Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Similar documents
Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Flicker: An Execution Infrastructure for TCB Minimization

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Lecture Embedded System Security Trusted Platform Module

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2009

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2007

SECURITY ARCHITECTURES CARSTEN WEINHOLD

TRUSTED COMPUTING TRUSTED COMPUTING. Overview. Why trusted computing?

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

OVAL + The Trusted Platform Module

SECURITY ARCHITECTURES CARSTEN WEINHOLD

Unicorn: Two- Factor Attestation for Data Security

TPM v.s. Embedded Board. James Y

Platform Configuration Registers

From TPM 1.2 to 2.0 and some more. Federico Mancini AFSecurity Seminar,

CIS 4360 Secure Computer Systems Secured System Boot

An Execution Infrastructure for TCB Minimization

jvpfs: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components

CIS 4360 Secure Computer Systems. Trusted Platform Module

Trusted Computing Group

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Systems View -- Current. Trustworthy Computing. TC Advantages. Systems View -- Target. Bootstrapping a typical PC. Boot Guarantees

Jonathan M. McCune. Carnegie Mellon University. March 27, Bryan Parno, Arvind Seshadri Adrian Perrig, Michael Reiter

How to create a trust anchor with coreboot.

CSE543 - Computer and Network Security Module: Trusted Computing

Flicker: An Execution Infrastructure for TCB Minimization

Secure, Trusted and Trustworthy Computing

Trusted Computing and O/S Security. Aggelos Kiayias Justin Neumann

Binding keys to programs using Intel SGX remote attestation

Applications of Attestation:

CIS 4360 Secure Computer Systems. Trusted Platform Module

Software Vulnerability Assessment & Secure Storage

Framework for Prevention of Insider attacks in Cloud Infrastructure through Hardware Security

Trusted Computing and O/S Security

Crypto Background & Concepts SGX Software Attestation

6.857 L17. Secure Processors. Srini Devadas

Expert Reference Series of White Papers. BitLocker: Is It Really Secure? COURSES.

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

Encrypting stored data

Certifying Program Execution with Secure Processors. Benjie Chen Robert Morris Laboratory for Computer Science Massachusetts Institute of Technology

EXTERNALLY VERIFIABLE CODE EXECUTION

L13. Reviews. Rocky K. C. Chang, April 10, 2015

A TRUSTED STORAGE SYSTEM FOR THE CLOUD

Connecting Securely to the Cloud

TERRA. Boneh. A virtual machine-based platform for trusted computing. Presented by: David Rager November 10, 2004

Embedded System Security Mobile Hardware Platform Security

Hypervisor Security First Published On: Last Updated On:

Bootstrapping Trust in Commodity Computers

Embedded System Security Mobile Hardware Platform Security

Atmel Trusted Platform Module June, 2014

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

Trusted Computing in Drives and Other Peripherals Michael Willett TCG and Seagate 12 Sept TCG Track: SEC 502 1

Intelligent Terminal System Based on Trusted Platform Module

The Early System Start-Up Process. Group Presentation by: Tianyuan Liu, Caiwei He, Krishna Parasuram Srinivasan, Wenbin Xu

Trusted Computing: Security and Applications

Trusted Disk Loading in the Emulab Network Testbed. Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci

TRUSTED SUPPLY CHAIN & REMOTE PROVISIONING WITH THE TRUSTED PLATFORM MODULE

TPM Entities. Permanent Entities. Chapter 8. Persistent Hierarchies

Refresher: Applied Cryptography

Lecture Embedded System Security Introduction to Trusted Computing

I Don't Want to Sleep Tonight:

Trusted Disk Loading in the Emulab Network Testbed. Cody Cutler, Eric Eide, Mike Hibler, Rob Ricci

ROTE: Rollback Protection for Trusted Execution

Mobile Platform Security Architectures A perspective on their evolution

CSE484 Final Study Guide

An Introduction to Trusted Platform Technology

Old, New, Borrowed, Blue: A Perspective on the Evolution of Mobile Platform Security Architectures

Preliminary analysis of a trusted platform module (TPM) initialization process

Distributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011

Lecture Embedded System Security Introduction to Trusted Computing

Lecture Notes 12 : TCPA and Palladium. Lecturer: Pato/LaMacchia Scribe: Barrows/DeNeui/Nigam/Chen/Robson/Saunders/Walsh

Index. Boot sequence DRTM breakout measured launch, 336 local applications, 339 measured launch, 338 SINIT ACM, 338

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Virtual Monotonic Counters and Count-Limited Objects using a TPM without a Trusted OS

Trusted computing. Aurélien Francillon Secappdev 24/02/2015

Sirrix AG security technologies. TPM Laboratory I. Marcel Selhorst etiss 2007 Bochum Sirrix AG

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

Remote E-Voting System

INF3510 Information Security Spring Lecture 4 Computer Security. University of Oslo Audun Jøsang

TCG TPM2 Software Stack & Embedded Linux. Philip Tricca

Trusted Computing: Introduction & Applications

Offline dictionary attack on TCG TPM authorisation data

Ari Singer. November 7, Slide #1

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Justifying Integrity Using a Virtual Machine Verifier

Designing a digital security envelope using the Trusted Platform Module

IBM Research Report. Towards Trustworthy Kiosk Computing. Scott Garriss Carnegie Mellon University Pittsburgh, PA

Design and Analysis of Fair-Exchange Protocols based on TPMs

Achieving safe, certified, multicore avionics systems with Separation Kernel Hypervisors

On-board Credentials. N. Asokan Kari Kostiainen. Joint work with Jan-Erik Ekberg, Pekka Laitinen, Aarne Rantala (VTT)

MiniBox: A Two-Way Sandbox for x86 Native Code

Not-A-Bot: Improving Service Availability in the Face of Botnet Attacks

Data Integrity. Modified by: Dr. Ramzi Saifan

Solving Bigger Problems with the TPM 2.0

Lecture Embedded System Security Introduction to Trusted Computing

Transcription:

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

THIS LECTURE... Today: Technology Lecture discusses basics in context of TPMs More theoretical concepts also covered in lecture Distributed Operating Systems Things you should have heard about: How to use asymmetric encryption Concept of digital signatures Collision-resistant hash functions 2

INTRODUCTION AN.ON???? L4 TPM 3

ANONYMITY Proxy ISP 4

ANONYMITY Proxy MIX ISP 5

ANONYMITY MIX MIX ISP 6

ANONYMITY AN.ON???? 7

PROBLEM Last proxy sees data in plaintext No additional end-to-end encryption? Ideal for password phishing or identifying returning users (cookies,...) Dan Egerstad [1]: 100 passwords sniffed with 5 exit nodes TOR: increasing number of exit nodes in China, Russia, USA 8

IDEA Do you spy? MIX No 9

SYSTEM LAYERS AN.ON MIX OS Boot Loader BIOS Hardware 10

TPM 11

TPM Platform Configuration Register PCR := SHA-1( PCR X ) 12

BOOTING + TPM AN.ON MIX OS Boot Loader BIOS PCR 4490EF83 13

ATTESTATION Remote Attestation MIX 4490EF83 14

ARCHITECTURE AN.ON???? Linux Windows TPM 15

MONOLITHIC MIX Monolithic OS AFC937A0 16

L4/AN.ON MIX L 4 Linux TPM Driver Memory Network Stack Network Driver GUI USB Driver L4.Fiasco 4490EF83 17

L4/AN.ON 18

L4/AN.ON 19

L4/AN.ON 20

L4/AN.ON AN.ON???? L4 TPM 21

THE TRUSTED PLATFORM MODULE 22

TPM HARDWARE TPMs are tightly integrated into platform: Soldered on motherboards... or built into chipset Tamper resistant casing Widely deployed: Business notebooks Office desktop machines Windows 8/RT tablets http://www.heise.de/bilder/61155/0/0 23

TPM OVERVIEW TPM is cryptographic coprocessor: RSA (encryption, signatures), AES (encryption), SHA-1 (cryptographic hashes) Other crypto schemes (e.g., DAA) Random number generator Platform Configuration Registers (PCRs) Non-volatile memory TPMs are passive devices! 24

TPM SPECS TPMs specified by Group [2] Multiple hardware implementations TPM specifications [3,4] cover: Architecture, interfaces, security properties Data formats of input / output Schemes for signatures, encryption,... TPM life cycle, platform requirements 25

TPM & PLATFORM RAM CPU BIOS CRTM Reset Init PCRs Chipset TPM Platform 26

TPM IDENTITY TPM identified by Endorsement Key EK: Generated in manufacturing process Certified by manufacturer Unique among all TPMs Can only decrypt, serves as root of trust Creating entirely new EK possible (e.g., for use in corporate environments) Private part of EK never leaves TPM 27

KEY HIERARCHY All keys except for EK are part of key hierarchy below Storage Root Key SRK: SRK created when user takes ownership Key types: storage, signature, identity,... Storage keys are parent keys at lower levels of hierarchy (like SRK does at root level) Keys other than EK / SRK can leave TPM: Encrypted under parent key before exporting Parent key required for loading and decrypting 28

KEY HIERARCHY EK SRK SK SK AIK AIK SK AIKs required for Remote Attestation AIK SigK 29

AIK Special key type for remote attestation: Attestation Identity Key (AIKs) TPM creates AIK + certificate request Privacy CA checks certificate request, issues certificate and encrypts under EK TPM can decrypt certificate using EK AIK certificate: This AIK has been created by a valid TPM TPM identity (EK) cannot be derived from it 30

BOOTING + TPM Application OS Boot Loader Authenticated Booting BIOS PCR 4490EF83 31

AIKS & QUOTES TPM_Quote(AIK, Nonce, PCR) System Challenger 4490EF83 Remote Attestation with Challenge/Response AE58B991 4490EF83 32

SEALED MEMORY Applications require secure storage TPMs can lock data to PCR values: TPM_Seal(): Encrypt user data under specified storage key Encrypted blob contains expected PCR values TPM_Unseal(): Decrypt encrypted blob using storage key Compare current and expected PCR values Release user data only if PCR values match 33

SEALED BLOBS Only the TPM_SEALED_DATA structure is encrypted 34

FRESHNESS Sealed data is stored outside the TPM Vulnerable to replay attacks: Multiple versions of sealed blob may exist Any version can be passed to TPM TPM happily decrypts, if crypto checks out Problem: What if sealed data must be current? How to prevent use of older versions? 35

COUNTERS TPMs provide monotonic counters Only two operations: increment, read Password protected Prevent replay attacks: Seal expected value of counter with data After unseal, compare unsealed value with current counter Increment counter to invalidate old versions 36

TPM SUMMARY Key functionality of TPMs: Authenticated booting Remote attestation Sealed memory Problems with current TPMs: No support for virtualization Slow (hundreds of ms / operation) Linear chain of trust 37

TPMS IN NIZZA ARCHITECTURE 38

BOOTING + TPM App A App B OS Boot Loader BIOS PCR 15FE7860 83E2FF9A 39

MULTIPLE APPS Use one PCR per application: Application measurements independent Number of PCRs is limited (max 24) Use one PCR for all applications: Chain of trust / application log grows All applications reported in remote attestation (raises privacy concerns) All applications checked when unsealing 40

EXTENDING TPMS Idea: extend PCRs in software: Measure only base system into PCRs (microkernel, basic services, TPM driver,...) Software TPM provides software PCRs for each application More flexibility with software PCRs : Chain of trust common up to base system Extension of chains of trust for applications fork above base system Branches in Tree of Trust are independent 41

SOFTWARE PCRS App B App A App C PCR: vpcr(a): vpcr(b): 4490EF83 6B17FC28 153B9D14 TPM Multiplexer TPM Driver Loader Names User Auth GUI Secure Storage I/O Support PCR: 4490EF83 Microkernel 42

TPM MULTIPLEX D Operations on software PCRs: Seal, Unseal, Quote, Extend Add_child, Remove_child Performed using software keys (AES, RSA) Software keys protected with real TPM Link between software PCRs and real PCRs: certificate for RSA signature key Implemented for L4: TPM multiplexer Lyon 43

A SECOND LOOK AT VPFS 44

VPFS SECURITY Dir Dir Dir File File File File Inode File Sealed Memory 83E2FF9A 45

VPFS TRUST VPFS App VPFS can access secrets only, if its own vpcr and the vpcr for the app match the respective expected values. L 4 Linux TPM Multiplexer TPM Driver Microkernel 46

VPFS SECURITY VPFS uses sealed memory: Secret encryption key Root hash of Merkle hash tree Second use case is remote attestation: Trusted backup storage required, because data in untrusted storage can be lost Secure access to backup server needed VPFS challenges backup server: Will you store my backups reliably? 47

A CLOSER LOOK AT THE WHOLE PICTURE 48

NITPICKER 49

TRUST NITPICKER User cannot just trust what he / she sees on the screen! Solution: Remote attestation For example with trusted device: User s cell phone sends nonce to PC PC replies with quote of nonce + PCR values User can decide whether to trust or not 50

A SECOND LOOK AT THE CHAIN OF TRUST 51

CRTM When you press the power button... First code to be run: BIOS boot block Stored in small ROM Starts chain of trust: Initialize TPM Hash BIOS into TPM Pass control to BIOS BIOS boot block is Core Root of Trust for Measurement (CRTM) 52

CHAIN OF TRUST Discussed so far: CRTM & chain of trust App App How to make components in chain of trust smaller Observation: BIOS and boot loader only needed for booting OS Boot Loader BIOS Question: can chain of trust be shorter? Hardware 53

DRTM CRTM starts chain of trust early Dynamic Root of Trust for Measurement (DRTM) starts it late: Special CPU instructions (AMD: skinit, Intel: senter) Put CPU in known state Measure small secure loader into TPM Start secure loader DRTM: Chain of trust can start anywhere 54

DRTM: OSLO First idea: DRTM put right below OS Smaller TCB: App App Large and complex BIOS / boot loader removed Small and simple DRTM bootstrapper added DRTM OS Boot Loader BIOS Open Secure Loader OSLO: 1,000 SLOC, 4KB binary size [6] Hardware 55

DRTM CHALLENGE DRTM remove boot software from TCB Key challenges: Secure loader must not be compromised Requires careful checking of platform state (e.g., that secure loader is actually in locked RAM, not in insecure device memory) 56

DRTM: FLICKER New DRTM can be established anytime Flicker [7] approach: App App Pause legacy OS Execute critical code as DRTM using skinit Restore CPU state Resume legacy OS Legacy OS Boot Loader BIOS Hardware 57

DRTM: FLICKER App App Legacy OS Flicker Applet Hardware 58

FLICKER DETAILS Pause untrusted legacy OS, stop all CPUs Execute skinit: Start Flicker code as secure loader Unseal input / sign data / seal output Restore state on all CPUs Resume untrusted legacy OS If needed: create quote with new PCRs TCB in order of only few thousand SLOC! 59

FLICKER LIMITS Problems with Flicker approach: Untrusted OS must cooperate Only 1 CPU active, all other CPUs stopped Secure input and output only via slow TPM functionality (seal, unseal, sign) Works for some server scenarios (e.g., handling credentials) Client scenarios require more functionality (e.g., trusted GUI for using applications) 60

THERE IS A MTM... TPMs specified for mobile platforms, too MTMs protect network operator and user However, in reality: Simple implementations in smartphones, etc. Non-modifiable boot ROM loads OS OS is signed with manufacturer key, checked Small amount of flash integrated into SoC Not open: closed or secure boot instead of authenticated booting 61

WHAT S NEXT? January 15: Lecture Debugging Operating Systems Paper Reading Exercise (paper will be announced tonight!) 62

References [1] http://www.heise.de/security/anonymisierungsnetz-tor-abgephisht--/news/meldung/95770 [2] https://www.trustedcomputinggroup.org/home/ [3] https://www.trustedcomputinggroup.org/specs/tpm/ [4] https://www.trustedcomputinggroup.org/specs/pcclient/ [5] Carsten Weinhold and Hermann Härtig, VPFS: Building a Virtual Private File System with a Small Trusted Computing Base, Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008, 2008, Glasgow, Scotland UK [6] Bernhard Kauer, OSLO: Improving the Security of, Proceedings of 16th USENIX Security Symposium, 2007, Boston, MA, USA [7] McCune, Jonathan M., Bryan Parno, Adrian Perrig, Michael K. Reiter, and Hiroshi Isozaki, "Flicker: An Execution Infrastructure for TCB Minimization", In Proceedings of the ACM European Conference on Computer Systems (EuroSys'08), Glasgow, Scotland, March 31 - April 4, 2008 Security Architectures 63

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback