Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trusted Platform Module

Published byDana Wise Modified over 10 years ago

Similar presentations

Presentation on theme: "Trusted Platform Module"— Presentation transcript:

1 Trusted Platform Module
Integrity Measurement, Reporting, and Evaluation Dennis Kafura – CS5204 – Operating Systems

2 Dennis Kafura – CS5204 – Operating Systems
Motivation Reliance on remote clients/servers Financial records and e-commerce Electronic medical records Cloud computing Threats to clients from remote servers Malicious servers masquerade as legitimate ones Legitimate servers subject to attack Malware Viruses Rootkits Threats to servers from corrupted remote clients Penetrating firewalls Release of confidential data Dennis Kafura – CS5204 – Operating Systems

3 Dennis Kafura – CS5204 – Operating Systems
Motivation Need: mechanisms to verify the integrity of remote clients/servers Correct patches installed Advertised/expected services exist System not compromised Solution Provision of critical services by a trusted platform module (TPM) on the local host Capability of host to measure integrity of host software Protocol to communicate the integrity measurements from the host to a remote party Means for remote party to assess the integrity measurements and determine level of trust in the host Dennis Kafura – CS5204 – Operating Systems

4 Trusted Platform Module (TPM)
Standard defined by the Trusted Computing Group Availability Hardware chip currently in 100M laptops HP, Dell, Sony, Lenovo, Toshiba,… HP alone ships 1M TPM-enabled laptops each month Core functionality Secure storage Platform integrity reporting Platform authentication Dennis Kafura – CS5204 – Operating Systems

5 Dennis Kafura – CS5204 – Operating Systems
TPM Architecture keys, owner authorization data integrity measures signing keys when in use external interaction TPM control Dennis Kafura – CS5204 – Operating Systems

6 Dennis Kafura – CS5204 – Operating Systems
TPM Architecture symmetric keys, nonces encryption keys initialization hashes encrypt/decrypt Dennis Kafura – CS5204 – Operating Systems

7 Execution Environment
Executable content Types programs libraries scripts Loaded by kernel application Structured data class files configuration files Unstructured data databases Dennis Kafura – CS5204 – Operating Systems

8 Dennis Kafura – CS5204 – Operating Systems
Pragmatics Feasibility Manageable number of components to measure for typical systems 500 for a workstation configured for general technical work (document authoring, programming, browsing, etc.) 250 for a typical web server Approach Extensible architecture Provides essential measurement structures Allows future additions Dennis Kafura – CS5204 – Operating Systems

9 Trusted Building Blocks
TBB do no have shielded locations or protected capabilities (as does TPM) CRTM: core root of trust for measurement Keyboard: showing physical presence when needed Dennis Kafura – CS5204 – Operating Systems

10 Integrity Measurement
Measure a component before executing it Record the measurement as a hash value of the code/data (aka, fingerprint) Produces a hash chain by combining individual hash values Changes in the executing code can be detected by comparing measurement of executing code against recorded value The measurements themselves must be protected from undetected manipulation Dennis Kafura – CS5204 – Operating Systems

11 Detecting Malware Attacks
initial attack Measurement before rootkit attack Measurement after rootkit attack Dennis Kafura – CS5204 – Operating Systems

12 Platform Configuration Registers
Zero on reboot, power cycle PCR extend New = SHA-1(current || update) At least 16 PCR registers, each register stores 20 bytes Dennis Kafura – CS5204 – Operating Systems

13 Maintaining a Measurement List
executable load system measurement agents measurement New = SHA-1(current || update) extend add list PCR contains the linked hash of all measurements in the list Alterations to the list values can be detected Dennis Kafura – CS5204 – Operating Systems

14 Reporting a Measurement List
Questions How is the AIK generated? Where is it stored? How does the challenger validate the measurement list (ML)? C: challenger AS: attesting system AIK: attestation identity key Dennis Kafura – CS5204 – Operating Systems

15 Dennis Kafura – CS5204 – Operating Systems
Long-term Keys The TPM has two long-term key pairs stored in non-volatile memory on the TPM Endorsement Key (EK) Storage Root Key (SRK) Endorsement Key Private key never leaves the TPM Limited use to minimize vulnerability Identifies individual platform: potential privacy risk Public part contained in endorsement credential EK and endorsement credential loaded by manufacturer Storage Root Key Basis for a key hierarchy that manages secure storage More on this later… Dennis Kafura – CS5204 – Operating Systems

16 Attestation Identity Keys (AIKs)
Privacy CA must be trusted by platform and challenger AIK serves as alias for EK platform may have many AIKs to allow a number of unlinkable interactions held in secure storage (see later) guarantees that platform has a valid TPM (but does not identify platform) Dennis Kafura – CS5204 – Operating Systems

17 Dennis Kafura – CS5204 – Operating Systems
Creating AIKs AIK cryptographically bound to TPM with specific EK Dennis Kafura – CS5204 – Operating Systems

18 Dennis Kafura – CS5204 – Operating Systems
Secure Key Storage The TPM uses/manages many keys, but has limited storage Keys (except for the EK and SRK) may be placed in secure storage Secure storage may be on flash drive, file server, etc. Authdata (password) is associated with each key Key and authdata encrypted with storage key (creating a blob) Two forms: bind (normal encryption) and seal (bound to PCR state) Dennis Kafura – CS5204 – Operating Systems

19 Dennis Kafura – CS5204 – Operating Systems
Sealed Storage Goal: ensure that information is accessible only when the system is in a known/acceptable state System state determined by PCR value Dennis Kafura – CS5204 – Operating Systems

20 Dennis Kafura – CS5204 – Operating Systems
Assessing Integrity integrity assessment measurement list validate policy fingerprints acceptable malicious vulnerable-remote vulnerable-local unknown/uncontrolled Dennis Kafura – CS5204 – Operating Systems

21 Adding Measurement Instrumentation
file_mmap executables libraries kernel modules load_modules applications sysfs bash shell executable content structured data unstructured Dennis Kafura – CS5204 – Operating Systems

22 Dennis Kafura – CS5204 – Operating Systems
Measuring New Files if (found via inode HT) { if (CLEAN) exit; if (DIRTY) { compute fingerprint; if (same as stored) { set CLEAR; exit; } else { search fingerprint HT; if (found) { UPDATE(); if(not found) { (fingerprint, CLEAN/DIRTY) Hash Table Key: inode Key: fingerprint UPDATE() { add to database; update HTs; extend PCR; } Dennis Kafura – CS5204 – Operating Systems

23 Dennis Kafura – CS5204 – Operating Systems
Performance vast majority of cases does not require +extend Dennis Kafura – CS5204 – Operating Systems

24 Dennis Kafura – CS5204 – Operating Systems
Performance increase in overhead for computing fingerprint Dennis Kafura – CS5204 – Operating Systems

25 Dennis Kafura – CS5204 – Operating Systems
Secure Monitoring Monitoring of system activity is important Detect information leakage Warn of intrusions Indicate presence of malware activity Approach Security of monitoring module Implemented using LSM hooks Secured by SecVisor Monitoring result guaranteed to be secure LSM-base mandatory access control (MAC) DigSig (application integrity and invocation) Dennis Kafura – CS5204 – Operating Systems

26 Linux Security Module (LSM)
Dennis Kafura – CS5204 – Operating Systems

27 Dennis Kafura – CS5204 – Operating Systems
DigSig Verifier Verifies that load code conforms to signature Ensures that trusted applications are running Dennis Kafura – CS5204 – Operating Systems

28 Dennis Kafura – CS5204 – Operating Systems
SecVisor Small hypervisor creating Trusted boot Boots SecVisor and records SecVisor fingerprint in TPM Boots Linux kernel and records kernel fingerprint in TPM Memory protection During boot processes and kernel execution Provides run-time protection of kernel against rootkit attacks Dennis Kafura – CS5204 – Operating Systems

29 Dennis Kafura – CS5204 – Operating Systems
Protection Module Dennis Kafura – CS5204 – Operating Systems

30 Dennis Kafura – CS5204 – Operating Systems
Performance Dennis Kafura – CS5204 – Operating Systems

Download ppt "Trusted Platform Module"

Similar presentations

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
11 MANAGING DISKS AND FILE SYSTEMS Chapter 3. Chapter 3: Managing Disks and File Systems2 OVERVIEW Monitor and configure disks Monitor, configure, and.

11 MANAGING DISKS AND FILE SYSTEMS Chapter 3. Chapter 3: Managing Disks and File Systems2 OVERVIEW Monitor and configure disks Monitor, configure, and.
Computer Science 5204 Operating Systems Fall, 2010 Dr. Dennis Kafura Course Overview 1.

Computer Science 5204 Operating Systems Fall, 2010 Dr. Dennis Kafura Course Overview 1.
Session 8: Virtual Memory management

Session 8: Virtual Memory management
Automatic Trust Negotiation 1Dennis Kafura – CS5204 – Operating Systems.

Automatic Trust Negotiation 1Dennis Kafura – CS5204 – Operating Systems.
University of Amsterdam, Distributed Systems1 Distributed Systems DOAS Marinus Maris.

University of Amsterdam, Distributed Systems1 Distributed Systems DOAS Marinus Maris.
State Feedback Controller Design

State Feedback Controller Design
File Systems 1Dennis Kafura – CS5204 – Operating Systems.

File Systems 1Dennis Kafura – CS5204 – Operating Systems.
Operating Systems1 10. File Systems 10.1 Basic Functions of File Management 10.2 Hierarchical Model of a File System 10.3 User’s View of Files –Logical.

Operating Systems1 10. File Systems 10.1 Basic Functions of File Management 10.2 Hierarchical Model of a File System 10.3 User’s View of Files –Logical.
Operating Systems ECE344 Midterm review Ding Yuan

Operating Systems ECE344 Midterm review Ding Yuan
Time Response and State Transition Matrix

Time Response and State Transition Matrix
Vpn-info.com.

Vpn-info.com.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.
 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.

 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.
1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.

1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Similar presentations

Ads by Google