Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Similar documents
Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2009

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2007

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Lecture Embedded System Security Trusted Platform Module

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

CSE543 - Computer and Network Security Module: Trusted Computing

TRUSTED COMPUTING TRUSTED COMPUTING. Overview. Why trusted computing?

Flicker: An Execution Infrastructure for TCB Minimization

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Embedded System Security Mobile Hardware Platform Security

OVAL + The Trusted Platform Module

Embedded System Security Mobile Hardware Platform Security

INF3510 Information Security Spring Lecture 4 Computer Security. University of Oslo Audun Jøsang

Unicorn: Two- Factor Attestation for Data Security

CIS 4360 Secure Computer Systems Secured System Boot

CIS 4360 Secure Computer Systems. Trusted Platform Module

How to create a trust anchor with coreboot.

TCG TPM2 Software Stack & Embedded Linux. Philip Tricca

TPM v.s. Embedded Board. James Y

Hypervisor Security First Published On: Last Updated On:

An Introduction to Trusted Platform Technology

Offline dictionary attack on TCG TPM authorisation data

A TRUSTED STORAGE SYSTEM FOR THE CLOUD

Systems View -- Current. Trustworthy Computing. TC Advantages. Systems View -- Target. Bootstrapping a typical PC. Boot Guarantees

Trusted Computing and O/S Security. Aggelos Kiayias Justin Neumann

Atmel Trusted Platform Module June, 2014

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Sealing and Attestation in Intel Software Guard Extensions (SGX)

Crypto Background & Concepts SGX Software Attestation

Computer Security CS 426 Lecture 17

OS Security IV: Virtualization and Trusted Computing

Lecture 3 MOBILE PLATFORM SECURITY

Old, New, Borrowed, Blue: A Perspective on the Evolution of Mobile Platform Security Architectures

Intelligent Terminal System Based on Trusted Platform Module

CIS 4360 Secure Computer Systems. Trusted Platform Module

Trusted Computing in Drives and Other Peripherals Michael Willett TCG and Seagate 12 Sept TCG Track: SEC 502 1

Applications of Attestation:

A Proposed Standard for Entity Attestation draft-mandyam-eat-00. Laurence Lundblade. November 2018

Certifying Program Execution with Secure Processors. Benjie Chen Robert Morris Laboratory for Computer Science Massachusetts Institute of Technology

Lecture Embedded System Security Introduction to Trusted Computing

INF3510 Information Security. Lecture 6: Computer Security. Universitetet i Oslo Audun Jøsang

Binding keys to programs using Intel SGX remote attestation

Trusted Computing and O/S Security

Intel Software Guard Extensions

EXTERNALLY VERIFIABLE CODE EXECUTION

Policy-Sealed Data: A New Abstraction for Building Trusted Cloud Services

Trusted Computing: Introduction & Applications

Trusted Computing. William A. Arbaugh Department of Computer Science University of Maryland cs.umd.edu

Trusted Computing: Introduction & Applications

Platform Configuration Registers

Mobile Platform Security Architectures A perspective on their evolution

I Don't Want to Sleep Tonight:

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

From TPM 1.2 to 2.0 and some more. Federico Mancini AFSecurity Seminar,

TRUSTED SUPPLY CHAIN & REMOTE PROVISIONING WITH THE TRUSTED PLATFORM MODULE

CIS 4360 Secure Computer Systems SGX

TRUSTED COMPUTING TECHNOLOGIES

Sanctum: Minimal HW Extensions for Strong SW Isolation

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

On-board Credentials. N. Asokan Kari Kostiainen. Joint work with Jan-Erik Ekberg, Pekka Laitinen, Aarne Rantala (VTT)

Bootstrapping Trust in Commodity Computers

Lecture Embedded System Security Introduction to Trusted Computing

Security and Privacy in Cloud Computing

Jonathan M. McCune. Carnegie Mellon University. March 27, Bryan Parno, Arvind Seshadri Adrian Perrig, Michael Reiter

Secure, Trusted and Trustworthy Computing

Advanced Systems Security: Cloud Computing Security

ARM Security Solutions and Numonyx Authenticated Flash

Trusted computing. Aurélien Francillon Secappdev 24/02/2015

TERRA. Boneh. A virtual machine-based platform for trusted computing. Presented by: David Rager November 10, 2004

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

6.857 L17. Secure Processors. Srini Devadas

TUX : Trust Update on Linux Kernel

Software Vulnerability Assessment & Secure Storage

An Execution Infrastructure for TCB Minimization

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

UNIT - IV Cryptographic Hash Function 31.1

Protecting your system from the scum of the universe

The Role of Trustworthy Computing to Build Future Secure Internet Architectures

Refresher: Applied Cryptography

Security of Cloud Computing

Preliminary analysis of a trusted platform module (TPM) initialization process

Influential OS Research Security. Michael Raitza

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

Protecting your system from the scum of the universe

ROTE: Rollback Protection for Trusted Execution

Hardware-Based Trusted Computing Architectures for Isolation and Attestation

Industrial IoT Security Attacks & Countermeasures

Sirrix AG security technologies. TPM Laboratory I. Marcel Selhorst etiss 2007 Bochum Sirrix AG

BCM58100B0 Series: BCM58101B0, BCM58102B0, BCM58103B0 Cryptographic Module VC0 Non-Proprietary Security Policy Document Version 0.

Justifying Integrity Using a Virtual Machine Verifier

Connecting Securely to the Cloud

A Robust Integrity Reporting Protocol for Remote Attestation

CLASS AGENDA. 9:00 9:15 a.m. 9:15 10:00 a.m. 10:00 12:00 p.m. 12:00 1:00 p.m. 1:00 3:00 p.m. 3:00 5:00 p.m.

Lecture Secure, Trusted and Trustworthy Computing Mobile Hardware Platform Security

Enforcing Trust in Pervasive Computing. Trusted Computing Technology.

Transcription:

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing 02/06/14

Goals Understand principles of: Authenticated booting, diference to (closed) secure booting Remote attestation Sealed memory Dynamic root of trust Protection of applications from the OS Some variants of implementations (HW) Non-Goal: Lots of TPM, TCG-Spec details read the documents once needed SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 2

Some terms Secure Booting Authenticated Booting (Remote) Attestation Sealed Memory Late Launch / dynamic root of trust Trusted Computing (Group) / Trusted Computing Base Attention: terminology has changed SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 3

Trusted Computing (Base) Trusted Computing Base (TCB) The set of all components, hardware, software, procedures, that must be relied upon to enforce a security policy. Trusted Computing (TC) A particular technology compromised of authenticated booting, remote attestation and sealed memory. SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 4

TC key problems Can running certain Software be prevented? Which computer system do I communicate with? Which stack of Software is running? In front of me? On my server somewhere? Can I restrict access to certain secrets (keys) to certain software? Can I protect an application against the OS SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 5

1) End User Example Digital Rights Management: Provider sells content Provider creates key, encrypts content Client downloads encrypted content, stores on disk Provider sends key, but needs to ensure that only speci9c SW can use it Has to work also when client is of line PROVIDER DOES NOT TRUST CLIENT SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 6

2) Cloud Example Virtual machine provided by cloud Client buys Cycles + Storage (Virtual machine) Client provides its own operating system Needs to ensure that provided OS runs Needs to ensure that provider cannot access data CLIENT DOES NOT TRUST PROVIDER SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 7

3) Industrial Plant Example (Uranium Enrichment) Plant Control Remote Operator sends commands, keys Local operator occasionally has to run test SW, update to new version,... Local technicians are not Trusted SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 8

4) Anonymizer example Anonymity Service Intended to provide anonymous communication over internet Legal system can request introduction of trap door (program change) Service provider not trusted SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 9

Trusted Computing Terminology Measuring process of obtaining metrics of platform characteristics Example for metric: Hash- Codes of SW Attestation vouching for accuracy of information Sealed Memory binding information to a con9guration SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 10

An example application: DRM Digital Content is encrypted using symmetric key Smart-Card contains key authenticates device delivers key only after successful authentication Assumptions Smart Card can protect the key allowed OS can protect the key OS cannot be exchanged SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 11

Small Trusted Computing Base App. DRM X11 Linux GUI Mini OS Hardware SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 12

Protection of Application Principle Method: separate critical Software rely on small Trusted Computing Base Small OS kernels micro kernels, separation kernels,. Hardware SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 13

Notation SK priv SK pub Asymmetric key pair of some entity S { M }XK priv Digital Signature for message M using the private key of signer X { M }YK pub Message encrypted using public concellation key of Y H(M) Collision-Resistant Hash Function Certi4cate by authority Ca: { ID, SK pub, other properties } CaK priv SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 14

Notation Note: { M }Sk priv Digital Signature is short for: encrypt(h(m),sk priv ) { M }Sk pub Message concealed... does not necessarily imply public key encryption for full M (rather a combination of symmetric and asymmetric methods) SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 15

Identi4cation of Software Program vendor: Foosoft FS Two ways to identify Software: Hash / public key H(Program) {Program, ID- Program}FSK priv use FSK pub to check the signature must be made available, e.g. shipped with the Program The ID of SW must be made available somehow. SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 16

Tamperresistant black box CPU Non-Volatile Memory: Memory Platform Configuration Registers: SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 17

Ways to burn in the OS or secure booting Read-Only Memory Allowed H(OS) in NV memory preset by manufacturer load OS- Code compare H(loaded OS code) to preset H(OS) abort if diferent Preset FSK pub in NV memory preset by manufacturer load OS- Code check signature of loaded OS-Code using FSK pub abort if check fails SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 18

Authenticated Booting, using HASH Steps: Preparation by Manufacturers (TRB and OS) Booting & Measuring Remote attestation SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 19

Authenticated Booting, using HASH CPU Memory Non-Volatile Memory: Endorsement Key EK preset by Manufacturer Platform Configuration Registers: PCR: Hash-Code obtained during boot SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 20

Vendors of TRB and OS TRB generates key pair: Endorsement Key (EK) stores in TRB NV Memory: EK priv emits: EK pub TRB vendor certifies: { a valid EK, EK pub }TVK priv OS-Vendor certifies: { a valid OS, H(OS)}OSVK priv serve as identifiers: EK pub and H(OS) SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 21

Booting & Attestation, using HASH Booting: TRB measures OS- Code (computes H(OS-Code)) stores in PCR no other way to write PCR Attestation: Challenge: nonce TRB generates Response: {PCR, nonce' }EKpriv SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 22

Authenticated Booting, using public key CPU Memory Non-Volatile Memory: Endorsement Key EK preset by Manufacturer Platform Configuration Registers: PCR: OSK pub used to check OS SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 23

Vendors of TRB and OS, using Key TRB generates key pair: stores in TRB NV Memory: EK priv emits: EK pub TRB vendor certifies: { a valid EK, EK pub }TVK priv OS-Vendor certifies: { a valid OS, OSK pub }OSVK priv and signs OS-Code: {OS-Code}OSK priv serve as identifiers: EK pub and OSK pub SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 24

Booting & Attestation, using Key Booting: TRB checks OS- Code using some OSK pub stores OSK pub in PCR no other way to write PCR Attestation: Challenge: nonce TRB generates Response: {PCR, nonce' }EKpriv SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 25

A Race condition Nonce Boot Linux new active OS Content Boot Windows new active OS Content Boot Linux new active OS SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 26

Auth. Booting considering reboot attestation required at each request Do not use EK This is one way of doing it: create new keypairs on every reboot SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 27

Booting (AB considering reboot) Booting: TRB checks OS- Code using some OSK pub store OSK pub in PCR create 2 keypairs for the booted OS ( Active OS ): ActiveOSAuthK /* for Authentication ActiveOSConsK /* for Concellation certifies: { ActiveOSAuthK pub, ActiveOSConsKpub,OSK pub }EK priv Hand over ActiveOSKeys to booted OS SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 28

Attestation (AB considering reboot) Remote Attestation: Challenge: nonce Active OS generates response: { ActiveOSConsKpub, ActiveOSAuthK pub, OSK pub }EK priv /* see previous slide {nonce'} ActiveOSAuthK priv Encrypted Channel via the active OS: { message } ActiveOSConsK pub SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 29

Assumptions TRB can protect: EK, PCR OS can protect: ActiveOSAuthK priv ActiveOSConsK priv Rebooting destroys content of PCR Memory Holding ActiveOSAuthK priv ActiveOSConsKpriv SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 30

Software stacks and trees Application Application Application GUI GUI GUI OS Code OS Code OS Loader OS Loader ROOT ROOT SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 31

Software stacks and trees 2 Problems: Very large Trusted Computing Base for Booting Remote attestation of one process (leaf in tree) SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 32

Software stacks and trees Extend Operation stack: PCR n = H(PCR n-1 next-component ) tree: diqcult (unpublished?) Key pairs per step: OS controls applications generate key pair per application OS certi9es { Application 1, App1K pub } ActiveOSK priv { Application 2, App2K pub } ActiveOSK priv SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 33

Late Launch Problem: huge Software to boot system!!! Use arbitrary SW to start system and load all SW provide specific instruction to enter secure mode set HW in specific state (stop all processors, IO, ) Measure root of trust SW store measurement in PCR AMD: skinit (Hash) arbitrary root of trust Intel: senter (must be signed by chip set manufacturer) SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 34

Sealed Memory Problem: Send information using secure channels Bind that information to Software con9guration Work orine: How to store information in the absence of communication channels? For example DRM: bind encryption keys to speci9c machine, speci9c OS SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 35

Sealed Memory Tamper-resistant black box Add / delete entry Read / write Win 7 PCR: H(OS) SUSE-Linux L4-Test-Version SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 36

Sealed Memory Tamper-resistant black box Add / delete entry Read / write Win 7 PCR: H(Win-7) SUSE-Linux L4-Test-Version SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 37

Sealed Memory Tamper-resistant black box Add / delete entry Read / write Win 7 PCR: H(SUSE) SUSE-Linux L4-Test-Version SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 38

Sealed Memory: Seal Operation Tamper-resistant black box PCR: H(Win-7) Win 7 SUSE-Linux L4-Test-Version Message Sealed Message SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 39

Sealed Memory: Unseal Operation Tamper-resistant black box PCR: H(Win-7) Win 7 SUSE-Linux L4-Test-Version Sealed Message Message SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 40

Tamperresistant black box (TRB) CPU Memory Non-Volatile Memory: S: Storage key created my manufacturer seen by nobody Platform Configuration Register: PCR: SW-config SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 41

Sealed Memory Seal(message): encrypt( PCR, message, Storage-Key) sealed message ; emit sealed message Unseal(sealed_message): decrypt( sealed_message, Storage-Key) SW con9g, message ; If SW con9g == PCR then emit message else abort 9 SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 42

Sealed Memory for future con4guration Seal(message, FUTURE_Con4g): encrypt( FUTURE_Con4g, message, Storage-Key) sealed message ; emit sealed_message seals information such that it can be unsealed by a future con9guration (for example: future version) SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 43

Example Win8: Seal ( SonyOS, Sony-Secret ) SealedMessage (store it on disk) L4: Unseal (SealedMessage) SonyOS, Sony-Secret PCR#SonyOS abort SonyOS: Unseal(SealedMessage SonyOS, Sony-Secret PCR==SonyOS ok SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 44

Tamper Resistant Box? Ideally, includes CPU, Memory, In practice Additional physical protection, for example IBM 4758 look it up in Wikipedia Recent HW versions TPM: separate Trusted Platform Modules (replacing BIOS breaks TRB) Add a new privilege mode: ARM TrustZone Intel SGX SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 45

TCG PC Platforms: Trusted Platform Module (TPM) CPU Memory FSB PCI LPC BIOS TPM SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 46

TPM NV Store PCK EK / AIK Internal Program IO SHA-1 RSA Key gen Random number gen SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 47

ARM TrustZone Normal World Secure World PL0 User User Trusted Services PL1 Kernel Kernel Trusted OS PL2 Hypervisor Monitor SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 48

References Important Foundational Paper: Authentication in distributed systems: theory and practice Butler Lampson, Martin Abadi, Michael Burrows, Edward Wobber ACM Transactions on Computer Systems (TOCS) SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 49

More References TCG Speci9cations:https://www.trustedcomputinggroup.org/g roups/tcg_1_3_architecture_overview.pdf https://software.intel.com/sites/default/9les/329298-001.pdf http://www.slideshare.net/daniel_bilar/intel-sgx-2013 ARM Trustzone SS 2014 Distributed OS / Trusted Computing - Hermann Härtig 50

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback