Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trustworthy Computing Trent Jaeger February 18, 2004.

Published byJayson Chambers Modified over 9 years ago

Similar presentations

Presentation on theme: "Trustworthy Computing Trent Jaeger February 18, 2004."— Presentation transcript:

1 Trustworthy Computing Trent Jaeger February 18, 2004

2 Systems View -- Current Hardware (CPU, MMU, I/O devices) Operating System Process 1 Web server Process 2 Mail server Process 3 Java VM

3 Systems View -- Target Hardware (CPU, MMU, I/O devices, TPM) Virtualization Layer Web server System (include OS) Mail server System (include OS) Java VM System (include OS)

4 TC Advantages Authentication: Application  Root of trust Access Control: Process separation  System separation Patches/Attestation: Ad hoc  Identify high integrity apps Hardening: Ad hoc  Identify hardened configs Audit: Integrate in OS  See in VMM (e.g., ReVirt) Intrusion Detection: Open to compromise  Protected

5 Bootstrapping a typical PC What can go wrong before the kernel runs? INIT POST BIOS TPM GRUB Stage1 (MBR) GRUB Stage1 (MBR) SELinux Kernel SELinux Kernel Bootloader GRUB Stage1.5 GRUB Stage1.5 Operating System GRUB Stage2 GRUB Stage2 BIOS Extensions BIOS Extensions Flash memoryDisk

6 Boot Guarantees Secure Boot – Ensure only a secure system is booted – Operating system that is bootstrapped is based on a untampered foundation (integrity guarantee) – Initially not a problem, but nowadays field upgradable FLASH memory is used – Arbaugh et al. [1996] state that the integrity of a layer can only be guaranteed if-and-only-if: Base layer is immutable The integrity of the base layer is verified Transition to higher layer only occurs after valid verification Key points – Computer is stopped if secure boot guarantee is violated – Not provable to remote systems

7 Boot Guarantees (con’t) Trusted (Authenticated) Boot – Measure system during boot for remote verification – Operating system is booted based on a measured system (integrity verifiable) – Enable verification of boot: Base layer is immutable The integrity of the base layer is measured Transition to higher layer only occurs after valid measurement – Remote party can verify measurements to determine integrity Key points – Computer is *not* stopped if secure boot guarantee is violated – Provable to remote systems – Requires root of trust

8 Trusted Computing Group TCG (formerly known as TCPA) goal is to add secure platform primitives to each client (now the focus is also on servers, cell phones, PDAs, etc.) Industry consortium by IBM, Intel, HP, Microsoft, … These secure platform primitives include: – Platform integrity measurements – Measurement attestation – Protected storage These can be used to provide trusted boot (as opposed to secure boot) TCG is considered very controversial, but lets defer that discussion until we understand what it is …

9 TCG Trusted Platform Module (TPM) RandomNumberGenerator CryptoRSA Non-VolatileStorage (EK, AIK, SRK) KeyGeneration PlatformConfiguration Register (PCR) LPC bus SecureHashSHA-1 I/O DIP Packaging or integrated into SuperIO

10 Basic TPM Functions Integrity measurements – Enables measurement of the firmware, bootstrap loaders, operating system – Chains measurements to protect their integrity Remote attestation – Constructs statements for remote verification of these integrity measurements Protected storage – Provide “secure” data storage (think smartcard)

11 Platform Integrity Measurements The TPM contains a set of program configuration registers (PCRs) which record integrity measurements Operations on PCRs: – TPM_Extend(N, S):PCR N = SHA1(PCR N | S) – TPM_Read(N):Return contents of PCR N – (only enabled when TPM ownership is established) Core Root of Trust Measurement is immutable Root of trust measurement is bootstrapped from that PCRs cannot be counterfeited, but can be invalidated

12 Linux Trusted Boot Stages Trusted Boot CRTM GRUB Stage1 (MBR) GRUB Stage1 (MBR) SELinux Kernel SELinux Kernel PCR01-07 POST BIOSBootloader ROT GRUB Stage1.5 GRUB Stage1.5 PCR04-05 TPM Operating System JVM MAC Policy DB GRUB Stage2 GRUB Stage2 PCR08-14 conf

13 Platform Attestation TPM contains the ability to attest the contents of a PCR Each TPM has a unique public endorsement key (EK) which is under control of the owner (enable/disable) EK enables machine authentication, attestation = authentication + integrity Multiple attestation identity keys (AIK) generated by the TPM, AIK may not be tied to an endorsement key TPM_Quote operation is used to sign a PCR N..M value under a specified AIK I

14 Protected Storage TPM holds a storage root key (SRK) which is kept within TPM The SRK is used to wrap keys which are kept outside the TPM and are loaded on demand for crypto or attestation Sealed storage, use certain PCR value to unlock protected storage

15 Problems with Integrity Measurements What is the meaning of these aggregate PCR values? How do you handle all the different firmware versions, patches, kernel builds? What does a PCR mean in this context? The TPM_Extend operation assumes a linear ordered execution sequence (true for bootstrap), but how does that work for the OS where the order in which program are started is non-deterministic? This makes PCRs a good mechanism for the owner to verify the integrity of his system (has the bootstrap loader been modified?) In its current form PCRs are less suitable for attestation of complex execution patterns

16 NGSCB Applications Corporate document prepared by a trustworthy program is accessible to game or virus User’s home finance transactions are vulnerable to a Trojan horse Authenticated transactions may be from a person running a trusted program or a subverted program.

17 NGSCB Digital Rights Management In order for a user to download a media file, the media provider wants to verify – that the environment running such programs is trusted not to subvert the program – that the media player is trusted by the provider not to leak the media – that there is a means to prevent leakage of the media when stored

18 NGSCB – Key mechanisms Sealed storage – built on protected storage – Seal(codeID, data) Creates {sealed data, codeID, sealerID} – Seal(otherCodeID, data) – discretionary mechanism – Unseal(sealed data)  data, sealerID (if authorized) Attestation – built on platform attestation – Quote(string)  {string, codeID} signed by TPM – If string is a certificate, then codeID is associated with a private key – A chain of attestations can attest an entire software stack Partitioning – based on special processor hardware (ring -1) Trusted path – based on special hardware DMA control – based on special hardware

19 NGSCB operation TPM – Root of Trust Normal ModeTrusted Mode Nexus Agent Guest OS Drivers Application Trusted Path quote request attest and download seal store seal retrieve unseal

20 NGSCB Issues Upgrades – reseal secrets for new codeID Generic code identity – Interpreter running script  composite codeID Backup – delegate to OS Privacy – hard to misuse data Privacy – easy to learn everything about the platform  third-party identity service providers Known plaintext – randomize sealed values

21 TCG Controversy TCG is considered very controversial because it potentially allows content providers to control clients (DRM enforcement) This takes away the freedom of the user to use the system as it sees fit (it can be used to lock-out GPL software) – Limit GPL by requiring specific customization – Problem if limited number of trusted roots of integrity are permitted A privacy concern is that TCG can be used to track the user – Anonymous user identity certs from Privacy CA Are these concerns valid?

22 TCG Misconceptions The TCG designers have been very aware of the concerns and the TPM focus is that the owner of the machine is in control (this could be an individual or enterprise). The service or content provide does not control the TPM – Although “extend” is always available TPM does not lock-out software, it merely measures it (if enabled) It does allow a service/content provider to not service the machine if the attestation statement does not meet its requirements. Is this very different from current mechanism where each browser sends browser name, OS, version to the web server ?

23 Improving the TCPA (TCG) Preserve Fair Use Rights – TCG-based implementations should support user copying for personal use – Permit users to define their own trusted root for which delegation of sealed storage is possible Control of root certificates – Need for fair use and to facilitate competition Completely disable it Pseudo-identities – Generate new identities  several open research questions

24 Some Personal Observations TCG 1.2 is the basis for Microsoft NGSCB, but TCG != NGSCB As a secure OS builder I like to have secure boot in addition to trusted boot. I want to stop when the bootstrap is compromised because continuing opens up spoofing attacks. The value proposition for TCG is not easy Attestation needs lots of work (looking for a PhD topic?)

25 Terra Architecture Hardware (including TPM) Trusted Virtualization Layer (TVMM) Web client System (Commodity OS) Online Game (Thin OS) Management VM

26 Virtual Machine Architecture Compatibility – Run unmodified OSs Isolation – Individual VMs in own protection domain Extensibility – Of original hardware Efficiency – Virtualizable hardware – Optimized VMMs

27 Terra Architecture Innovations Open/Closed box VMs – Open: general purpose system – Closed: specialized, proprietary system Management VMs – Resource and access control manager, including VMs Security Goals – Root secure: closed-box VM integrity and secrecy – Attestation: Remote authentication of what’s on the closed box – Trusted Path: TVMM provides a trusted path between user and a VM

28 Attestation Chain from TPM to application VM that identifies all components – Attestable parts: all persistent state of VM – Component’s public key and application data Two chains of trust – TPM  application VM – CA  application image Granularity of measurement is VM

29 Security Arguments Management VM – Limited interaction among VMs can be controlled in centralized location – Limited to VM-level resources Assurance – TVMM is small – Closed VMs can be small Attestation – Is a current measurement only – What static guarantees can be assumed?

30 Security Implementations Storage – Encrypted, integrity checked (see sealed storage) – Attested or not Primary identity: VM Secondary identity: firmware and other immutable state Attestation – Divides entities into blocks – verify lazily (optimistic) – VM descriptor is the hash of all hashes – 4GB entity of 4kB blocks  20MB of hashes

31 Terra Interfaces Attestation – Cert  endorse(cert-req) – cert generation – Hash  get-id() – hash of calling VM – Attestation = (cert, hash) signed Management – Dev-id  create-device(type, params) – Connect(dev1, dev2) – Disconnect(dev1, dev2) – Vm-id  create-vm(config) – Attach(vm1, dev1) – Detach(vm1, dev1)

32 Example – Trusted Quake TVMM  VMWare (experimental) – Attestation – virtual serial device in TVMM – No TCPA Secure Storage – Interpose read/write at TVMM – dynamic preload lib – Ahead-of-time attestation of entire VM files – Optimistic attestation as blocks are read (alignment) Quake – Prevent cheating by altered client, server, or data files Trusted Quake – Closed-box VM – limits programs to trusted ones (e.g., no shell) – User-space IPSec implementation provides attestation/key exchange – Data is protected because only attested programs are run and these are trusted

33 Summary Hardware modifications to enable security are here (or are coming) – TCPA, DMA control, Trusted path Enable system measurement and verification – Attestation, sealed storage, system management Other systems – IBM 4758 – secure boot and trusted boot (Smith, ESORICS 2002) – Linux TCPA – driver and measurement infrastructure (IBM Tech Report)

Download ppt "Trustworthy Computing Trent Jaeger February 18, 2004."

Similar presentations

Operating Systems Components of OS

Operating Systems Components of OS
Peer-to-Peer Access Control Architecture Using Trusted Computing Technology Ravi Sandhu and Xinwen Zhang George Mason University SACMAT05, June 1--3, 2005,

Peer-to-Peer Access Control Architecture Using Trusted Computing Technology Ravi Sandhu and Xinwen Zhang George Mason University SACMAT05, June 1--3, 2005,
Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Computing David Grawrock TPM.

Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Computing David Grawrock TPM.
Cobalt: Separating content distribution from authorization in distributed file systems Kaushik Veeraraghavan Andrew Myrick Jason Flinn University of Michigan.

Cobalt: Separating content distribution from authorization in distributed file systems Kaushik Veeraraghavan Andrew Myrick Jason Flinn University of Michigan.
Vpn-info.com.

Vpn-info.com.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.

 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.
Operating-System Structures

Operating-System Structures
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Trustworthy and Personalized Computing Christopher Strasburg Department of Computer Science Iowa State University November 12, 2008.

Trustworthy and Personalized Computing Christopher Strasburg Department of Computer Science Iowa State University November 12, 2008.
1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.

1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.
1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.

1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Enforcement of Security Policy Compliance in Virtual Private Networks Prof. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh

Enforcement of Security Policy Compliance in Virtual Private Networks Prof. José Carlos Brustoloni Dept. Computer Science University of Pittsburgh
Trusted Disk Loading in the Emulab Network Testbed Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci 1.

Trusted Disk Loading in the Emulab Network Testbed Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci 1.
Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.

Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.
Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.

Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.

Similar presentations

Ads by Google