Bootstrapping Trust in Commodity Computers Bryan Parno, Jonathan McCune, Adrian Perrig 1 Carnegie Mellon University.

Slides:



Advertisements
Similar presentations
Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
Advertisements

Copyright© 2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Computing David Grawrock TPM.
Logical Attestation: An Authorization Architecture for Trustworthy Computing Emin Gün Sirer Willem de Bruijn †, Patrick Reynolds *, Alan Shieh ‡, Kevin.
Vpn-info.com.
1 Privacy Enhancing Technologies Elaine Shi Lecture 5 Trusted Computing.
Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.
The Operating System. What is an Operating System? The software which makes it possible for you to use your computer The software which starts up when.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.
1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.
1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.
1 How Low Can You Go? Recommendations for Hardware- Supported Minimal TCB Code Execution Bryan Parno Arvind Seshadri Adrian Perrig Carnegie Mellon University.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.
1 Flicker: An Execution Infrastructure for TCB Minimization April 4, 2008 Jonathan McCune 1, Bryan Parno 1, Adrian Perrig 1, Michael Reiter 2, and Hiroshi.
TrustVisor: Efficient TCB Reduction and Attestation Jonathan M
Securing Information Transfer in Distributed Computing Environments AbdulRahman A. Namankani.
Copyright Arshi Khan1 System Programming Instructor Arshi Khan.
Types of software. Sonam Dema..
Trusted Computing Technologies for Embedded Systems and Sensor Networks Adrian Perrig Carnegie Mellon University.
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
 Security and Smartphones By Parker Moore. The Smartphone Takeover  Half of mobile phone subscribers in the United States have a smartphone.  An estimated.
Patterns for Secure Boot and Secure Storage in Computer Systems By: Hans L¨ohr, Ahmad-Reza Sadeghi, Marcel Winandy Horst G¨ortz Institute for IT Security,
Trusted Computing BY: Sam Ranjbari Billy J. Garcia.
Introduction and Overview Questions answered in this lecture: What is an operating system? How have operating systems evolved? Why study operating systems?
Eric Keller, Evan Green Princeton University PRESTO /22/08 Virtualizing the Data Plane Through Source Code Merging.
Computer Science Open Research Questions Adversary models –Define/Formalize adversary models Need to incorporate characteristics of new technologies and.
An approach to on the fly activation and deactivation of virtualization-based security systems Denis Efremov Pavel Iakovenko
Trusted Computing Or How I Learned to Stop Worrying and Love the MPAA.
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
COMPUTER SECURITY MIDTERM REVIEW CS161 University of California BerkeleyApril 4, 2012.
Cosc 4765 Trusted Platform Module. What is TPM The TPM hardware along with its supporting software and firmware provides the platform root of trust. –It.
出處 :2010 2nd International Conference on Signal Processing Systems (ICSPS) 作者 :Zhidong Shen 、 Qiang Tong 演講者 : 碩研資管一甲 吳俊逸.
Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.
Trusted Computing and the Trusted Platform Module Bruce Maggs (with some slides from Bryan Parno)
November 19, 2008 CSC 682 Use of Virtualization to Thwart Malware Written by: Ryan Lehan Presented by: Ryan Lehan Directed By: Ryan Lehan Produced By:
Wireless and Mobile Security
 Programming - the process of creating computer programs.
Trusted Computing and the Trusted Platform Module Bruce Maggs (with some slides from Bryan Parno)
Introduction Why are virtual machines interesting?
Course Title: Introduction to Computer Course Instructor: ILTAF MEHDI Chapter No: 04 1BY ILTAF MEHDI (MCS, MCSE, CCNA)
Protecting The Kernel Data through Virtualization Technology BY VENKATA SAI PUNDAMALLI id :
1 3 Computing System Fundamentals 3.3 Computer Systems.
VMM Based Rootkit Detection on Android
1 Information Security – Theory vs. Reality , Winter Lecture 12: Trusted computing architecture (cont.), Eran Tromer Slides credit:
Function as a Service An Ad Hoc Approach to Cloud Computing By Keith Downie.
Secure Offloading of Legacy IDSes Using Remote VM Introspection in Semi-trusted IaaS Clouds Kenichi Kourai Kazuki Juda Kyushu Institute of Technology.
Trusted? 05/4/2016 Charles Sheehe, CCSDS Security Working Group GRC POC All information covered is from public sources 1.
If it’s not automated, it’s broken!
Principles Identified - UK DfT -
Topic 2: Hardware and Software
Trusted? 05/4/2016 Charles Sheehe, CCSDS Security Working Group GRC POC All information covered is from public sources.
Trusted Computing and the Trusted Platform Module
Building a Trustworthy Computer
Operating System Structure
Trusted Computing and the Trusted Platform Module
Outline What does the OS protect? Authentication for operating systems
Introduction to Operating System
A SDN Attestation Approach
Outline What does the OS protect? Authentication for operating systems
TRUST:Team for Research in Ubiquitous Secure Technologies
TERRA Authored by: Garfinkel, Pfaff, Chow, Rosenblum, and Boneh
Building hardware-based security with a Trusted Platform Module (TPM)
Mumtaz Ali Rajput +92 – INFORMATION SECURITY – WEEK 5 Mumtaz Ali Rajput +92 – 301-
Introduction to Operating Systems
Aimee Coughlin, Greg Cusack, Jack Wampler, Eric Keller, Eric Wustrow
Bruce Maggs (with some slides from Bryan Parno)
Bruce Maggs (with some slides from Bryan Parno)
Presentation transcript:

Bootstrapping Trust in Commodity Computers Bryan Parno, Jonathan McCune, Adrian Perrig 1 Carnegie Mellon University

2 A Travel Story

Trust is Critical 3 Will I regret having done this?

Bootstrapping Trust What F will this machine compute? 4 F X Alice Y Alice Y Other X Other Bootstrapping Trust: What F will this machine compute? Software Engineering & Programming Languages: Is F what the programmer intended? Does program P compute F?

H( ) ^ Bootstrapping Trust is Hard! 5 OS App 1 App 1 App 2 App 2 App 3 App 3 App 4 App 4 App N App N Module 1 Module 3 Module 2 Module 4 App 5 App 5 Challenges: Hardware assurance Ephemeral software User Interaction Safe? Yes! S 1 ( ) S 2 ( ) S 3 ( ) S 4 ( ) S 5 ( ) S 6 ( ) S 7 ( ) S 8 ( ) S 9 ( ) S 10 ( ) S 11 ( ) S 12 ( ) S 13 ( ) S 14 ( ) S 15 ( )

Evil App Evil App Evil OS Evil OS Bootstrapping Trust is Hard! 6 Challenges: Hardware assurance Ephemeral software User Interaction Safe? Yes!

In the paper… 7 Bootstrapping foundations Transmitting bootstrap data Interpretation Validation Applications Human factors Limitations Future directions … and much more! What do we need to know? How can we use it locally? How can we use it remotely? How do we interpret it? What serves as a foundation of trust? How can we validate the bootstrapping? Applications Human factors Limitations Future directions

1) Establish Trust in Hardware Hardware is durable Establish trust via: – Trust in the manufacturer – Physical security 8 Open Question: Can we do better?

2) Establish Trust in Software 9 OS App 1 App 1 App N App N … Software is ephemeral We care about the software currently in control Many properties matter: – Proper control flow – Type safety – Correct information flow … Which property matters most?

A Simple Thought Experiment Imagine a perfect algorithm for analyzing control flow – Guarantees a program always follows intended control flow Does this suffice to bootstrap trust? 10 No! P Respects control flow Type Safe We want code identity

What is Code Identity? An attempt to capture the behavior of a program Current state of the art is the collection of: – Program binary – Program libraries – Program configuration files – Initial inputs Often condensed into a hash of the above 11 Function f Inputs to f Attempt to capture the f computed by a program Current state of the art is the collection of: – Program binary – Program libraries – Program configuration files – Program inputs Often condensed into a hash of the above

Code Identity as Trust Foundation From code identity, you may be able to infer: – Proper control flow – Type safety – Correct information flow … Reverse is not true! 12

What Can Code Identity Do For You? 13 Research applications Commercial applications Thwart insider attacks Protect passwords Create a Trusted Third Party Secure the boot process Count-limit objects Improve security of network protocols Secure disk encryption (e.g., Bitlocker) Improve network access control Secure boot on mobile phones Validate cloud computing platforms

14 Establishing Code Identity [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04],… F X Alice X Other Y Alice Y Other

15 Establishing Code Identity [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04],… X Alice X Other f1f1 f2f2 fNfN Y Alice Y Other …

Software N Software N Software N-1 Software N-1 Software 1 Software 1 Establishing Code Identity ? Root of Trust Chain of Trust [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04],…

Software N Software N Software N-1 Software N-1 Software 1 Software 1 Trusted Boot: Recording Code Identity Root of Trust SW 1 SW 1 SW N SW N SW N-1 SW N-1 SW 2 SW 2 [Gasser et al. ’89], [England et al. ‘03], [Sailer et al. ‘04],…

Attestation: Conveying Records to an External Entity 18 Software N Software N Software N-1 Software N-1 Software 1 Software 1... SW 1 SW 1 SW N SW N SW N-1 SW N-1 SW 2 SW 2 [Gasser et al. ‘89], [Arbaugh et al. ‘97], [England et al. ‘03], [Sailer et al. ’04]… random # Sign ( ) K priv random # SW 1 SW 1 SW 2 SW 2 SW N-1 SW N-1 SW N SW N Controls K priv

Interpreting Code Identity 19 BIOS Bootloader Drivers 1…N App 1…N OS Option ROMs [Gasser et al. ‘89], [Sailer et al. ‘04] Traditional [Marchesini et al. ‘04], [Jaeger et al. ’06] Policy Enforcement

Interpreting Code Identity 20 BIOS Bootloader Virtual Machine Monitor Option ROMs Virtual Machine Virtual Machine Traditional [Marchesini et al. ‘04], [Jaeger et al. ’06] Policy Enforcement [England et al. ‘03], [Garfinkel et al. ‘03] Virtualization [Gasser et al. ‘89], [Sailer et al. ‘04]

Interpreting Code Identity 21 BIOS Bootloader Virtual Machine Monitor Option ROMs OS VMM Virtual Machine Virtual Machine Traditional [Marchesini et al. ‘04], [Jaeger et al. ’06] Policy Enforcement [England et al. ‘03], [Garfinkel et al. ‘03] Virtualization Late Launch [Kauer et al. ‘07], [Grawrock ‘08] [Gasser et al. ‘89], [Sailer et al. ‘04]

Interpreting Code Identity 22 Traditional [Marchesini et al. ‘04], [Jaeger et al. ’06] Policy Enforcement [England et al. ‘03], [Garfinkel et al. ‘03] Virtualization Late Launch [Kauer et al. ‘07], [Grawrock ‘08] Targeted Late Launch [McCune et al. ‘07] OS Flicker S S Attested [Gasser et al. ‘89], [Sailer et al. ‘04]

Interpreting Code Identity 23 BIOS Bootloader Drivers 1…N App 1…N OS Option ROMs Flicker S S

Load-Time vs. Run-Time Properties Code identity provides load-time guarantees What about run time? Approach #1: Static transformation 24 Code Compiler Run-Time Policy Code’ Attested [Erlingsson et al. ‘06]

Load-Time vs Run-Time Properties Code identity provides load-time guarantees What about run time? Approach #1: Static transformation Approach #2: Run-Time Enforcement layer 25 Code Enforcer Attested Run Time Load Time [Erlingsson et al. ‘06] [Haldar et al. ‘04], [Kil et al. ‘09] Open Question: How can we get complete run-time properties?

Roots of Trust General purpose Tamper responding General purpose No physical defenses Special purpose Timing-based attestation Require detailed HW knowledge [Chun et al. ‘07] [Levin et al. ‘09] [Spinellis et al. ‘00] [Seshadri et al. ‘05] … [ARM TrustZone ‘04] [TCG ‘04] [Zhuang et al. ‘04] … [Weingart ‘87] [White et al. ‘91] [Yee ‘94] [Smith et al. ‘99] … Cheaper Open Question: What functionality do we need in hardware?

Human Factors 27 SW 1 SW 1 SW 2 SW 2 SW N-1 SW N-1 SW N SW N Open Questions: How should be communicated to Alice? What does Alice do with a failed attestation? How can Alice trust her device? SW 1 SW 1 SW 2 SW 2 SW N-1 SW N-1 SW N SW N Open Question: What does Alice do with a failed attestation? Open Question: How can Alice trust her device?

Conclusions Code identity is critical to bootstrapping trust Assorted hardware roots of trust available Many open questions remain! 28

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.