chip (33Mhz) Available on many laptops Software changes: Hardware layer: BIOS, EFI (UEFI) Software: OS and apps

4 Trusted Computing What is the TPM?

5 Non Volatile Storage (> 1280 bytes)
Components on TPM chip Non Volatile Storage (> 1280 bytes) Other Junk PCR Registers (≥16 registers) I/O Crypto Engine: RSA, SHA256, HMAC, RNG RSA: , bit modulus SHA256: Outputs 32 byte digest

6 Non-volatile storage 1. Endorsement Key (EK) (2048-bit RSA)
Created at manufacturing time. Cannot be changed. Used for “attestation” (described later) 2. Storage Root Key (SRK) (2048-bit RSA) Used for encrypted storage. Created after running TPM_TakeOwnership( OwnerPassword, … ) Can be cleared later with TPM_ForceClear from BIOS 3. OwnerPassword (160 bits) and persistent flags Private: EK, SRK, and OwnerPwd never leave the TPM TPM_ForceClear requires “proof of presence,” namely holding down the Fn key

7 PCR: the heart of the matter
PCR: Platform Configuration Registers Many PCR registers on chip (at least 16) Contents: 32-byte SHA256 digest (+junk) Updating PCR #n : TPM_Extend(n,D): PCR[n] ⟵ SHA256 ( PCR[n] ll D ) TPM_PcrRead(n): returns value(PCR(n)) PCRs initialized to default value (e.g. 0) at boot time TPM_SaveState stores PCR values in NV-RAM

8 Using PCRs: the TCG boot process (SRTM)
On power-up: TPM receives a TPM_Init signal from LPC bus. BIOS boot block executes: Calls TPM_Startup (ST_CLEAR) to initialize PCRs to 0 [can only be called once after TPM_Init] Calls PCR_Extend( n, <BIOS code> ) Then loads and runs BIOS post boot code BIOS executes: Calls PCR_Extend( n, <MBR code> ) Then runs MBR (master boot record), e.g. GRUB. MBR executes: Calls PCR_Extend( n, <OS loader code, config> ) Then runs OS loader … and so on 1. TMP_Startup: does one of three things: (1) deactivates TPM, (2) resets PCRs, or (3) restores PCR values from data created with TPM_SaveState --- used for resume 2. TPM_Startup can only be called once after power-up (sets postInitialise flag to True) 3. Note: MBR is GRUB Stage 1

9 In a diagram After boot, PCRs contain hash chains of booted software
Hardware BIOS boot block OS loader BIOS OS Application Root of trust in integrity measurement measuring TPM Extend PCR Root of trust in integrity reporting After boot, PCRs contain hash chains of booted software Collision resistance of SHA256 ensures commitment Single PCR can identify entire platform

10 Example: Trusted GRUB Credit: IBM 2005 PCR # to use and what to measure is specified in GRUB config file

11 The main point After boot completes, PCR registers measure the entire software stack that booted on the machine: BIOS and hardware configuration Boot loader and its configuration Operating system Running apps

12 What would go wrong if TPM_Startup (ST_CLEAR) could be called at any time after boot?
Malicious OS could reset PCRs post-boot and then set them to a valid OS hash. PCRs would then look as if valid OS loaded.

13 TPM Counters TPM must support at least four hardware counters
Increment rate: every 5 seconds for 7 years. Applications: Provide time stamps on blobs. Supports “music will pay for 30 days” policy.

14 Trusted Computing Using PCRs after boot

15 Using PCRs after boot Application: encrypted (a.k.a sealed) storage.
Setup step 1: TPM_TakeOwnership( OwnerPassword, … ) Creates 2048-bit RSA Storage Root Key (SRK) on TPM Cannot run TPM_TakeOwnership again without OwnerPwd: Ownership Enabled Flag ⟵ False Done once by IT department or laptop owner. (optional) Step 2: TPM_CreateWrapKey / TPM_LoadKey Create more RSA keys on TPM protected by SRK Each key identified by 32-bit keyhandle OwnerPassword can later be used to change owner and remove SRK SRK key handle ID is 0x

16 Implementing Protected Storage
TPM_Seal: Encrypt data using RSA key on TPM. (some) Arguments: keyhandle: which TPM key to encrypt with KeyAuth: Password for using key `keyhandle’ PcrValues: PCRs to embed in encrypted blob (named by PCR num.) data block: at most 256 bytes [e.g. an AES key] Returns encrypted blob. Main point: blob can only be decrypted with TPM_Unseal when PCR-reg-vals = PCR-vals in blob. TPM_Unseal fails otherwise TPM_Seal: allows to specify arbitrary PCR values for unseal.

17 Protected Storage Embedding PCR values in blob ensures that only specific apps can decrypt data. Changing MBR or OS kernel will change PCR values ⇒ data cannot be decrypted

18 Sealed storage: applications
Lock software on machine: Suppose OS and apps are sealed with MBRs PCR value Any changes to MBR will prevent sealed OS from loading Prevents modifying or inspecting OS (or loading other OS) Web server: seal server’s SSL private key Goal: only unmodified Apache can access SSL key Problem: updates to Apache or Apache config

19 Example: BitLocker drive encryption
tpm.msc: utility to manage TPM (e.g TakeOwnership) Auto generates 160-bit OwnerPassword Stored on TPM and in file computer_name.tpm Volume Master Key (VMK) encrypts disk volume key VMK is sealed (encrypted) under TPM SRK using BIOS, extensions, and optional ROM (PCR 0 and 2) Master boot record (MBR) (PCR 4) NTFS Boot Sector and block (PCR 8 and 9) NTFS Boot Manager (PCR 10), and BitLocker Access Control (PCR 11) Configurable PCR policy: user can choose what PCRs to use. The PCRs described above are the default policy.

20 BitLocker Many options for VMK recovery: disk, USB, paper (enc. with pwd) Recovery needed after legitimate system change: Moving disk to a new computer Replacing system board containing TPM Clearing TPM (with TPM_ForceClear) At system boot (before OS boot) Optional: OS loader requests PIN or USB key from user TPM unseals VMK, only if PCR and PIN are correct Dictionary attack mitigation by locking up or slowing down response after several failures.

21 Suppose BIOS code is updated by a firmware update.
How would the system enable access to blobs previously sealed to current BIOS version? Patch process must re-seal all blobs with new PCR values

22 Trusted Computing Security?

23 Security? [Kauer 2007] Attack 1: reset TPM after boot with a wire
Connect LRESET pin to ground -- mimics TPM_Init on LPC bus then extend PCRs arbitrarily Harder in TPM 2.0 due to “locality” Attack 2: block TPM until after boot, then extend PCRs arbitrarily Root of trust: BIOS boot block resets PCRs (calls TPM_Startup) Defeated with one byte change to BIOS boot block !! K’07: Kauer, Usenix Security 2007. Locality: starts at 4, and once decremented can’t be incremented. CPU sends locality with every instruction to TPM. After boot locality is low and therefore CPU cannot extend pre-boot PCRs. But attack is still possible by directly sending commands on LPC bus.

24 Better root of trust DRTM – Dynamic Root of Trust Measurement
AMD: skinit Intel: senter Atomically does: Reset CPU. Reset PCR 17 to 0. Load the given Secure Loader (SL) code into I-cache (locked) Extend PCR 17 with SL Jump to SL BIOS boot loader is no longer root of trust. Processor microcode is. Avoids TPM_Init attack: TPM_Init sets PCR 17 to -1

25 Other problems Roll-back attack on encrypted blobs
Example: undo security patches without being noticed. Can be mitigated using Data Integrity Regs. (DIR) Need OwnerPassword to write DIR, anyone can read Stored in NV-RAM

26 Trusted Computing Attestation

27 Attestation: what it does
Goal: prove to remote party what software loaded on my machine Good applications: Bank allows money transfer only if customer’s machine runs “up-to-date” OS patches Enterprise allows laptop to connect to its network only if laptop runs “authorized” software Gamers can join network only if their game client is unmodified DRM: MusicStore sells content for authorized players only.

28 Attestation: how it works
Recall: EK private key on TPM. Cert for EK public-key issued by TPM vendor. Step 1: Create Attestation Identity Key (AIK) Details not important here AIK Private key known only to TPM AIK public cert issued only if EK cert is valid TPM can store multiple AIKs (for multiple identities)

29 Attestation: how it works
Step 2: sign PCR values (after boot) with TPM_Quote. Arguments: keyhandle: which AIK key to sign with KeyAuth: Password for using key `keyhandle’ PCR List: Which PCRs to sign. Challenge: 20-byte challenge from remote server Prevents replay of old signatures. Userdata: additional data to include in sig. Returns signed data and signature. TPM_Quote actually doesn’t take usedata argument. Instead one could do chal = Hash(chal,user-data)

30 Attestation: how it works
Attestation Request (20-byte challenge) Generate pub/priv key pair TPM_Quote(AIK, PcrList, chal, pub-key) Obtain cert App (SSL) Key Exchange using Cert Validate: Cert issuer, PCR vals in cert OS Communicate with app using SSL tunnel TPM Remote Server PC Attestation typically includes key-exchange App must be isolated from rest of system Focus on interactive applications such as online games and network access control. For non interactive applications (e.g. music distribution) there is no need for an SSL key exchange since pub-key is quoted.

31 What would go wrong if communication between app
What would go wrong if communication between app. and server were done in the clear? User can reboot machine after attestation and run arbitrary software pretending to be app.

32 Attestation: challenges
Trusted Computing Attestation: challenges

33 1. Attesting to Current State
Attestation only attests to what code was loaded. Does not say whether running code has been compromised. Problem: what if Quake vulnerability exploited after attestation took place? Can we attest to the current state of a running system? … or is there a better way?

34 2. Encrypted viruses Suppose malicious music file exploits bug in video player. Video file is encrypted. TCG prevents anyone from getting video file in the clear. Can anti-virus companies study virus without seeing its code in the clear? How would you solve this?

35 3. TPM Compromise Suppose one TPM Endorsement Private Key is exposed
Destroys all attestation infrastructure: Embed private EK in TPM emulator. Now, can attest to anything without running it. ⇒ Certificate Revocation is critical for TCG Attestation.

36 Intel SGX

37 SGX: Goals Extension to Intel processors that support:
Enclaves: running code and memory isolated from the rest of system Attestation: prove to local/remote system what code is running in enclave Minimum TCB: only processor is trusted nothing else: DRAM and peripherals are untrusted ⇒ all writes to memory must be encrypted

38 Applications Server side: Storing a Web server HTTPS secret key
secret key only opened inside of an enclave malware cannot get the key Running a private job in the cloud: job runs in enclave Cloud admin cannot get code or data of job Client side: Hide anti-virus (AV) signatures: AV signatures are only opened inside an enclave not exposed to adversary in the clear

39 An application defines part of itself as an enclave
How does it work? An application defines part of itself as an enclave Untrusted part Application

40 An application defines part of itself as an enclave
How does it work? An application defines part of itself as an enclave Untrusted part Enclave create enclave (isolated memory) Application

41 An application defines part of itself as an enclave
How does it work? An application defines part of itself as an enclave Untrusted part Enclave enclave code runs using enclave data create enclave call TrustedFun 67g35bd954bt Application

42 An application defines part of itself as an enclave
How does it work? An application defines part of itself as an enclave Untrusted part Enclave enclave data only accessible to code in enclave create enclave call TrustedFun 67g35bd954bt Application

43 How does it work? Part of process memory holds the enclave: low
high app code enclave code enclave data OS Process memory

44 Creating an enclave: new instructions
ECREATE: establish memory address for enclave EADD: copies memory pages into enclave EEXTEND: computes hash of enclave contents (256 bytes at a time) EINIT: verifies that hashed content is properly signed if so, initializes enclave (signature = RSA-3072) EENTER: call a function inside enclave EEXIT: return from enclave

45 Provisioning enclave with secrets: attestation
The problem: enclave is in the clear prior to activation (EINIT) How to get secrets into enclave? Remote Attestation (simplified): E(pk, data) report: contains hash(code) pk, sk Intel’s app enclave pk, report enclave data Intel’s quoting enclave cert = [pk, report] validate cert

46 Summary SGX: a powerful architecture for managing secret data
Enables processing of data that cannot be read by anyone, except for code running in enclave Minimal TCB: nothing trusted except for x86 processor Not suitable for legacy applications

47 THE END

Download ppt "Trusted Computing and SGX"

Similar presentations

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
Eran Tromer Slides credit: Dan Boneh, Stanford course CS155

Eran Tromer Slides credit: Dan Boneh, Stanford course CS155
Trusted Platform Module

Trusted Platform Module
Rambling on the Private Data Security

Rambling on the Private Data Security
Vpn-info.com.

Vpn-info.com.
Secure storage Papers AES-CBC + Elephant diffuser A Disk Encryption Algorithm for Windows Vista Niels Ferguson, Microsoft,

Secure storage Papers AES-CBC + Elephant diffuser A Disk Encryption Algorithm for Windows Vista Niels Ferguson, Microsoft,
 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.

 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.
Eran Tromer Slides credit: Dan Boneh, Stanford

Eran Tromer Slides credit: Dan Boneh, Stanford
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Hardware Security: Trusted Platform Module Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources.

Hardware Security: Trusted Platform Module Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources.
1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.

1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.
1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.

1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Trusted Disk Loading in the Emulab Network Testbed Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci 1.

Trusted Disk Loading in the Emulab Network Testbed Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci 1.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.
Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.

Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.
Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.

Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.
SEC316: BitLocker™ Drive Encryption

SEC316: BitLocker™ Drive Encryption
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Similar presentations

Ads by Google