Trusted Virtual Domains: Towards Trustworthy Distributed Services. Ahmad-Reza Sadeghi System Security Lab Ruhr-Universität Bochum

Transcription

1 Trusted Virtual Domains: Towards Trustworthy Distributed Services Ahmad-Reza Sadeghi System Security Lab Ruhr-Universität Bochum

2 The Main Motivation

3 Trustworthy Distributed Computing

4 Selected Applications..

5 Outsourcing of Computation Jobs execution in potentially untrusted environment Health Care, Data Centers, Grid Computing, Cloud Computing,. Untrusted Servers User

6 Enterprise Right Management Information Sharing (fine-grained access to and usage of documents) Mainly required by large enterprises, government

7 Supply Chains Usage and Access Control of Resources and Services Automotive, pharmaceutical industries

8 Privacy-Enhancing Information Management Students Lecture/course information Examination dates Scores Registration for lectures/courses Registration for exams Lecture/course information Examination dates Scores Profs/Lecturers List of participants (Name, Mat.Nr., examination rules) VSPL System Examination dates Scores Certificates Statistics Personal student data (Name, birthday, etc.) Study-related data (Study path, examination rules, etc.) University Management

9 And solutions..

10 Ideally: Secure Multiparty Computation (SMP)

11 However, SMP not realistic for complex IT systems, but, a useful tool

12 Potential Real World Approach: Establishing Trust(worthy) Domains

13 Trust Domains - Requirements Negotiation basis Mutually Trusted Computing Base (TCB) TCB := System components whose failure can break the (security) policy Control basis Operational requirements and environments to which each system must adhere Execution services Responders who take on roles on behalf of the initiators Flexibility and scalability

14 Trusted Virtual Domains (TVD) A coalition of virtual and/or physical machines Trust each other based on a security policy beyond physical boundaries TVD member can ``see'' and access each other but are closed to non-members Separation of workflows and workloads More abstract than typical access control mechanisms Platform independent, suitable for large distributed systems Several projects focus on Virtual Data Centers (VDC) e.g., Open Trusted Computing (opentc)

15 Example: TVD Network Isolated workflows/offloads (red, yellow and blue) Isolation of workflows in Domains Joining Trust Domain, if policy conform Leave Trust Domain

16 Logical TVD Architecture Green TVD TVD Master Blue TVD Execution Entities Red TVD VM VM VM VM VM VM Trusted Computing Base Trusted Computing Base Trusted Computing Base physical machine Basis for Negotiation and Control

17 Security Objectives & Requirements Secure TVD membership and revocation Platforms, VMs, Secure intra-tvd communication Note: some members of TVD may have more privileges than others Secure inter-tvd communication Usually undesired (due to isolation) to control information flow

18 Trust & Adversary Model No compromise of TCB at run-time Trust each other

19 Distributed IT systems Challenges Common computing platforms cannot provide means to Different parties with potentially conflicting requirements involved Cryptographic methods are of limited help represent and to verify trustworthiness of an IT system e.g., migration, join and leave of virtual machines Further, how can common computing platforms support such a functionality? Note: Even a secure OS cannot verify its own integrity Internet Y 1 Y 2 Y n

20 Trusted Computing (TC): Enable the reasoning about the trustworthiness of own and other s IT system

21 An Industrial Attempt: Trusted Platforms A possible instantiation of this idea is proposed by Trusted Computing Group (TCG) TCG : Consortium of major IT enterprises (HP, IBM, Intel, MS, Infineon,...) Trusted components in hardware and software providing small set of security functionalities (trust anchor) Integrity reporting through trust anchor Application Application Application Application Operating System (OS) Trusted Operating Component System (SW) (OS) Hardware Trusted Component Hardware (HW) Trusted Platform

22 TCG s TPM Current implementation is a security chip Already in platforms of major vendors Provides a set of cryptographic functionalities e.g., encryption, signing, hashing Additional functionalities Secure storage Platform Configuration Registers (PCRs) TCG trust model: SW attacks only Trusted Software Stack (TSS) for SW interface to TPM PCR[23] PCR[22] PCR[1] PCR[0]

23 Chain of Trust TCG s Authenticated Boot Execution Application Trusted Channel Remote Party Verification Operating System (OS) Boot Loader (BL) BIOS PCR[23] PCR[22] m App Measurement m OS OS measures Applications BL measures OS CRTM CPU TPM PC-Hardware PCR[1] PCR[0] m BL m BIOS BIOS measures BL CRTM measures BIOS CRTM Core Root of Trust for Measurement TPM Trusted Platform Module

24 TVD Realization: Leverage Trusted Virtualization and Trusted Computing

25 Trusted Virtualization Cost reductions by sharing hardware among multiple software workload Flexible system administration Reduction in space and power consumption Security services provide access control and attestation

26 Virtualization: Implementation

27 Virtualization: Implementation

28 Virtualization: Implementation

29 Trusted Computing Technology Based TCG Approach Linking software to the underlying hardware platform Requires hardware assumptions

30 TVD Architecture TVD B TVD A VM TVD Proxy B TVD Proxy A VM TVD Master A Trusted Virtualization Layer Compartment Manager Trust Manager TVD-Proxy- Factory Hardware Resource Management Services (network, memory, I/O, etc.) L4 Microkernel Turaya Trusted Platform Security Module Hardware

31 Main Components of TVD TVD policy Admission control for virtual or real machines to join the TVD Inter/Intra-TVD communication policy TVD Master Controls the access to the TVD as specified in the TVD policy Rules include platforms integrity measurements TVD Proxy Local proxy of the TVD Master running on each physical platform Responsible for the local enforcement of the TVD policy Several TVD proxies can reside on one physical platform TC functionality E.g., TPM and TSS

32 TVD Implementation Architecture TVD A VM TVD Proxy B TVD Proxy A VM P TVD Master A Trusted Virtualization Layer Compartment Manager Trust Manager TVD-Proxy- Factory Hardware Resource Management Services (network, memory, I/O, etc.) L4 Microkernel Turaya Trusted Platform TPM Hardware

33 Main Services TVD proxy factory Creates and manages TVD proxies Compartment manager TVD-Proxy- Factory Compartment Manager Starts and terminates compartments (e.g., virtual machines) Takes integrity measurements of the virtual machines on start-up Defines access rights for communication between active compartments Trust Manager Provides an interface to the underlying TPM Trust Manager

34 Main Protocols TVDDeploy(): deploys the TVD Policy to a local platform TVDJoin(): Connets a VM to the TVD TVDLeave() and Undeploy(): disconnects the VM and removes the TVDProxy

35 Local Platform P: Policy C : Credentials TVD Deployment Protocol (I) TVD-Proxy- Factory requesttvd() Trust Manager TPM Compart. Manager TVD Master P C deploytvd(noncea) nonceb getcert(nonceb) getmeasurement(tvd-proxy-factory) m CreateKey(TCBConf) PKbind CertifyKey(PKbind, m, nonceb) certbind TPMsig getpolicy(certbind) Penc verify(certbind, nonceb) Msig:=sign[MSKsign](P, C, noncea) Penc := bind[pkbind](p, C, Msig) 35

36 Local Platform TVD Deployment Protocol (II) TVD-Proxy- Factory Trust Manager TPM unbind(penc, certbind, noncea, nonceb) getmeasurement(tvd-proxy-factory) m verify(certbind, m, nonceb) unbind(penc) P, C, Msig Compart. Manager Resource Mgmt C verifysig[mpksign](p, C, Psig, noncea) P C addtolist(tvdid, tvdproxyid) P,C CreateProxy(P) CreateVNet(C) netid P TVD Proxy

37 TVD Join Protocol User/VM Compart. Manager Local Platform TVD Proxy Resource Mgmt startvm(img) m := measure(img) create() VMcompID VM VMjoin() getmeasurement(vmcompid) m setlabel(vmcompid, tvdid) checkpolicy(p, m) connectvm(vmcompid, netid)

38 TVD Undeploy TVD Leave 38 TVD Leave and Undeploy VM TVD Proxy TVD-Proxy- Factory Compart. Manager Resource Mgmt VMleave() disconnectvm(vmcompid, netid) removeaccessrights(vmcompid, tvdid) Are any other VMs connected? No? removevnet(netid) tvdundeploy() terminate() removefromlist (tvdid, tvdproxyid)

39 Description of TPM Commands Key Generation KeyParameters, AuthSecret, PCRState, ParentKey TPM_CreateWrapKey KeyObject KeyObject = [ PublicKeyData, SecretKeyData ] PublicKeyData = [ KeyParameters, PCRState, PublicKey ] SecretKeyData = Enc ParentKey (AuthSecret, SecretKey, Hash(PublicKeyData)) Key Certification KeyObject, SignKey, Nonce TPM_CertifyKey KeyCertificate KeyCertificate = [PublicKeyData, Sign SignKey (PublicKeyData, Nonce) ]

40 40 Binding and Unbinding Binding (done by TPM Software) PublicKey, PlainData TSS_Bind EncData Unbinding (involves TPM) SecretKeyID, AuthData, EncData TPM_UnBind PlainData SecretKeyID is pointer to decryption key (that must have been previously loaded into the TPM) AuthData authorizes the use of the decryption key

41 A Real Life Problem Prison health records on lost memory stick (UK) Central Lancashire Primary Care Trust said personal details of more than 6,000 prisoners were carried on the USB memory stick, lost on 30 December, The patient data held on the stick was encrypted but the password had been written on a note, stuck to the stick when it was misplaced. Recent surveys security policies vary across organizations from none to very restrictive ones disallowing Mobile Storage Devices (MSDs) [ENISA2008,Fabian07,wired_us_mil_bans_usb2008]

42 Security Objectives Free and transparent deployment of Mobile Storage Devices (MSDs) within the same TVD Data confidentiality and integrity Prevention of unauthorized access by outsiders Prevention of unintentional keys/data disclosure by insiders Enforcing access policy also while data is accessed by an off-line platform

43 Secure Mobile Storage Handling

44 Secure Mobile Storage Handling Turaya Trusted Platform

45 Secure Mobile Storage Handling Turaya Trusted Platform

46 Current Work Secure Mobile Storage Handling Turaya Trusted Platform!

47 Requirements Different MSDs may unpredictably appear and disappear within the TVD Device identification: Whenever an MSD is plugged in, the platform should be able to distinguish the device and the domain this device belongs to. Dynamic device management: The architecture should be able to enforce the policy and deliver the correct encryption keys wherever the device is plugged-in

48 A Solution Device identification A unique identification record (IR) is assigned to the device when it is initialized Key retrieval Encryption (and signing) keys are indexed with the IR and stored in a two level database Local/Domain Device Directory (LDD/DDD) Access Policy Enforcement Accomplished by the TVD infrastructure. Device access policy is incorporated into the TVD Policy. Device Access Data encryption/integrity verification is transparently done by a specific component on the platform and is not in charge of the user VM Revocation E.g., Lazy revocation (old data can still be accessed but new data not)

49 The Platform Architecture Red TVD Master DDD Red VM Admin. Platform Key retrieval Red TVDProxy Policy Keys Identification record vmsd Storage Manager LDD Compartment Manager MSD Manager L4 microkernel TPM Hardware Physical device MSD

50 Current and Future Work Proving trustworthiness of configuration without revealing it (privacy preserving) e.g., TVDs beyond enterprise boundaries Secure handling of Mobile Storage Devices e.g., USB, hard disks, also for offline access Measuring trustworthiness of hardware security modules Hardware Trojan and Trapdoor Detection New EU project (Start Sept. 2009)