Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Similar documents
Systems View -- Current. Trustworthy Computing. TC Advantages. Systems View -- Target. Bootstrapping a typical PC. Boot Guarantees

TERRA. Boneh. A virtual machine-based platform for trusted computing. Presented by: David Rager November 10, 2004

Lecture Embedded System Security Introduction to Trusted Computing

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Flicker: An Execution Infrastructure for TCB Minimization

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Lecture Embedded System Security Introduction to Trusted Computing

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2009

Lecture Embedded System Security Trusted Platform Module

CIS 4360 Secure Computer Systems. Trusted Platform Module

EXTERNALLY VERIFIABLE CODE EXECUTION

Lecture Embedded System Security Introduction to Trusted Computing

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

TRUSTED COMPUTING TRUSTED COMPUTING. Overview. Why trusted computing?

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2007

INF3510 Information Security. Lecture 6: Computer Security. Universitetet i Oslo Audun Jøsang

INF3510 Information Security Spring Lecture 4 Computer Security. University of Oslo Audun Jøsang

Trusted Computing and O/S Security

Trusted Computing. William A. Arbaugh Department of Computer Science University of Maryland cs.umd.edu

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

OS Security IV: Virtualization and Trusted Computing

Applications of Attestation:

GSE/Belux Enterprise Systems Security Meeting

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Platform Configuration Registers

CIS 4360 Secure Computer Systems. Trusted Platform Module

Dawn Song

TPM v.s. Embedded Board. James Y

Hypervisor Security First Published On: Last Updated On:

Intelligent Terminal System Based on Trusted Platform Module

OVAL + The Trusted Platform Module

Computer Security CS 426 Lecture 17

Towards Application Security on Untrusted Operating Systems

Trusted Computing Group

Atmel Trusted Platform Module June, 2014

W11 Hyper-V security. Jesper Krogh.

Software Vulnerability Assessment & Secure Storage

TCG TPM2 Software Stack & Embedded Linux. Philip Tricca

Offline dictionary attack on TCG TPM authorisation data

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Trusted Computing and O/S Security. Aggelos Kiayias Justin Neumann

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

Trusted Computing in Drives and Other Peripherals Michael Willett TCG and Seagate 12 Sept TCG Track: SEC 502 1

Unicorn: Two- Factor Attestation for Data Security

ROTE: Rollback Protection for Trusted Execution

Firmware Updates for Internet of Things Devices

CSE543 - Computer and Network Security Module: Trusted Computing

Intel Software Guard Extensions

Certifying Program Execution with Secure Processors. Benjie Chen Robert Morris Laboratory for Computer Science Massachusetts Institute of Technology

Jonathan M. McCune. Carnegie Mellon University. March 27, Bryan Parno, Arvind Seshadri Adrian Perrig, Michael Reiter

Mobile Platform Security Architectures A perspective on their evolution

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

How to create a trust anchor with coreboot.

Lecture 3 MOBILE PLATFORM SECURITY

SECURITY ARCHITECTURES CARSTEN WEINHOLD

CIS 4360 Secure Computer Systems Secured System Boot

Trusted Execution Environments (TEE) and the Open Trust Protocol (OTrP) Hannes Tschofenig and Mingliang Pei 16 th July IETF 99 th, Prague

Connecting Securely to the Cloud

Operating system hardening

CS 356 Operating System Security. Fall 2013

TPM Entities. Permanent Entities. Chapter 8. Persistent Hierarchies

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

Trusted Mobile Platform Technology for Secure Terminals

ARM Security Solutions and Numonyx Authenticated Flash

Embedded System Security Mobile Hardware Platform Security

Embedded System Security Mobile Hardware Platform Security

Security of Cloud Computing

Intel s s Security Vision for Xen

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

Virtualisation on Mobile Devices {Hugo Marques, Nuno Conceição, Luis Pereira}

An Introduction to Trusted Platform Technology

Trusted Computing: Security and Applications

A TRUSTED STORAGE SYSTEM FOR THE CLOUD

Crypto Background & Concepts SGX Software Attestation

Technical Brief Distributed Trusted Computing

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

How to protect Automotive systems with ARM Security Architecture


Framework for Prevention of Insider attacks in Cloud Infrastructure through Hardware Security

TrInc: Small Trusted Hardware for Large Distributed Systems

Master s Thesis. End-To-End Application Security Using Trusted Computing. Michiel Broekman. August 18, 2005

SGX Enclave Life Cycle Tracking TLB Flushes Security Guarantees

Trusted Platform Module explained

NGSCB The Next-Generation Secure Computing Base. Ellen Cram Lead Program Manager Windows Security Microsoft Corporation

Hardening with Hardware

CPS 510 final exam, 4/27/2015

Old, New, Borrowed, Blue: A Perspective on the Evolution of Mobile Platform Security Architectures

Security and Privacy in Cloud Computing

Expert Reference Series of White Papers. BitLocker: Is It Really Secure? COURSES.

Introduction to Computer Security

Putting It (almost) all Together: ios Security. Konstantin Beznosov

Virtualization. Michael Tsai 2018/4/16

Trusted Computing Use Cases and the TCG Software Stack (TSS 2.0) Lee Wilson TSS WG Chairman OnBoard Security November 20, 2017

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Trusted Mobile Keyboard Controller Architecture

Trusted Computing Special Aspects and Challenges

Transcription:

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Trusted Computing Hardware What can you do if you have trusted hardware? Immutable, with deep control over the resulting behavior of the machine Can use to guarantee certain behaviors and properties of the machine How can you do it? Practically? With legacy O/S and applications? 2

Primitives of Trusted Computing Attestation I m running what you think I m running Secure boot I can only run what is OK Less popular approach -- privacy/usability/monopoly concerns Note lots of policy/social/legal?s Can be useful tool e.g., dga s distributed testbed Prevent bots from hijacking bank session Can be used for evil (DRM, lock-in, etc.) Sorry, can only play this CD under windows! 3

Trusting Software Code attestation enables us to establish trust in a remote platform

Attestation Today TCG (formerly known as TCPA) goal is to add secure platform primitives to each client (now the focus is also on servers, cell phones, PDAs, etc.) Industry consortium by AMD, IBM, Intel, HP, Microsoft, These secure platform primitives include Platform integrity measurements Measurement attestation Protected storage Sealed storage These can be used to provide trusted boot Provides attestation, which enables an external verifier to check integrity of software running on host Goal: ensure absence of malware; detect spyware, viruses, worms

Hardware Attestation Functions Starts from the bottom Hash the firmware, bootstrap loader, OS, etc. TPM can sign these with secret key (hardware protected) Trusted boot / remote attestation Attest to value of integrity measurements to remote party Protected storage Provide secure data storage (think smartcard) Secure storage for private key K -1 TPM Manufacturer certificate, for example {K TPM } K -1 IBM Sealed storage Unlock state under a particular integrity measurement

Terra Argument Need to deploy secure systems with commodity computing systems Commodity systems (hardware and software) impose fundamental limitations on security Poor isolation between applications (processes) Weak mechanisms to authentication applications to peers (distributed computing) No trusted paths between users and trusted computing base (TCB)

Two Worlds Open Box Closed Box

Two Worlds Open Box General-purpose Extensible Runs huge body of existing code Economies of scale Rich functionality Few security guarantees Closed Box Hardware tamperresistance Embedded cryptographic keys Higher assurance than open box

Uniting Two Worlds with a TVMM Trusted virtual machine monitor (TVMM) partitions a single tamper-resistant, general-purpose platform into multiple isolated virtual machines Open Boxes Closed Boxes

Trusted Computing and Closed-box VMs Terra s Goal: make closed-box VMs equivalent to dedicated hardware and software of closedbox platforms While still allowing open-box VMs And do it all on general purpose hardware TVMM protects privacy and integrity of closedbox VM s contents Applications inside closed-box VM can redefine software stack to suit application TVMM can authenticate the contents of a closed-box VM (attestation)

Assumptions Assume VMM is free of software vulnerabilities (i.e., trusted) Hardware support required Hardware attestation Like the Trusted Computing Group s (TCG s) Trusted Platform Module (TPM) Sealed Storage Decryption (unseal) of data (storage) only possible in same state as during encryption (sealing) Hardware support for virtualization (optional) Intel VT or AMD Pacifica Hardware support for secure I/O (trusted path) Secure counter (optional) Increment only counter Device isolation Countering attacks from below by DMA Real-time support Tamper-resistant hardware (not disk but CPU, memory, etc.)

TVMM Revisited TVMM provides standard VMM properties: Isolation Each VM runs in own hardware protection domain Extensibility VM is a dedicated platform Efficiency Negligible virtualization overhead Compatibility Zero modifications required to run commodity OSs Security Small code size, narrow/stable/well-defined interface (like drivers?)

TVMM Revisited TVMM only capabilities: Root secure Security against tampering by root user Attestation Hey peer! What code are you running? Trusted path (unimplemented) Direct to the TCB communication channel with guarantees of data authenticity, secrecy, and integrity

Local Security Model Two components: TVMM and management VM TVMM runs at the highest privilege level and is secure against tampering by administrator (root secure) TVMM dictates policy for attestation (all other policy decisions made by management VM) TVMM cannot guarantee availability Management VM Formulates all platform access control and resource management policies Grants access to peripherals, issues CPU and memory limits, etc. Management VM run by platform owner Security guarantees of the TVMM cannot depend on management VM

Application Assurance Commodity OS kernels Poor assurance, easily compromised Difficult to reason about isolation Platform security equivalent to security of most vulnerable component Terra provides: Strong isolation between VMs Ability to run application-specific OS Attestation to ensure applications only interact with trusted peers Assurance of Terra is equivalent to assurance of the OS (TVMM)

Distributed Computation

TCG Trusted Platform Module (TPM) Platform Configuration Register (PCR) Non-Volatile Storage (EK AIK, SRK) LPC bus I/O Random Number Generator Secure Hash SHA-1 Key Generation Crypto RSA DIP Packaging or integrated into SuperIO chip

Basic TPM Functionality TPM contains 16 program configuration registers (PCRs) to store integrity measurements Operations on PCRs TPM_Extend(N, S): PCR N = SHA-1(PCR N S) TPM_Read(N): Return contents of PCR N TPM contains private key to sign attestations and manufacturer certificate Tamper resistant storage for private key K -1 TPM Manufacturer certificate, for example {K TPM } K -1 IBM

Ahead-of-Time (offline) Attestation Module 1 Module 2 conf BIOS Boot Loader OS Kernel App 1 App 2 Apps TPM PCRs K -1 Hardware Software

Ahead-of-Time (offline) Attestation Verifier Remote platform

Application Trusted Quake Quake multi-player online game vulnerable to client cheating Terra provides: Secure communication Client integrity Server integrity Isolation Terra can t prevent: Bugs and undesirable features DoS attacks Covert channels

Discussion Limited TVMM implementation Do not emulate underlying TCPA hardware (no TPM) No trusted path (lack of hw) Bulky TVMM (VMware GSX Server) No high assurance guarantees (Debian/VMware) Some experiences implementing trusted quake and trusted access points Tons of discussion and material, much of it based on yet unreleased or alpha technologies Lots of we re sorry but we Don t have special hardware Didn t have source code Didn t implement this or that Great deal of foresight into future technologies Trusted computing technologies are a available today Terra could be realized almost as predicted

Open Research?s How to build secure systems using TPM? Attestation is potentially ugly! Must attest/trust every version of windows with every combination of patches?! Or do you force WinXP sp2 with IE7 and patches 1, 5, 9, 10? Alternate approch: Gun Sirer s Nexus OS Labels that attest to properties e.g., Media player will not copy; will allow only N plays of video Media can be played by any player that makes those guarantees (some cert. auth. has to sign for them...) 24

This is ongoing research Definitely don t know the answers yet! What does TPM let us do differently? Where would you draw security bounds differently? How much trust should you export to trusted client? Still vulnerable to... maybe: Rogue DMA hardware? RDMA network card?? bus analyzer? CPU interposer? government/org. crime with STEM? 25

Examples to consider Fairness / congestion control in networks (most people don t care enough to break; rewards small) DDoS prevention (hardware owner probably doesn t want computer being used to launch DDoS) Virus scanning (benefits owner of computer) Cheating prevention in games (stakes aren t that high...) Secure RDMA-like access to NFS with access control performed by trusted local proxy (earlier papers) Updating bank balance / securely handling e-cash Voting? Where to draw the line between {on trusted server, on trusted client, on untrusted client}? What changes? 26

Building Secure Distributed Systems Challenge: Build trustworthy service based on distributed set of potentially untrusted hosts Approaches Software security community has proposed mechanisms to harden software to prevent exploits [Prevention] Intrusion detection community has proposed mechanisms for detecting specific attacks or anomalies [Detection and Recovery] Distributed systems community has designed protocols to provide property if up to 1/3 of hosts are compromised (Byzantine hosts) [Resilience] Attestation Provide guarantee that correct code is executing on remote host Vendors embed trusted HW in devices providing attestation Exciting new directions for building secure systems

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback