Applications of Attestation:

Transcription

1 Lecture Secure, Trusted and Trustworthy Computing : IMA and TNC Prof. Dr. Ing. Ahmad Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Germany Winter Term 2011/2012 1

2 Roadmap: TC Functionalities IBM Integrity Measurement Architecture (IMA) Trusted Network Connect (TNC) Problems of Trusted Computing Slide Nr. 2, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

3 Overview of the Integrity Measurement Architecture (IMA) Design and implementation of a secure measurement system for Linux All executable data that is loaded onto the Linux system is measured before execution Uses conventional PC hardware with TPM Measurements are protected by the TPM Goal: Enable a remote system (challenger) to prove that a program on another system is integral to be used Integrity: binary code indicating whether a program and/or its environment has been modified in an unauthorized manner Slide Nr. 3, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

4 Problems IMA Aims to Solve Measurement of all executed content before it is executed on the system e.g., kernel, kernel modules, binaries, shared libraries, etc. Order of measurements Order of loading executable content is nearly random TCG integrity reports depend on the order of measurements and thus on the order of execution Performance overhead Operating system almost continuously loads executable content Measuring content at each load time results in considerable performance overhead Slide Nr. 4, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

5 Integrity Measurement Architecture Kernel, Runtime Environment, File Systems Measurement Agents Agents (MA) a) store Measurement List (ML) Trusted BIOS Hardware b) report digest report 2. QuoteRequest Attestation Service (AS) 3. QuoteResponse TPM PCR[0] PCR[N] 1. integrity challenge 5. integrity response Challenger/ Verifier (C) BIOS measures boot loader a) MAs store measurements in ordered list in kernel b) MAs report extension of measurement list to TPM 1. C requests ML and corresp. TPM signed aggregate 2. AS requests signed aggregate 3. TPM sends signed aggregate 4. AS gets ML from kernel 5. AS returns ML and corresp. TPM signed aggregate to C 6. C reasons about trustworthiness of attesting system s runtime integrity

6 Integrity Measurements Application e.g., script interpreter Measurement Agent Linux Kernel (LK) 11. m EC Measurement List... Storage Device e.g., hard disk Hardware m boot i 13. load EC Executable Content (EC) e.g., binaries, libraries, drivers, interpreters, scripts, etc. 12. TPM_Extend(SHA 1(EC)) contain hash chain of executable files loaded after they have been measured 10. load EC TPM PCR[15]... PCR[1] Measurement Agent bootup aggregate: PCR 0 to7 (BIOS,BL,LK) number of measurement 7. m boot 8. m EC 9. TPM_Extend(SHA 1(EC)) 5. TPM_Extend(SHA 1(LK)) 3. TPM_Extend(SHA 1(BL)) i, SHA 1( EC ), name EC load LK Boot Loader (BL) 4. load BL BIOS 2. load BIOS 1. TPM_Extend(SHA 1(BIOS)) CRTM EC name EC executable content name and/or version of EC

7 Security Goals Prevention of replay attacks e.g., an adversary should not be able to answer the challenger with an old measurement list Authenticity of the measurement list Tampering with measurement list or signature e.g., an adversary should not be able to manipulate the measurement list or to forge the TPM s signature Masquerading as another trusted platform e.g., an adversary should not be able to replace the original measurement list with the measurement list of another (noncompromised) system Slide Nr. 7, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

8 Integrity Challenge Protocol Attesting System Kernel, Run Time, File System ML ml Attestation Service based on ml and given reference measurements C is able to decide whether the attesting system can be considered trustworthy ChallengeRequest( N ) Challenger/Verifier System Challenger (C) create nonce N report store MA MA MA Hardware TPM_Quote2(N) TPM quote ChallengeResponse( quote, ml ) prevents masquerading provides integrity of ml (together with quote and PCR) prevents replay (together with quote) get trusted cert AIK (e.g., from Privacy CA) Verify cert AIK quote N ml (by re computing PCR using reference measurements) if verification is successful, ml is valid quote sign AIK ( PCR, N ) PCR current PCR values ml measurement list

9 Assumptions TCG specified services and protection used to Enable challenging parties to establish trust into the platform configuration of the attesting system Ensure challengers that the measurement list has not been tampered with Specifically: TPM is compliant with TCG specification: extend(), quote(),.. TPM is integrated correctly into the platform to ensure measurement of BIOS and boot loader Boot loader measures Linux Kernel correctly No hardware attacks (since TPM cannot prevent them) Slide Nr. 9, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

10 Roadmap: TC Functionalities IBM Integrity Measurement Architecture Trusted Network Connect (TNC) Problems of Trusted Computing Slide Nr. 10, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

11 TNC Overview TNC is a framework designed to add remote attestation to existing network authentication protocols Transforms secure channel into trusted channel i.e., a user is not only authenticated but also the user s computing platform identity and configuration are checked before access is granted proof of identity platform integrity report platform s integrity may be compromised by, e.g., viruses, Trojans, etc. TC concept ensures authentic reporting of platform integrity information may decide whether peer is trustworthy based on reported integrity information Slide Nr. 11, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

12 TCG Terminology Access Requestor (AR) Entity that requests access to a protected network e.g., a user or software process Platform Credential Authentication Proof of the identity of a platform e.g., via AIK certificates Integrity Check Handshake Verification of the integrity of a platform e.g., via remote attestation Slide Nr. 12, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

13 Goals of TNC Interoperable network access solution for different vendors and protocols IT T EAP: Integrate TNC as EAP method in handshake (EAP TNC) IF T TLS: Run TNC in parallel, on separate TLS channel Platform Authentication Platform Credential Authentication and Integrity Check Handshake of access requestor s platform Endpoint Policy Compliance Assignment of a level of trust to the access requestor s platform according to the presence, integrity and version of software on AR s platform. E.g., latest patches and anti virus. Otherwise, enforce isolation and provide remediation (recovery) Slide Nr. 13, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

14 Goals of TNC (cntd.) Access Policy Ensuring authentication of the access requestor and the disclosure of the access requestor s security posture before granting access to the network Assessment, Isolation and Remediation Isolation of systems that do not match the given Endpoint Policy Compliance or Access Policy Remediation of isolated platforms, e.g., by updating their software to match the given Endpoint Policy Compliance Slide Nr. 14, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

15 Basic TNC Architecture Access Requestor (AR) e.g., software on the platform that requests access to the protected network 1. request network access 4. request platform integrity report 6. platform integrity report Policy Enforcement Point (PEP) e.g., a router enforcing access restrictions to the protected network given by the PDP 2. AR s request 3. request platform integrity report 7. AR s platform integrity report Policy Decision Point (PDP) AAA server (e.g. RADIUS) that decides whether to grant AR access to the protected network according to given security policies 9. access restrictions 5. performs integrity measurements 10.enforces access restrictions given by PDP AAA stands for Authentication, Authorization and Accounting (well known AAA protocol implementations are RADIUS or DIAMETER) 8. verifies AR s platform integrity report and decides according to a given security policy and AR s platform configuration which levelof access should be granted to AR

16 TNC Architecture Details Access Requestor (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) measures AR s Integrity platform integrity Measurement may use TPM to obtain authentic Collectors (IMC) platform integrity measurements Integrity Measurement Layer verifies AR s integrity based on measurements received from IMCs Integrity Measurement Verifiers (IMVs) TNC Client (TNCC) Integrity Evaluation Layer Network Access Requestor (NAR) Network Access Layer aggregates integrity measurements from IMCs assists management of Integrity Check Handshake negotiates and establishes network access to a given network implements network layer protocols controls access to the protected network enforces decisions of the PDP Policy Enforcement Point (PEP) manages message flow between IMCs and IMVs creates an Action Recommendation for the NAA based on the verification results from IMVs and a given policy decides whether NAR should be given access to the network TNC Server (TNCS) Network Access Authority (NAA)

17 TNC Example Scenario direct communication logical communication Notebook (AR) virusscanner personal firewall measurement IMC VS IMC PF IMCs All messages are relayed through the NAR, PEP and NAA a specific notebook is only allowed to connect to the network if its virus scanner and personal firewall software is up to date and has not been modified 7. integrity measurements 6. request for integrity measurements Authentication Server (PDP) security policies verification IMV VS IMV PF IMVs TNC Client (TNCC) 4. Platform Credential Authentication of AR to PDP 5. initiate Integrity Check Handshake 8. result of Integrity Check Handshake TNC Server (TNCS) WLAN Access Point (PEP) 3. initiate platform authentication 9. Action Recommendation NAR 802.1X Supplicant 1. request access PEP 802.1X Authenticator 2. decision request 10. access rules for AR NAA RADIUS Server

18 Illustration of TNC EAP Overhead: A Typical IKEv2 (IPsec) Flow Client Server IKE(Nonce,DH A,...) IKE(Nonce, DH B,...) Diffie Hellman key exchange & algorithm negotation IKE(ID,AUTH,CERT) Mutual authentication IKE(ID, AUTH, CERT) IKE([optional infos & Child SA negotiation]) Channel established in 2 roundtrips. IKE([optional infos & Child SA negotiation]) Optional Messages / Management Slide Nr. 18, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

19 EAP starts inside IKEv2 authentication Client IKE(Nonce,DH,...) Gateway EAP/TNC Server IKE(Nonce, DH,...) IKE(ID,[missing AUTH payload],..) IKE(ID, EAP(ID request)) IKE(EAP(ID response)) IKE(EAP(EAP FAST(start)))) IKE(EAP (EAP FAST(TLS_Client Hello)))) [full TLS handshake] RADIUS(AccessRequest) RADIUS(AccessChallenge)... Slide Nr. 19, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

20 EAP starts TLS for authentication, then TNC starts inside TLS... Client... Gateway EAP/TNC Server TNC Agents IKE(EAP(EAP FAST(TLS([client auth]))))... IKE(EAP(EAP FAST(TLS(IDrequest)))) IKE(EAP(EAP FAST(TLS(IDresponse)))) IKE(EAP(EAP FAST(TLS(EAP TNC(start))))) Messages in XML or TLV based reporting language with optional encryption. IKE(EAP(EAP FAST(TLS(EAP TNC(TNCCS(Batch1))))))... IKE(EAP(EAP FAST(TLS(EAP TNC(TNCCS(BatchN))))))... TNCCS(Batch1) TNCCS(Success) Batch1 Success Slide Nr. 20, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

21 EAP returns shared key, IKE resumes with PSK authentication (AUTH) Client Gateway... IKE(EAP(EAP FAST(TLS(EAP TNC(TNCCS(Success)))))) EAP/TNC Server IKE(EAP(Success)) IKE(AUTH) RADIUS(AccessRequest) RADIUS(AccessAccept) Mutual PSK authentication IKE([optional infos & Child SA negotiation])... At least 10 to 14 roundtrips to establish channel, plus RADIUS queries and protocol overhead(fragmentation!) Slide Nr. 21, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

22 Roadmap: TC Functionalities IBM Integrity Measurement Architecture Trusted Network Connect (TNC) Problems of Trusted Computing Slide Nr. 22, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

23 Expectations of Trusted Computing Initially very high expectations (and criticism) Full control over the software stack and files Proprietary programs will [ ] control which other programs you can run, which documents or data you can access Richard Stallmann, Can you trust your Computer? PCs become much harder to attack Really serious, well funded opponents will still be able to crack it Ross Anderson, TCPA FAQ What happened? Slide Nr. 23, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

24 Problems of Trusted Computing What to measure? IMA measures ~6000 files on for a default Linux desktop Not including configuration files, call parameters, scripts, To identify all attacks, should we measure all runtime I/O? TC will likely never be able to assure the absence of compromise Slide Nr. 24, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

25 Problems of Trusted Computing Integrity is not Security Measurement of program is mostly worthless if X has a security bug every day How to establish trust in Software X? 90% of the problem is software security, not TC Slide Nr. 25, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

26 Beyond TCG Improve software security ( trustworthiness ) TCB is all the software that an application depends on (typically several MB of libraries, services and drivers) Different OS designs improve isolation and reduce TCB Virtualization Microkernel Safe programming languages reduce security flaws (Java?) Design critical applications for simplicity, code re use and reduced information flow (e.g., services, not libraries) Trusted Execution Environments execute a transaction without relying on the complete OS, libraries etc. (e.g., Intel TXT, ARM TrustZone) Hard for established systems but possible for embedded Slide Nr. 26, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

27 Possible TC friendly OS Architecture Applications Existing OS Security applications App. Legacy OS (e.g., Linux) App. Isolation App. Legacy OS (e.g., Linux) App. untrusted storage Online VPN Grid Banking untrusted storage Trusted Software Layer Secure VMM Attestation Manager Compartment Manager Storage Manager Secure GUI TPM Manager Virtualization Layer Hypervisor (IPC, Memory Management, Scheduling) based on microkernel (e.g. Xen) Hardware CPU Devices Conventional Hardware TPM Trusted Computing (TC) Technology (TPM, Trusted Execution Technology (TXT), Presidio, etc.)

28 Components TC enabled hardware Ensuring authentication of the access requestor and the Trusted Service Layer Trust Manager: controls access to TPM interface Compartment Manager: Manages creation, updates, and deletion of compartments measures compartments and assigns unique IDs to them Storage manager guarantees trusted storage, i.e., authenticity, confidentiality and integrity (and freshness) of stored data Has access to configuration of clients it is communicating to over trusted channel Secure GUI: guarantee a trusted path to application Virtualization Layer provides abstraction of physical machine Provides isolation between virtual machines Slide Nr. 28, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012

29 Questions for Future Engineers Why are half of the TPM PCRs reserved for bootup? Should IMA be allowed to delete/reset PCRs? What if App X does not measure the code it loads? What app uses TPM today? Why? Slide Nr. 29, Lecture Secure, Trusted and Trustworthy Computing, WS 2011/2012