CIS 4360 Secure Computer Systems. Trusted Platform Module

Similar documents
CIS 4360 Secure Computer Systems. Trusted Platform Module

Security of Cloud Computing

Introduction to Information Security

CIS 4360 Secure Computer Systems Secured System Boot

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Systems View -- Current. Trustworthy Computing. TC Advantages. Systems View -- Target. Bootstrapping a typical PC. Boot Guarantees

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Offline dictionary attack on TCG TPM authorisation data

TRUSTED COMPUTING TRUSTED COMPUTING. Overview. Why trusted computing?

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

The Early System Start-Up Process. Group Presentation by: Tianyuan Liu, Caiwei He, Krishna Parasuram Srinivasan, Wenbin Xu

CSE543 - Computer and Network Security Module: Trusted Computing

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Flicker: An Execution Infrastructure for TCB Minimization

Lecture Embedded System Security Trusted Platform Module

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

Software Vulnerability Assessment & Secure Storage

Trusted Computing and O/S Security

Trusted Computing. William A. Arbaugh Department of Computer Science University of Maryland cs.umd.edu

Platform Configuration Registers

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2009

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2007

CIS 4360 Secure Computer Systems. Integers

Encrypting stored data

Expert Reference Series of White Papers. BitLocker: Is It Really Secure? COURSES.

OVAL + The Trusted Platform Module

TPM Entities. Permanent Entities. Chapter 8. Persistent Hierarchies

Trusted Computing Group

OS Security IV: Virtualization and Trusted Computing

Trusted Computing and O/S Security. Aggelos Kiayias Justin Neumann

INF3510 Information Security Spring Lecture 4 Computer Security. University of Oslo Audun Jøsang

Intelligent Terminal System Based on Trusted Platform Module

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

TERRA. Boneh. A virtual machine-based platform for trusted computing. Presented by: David Rager November 10, 2004

TPM v.s. Embedded Board. James Y

Sirrix AG security technologies. TPM Laboratory I. Marcel Selhorst etiss 2007 Bochum Sirrix AG

Jonathan M. McCune. Carnegie Mellon University. March 27, Bryan Parno, Arvind Seshadri Adrian Perrig, Michael Reiter

How to create a trust anchor with coreboot.

EXTERNALLY VERIFIABLE CODE EXECUTION

Atmel Trusted Platform Module June, 2014

TUX : Trust Update on Linux Kernel

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

I Don't Want to Sleep Tonight:

Trusted Computing in Drives and Other Peripherals Michael Willett TCG and Seagate 12 Sept TCG Track: SEC 502 1

Applications of Attestation:

Unicorn: Two- Factor Attestation for Data Security

From TPM 1.2 to 2.0 and some more. Federico Mancini AFSecurity Seminar,

Technical Brief Distributed Trusted Computing

Trusted computing. Aurélien Francillon Secappdev 24/02/2015

Secure, Trusted and Trustworthy Computing

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

A TRUSTED STORAGE SYSTEM FOR THE CLOUD

UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies

INF3510 Information Security. Lecture 6: Computer Security. Universitetet i Oslo Audun Jøsang

Dawn Song

Protecting Keys/Secrets in Network Automation Solutions. Dhananjay Pavgi, Tech Mahindra Ltd Srinivasa Addepalli, Intel

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

Trusted Computing: Introduction & Applications

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz II

An Introduction to Trusted Platform Technology

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

Trusted Mobile Platform Technology for Secure Terminals

Bootstrapping Trust in Commodity Computers

ARM Security Solutions and Numonyx Authenticated Flash

TCG TPM2 Software Stack & Embedded Linux. Philip Tricca

6.857 L17. Secure Processors. Srini Devadas

Trusted Disk Loading in the Emulab Network Testbed. Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci

Trusted Computing: Security and Applications

TRUSTED SUPPLY CHAIN & REMOTE PROVISIONING WITH THE TRUSTED PLATFORM MODULE

Xbox Security. Daniel Butnaru. 28 th June 2006

Backup, File Backup copies of individual files made in order to replace the original file(s) in case it is damaged or lost.

Solving Bigger Problems with the TPM 2.0

Binding keys to programs using Intel SGX remote attestation

Security and Privacy in Cloud Computing

Trusted Disk Loading in the Emulab Network Testbed. Cody Cutler, Eric Eide, Mike Hibler, Rob Ricci

Offline dictionary attack on TCG TPM weak authorisation data, and solution

Certifying Program Execution with Secure Processors. Benjie Chen Robert Morris Laboratory for Computer Science Massachusetts Institute of Technology

CIS 4360 Secure Computer Systems SGX

typedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

Introduction to Information Security Miscellaneous

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz II

Scalable Architectural Support for Trusted Software

CS 161 Computer Security

Big and Bright - Security

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz II: Solutions

OP-TEE Using TrustZone to Protect Our Own Secrets

Crypto Background & Concepts SGX Software Attestation

Click to edit Master. Trusted Storage. title style. Master subtitle style Seagate Technology

Breaking Hardware Wallets

Hypervisor Security First Published On: Last Updated On:

Provisioning secure Identity for Microcontroller based IoT Devices

A Reconfigurable Trusted Platform Module

CIS 4360 Secure Computer Systems Symmetric Cryptography

Cisco Secure Boot and Trust Anchor Module Differentiation

Advanced Crypto. Introduction. 5. Disk Encryption. Author: Prof Bill Buchanan. Bob. Alice. Eve.

Transcription:

CIS 4360 Secure Computer Systems Trusted Platform Module Professor Qiang Zeng Spring 2017 Some slides were stolen from Stanford s Security Course, Bruce Maggs, and Bryan Parno

Previous Class Does a b concern you? How? What should you do? Yes, it may cause integer overflow. E.g., assume a and b are of int type. a = INT_MIN and b = 1 then a b = INT_MAX if( (b>0 && a < INT_MIN + b) (b <0 && a > INT_MAX + b) ) // report overflow else r = a b; CIS 4360 Secure Computer Systems 2

Signed Integer Representation INT_MIN INT_MAX CIS 4360 Secure Computer Systems 3

Previous Class unsigned int x = - 1; // What is x s value? Why? The binary representa]on will be preserved. Since - 1 is represented as 0xFFFFFFFF, which represents UINT_MAX for an unsigned integer CIS 4360 Secure Computer Systems 4

Re-cap about Conversion for a = b A conversion to a type that can represent the value being converted is always well-defined the value simply stays unchanged E.g., signed -> larger signed; unsigned -> larger unsigned; unsigned short -> int A conversion to an unsigned type is always welldefined y = x % (dst_type_max +1) A conversion to a signed type that cannot represent the value being converted results is implementation dependent But in many systems: truncate the higher-order bits and reinterpret the remaining CIS 4360 Secure Computer Systems 5

Previous Class short x = - 1; int y = 0; // x > y? Why? A`er integer promo]on, i.e., int z = x, obviously z > y is false. CIS 4360 Secure Computer Systems 6

Previous Class short x = - 1; unsigned int y = 0; // x > y? why? A`er integer promo]on, i.e., int z = x; // z is s]ll - 1 Wrt z op y, since z and y have the same rank and y is unsigned, z will further be transformed to an unsigned integer w = - 1 // w is now UINT_MAX Therefore, w > y is true and x > y is true. CIS 4360 Secure Computer Systems 7

Outline Format String Attacks TPM CIS 4360 Secure Computer Systems 8

Vulnerable code example Is the following code vulnerable? Why? void foo(char* user_provided) { printf(user_provided); } Yes. E.g., user_provided can be %08x %08x %08x %08x %08x ; this will leak information Why? CIS 4360 Secure Computer Systems 9

The format string can contain two types of data: printable characters and format direc,ves, such as %d, %x, %u "format %s%d" i s format string ptr return addr Memory address grows towards this way saved frame ptr local variables Figure 28. Activation record of printf( format %s%d, s, i) that has three parameters: the format string pointer, a string pointer, and an integer. A format function uses an internal stack pointer to access the parameters in the stack as it encounters the directives in the format string. Buffer Overflow and Format String Overflow Vulnerabili]es. Lhee and Chapin, 2002. CIS 4360 Secure Computer Systems 10

Width Specifier (specifies the minimum width) printf("%*d", 5, 10) will result in with a total width of 5 characters. 10 being printed, printf( %*d", -5, 10) will result in 10 being printed, with a total width of left-aligned 5 characters. Similarly, printf( %5d", 10) and printf( %-5d", 5, 10) can achieve the same effect printf( %05d, 10) prints 00010 printf("%#05x\n", 12); prints 0x00c (# for 0x and the width of 0x00c is 10) CIS 4360 Secure Computer Systems 11

Attack one: viewing the memory Now you should be able to understand why the following code can leak information: void foo(char* user_provided) { } printf(user_provided); user_provided can be, e.g., %08x %08x %08x %08x %08x to leak information A special form of buffer overflow CIS 4360 Secure Computer Systems 12

Attack two: Overwriting memory The %n direc]ve writes an integer value, the number of characters that is wrijen by the format func]on so far, at the loca]on pointed by the corresponding parameter. E.g., prink( \x10\x01\x48\x08%08x%08x %08x%08x%08x%n ); Writes 44 at 0x8480110 (four characters for \x10\x01\x48\x08 and eight characters for each of the five %08x ) You can make use of the Width Specifier, e.g., %10000d, to increase the value you want to write stack ptr internal when processing %n internal stack ptr MSB LSB \0 s % x 8 0 % x 8 0 % x 8 0 % x 8 0 % x 8 0 % 08 48 01 10 format string ptr return addr saved frame ptr local variables CIS 4360 Secure Computer Systems 13

Attack three: Overflow a buffer char buf[100]; // user-provided is %104d\x80\x48\x55\66 sprintf(buf, user-provided) CIS 4360 Secure Computer Systems 14

Suggestions Avoid using user-provided format string; try your best to use fixed predefined format string GCC can detect the mismatch (in terms of type and parameter number) between the directives and parameters when you use -Wall or Wformat CIS 4360 Secure Computer Systems 15

Writing Assignments Does a b concern you? How? What should you do? unsigned int x = -1; // What is x s value? Why? short x = -1; int y = 0; // x > y? Why? short x = -1; unsigned int y = 0; // x > y? why? CIS 4360 Secure Computer Systems 16

Outline Format String Attacks TPM CIS 4360 Secure Computer Systems 17

Bryan Parno s Travel Story CIS 4360 Secure Computer Systems 18

Attestation How can we know that a system that we would like to use does not have KeyLogger installed? How does a judge determine whether a voting machine has been hacked by one of the president candidates (or not)? How do you (or the IT people) determine whether your computer has no rootkits installed? Attestation is the creation and validation of proof of some fact CIS 4360 Secure Computer Systems 19

Bootstrapping Trust is Hard! Challenges: Hardware (firmware) Ephemeral software User Interaction App App App 14 3 N5 2 Module 1 Module 3 OS S ( ( ) ) 23 45 67 89 10 11 12 13 14 15 Safe? Yes! Module Module 2 4 ^ H( ) CIS 4360 Secure Computer Systems 20

Bootstrapping Trust is Hard! Challenges: Hardware assurance Ephemeral software User Interaction Evil App Evil Safe? OS Yes! CIS 4360 Secure Computer Systems 21

Background Trusted Computing Group: Founded in 1999 as TCPA. Main players: (>200 members) AMD, HP, IBM, Infineon, Intel, Lenovo, Microsoft, Sun Goals: Hardware protected (encrypted) storage: Only authorized software can decrypt data (Digital Rights Management) e.g.: protecting key for decrypting file system Secure boot: to recognized authorized software Attestation: Prove to remote server what software is running on my machine. CIS 4360 Secure Computer Systems 22

TCG: changes to PC or cell phone Extra hardware: ~ 1$ TPM TPM Chip vendors: Atmel, Infineon, National, STMicro Intel D875GRH motherboard Software changes (depending on applications): BIOS OS Apps CIS 4360 Secure Computer Systems 23

TPM Chip is in almost every PC CIS 4360 Secure Computer Systems 24

Components on TPM chip Non Vola]le Storage (> 1280 bytes) PCR Registers ( 16 registers) Other Junk I/O Crypto Engine: RSA, SHA- 1, HMAC, RNG RSA: 2048 bit modulus SHA-1: Outputs 20 byte digest RNG: Random Number Generator CIS 4360 Secure Computer Systems 25

Non-volatile storage 1. Endorsement Key (EK) (2048-bit RSA) Created at manufacturing time. Cannot be changed. Used for attestation (described later) 2. Storage Root Key (SRK) (2048-bit RSA) Used for implementing encrypted storage Created after running TPM_TakeOwnership( OwnerPassword, ) Can be cleared later with TPM_ForceClear from BIOS 3. OwnerPassword (160 bits) and persistent flags Private EK, SRK, and OwnerPwd never leave the TPM CIS 4360 Secure Computer Systems 26

PCR: the heart of the matter PCR: Platform Configuration Registers Lots of PCR registers on chip (at least 16) Register contents: 20-byte SHA-1 digest (+junk) Updating PCR #n : TPM_Extend(n,D): PCR[n] SHA-1 ( PCR[n] D ) Important: You cannot set a PCR, you can only extend it TPM_PcrRead(n): returns value(pcr(n)) PCRs initialized to default value (e.g. 0) at boot time CIS 4360 Secure Computer Systems 27

Overall, you can understand TPM as a passive component (1) that does signing/encryp]on/decryp]on, (2) that receives a value to extend a PCR, and (3) that protects the private keys It seems that it is prejy dumb Can we do something useful with a TPM? CIS 4360 Secure Computer Systems 28

Background: how a system boots CIS 4360 Secure Computer Systems 29

Using PCRs: the TCG boot process BIOS boot block executes Calls TPM_Startup (ST_CLEAR) to initialize PCRs to 0 Calls PCR_Extend( n, <BIOS code> ) Then loads and runs BIOS post boot code BIOS executes: Calls PCR_Extend( n, <MBR code> ) Then runs MBR (master boot record), e.g. GRUB. MBR executes: Calls PCR_Extend( n, <OS loader code, config> ) Then runs OS loader and so on CIS 4360 Secure Computer Systems 30

In a diagram Other firmware BIOS boot block BIOS OS loader OS Application Root of trust in integrity of measurement TPM Root of trust in integrity reporting measuring Extend PCR After boot, PCRs contain hash chain of booted software Properties of SHA-1 prevent manipulation CIS 4360 Secure Computer Systems 31

Measured Boot 1 1 1 4 4 4 3 2 2 3 2 3 TPM Measurement Log # 1 2 3 4 Steps Measurement Extend PCR Log Event Transfer control 32

Attestation: what it does Goal: prove to remote party what software is running on my machine. Good applications: Bank allows money transfer only if customer s machine runs up-to-date OS patches. Enterprise allows laptop to connect to its network only if laptop runs authorized software Quake players can join a Quake network only if their Quake client is unmodified. DRM: MusicStore sells content for authorized players only. CIS 4360 Secure Computer Systems 33

Attestation: how it works Recall: EK (Endorsement Key) private key on TPM. Cert for EK public-key issued by TPM vendor The attestation initiator has the public key of all TPM vendors and thus can verify the TPM s cert Step 1: Create Attestation Identity Key (AIK) AIK Private key known only to TPM AIK public cert issued only if EK cert is valid CIS 4360 Secure Computer Systems 34

Attestation: how it works Step 2: sign PCR values (after boot) Call TPM_Quote (some) Arguments: keyhandle: which AIK key to sign with KeyAuth: Password for using key `keyhandle PCR List: Which PCRs to sign. Challenge: 20-byte challenge from remote server Prevents replay of old signatures. Userdata: additional data to include in sig. Returns signed data and signature. CIS 4360 Secure Computer Systems 35

TPM-Based Attestation Example [Gasser et al. 89], [Arbaugh et al. 97], [Sailer et al. 04], [Marchesini et al. 04] BIOS Bootloader Module Module Module Module OS App App App PCRs TPM K Priv 36

Module Module Establishing Trust via a TPM [Gasser et al. 89], [Arbaugh et al. 97], [Sailer et al. 04], [Marchesini et al. 04] Accurate! random # Module Module A Module A Module K p p A p p p OS Pu OS p BIOS Bootloader BIOS Bootloader b Module Sign ( ) K priv Module Module BIOS Bootloader Module Module OS Module random # A A p p A p p p p Guarantees freshness App App App Guarantees real TPM Guarantees actual TPM logs TPM PCRs K Priv 37

We have covered Ajesta]on; next, we will cover another main applica]on: Sealed Data 38

Sealing Sealing: TPM encrypts a pieced of data using a private key of TPM and records the PCR values upon encryption the client is interested in TPM then returns an encrypted blob = Encrypt(K, {data, PCR values}) The encrypted blob is NOT stored in TPM Unsealing: The encrypted blob is sent to TPM for decryption, but TPM will refuse to release the clear text unless it finds the current values in PCR registers match those recorded in the blob CIS 4360 Secure Computer Systems 39

How to seal a key? Main Step: Encrypt data (e.g., a key) TPM_Seal (some) Arguments: keyhandle: the index of a TPM key used to encrypt the data KeyAuth: Password for using key `keyhandle PcrValues: PCRs to be embedded in encrypted blob data block: at most 256 bytes (2048 bits), e.g., an AES key Returns encrypted blob, which will be stored in disk In BitLocker, an AES key is used to encrypt the disk in BitLocker. The AES key is sealed in a blob, which is stored in the disk The AES key will not be released by TPM unless the PCR values match those recorded in the blob

What is Measured? Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0) Option ROM Code (PCR 2) Master Boot Record (MBR) Code (PCR 4) NTFS Boot Sector (PCR 8) NTFS Boot Block (PCR 9) Boot Manager (PCR 10) BitLocker Access Control (PCR 11) CIS 4360 Secure Computer Systems 41

Question Is it possible that an ajacker installs some malicious firmware used to sniffer the AES key released by TPM? No, if the firmware is infected, the corresponding PCR value will change. So TPM will simply refuse to release the AES key CIS 4360 Secure Computer Systems 42

Question A disk is protected by BitLocker +TPM. Can I insert it into another computer to get the data in the disk? No, unless the TPM in the second computer has the same Storage Root Key. Recall that the SRK is needed to decrypt the encrypted blob stored in the disk In this case, what you need is the recovery key, which is the AES key used to encrypt the disk. The user is asked to store the recovery key in a another place (e.g., a USB drive) CIS 4360 Secure Computer Systems 43

Summary What a TPM is: Hardware protected keys Endorsement key: for signing (PCR values) Storage root key: for encrypting storage keys Crypto-processor RSA HMAC SHA-1 (SHA-2 in TPM 2.0) PCR What the TPM can do Attestation Sealed storage CIS 4360 Secure Computer Systems 44

Writing Assignments What is Measured Boot? What attacks can you do if you have extracted the private keys from a TPM What knowledge should an IT service have for attestation over a laptop of the company? CIS 4360 Secure Computer Systems 45

Backup slides CIS 4360 Secure Computer Systems 46

A cloud application [JPBM 10] Client VM sealed to VMM VMM TPM cloud servers Client seals VM to VMM measurement VM code and data is encrypted Can only be decrypted on valid cloud server Cloud operator cannot easily access data VMM TPM CIS 4360 Secure Computer Systems 47

BitLocker Driver Encryption Volume Master Key (VMK) encrypts disk More precisely, VMK encrypts the Full Volume Encryption Key, which in turns encrypts disk VMK is sealed (encrypted) under TPM SRK (Storage Root Key) using Master Boot Record (MBR) Code (PCR 4), NTFS Boot Sector (PCR 8), NTFS Boot Block (PCR 9), NTFS Boot Manager (PCR 10), and Other Critical Components (PCR 11) CIS 4360 Secure Computer Systems 48

1. Attesting to code integrity only Attestation only attests to what code was loaded. Does not say whether running code has been compromised. Ineffective against buffer overflows CIS 4360 Secure Computer Systems 49

2. AV gets confused by encrypted viruses Suppose malicious music file exploits bug in Windows Media Player. Music file is encrypted. TCG prevents anyone from getting music file in the clear. Can anti-virus companies block virus without ever seeing its code in the clear? CIS 4360 Secure Computer Systems 50

TCG Alternatives IBM 4758: Supports all TCG functionality and more. Tamper resistant 486 100MhZ PCI co-processor. Programmable. but expensive ~ $2000. TPM ~ $1. AEGIS System: Arbaugh, Farber, Smith 97: Secure boot with BIOS changes only. Cannot support sealed storage. Phoenix TrustConnector 2 SWATT: Seshadri et al., 2004 Attestation w/o extra hardware Server must know precise HW configuration CIS 4360 Secure Computer Systems 51

How to configure a TPM TPM_TakeOwnership( OwnerPassword, ) Creates 2048-bit RSA Storage Root Key (SRK) on TPM Cannot run TPM_TakeOwnership again without OwnerPwd: Done once by IT department or laptop owner. CIS 4360 Secure Computer Systems 52

Sealed storage: applications Web server: seal server s SSL private key Goal: only unmodified Apache can access SSL key Problem: updates to Apache or Apache config Lock software on machine: OS and apps sealed with MBR s PCR. Any changes to MBR (to load other OS) will prevent locked software from loading. Prevents tampering and reverse engineering e.g. software integrity on voting terminals CIS 4360 Secure Computer Systems 53

Better root of trust DRTM Dynamic Root of Trust Measurement AMD: skinit Intel: senter Atomically does: Reset CPU. Reset PCR 17 to 0. Load given Secure Loader (SL) code into I-cache Extend PCR 17 with SL Jump to SL BIOS boot loader is no longer root of trust Avoids TPM_Init attack: TPM_Init sets PCR 17 to -1 CIS 4360 Secure Computer Systems 54

Example: Trusted GRUB (IBM 05) What PCR # to use and what to measure specified in GRUB config file CIS 4360 Secure Computer Systems 55

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback