1 Bootstrapping Trust in a “Trusted” Platform
Bryan Parno, Carnegie Mellon University, November 11, 2008
2 A Travel Story
3 Do you trust…
–A kiosk computer? A friend’s computer? A relative’s computer? Your own computer?
Without trust, you cannot check your email, pay bills, privately surf the web, …
How do we bootstrap trust in a computer?
4 Assumptions
–The user has a trusted, mobile device
–The user trusts someone to vouch for the physical security of the computer
5 Bootstrapping Trust (layer diagram): Physical Security, then Trusted Hardware, then Trusted Software, each layer resting on the one below it
6 Trusted Software Using Flicker (figure): hardware is CPU, RAM, TPM and chipset plus DMA devices (network, disk, USB, etc.). Left: the security-sensitive code S runs inside an application on top of the OS. Right: S runs on top of a small Shim only, with the OS and applications removed from its TCB.
7 Flicker’s Properties
–Isolate security-sensitive code execution from all other code and devices
–Attest to security-sensitive code and its arguments and nothing else
–Convince a remote party that security-sensitive code was protected
–Add < 250 LoC (the Shim plus S) to the software TCB
All of this relies on bootstrapping trust: physical security, trusted hardware, trusted software.
8 Outline: Introduction, Background, The Cuckoo Attack, Potential Solutions, Conclusions
9 TPM Background
–The Trusted Platform Module (TPM) is a dedicated security chip
–Contains a public/private keypair {K_Pub, K_Priv}
–Contains a certificate indicating that K_Pub belongs to a legitimate TPM
–Not tamper-resistant!
10 Bootstrapping Trust with a TPM (figure): hardware (BIOS, boot loader) and software (OS kernel, conf, Module 1, Module 2, App 1, App 2) are measured in boot order into the TPM’s PCRs; the TPM holds K_Priv.
11 Bootstrapping Trust with a TPM (protocol): the user’s device sends a Nonce; the computer returns Sign_{K_Priv}(Nonce, PCRs) together with K_Pub and its certificate.
–The nonce guarantees freshness
–The certificate guarantees the key originated from a real TPM
–The TPM attests to the software
Conclusion drawn: Trustworthy!
12 Outline: Introduction, Background, The Cuckoo Attack, Potential Solutions, Conclusions
13 The Cuckoo Attack (figure): the user’s device sends its Nonce to the local computer, but malware there forwards the Nonce to a second machine controlled by the adversary. That machine’s own, genuine TPM signs the nonce with its own K_Priv over a clean-looking PCR state, and the reply Sign_{K_Priv}(Nonce, PCRs), K_Pub is relayed back. Every check the user makes still passes:
–The nonce guarantees freshness
–The certificate guarantees the key originated from a real TPM
–A TPM attests to the software
Conclusion drawn: Trustworthy! (wrongly)
14 What went wrong? An attestation says that a TPM vouches for a software state, but not which TPM: Sign_{K_Priv}(Nonce), K_Pub from the local TPM is indistinguishable to the verifier from Sign_{K_Priv}(Nonce), K_Pub produced by any other genuine TPM.
15 Analyzing the Attack
–The paper develops a logical framework for bootstrapping trust, which allows precise characterization of the attack
–The framework identifies which solutions work, and which do not
16 Potential Solutions: remove the network; trust the computer; detect timing deviations; make late-launch data available; add a special-purpose button; employ SiB; employ camera-less SiB; trust the BIOS; trust a third party; use an existing interface; use a special-purpose interface.
–Analyze which work, and which don’t
–Identify pros and cons of each
17 An Invalid Solution (figure): the relayed exchange Sign_{K_Priv}(Nonce), K_Pub annotated in the framework; the step that relies on the second machine’s K_Priv is flagged “HW Violation!”
18 High-Level Goal: establish a secure channel to the local TPM
–The channel must provide authenticity and integrity
–We can instantiate the channel via cryptography or via hardware
19 Cryptographic Secure Channels (figure: the mobile device’s camera reads a barcode encoding SHA-1(K_Pub) for the TPM holding K_Priv)
–Requires an authentic public key (or shared secret)
–Use Seeing-is-Believing (SiB) [McCune et al., ‘05]: place a barcode on the PC encoding the TPM’s public key
–Trust the BIOS: reboot and trust the BIOS to output the public key via an existing interface
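The attestation exchange of slide 11, the cuckoo relay of slides 13 and 14, and the Seeing-is-Believing binding of slide 19, modelled end to end. This is an added example and is not code from Parno’s deck, from Flicker, or from any real TPM stack. Its assumptions: textbook RSA over fixed Mersenne primes stands in for the TPM’s RSA key, one ToyKey plays the manufacturer that certifies TPM public keys, the boot-stage measurement strings and the nonce are constructed, and fingerprint() is the SHA-1 of K_Pub that a SiB barcode would carry. The PCR update is the slide’s PCR_new = SHA-1(PCR_old || measurement).

```python
"""Toy model of TPM attestation, the cuckoo attack, and the SiB fix.

Constructed example. Textbook RSA with fixed primes stands in for the TPM key,
a single manufacturer key "certifies" TPM public keys, and the PCR chain is
PCR_new = SHA-1(PCR_old || measurement). Only the protocol structure is real.
"""
import hashlib
import os


def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


class ToyKey:
    """Textbook RSA over fixed primes: a stand-in for K_Priv/K_Pub, not secure."""

    def __init__(self, p: int, q: int, e: int = 65537):
        self.n, self.e = p * q, e
        self.d = pow(e, -1, (p - 1) * (q - 1))

    @property
    def pub(self) -> tuple:
        return (self.n, self.e)

    def sign(self, msg: bytes) -> int:
        return pow(_digest(msg) % self.n, self.d, self.n)


def verify_sig(pub: tuple, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(msg) % n


def pub_bytes(pub: tuple) -> bytes:
    n, e = pub
    return n.to_bytes(32, "big") + e.to_bytes(4, "big")


def fingerprint(pub: tuple) -> bytes:
    """SHA-1(K_Pub): what a Seeing-is-Believing barcode on the PC would encode."""
    return hashlib.sha1(pub_bytes(pub)).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR_new = SHA-1(PCR_old || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()


class ToyTPM:
    """One genuine TPM: its own key, a manufacturer certificate, one PCR."""

    def __init__(self, key: ToyKey, manufacturer: ToyKey, boot_stack: list):
        self.key = key
        self.cert = manufacturer.sign(pub_bytes(key.pub))  # "K_Pub is a real TPM key"
        self.pcr = b"\x00" * 20
        for stage in boot_stack:            # measured boot, in order
            self.pcr = extend(self.pcr, stage)

    def quote(self, nonce: bytes) -> dict:
        """Sign_{K_Priv}(nonce, PCRs), shipped with K_Pub and its certificate."""
        return {"pub": self.key.pub, "cert": self.cert, "pcr": self.pcr,
                "sig": self.key.sign(nonce + self.pcr)}


def verify_quote(nonce: bytes, q: dict, mfr_pub: tuple, good_pcr: bytes,
                 expected_fp=None) -> bool:
    """Verifier on the user's mobile device.

    expected_fp=None is the slide-11 verifier: it checks freshness, "real TPM"
    and software state, but never which TPM signed. With expected_fp taken from
    the SiB barcode, the quote must also come from the TPM in front of the user.
    """
    if not verify_sig(mfr_pub, pub_bytes(q["pub"]), q["cert"]):
        return False  # key not certified by the manufacturer: not a real TPM
    if not verify_sig(q["pub"], nonce + q["pcr"], q["sig"]):
        return False  # wrong nonce or bad signature: stale or forged quote
    if expected_fp is not None and fingerprint(q["pub"]) != expected_fp:
        return False  # genuine TPM, but not the local one: the cuckoo
    return q["pcr"] == good_pcr


def cuckoo_scenario() -> dict:
    mfr = ToyKey(2**107 - 1, 2**31 - 1)
    good_stack = [b"bios-v1", b"bootloader-v2", b"kernel-clean"]   # constructed
    bad_stack = [b"bios-v1", b"bootloader-v2", b"kernel-rootkit"]  # constructed
    good_pcr = b"\x00" * 20
    for stage in good_stack:
        good_pcr = extend(good_pcr, stage)  # the state the verifier will accept

    # Three genuine TPMs: a compromised kiosk, a clean kiosk, the attacker's PC.
    kiosk = ToyTPM(ToyKey(2**61 - 1, 2**31 - 1), mfr, bad_stack)
    clean = ToyTPM(ToyKey(2**89 - 1, 2**31 - 1), mfr, good_stack)
    remote = ToyTPM(ToyKey(2**89 - 1, 2**61 - 1), mfr, good_stack)

    nonce = os.urandom(16)
    # Cuckoo attack: malware on the kiosk relays the nonce to the attacker's PC
    # and hands back that TPM's perfectly valid quote over a clean state.
    relayed = remote.quote(nonce)
    kiosk_fp, clean_fp = fingerprint(kiosk.key.pub), fingerprint(clean.key.pub)
    return {
        "cuckoo_naive": verify_quote(nonce, relayed, mfr.pub, good_pcr),
        "cuckoo_bound": verify_quote(nonce, relayed, mfr.pub, good_pcr, kiosk_fp),
        "kiosk_bound": verify_quote(nonce, kiosk.quote(nonce), mfr.pub, good_pcr, kiosk_fp),
        "clean_bound": verify_quote(nonce, clean.quote(nonce), mfr.pub, good_pcr, clean_fp),
    }


if __name__ == "__main__":
    print(cuckoo_scenario())
```

Run as a script it prints four booleans. cuckoo_naive is True: the slide-11 verifier accepts the relayed quote, because every check it makes (manufacturer certificate, fresh nonce, expected PCR value) is satisfied by any genuine TPM. Only cuckoo_bound, which also compares the signing key against the fingerprint read off the local machine, rejects it; the rootkitted kiosk fails on its PCR value, and the honestly clean kiosk still passes.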
20 Hardware Secure Channels
–Reuse an existing interface: existing interfaces do not support direct communication with the TPM
–Add a special-purpose interface: reduces opportunities for user error, but makes manufacturers unhappy
21 Choosing a Solution: after analyzing 10 potential solutions, none is entirely satisfactory. Preferred solutions:
–Short-term: Seeing-is-Believing
–Long-term: a special-purpose interface
22 Related Work
–Device pairing: typically assumes both devices are trusted
–Kiosk computing [Garriss et al., ‘08]: even more difficult, since hardware integrity may not be guaranteed
–Secure object identification [Alkassar et al., ‘03], [Brands & Chaum ‘94]: solutions inappropriate to the TPM setting
23 Conclusions
–Trust in your local computer is critical
–Due to the cuckoo attack, current techniques cannot bootstrap trust
–Changes are needed to make useful security guarantees
24 Thanks! parno@cmu.edu
25 A Bit of Ornithology (backup slides)
26 TCG Trusted Platform Module (TPM) (block diagram): Random Number Generator; RSA crypto engine; Non-Volatile Storage (EK, AIK, SRK); Key Generation; Platform Configuration Registers (PCRs); SHA-1 secure hash; I/O over the LPC bus; DIP packaging or integrated into the SuperIO
27 Attestation: “What code are you running?” (figure): the TPM with K^-1 and PCRs starting at 000… answers with Sign_{K^-1}(Shim, S, inputs, outputs) under Flicker, versus Sign_{K^-1}(OS, App 1, App 2, App 3, App 4, App 5, S) on a conventional stack
28 Basic TPM Functions
–PCRs store an integrity measurement chain: PCR_new = SHA-1(PCR_old || measurement)
–Secure storage for the Storage Root Key K^-1_SRK
–Manufacturer certificate, e.g., {K_TPM}K^-1_IBM
–Remote attestation (PCRs + AIK): Attestation Identity Keys (AIKs) sign PCRs, attesting to the value of integrity measurements to a remote party
–Sealed storage (PCRs + SRK): protected storage that unlocks only under a particular integrity measurement (data portability concern)
29 Platform Attestation
–The TPM can attest to the contents of its PCRs to a remote entity
–Each TPM has a unique public endorsement key (EK), which is under the control of the owner (enable/disable)
–The EK enables machine identification; the manufacturer does not keep the EK, it only certifies it
–Multiple attestation identity keys (AIKs) are generated by the TPM; an AIK is not tied to the endorsement key
–The TPM_Quote operation signs the PCR_N..M values under a specified AIK_i
–Simplified attestation protocol: Verifier → Platform: attestation request, nonce; Platform → Verifier: {nonce, PCR_N..M}_{AIK^-1}
30 A Logical Framework