Lecture Embedded System Security Introduction to Trusted Computing

Transcription

1 1 Lecture Embedded System Security Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Summer Term 2015

2 Roadmap: Trusted Computing Motivation Notion of trust Trusted Computing Chain of trust Integrity measurements Slide Nr. 2, Embedded System Security, SS 2015

3 The Big Picture Trustworthiness in distributed IT systems Different parties with potentially conflicting requirements involved Cryptographic methods are of limited help The challenges How to define trustworthiness? How to determine/verify trustworthiness? How could common computing platforms support such functionality? Even a secure OS cannot verify own integrity The role of Trusted Computing Enable the reasoning about trustworthiness of own and other IT systems Slide Nr. 3, Embedded System Security, SS 2015

4 Demand for Trusted Computing Increasing threats for IT systems Malware, phishing, targeted attacks, etc. Inflexibility of traditional secure systems Example: reference monitors Improve security of existing IT systems and infrastructures Servers, PCs, mobile phones, embedded systems, VPN, etc. Enable new applications with sophisticated (security) requirements Slide Nr. 4, Embedded System Security, SS 2015

5 Use-Cases Electronic services Government (e.g., e-voting integrity) Health (e.g., confidentiality of sensitive medical records) Commerce (e.g., enforceability of digital signatures) Online banking Digital/enterprise rights management. Slide Nr. 5, Embedded System Security, SS 2015

6 Roadmap: Trusted Computing Motivation Notion of trust Trusted Computing Chain of trust Integrity measurements Slide Nr. 6, Embedded System Security, SS 2015

7 Notions of Trust

8 Trust Complicated notion Studied and debated in different areas (social sciences, philosophy, psychology, computer science, ) Notion relating to belief in honesty, truthfulness, competence, reliability, etc. of the trusted entity Social trust Belief in the safety or goodness of something because of reputation, association, recommendation, perceived benefit, etc. Slide Nr. 8, Embedded System Security, SS 2015

9 Secure, Trusted, Trustworthy Secure: System or component will not fail with respect to security goals Trusted: System or component whose failure can break the (security) policy (Trusted Computing Base, TCB) Trusted Computing Group (TCG) defines a system as trusted if it always behaves in the expected manner for the intended purpose Trustworthy: Degree to which behavior of a component or system is demonstrably compliant with its stated functionality Slide Nr. 9, Embedded System Security, SS 2015

10 Roadmap: Trusted Computing Motivation Notion of trust Trusted Computing Chain of trust Integrity measurements Slide Nr. 10, Embedded System Security, SS 2015

11 Trusted Platform (Basic Idea) Has trusted components in hardware and software Provides a variety of trusted functions In particular a set of cryptographic and security functions Ideally creates a foundation of trust for software Provides hardware protection for sensitive data Examples: Keys, counters, etc. Desired goals in practice Trusted Computing Base (TCB) should be minimized Compatibility to commodity systems Application Application Application Application Operating System (OS) Hardware OS Hardware Trusted Component Trusted Component Conventional Platform Slide Nr. 11, Embedded System Security, SS 2015 Trusted Platform

12 Problems of Existing IT Systems Insufficient protection in software and hardware of existing computing platforms Malicious code (e.g., viruses, Trojan horses) Runtime attacks (e.g., return-oriented programming) DMA (Direct Memory Access) No secure storage Main reasons High complexity and poor fault isolation of existing operating systems Lack of protection mechanisms in hardware User unawareness and poor usable security Slide Nr. 13, Embedded System Security, SS 2015

13 Primary Goals of TC in Practice Improve security of (existing) computing platforms Reuse existing modules GUI, common OS, etc. Applicable to different operating systems No monopoly, room for innovation Open architecture Use open standards and open source components Trustworthiness, costs, reliability, compatibility Efficient portability New applications/business models Providing security needed for underlying applications (based on various sets of assumptions and trust relations) Avoid potential misuse of trusted computing Slide Nr. 14, Embedded System Security, SS 2015

14 Desired Primitives and Tools 1. Metric for code configuration/identity I/O behavior of machine determined by its code Example of a simple metric: Hash value of binary code Problematic when code functionality depends on other code not included in hash digest (e.g., shared or dynamically linked libraries) 2. Integrity verification (Attestation) Allows computing platform to export verifiable information about its properties (e.g., identity and initial state) Comes from the requirement of assuring the code configuration and execution environment of an application located on a remote computing platform Slide Nr. 15, Embedded System Security, SS 2015

15 Desired Primitives and Tools (ctd.) 3. Secure storage Securely stores data on untrusted storage (e.g. hard disks) Encrypts data and assures that no other entity can decrypt it 4. Strong process isolation Assures process (memory space) separation Prevents a process from reading or modifying the memory used by another process 5. Secure I/O Allows applications to assure the endpoints of input and output operations Assures to the user that he securely interacts with the intended application Slide Nr. 16, Embedded System Security, SS 2015

16 Need for Secure Hardware and Software Need for secure hardware Even a secure operating system cannot verify its own integrity Another party is needed Secure storage (e.g., for cryptographic keys) Isolation of security-critical programs (e.g., by DMA control) Hardware-based random numbers Fundamental to cryptography Need for secure software (operating systems) Hardening Still too complex and too large TCB (Trusted Computing Base) Complete new design Compatibility problem, low market acceptance Secure virtual machine monitors Allow reuse of legacy software (operating system and applications) Slide Nr. 17, Embedded System Security, SS 2015

17 Trusted Computing Group (TCG) Consortium of many IT-Enterprises Founded in April Focus development of hardware-enabled trusted computing and security technologies across multiple platforms/devices Publications Various specifications on Trusted Platforms and Infrastructures Slide Nr. 18, Embedded System Security, SS 2015

18 TCG Main Specifications Trusted Platform Module (TPM) Provides a set of immutable cryptographic and security functions Trusted Software Stack (TSS) Issues low-level TPM requests and receives low-level TPM responses on behalf of higher-level applications Slide Nr. 19, Embedded System Security, SS 2015

19 Roadmap: Trusted Computing Motivation Notion of trust Trusted Computing Chain of trust Integrity measurements Slide Nr. 20, Embedded System Security, SS 2015

20 Main TCG Concept: Chain of Trust Consider Entities E 0,, E n Goal is to gain trust in entity E n Operational standpoint: E 0 launches E 1, E 1 launches E 2, etc. To trust E n one must trust E n 1 The sequence E 0, E 1 to E n creates a chain of trust Transitive trust from E 0 to E 1 to E 2, etc. Trusting E 2 requires one to trust E 0 and E 1 However: Trusting E 0 does not imply that one trusts E 2 Entity E 0 Entity E 1 Entity E 2 Entity E n Slide Nr. 21, Embedded System Security, SS 2015

21 Chain Measurement What is needed to trust the chain? The identity of each entity E i in the chain Identity = measurement (according to TCG definition) Example: Hash digest of the binary code of E i Generic flow: Each E i measures E i+1 before passing control to it Who measures E 0? E 0 must be trusted, no mechanism to measure E 0 E 0 is called Root of Trust for Measurement (RTM) RTM Entity E 0 Entity E 1 Entity E 2 Entity E n Slide Nr. 22, Embedded System Security, SS 2015

22 Root of Trust for Measurement (RTM) Immutable portion of trusted platform s initialization code executed on every platform boot Trust in all integrity measurements based on integrity of RTM Slide Nr. 23, Embedded System Security, SS 2015

23 Performing Integrity Measurements RTM 3. SM (Security Module) Registers Entity E Event Log One Event Structure per measurement Event Structure Extend Value (hash digest of E) Extend Data (information about E) Slide Nr. 24, Embedded System Security, SS RTM measures entity E 2. RTM creates Event Structure in Event Log Event Log contains Event Structures for all measurements extended to the SM Event Log can be stored on (untrusted) storage device (e.g., hard disk) 3. RTM extends measurement value into SM registers 4. RTM executes/passes control to entity E

24 Abstract Model of TCG Concept Trusted Platform P Provides integrity of host H Host H (untrusted) Firmware Operating system Applications D execute(c H ) Attestor A Trusted component (hard- and software) Securely stores C H RTM challenge response Attest(Hash(C H )) Bind(Hash(C H ), D) init(c H ) Challenger / Verifier Verifier V Local or remote Can decide whether C H violates its security requirements Can bind/seal data D to a specific (probably secure) configuration/state of H Attest: Verify system integrity Bind/Seal: Access control depending on system configuration C H - initial configuration/state of host H when platform P has been booted D - data to be revealed only if host H is in the (secure) configuration C H User / Adversary insecure channel secure channel

25 Concerns About TCG Approach Potential basis for Digital Rights Management (DRM) Restriction of freedom Including freedom of choice and user control Privacy violations Disclosure of platform identity and configuration Core specifications not really readable Leads to misunderstanding and false implementations Potentially restricting competition Misuse of sealed storage capabilities, locking out alternative applications and inhibiting interoperation Much of the criticism related to Microsoft s NGSCB NGSCB = Next Generation Secure Computing Base Several name changes Palladium, NGSCB, Longhorn, Vista Bad publicity or legal challenges on rights to the names Slide Nr. 26, Embedded System Security, SS 2015

26 Some Legal Requirements on TC/TCG Prevent confusion and clarify terms Trust, trusted, trustworthy, thread model, etc. Privacy (user, platform, ) Application and design of new technologies should be privacy compliant by default Unrestricted user control For instance over keys and IT technology Transparency of trusted platform certification process Option for transferring secrets between different machines Product discrimination TC/DRM should not adversely affect security of governmentheld information Slide Nr. 27, Embedded System Security, SS 2015