1. 1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007

2. 2 CPU, RAM TPM, Chipset CPU, RAM TPM, Chipset Trusted Computing Base (TCB) DMA Devices (Network, Disk, USB, etc.) OS App S S 1 … DMA Devices (Network, Disk, USB, etc.) OS App 1 … S S Shim

3. 3 Contributions Isolate security-sensitive code execution from all other code and devices Attest to security-sensitive code and its arguments and nothing else Convince a remote party that security- sensitive code was protected Add < 250 LoC to the software TCB Shim S S Software TCB < 250 LoC

4. 4 TPM Background The Trusted Platform Module (TPM) is a dedicated security chip It can provide an attestation to remote parties –Platform Configuration Registers (PCRs) summarize the computer’s software state –TPM provides a signature over PCR values TPM spec v1.2 includes dynamic PCRs –Values can be reset without a reboot

5. 5 Late Launch Background Supported by new commodity CPUs –SVM for AMD –TXT (formerly LaGrande) for Intel Designed to launch a VMM without a reboot –Hardware-based protections ensure launch integrity New CPU instruction (SKINIT/SENTER) accepts a memory region as input and atomically: –Resets dynamic PCRs –Disables interrupts –Extends a measurement of the region into PCR 17 –Begins executing at the start of the memory region

6. 6 Adversary Capabilities Run arbitrary code with maximum privileges Subvert any DMA- enabled device –E.g., network cards, USB devices, hard drives Perform limited hardware attacks –E.g., power cycle the machine –Excludes physically monitoring/modifying CPU- to-RAM communication CPU, RAM TPM, Chipset DMA Devices (Network, Disk, USB, etc.) OS App 1 … Shim S S

7. 7 Architecture Overview Core technique –Pause current execution environment –Execute security-sensitive code with hardware- enforced isolation –Resume previous execution Extensions –Preserve state securely across invocations –Attest only to code execution and protection –Establish secure communication with remote parties

8. 8 Execution Flow TPM PCRs: K -1 729 … 000 CPU OS App Shim S S Module RAM OS App Module SKINIT Reset Inputs Outputs Module 0h0 0H00 Shim S S 000

9. 9 TPM PCRs: 0 K -1 … TPM PCRs: K -1 … 000 Shim S S Inputs Outputs Attestation

10. 10 TPM PCRs: K -1 … 000 Shim S S Inputs Outputs Attestation What code are you running? Shim S S Inputs Outputs Sign (), K -1 Sign ), K -1 … OS App S S 5 App 5 App 4 App 4 App 3 App 3 App 2 App 2 App 1 App 1 ( Versus

11. 11 Potential Applications Server applications –Password authentication, SSL keys, Certificate Authority (CA), etc. Verifiable distributed computing –SETI@Home, Folding@Home, distcc, etc. Client-side applications –Secure password entry

12. 12 Ongoing Work Extracting security-sensitive code from existing applications Containing malicious or malfunctioning security-sensitive code Coping with slow security-sensitive code Creating a trusted path to the user

13. 13 Related Work Secure coprocessors –Dyad [Yee 1994], IBM 4758 [JiSmiMi 2001] System-wide attestation –Secure Boot [ArFaSm 1997], IMA [SaZhJaDo 2004], Enforcer [MaSmWiStBa 2004] VMM-based isolation –BIND [ShPeDo2005], AppCores [SiPuHaHe 2006], Trustworthy Kiosks [GaCáBeSaDoZh 2006], Proxos [TaLiLi 2006]

14. 14 Conclusions Explore how far an application’s TCB can be minimized Isolate security-sensitive code execution Provide fine-grained attestations Allow application writers to focus on the security of their own code

15. 15 Thank you! parno@cmu.edu