Lecture Embedded System Security Introduction to Trusted Computing

Similar documents
Lecture Embedded System Security Introduction to Trusted Computing

Lecture Embedded System Security Introduction to Trusted Computing

Trusted Computing Special Aspects and Challenges

Lecture Embedded System Security Trusted Platform Module

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Applications of Attestation:

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Trusted Computing Group

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Systems View -- Current. Trustworthy Computing. TC Advantages. Systems View -- Target. Bootstrapping a typical PC. Boot Guarantees

Embedded System Security Mobile Hardware Platform Security

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2009

Trusted Virtual Domains: Towards Trustworthy Distributed Services. Ahmad-Reza Sadeghi System Security Lab Ruhr-Universität Bochum

Security and Privacy in Cloud Computing

TERRA. Boneh. A virtual machine-based platform for trusted computing. Presented by: David Rager November 10, 2004

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

Advanced Systems Security: Principles

Embedded System Security Mobile Hardware Platform Security

SECURITY ARCHITECTURES CARSTEN WEINHOLD

Accelerating the implementation of trusted computing

Trusted Platform for Mobile Devices: Challenges and Solutions

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Advanced Systems Security: Principles

NGSCB The Next-Generation Secure Computing Base. Ellen Cram Lead Program Manager Windows Security Microsoft Corporation

Technical Brief Distributed Trusted Computing

Platform Configuration Registers

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2007

IDACCS Wireless Integrity protection in a smart grid environment for wireless access of smart meters

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Lecture 1 Applied Cryptography (Part 1)

Trusted Network Access Control Experiences from Adoption

Creating the Complete Trusted Computing Ecosystem:

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

Easy Incorporation of OPTIGA TPMs to Support Mission-Critical Applications

TRUSTED COMPUTING TRUSTED COMPUTING. Overview. Why trusted computing?

Towards Application Security on Untrusted Operating Systems

Who s Protecting Your Keys? August 2018

Trusted Computing Today: Benefits and Solutions

Dawn Song

Trusted Computing in Drives and Other Peripherals Michael Willett TCG and Seagate 12 Sept TCG Track: SEC 502 1

Enforcing Trust in Pervasive Computing. Trusted Computing Technology.

Trusted Network Connect (TNC) 3rd European Trusted Infrastructure Summer School September 2008

Trusted Computing: Introduction & Applications

Advanced Systems Security: Principles

Lecture 3 MOBILE PLATFORM SECURITY

Network Security Issues and Cryptography

Lecture Secure, Trusted and Trustworthy Computing Introduction to SGX

Hypervisor Security First Published On: Last Updated On:

Most Common Security Threats (cont.)

GSE/Belux Enterprise Systems Security Meeting

Intelligent Terminal System Based on Trusted Platform Module

CIS 4360 Secure Computer Systems SGX

Computers and Security

CSE543 - Computer and Network Security Module: Trusted Computing

Secure Set Intersection with Untrusted Hardware Tokens

Windows 10 IoT Core Azure Connectivity and Security

Trusted Computing. William A. Arbaugh Department of Computer Science University of Maryland cs.umd.edu

The next step in IT security after Snowden

DICE: Foundational Trust for IoT

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

An Introduction to Trusted Platform Technology

TRESCCA Trustworthy Embedded Systems for Secure Cloud Computing

Network Working Group Request for Comments: 1984 Category: Informational August 1996

Advanced Systems Security: Integrity

Trusted Disk Loading in the Emulab Network Testbed. Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Server side management system for multiple IoT terminals in industrial systems

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Flicker: An Execution Infrastructure for TCB Minimization

Security Using Digital Signatures & Encryption

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

OS Security IV: Virtualization and Trusted Computing

Weak Spots Enterprise Mobility Management. Dr. Johannes Hoffmann

TUX : Trust Update on Linux Kernel

Trusted Computing: Security and Applications

Advanced Systems Security: Integrity

EXTERNALLY VERIFIABLE CODE EXECUTION

CUNY John Jay College of Criminal Justice MATH AND COMPUTER SCIENCE

Intel Software Guard Extensions

L1: Computer Security Overview. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

OVAL + The Trusted Platform Module

Cryptography and Network Security Overview & Chapter 1. Network Security. Chapter 0 Reader s s Guide. Standards Organizations.

Labels and Information Flow

Windows IoT Security. Jackie Chang Sr. Program Manager

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013

Trusted Computing and O/S Security

Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008

IMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP

Lecture 44 Blockchain Security I (Overview)

Wrapup. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

Trusted Mobile Platform

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

INF3510 Information Security Spring Lecture 4 Computer Security. University of Oslo Audun Jøsang

Coordinated Disclosure of Vulnerabilities in AVG Antivirus Free Android

Building Trust Despite Digital Personal Devices

Coordinated Disclosure of Vulnerabilities in McAfee Security Android

Trusted Platform Modules Automotive applications and differentiation from HSM

SECURITY ARCHITECTURES CARSTEN WEINHOLD

Usability, Security and Privacy

Transcription:

1 Lecture Embedded System Security Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Summer Term 2015

Roadmap: Trusted Computing Motivation Notion of trust Trusted Computing Chain of trust Integrity measurements Slide Nr. 2, Embedded System Security, SS 2015

The Big Picture Trustworthiness in distributed IT systems Different parties with potentially conflicting requirements involved Cryptographic methods are of limited help The challenges How to define trustworthiness? How to determine/verify trustworthiness? How could common computing platforms support such functionality? Even a secure OS cannot verify own integrity The role of Trusted Computing Enable the reasoning about trustworthiness of own and other IT systems Slide Nr. 3, Embedded System Security, SS 2015

Demand for Trusted Computing Increasing threats for IT systems Malware, phishing, targeted attacks, etc. Inflexibility of traditional secure systems Example: reference monitors Improve security of existing IT systems and infrastructures Servers, PCs, mobile phones, embedded systems, VPN, etc. Enable new applications with sophisticated (security) requirements Slide Nr. 4, Embedded System Security, SS 2015

Use-Cases Electronic services Government (e.g., e-voting integrity) Health (e.g., confidentiality of sensitive medical records) Commerce (e.g., enforceability of digital signatures) Online banking Digital/enterprise rights management. Slide Nr. 5, Embedded System Security, SS 2015

Roadmap: Trusted Computing Motivation Notion of trust Trusted Computing Chain of trust Integrity measurements Slide Nr. 6, Embedded System Security, SS 2015

Notions of Trust

Trust Complicated notion Studied and debated in different areas (social sciences, philosophy, psychology, computer science, ) Notion relating to belief in honesty, truthfulness, competence, reliability, etc. of the trusted entity Social trust Belief in the safety or goodness of something because of reputation, association, recommendation, perceived benefit, etc. Slide Nr. 8, Embedded System Security, SS 2015

Secure, Trusted, Trustworthy Secure: System or component will not fail with respect to security goals Trusted: System or component whose failure can break the (security) policy (Trusted Computing Base, TCB) Trusted Computing Group (TCG) defines a system as trusted if it always behaves in the expected manner for the intended purpose Trustworthy: Degree to which behavior of a component or system is demonstrably compliant with its stated functionality Slide Nr. 9, Embedded System Security, SS 2015

Roadmap: Trusted Computing Motivation Notion of trust Trusted Computing Chain of trust Integrity measurements Slide Nr. 10, Embedded System Security, SS 2015

Trusted Platform (Basic Idea) Has trusted components in hardware and software Provides a variety of trusted functions In particular a set of cryptographic and security functions Ideally creates a foundation of trust for software Provides hardware protection for sensitive data Examples: Keys, counters, etc. Desired goals in practice Trusted Computing Base (TCB) should be minimized Compatibility to commodity systems Application Application Application Application Operating System (OS) Hardware OS Hardware Trusted Component Trusted Component Conventional Platform Slide Nr. 11, Embedded System Security, SS 2015 Trusted Platform

Problems of Existing IT Systems Insufficient protection in software and hardware of existing computing platforms Malicious code (e.g., viruses, Trojan horses) Runtime attacks (e.g., return-oriented programming) DMA (Direct Memory Access) No secure storage Main reasons High complexity and poor fault isolation of existing operating systems Lack of protection mechanisms in hardware User unawareness and poor usable security Slide Nr. 13, Embedded System Security, SS 2015

Primary Goals of TC in Practice Improve security of (existing) computing platforms Reuse existing modules GUI, common OS, etc. Applicable to different operating systems No monopoly, room for innovation Open architecture Use open standards and open source components Trustworthiness, costs, reliability, compatibility Efficient portability New applications/business models Providing security needed for underlying applications (based on various sets of assumptions and trust relations) Avoid potential misuse of trusted computing Slide Nr. 14, Embedded System Security, SS 2015

Desired Primitives and Tools 1. Metric for code configuration/identity I/O behavior of machine determined by its code Example of a simple metric: Hash value of binary code Problematic when code functionality depends on other code not included in hash digest (e.g., shared or dynamically linked libraries) 2. Integrity verification (Attestation) Allows computing platform to export verifiable information about its properties (e.g., identity and initial state) Comes from the requirement of assuring the code configuration and execution environment of an application located on a remote computing platform Slide Nr. 15, Embedded System Security, SS 2015

Desired Primitives and Tools (ctd.) 3. Secure storage Securely stores data on untrusted storage (e.g. hard disks) Encrypts data and assures that no other entity can decrypt it 4. Strong process isolation Assures process (memory space) separation Prevents a process from reading or modifying the memory used by another process 5. Secure I/O Allows applications to assure the endpoints of input and output operations Assures to the user that he securely interacts with the intended application Slide Nr. 16, Embedded System Security, SS 2015

Need for Secure Hardware and Software Need for secure hardware Even a secure operating system cannot verify its own integrity Another party is needed Secure storage (e.g., for cryptographic keys) Isolation of security-critical programs (e.g., by DMA control) Hardware-based random numbers Fundamental to cryptography Need for secure software (operating systems) Hardening Still too complex and too large TCB (Trusted Computing Base) Complete new design Compatibility problem, low market acceptance Secure virtual machine monitors Allow reuse of legacy software (operating system and applications) Slide Nr. 17, Embedded System Security, SS 2015

Trusted Computing Group (TCG) Consortium of many IT-Enterprises Founded in April 2003 www.trustedcomputinggroup.org Focus development of hardware-enabled trusted computing and security technologies across multiple platforms/devices Publications Various specifications on Trusted Platforms and Infrastructures Slide Nr. 18, Embedded System Security, SS 2015

TCG Main Specifications Trusted Platform Module (TPM) Provides a set of immutable cryptographic and security functions Trusted Software Stack (TSS) Issues low-level TPM requests and receives low-level TPM responses on behalf of higher-level applications Slide Nr. 19, Embedded System Security, SS 2015

Roadmap: Trusted Computing Motivation Notion of trust Trusted Computing Chain of trust Integrity measurements Slide Nr. 20, Embedded System Security, SS 2015

Main TCG Concept: Chain of Trust Consider Entities E 0,, E n Goal is to gain trust in entity E n Operational standpoint: E 0 launches E 1, E 1 launches E 2, etc. To trust E n one must trust E n 1 The sequence E 0, E 1 to E n creates a chain of trust Transitive trust from E 0 to E 1 to E 2, etc. Trusting E 2 requires one to trust E 0 and E 1 However: Trusting E 0 does not imply that one trusts E 2 Entity E 0 Entity E 1 Entity E 2 Entity E n Slide Nr. 21, Embedded System Security, SS 2015

Chain Measurement What is needed to trust the chain? The identity of each entity E i in the chain Identity = measurement (according to TCG definition) Example: Hash digest of the binary code of E i Generic flow: Each E i measures E i+1 before passing control to it Who measures E 0? E 0 must be trusted, no mechanism to measure E 0 E 0 is called Root of Trust for Measurement (RTM) RTM Entity E 0 Entity E 1 Entity E 2 Entity E n Slide Nr. 22, Embedded System Security, SS 2015

Root of Trust for Measurement (RTM) Immutable portion of trusted platform s initialization code executed on every platform boot Trust in all integrity measurements based on integrity of RTM Slide Nr. 23, Embedded System Security, SS 2015

Performing Integrity Measurements RTM 3. SM (Security Module) Registers 2. 4. 1. Entity E Event Log One Event Structure per measurement Event Structure Extend Value (hash digest of E) Extend Data (information about E) Slide Nr. 24, Embedded System Security, SS 2015 1. RTM measures entity E 2. RTM creates Event Structure in Event Log Event Log contains Event Structures for all measurements extended to the SM Event Log can be stored on (untrusted) storage device (e.g., hard disk) 3. RTM extends measurement value into SM registers 4. RTM executes/passes control to entity E

Abstract Model of TCG Concept Trusted Platform P Provides integrity of host H Host H (untrusted) Firmware Operating system Applications D execute(c H ) Attestor A Trusted component (hard- and software) Securely stores C H RTM challenge response Attest(Hash(C H )) Bind(Hash(C H ), D) init(c H ) Challenger / Verifier Verifier V Local or remote Can decide whether C H violates its security requirements Can bind/seal data D to a specific (probably secure) configuration/state of H Attest: Verify system integrity Bind/Seal: Access control depending on system configuration C H - initial configuration/state of host H when platform P has been booted D - data to be revealed only if host H is in the (secure) configuration C H User / Adversary insecure channel secure channel

Concerns About TCG Approach Potential basis for Digital Rights Management (DRM) Restriction of freedom Including freedom of choice and user control Privacy violations Disclosure of platform identity and configuration Core specifications not really readable Leads to misunderstanding and false implementations Potentially restricting competition Misuse of sealed storage capabilities, locking out alternative applications and inhibiting interoperation Much of the criticism related to Microsoft s NGSCB NGSCB = Next Generation Secure Computing Base Several name changes Palladium, NGSCB, Longhorn, Vista Bad publicity or legal challenges on rights to the names Slide Nr. 26, Embedded System Security, SS 2015

Some Legal Requirements on TC/TCG Prevent confusion and clarify terms Trust, trusted, trustworthy, thread model, etc. Privacy (user, platform, ) Application and design of new technologies should be privacy compliant by default Unrestricted user control For instance over keys and IT technology Transparency of trusted platform certification process Option for transferring secrets between different machines Product discrimination TC/DRM should not adversely affect security of governmentheld information Slide Nr. 27, Embedded System Security, SS 2015