Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Information Security 0368-3065, Spring 2015 Lecture 9: Low-level platform attacks, Trusted platform, TCP/IP security (1/2) Eran Tromer.

Published byMorris Green Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction to Information Security 0368-3065, Spring 2015 Lecture 9: Low-level platform attacks, Trusted platform, TCP/IP security (1/2) Eran Tromer."— Presentation transcript:

1 Introduction to Information Security , Spring Lecture 9: Low-level platform attacks, Trusted platform, TCP/IP security (1/2) Eran Tromer Slides credit: Dan Boneh, Stanford Itamar Gilad and Nir Krakowsky and Avishai Wool, Tel Aviv University Steve Weiss, PrivateCore

2 Boot sequence / virtualization
BIOS CIH (1998): CIH virus corrupts system BIOS Heasman (2007): System Management Mode (SMM) “rootkit” via EFI invisible to OS and VMM Sacco, Ortega (2009): infect BIOS LZH decompressor OS loading Master Boot Record / Boot Sector Virtualization: Subvirt, Blue Pill

3 Hardware implants Malware in firmware, persists across OS reinstall
Hard disks Keyboard controllers PCI/PCIe cards Direct Memory Access (DMA) by PCI/PCIe cards and Firewire/Thunderbolt peripherals Countermeasure: IOMMU (e.g., Intel VT-D) Countermeasure: Software Guard Extensions (SGX) encrypts memory All practical and used (leaked “ANT” catalog of the National Security Agency) See talk by Steve Weiss at Black Hat

4 SMM attack

5 Hard disk firmware attack

6 PXIe card attack Intelligent Network Adapter Boots independently of host Exfiltrates data over network

7 Physical memory extraction
Memory bus analyzer Freeze the state of volatile DRAM and read it on a different machine Cold boot attack (literally freeze) Keep power using capacitor

8 DRAM memory bus analyzers

9 Trusted Platforms via Trusted Computing Architecture

10 Background TCG consortium. Founded in 1999 as TCPA.
Main players (promoters): (>200 members) AMD, HP, IBM, Infineon, Intel, Lenovo, Microsoft, Sun Goals: Hardware protected (encrypted) storage: Only “authorized” software can decrypt data e.g.: protecting key for decrypting file system Secure boot: method to “authorize” software Attestation: Prove to remote server what software is running on my machine.

11 TCG: changes to PC Extra hardware: TPM
Trusted Platform Module (TPM) chip Single 33MhZ clock. TPM Chip vendors: (~.3$) Atmel, Infineon, National, STMicro Intel D875GRH motherboard Software changes: BIOS, EFI (UEFI) OS and Apps 7$ for TPM from National Semiconductors (per 1000 units)

12 TPMs in the real world TPMs widely available on laptops, desktops and some servers Software using TPMs: File/disk encryption: BitLocker, IBM, HP, Softex Attestation for enterprise login: Cognizance, Wave Client-side single sign on: IBM, Utimaco, Wave

13 What the TPM does How to use it
TPM Basics What the TPM does How to use it

14 Non Volatile Storage (> 1280 bytes)
Components on TPM chip Non Volatile Storage (> 1280 bytes) Other Junk PCR Registers (16 registers) LPC bus I/O API calls Crypto Engine: RSA, SHA-1, HMAC, RNG RSA: , bit modulus SHA-1: Outputs 20 byte digest

15 Non-volatile storage 1. Endorsement Key (EK) (2048-bit RSA)
Created at manufacturing time. Cannot be changed. Used for “attestation” (described later) 2. Storage Root Key (SRK) (2048-bit RSA) Used for implementing encrypted storage Created after running TPM_TakeOwnership( OwnerPassword, … ) Can be cleared later with TPM_ForceClear from BIOS 3. OwnerPassword (160 bits) and persistent flags Private EK, SRK, and OwnerPwd never leave the TPM TPM_ForceClear requires “proof of presence,” namely holding down the Fn key

16 PCR: the heart of the matter
PCR: Platform Configuration Registers Lots of PCR registers on chip (at least 16) Register contents: 20-byte SHA-1 digest (+junk) Updating PCR #n : TPM_Extend(n,D): PCR[n]  SHA-1 ( PCR[n] || D ) TPM_PcrRead(n): returns value(PCR(n)) PCRs initialized to default value (e.g. 0) at boot time TPM can be told to restore PCR values in NVRAM via TPM_SaveState and TPM_Startup(ST_STATE) for system suspend/resume TPM_SaveState stores PCR values in NV-RAM

17 Using PCRs during the boot process
BIOS boot block executes Calls TPM_Startup (ST_CLEAR) to initialize PCRs to 0 Calls PCR_Extend( n, <BIOS code> ) Then loads and runs BIOS post boot code BIOS executes: Calls PCR_Extend( n, <MBR code> ) Then runs MBR (master boot record), e.g. GRUB. MBR executes: Calls PCR_Extend( n, <OS loader code, config> ) Then runs OS loader … and so on 0. During boot TPM receives a TPM_Init signal from LPC bus 1. TMP_Startup: does one of three things: (1) deactivates TPM, (2) resets PCRs, or (3) restores PCR values from data created with TPM_SaveState --- used for resume 2. TPM_Startup can only be called once after power-up (sets postInitialise flag to True) 3. Note: MBR is GRUB Stage 1

18 Boot process with TPM Hardware BIOS boot block OS loader BIOS MBR Application OS Root of trust in integrity measurement measuring TPM Extend PCR Root of trust in integrity reporting After boot, PCRs contain hash chain of booted software Reliable summary of the current platform, assuming: Every step correctly “measures” the next one (and in particular has no vulnerabilities that circumvent measurement) The BIOS boot block is not compromised The PCR initialized to 0 and is modified only by extending it Collision resistance of SHA-1 Single PCR can identify entire platform

19 Example: Trusted GRUB (IBM’05)
What PCR # to use and what to measure specified in GRUB config file

20 Using PCR values after boot
Application 1: encrypted (a.k.a sealed) storage. Step 1: TPM_TakeOwnership( OwnerPassword, … ) Creates 2048-bit RSA Storage Root Key (SRK) on TPM Cannot run TPM_TakeOwnership again without OwnerPwd: Ownership Enabled Flag  False Done once by IT department or laptop owner. (optional) Step 2: TPM_CreateWrapKey / TPM_LoadKey Create more RSA keys on TPM protected by SRK Each key identified by 32-bit keyhandle OwnerPassword can later be used to change owner and remove SRK SRK key handle ID is 0x

21 Protected Storage Main Step: Encrypt data using RSA key on TPM
TPM_Seal (some) Arguments: keyhandle: which TPM key to encrypt with KeyAuth: Password for using key `keyhandle’ PcrValues: PCRs to embed in encrypted blob data block: at most 256 bytes (2048 bits) Used to encrypt symmetric key (e.g. AES) Returns encrypted blob. Main point: blob can only be decrypted with TPM_Unseal when PCR-reg-vals = PCR-vals in blob. TPM_Unseal will fail othrewise TPM_Seal: allows to specify arbitrary PCR values for unseal.

22 Protected Storage Embedding PCR values in blob ensures that only certain apps can decrypt data. e.g.: Messing with MBR or OS kernel will change PCR values.

23 Sealed storage: applications
Lock software on machine: OS and apps sealed with MBR’s PCR. Any changes to MBR (to load other OS) will prevent locked software from loading. Prevents tampering and reverse engineering Web server: seal server’s SSL private key Goal: only unmodified Apache can access SSL key Problem: updates to Apache or Apache config General problem with software upgrades/patches: Upgrade process must re-seal all blobs with new PCRs

24 Security? Resetting TPM after boot
Attacker can disable TPM until after boot, then extend PCRs arbitrarily (one-byte change to boot block) [Kauer 07] Software attack: send TPM_Init on LPC bus allows calling TPM_Startup again (to reset PCRs) Simple hardware attack: use a wire to connect TPM reset pin to ground Once PCRs are reset, they can be extended to reflect a fake configuration. Rollback attack on encrypted blobs undo security patches Klauser 07: Kauer, Usenix Security 2007. Need owner password to write to DIR. Anyone can read DIR. Stored in NV RAM.

25 Better root of trust Late launch: securely load OS/VMM, even on a potentially-compromised machine DRTM – Dynamic Root of Trust Measurement New CPU instruction: Intel TXT: SENTER AMD: SKINIT Atomically does: Reset CPU. Reset PCR 17 to 0. Load given Secure Loader (SL) code into I-cache Extend PCR 17 with SL Jump to SL BIOS boot loader is no longer root of trust Avoids TPM_Init attack: TPM_Init sets PCR 17 to

26 Protecting code on an untrusted platform
Can we run sensitive code on a potentially-compromised platform, without rebooting/replacing it? Many ways to read and corrupt code! Secure enclave using hardware Possible with SENTER/SKINIT but cumbersome (Flicker project) Intel Software Guard Extensions (SGX) ARM TrustZone Cryptography Fully-homomorphic encryption encryption Succinct zero-knowledge proofs (SNARKs) and Proof-Carrying Data

27 Attestation

28 Attestation: what it does
Goal: prove to remote party what software is running on my machine. Good applications: Bank allows money transfer only if customer’s machine runs “up-to-date” OS patches. Enterprise allows laptop to connect to its network only if laptop runs “authorized” software Quake players can join a Quake network only if their Quake client is unmodified. DRM: MusicStore sells content for authorized players only.

29 Attestation: how it works
Recall: EK private key on TPM. Cert for EK public-key issued by TPM vendor. Step 1: Create Attestation Identity Key (AIK) Involves interaction with a trusted remote issuer to verify EK Generated: AIK private+public keys, and a certificate signed by issuer TPM can store multiple AIKs (for multiple identities)

30 Attestation: how it works
Step 2: sign PCR values (after boot) Call TPM_Quote (some) Arguments: keyhandle: which AIK key to sign with KeyAuth: Password for using key `keyhandle’ PCR List: Which PCRs to sign. Data Challenge string from remote server (prevents replay of old signatures) Additional user data to sign Returns signed data and signature.

31 Using attestation (to establish an SSL tunnel)
Attestation Request (20-byte challenge) Generate pub/priv key pair TPM_Quote(AIK, PcrList, chal, pub-key) Send pub-key and certs App (SSL) Key Exchange using Cert Validate: Certs PCR vals Challenge OS Communicate with app using SSL tunnel Focus on interactive applications such as Quake and network access control. For non interactive applications (e.g. music distribution) there is no need for an SSL key exchange since pub-key is quoted. TPM Remote Server PC Attestation must include key-exchange App must be isolated from rest of system

32 TCP/IP security

33 Internet Infrastructure
Backbone ISP ISP Local and interdomain routing TCP/IP for routing and messaging BGP for routing announcements DNS (Domain Name System DNS) Find IP address from domain name

34 Application message - data
TCP/IP Packets TCP Header Application Application message - data message Transport (TCP, UDP) segment TCP data TCP data TCP data Network (IP) packet IP TCP data Link Layer frame ETH IP TCP data ETF IP Header Link (Ethernet) Header Link (Ethernet) Trailer

35 Inside a LAN: Layer 2 issues - ARP

36 Addressing in Layer 2 / Layer 3
Layer 3 (IP) IP Address 32 bits long Layer 2 (MAC) MAC address 48 bits long How to translate from IP address to MAC address? “Layer 2.5” protocol : ARP

37 ARP (Address Resolution Protocol)
ARP request – broadcast to all stations on LAN Computer A asks the network, "Who has this IP address?“

38 ARP(2) ARP reply Computer B tells Computer A, "I have that IP. My Physical Address is [whatever it is].“

39 Cache Table Every computer stores the translations it knows in a “cache” To view: “arp –a”

40 ARP Poisoning To avoid making an ARP request before sending every IP packet, each host has a local cache. Another trick to avoid excessive ARP requests, is that every host will send a broadcast ARP reply when it comes online / every interval, to let everyone know its MAC address (known as “Gratuitous ARP”) Most implementations are state-less by design, and will happily store ARP replies even if they didn’t issue a request (for reasons stated above) Result – everyone on the local network can impersonate any other host, by sending a malicious ARP reply in their name.

41 ARP Poisoning Simplicity also leads to insecurity Attacks
No Authentication ARP provides no way to verify that the responding device is really who it says it is Stateless protocol Attacks Denial of Service (DoS) Hacker can easily associate an operationally significant IP address to a false MAC address Man-in-the-Middle Intercept network traffic between two devices in your network

42 Man-In-The-Middle: poison #1

43 Man-In-The-Middle: poison #2

44 Man-In-The-Middle: success!

45 Promiscuous mode Normally, the network card will listen to every incoming packet, and discard any packet whose destination MAC address is not its own. When someone is running a sniffer, they’ll want to capture as much information as possible about the network. Network cards can support this by going into what’s called “Promiscuous mode” – where every packet received is sent to the OS for further processing.

46 Detecting Promiscuous Hosts
We want to detect if someone on our network is using a sniffer in promiscuous mode. The trick – Send out a ping request with the wrong destination MAC address, but the right IP target (or broadcast). Regular hosts will discard the packet, but anyone in promiscuous mode will reply, since the IP target was valid

47 Layer 3 issues - IP

48 Internet Protocol Connectionless Notes: IP Unreliable Best effort
Version Header Length Type of Service Total Length Identification Flags Time to Live Protocol Header Checksum Source Address of Originating Host Destination Address of Target Host Options Padding IP Data Fragment Offset Connectionless Unreliable Best effort Notes: src and dest ports not parts of IP header

49 IP Routing Typical route uses several hops
Meg Office gateway Source Destination Packet Tom ISP Typical route uses several hops IP: no ordering or delivery guarantees

50 IP Protocol Functions (Summary)
Routing IP host knows location of router (gateway) IP gateway must know route to other networks Fragmentation and reassembly If max-packet-size less than the user-data-size Error reporting ICMP packet to source if packet is dropped TTL field: decremented after every hop Packet dropped if TTL=0. Prevents infinite loops.

51 Basic IP tools

52 “IP spoofing”: no src IP authentication
Client is trusted to embed correct source IP Easy to override using raw sockets SCAPY, libnet: tools for formatting raw packets with arbitrary IP headers Anyone who owns their machine can send packets with arbitrary source IP … response will be sent back to forged source IP Implications: Anonymous DoS attacks Anonymous infection attacks (e.g. slammer worm)

53 Routing Vulnerabilities

54 Autonomous System (AS)
Interdomain Routing earthlink.net Stanford.edu BGP Autonomous System (AS) OSPF: open shortest path first connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain) OSPF

55 Routing Vulnerabilities
Routing protocols: OSPF: used for routing within an AS BGP: routing between ASs Attacker can cause entire Internet to send traffic for a victim IP to attacker’s address. Some examples: 2008: YouTube IP address space redirected to Pakistan (censorship done wrong…) 2010: Chinese IP publishes 37,000 prefixes covering many many major websites OSPF: open shortest path first

56 Whois: IP/Domain/AS information

57 BGP example [D. Wetherall]
3 3 2 7 6 2 7 4 1 2 7 5 2 6 5 8 2 6 5 7 5 6 7

58 BGP Security Issues BGP path attestations are un-authenticated
Attacker can inject advertisements for arbitrary routes Advertisement will propagate everywhere Used for DoS, spam, and eavesdropping Human error problems: Mistakes quickly propagate to the entire Internet Not quite as bad it as it could be because BGP operators are a “closed club” with selective acceptance and some internal sanctions.

Download ppt "Introduction to Information Security 0368-3065, Spring 2015 Lecture 9: Low-level platform attacks, Trusted platform, TCP/IP security (1/2) Eran Tromer."

Similar presentations

Eran Tromer Slides credit: Dan Boneh, Stanford course CS155

Eran Tromer Slides credit: Dan Boneh, Stanford course CS155
Vpn-info.com.

Vpn-info.com.
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
Eran Tromer Slides credit: Dan Boneh, Stanford

Eran Tromer Slides credit: Dan Boneh, Stanford
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.

1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.
1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.

1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.

Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.
Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.

Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.
Chapter 5 The Network Layer.

Chapter 5 The Network Layer.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
TCG: Trusted Computing Group CS 155 Spring 2007 Dan Boneh.

TCG: Trusted Computing Group CS 155 Spring 2007 Dan Boneh.
ITIS 6167/8167: Network and Information Security Weichao Wang.

ITIS 6167/8167: Network and Information Security Weichao Wang.
Defining Network Protocols Application Protocols –Application Layer –Presentation Layer –Session Layer Transport Protocols –Transport Layer Network Protocols.

Defining Network Protocols Application Protocols –Application Layer –Presentation Layer –Session Layer Transport Protocols –Transport Layer Network Protocols.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)

IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)

Similar presentations

Ads by Google