Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analysis of Remote Attestation Lavina Jain, Jayesh Vyas.

Published byBonnie Barton Modified over 9 years ago

Similar presentations

Presentation on theme: "Analysis of Remote Attestation Lavina Jain, Jayesh Vyas."— Presentation transcript:

1 Analysis of Remote Attestation Lavina Jain, Jayesh Vyas

2 Remote Attestation Protocol proposed by IBM Remote Attestation Protocol that we propose Protocol model on Murphi Analysis and Attacks Conclusion Presentation Outline

3 Hardware CRTM BIOS OS Application Reset PCR Extend PCR with BIOS image Extend PCR with OS image Pre - boot The Big Picture (Recap) Integrity of kernel, applications, libraries, files Dynamic/Run-time measurements Post - boot TPM PCR Hardware Keys Measurement list (ML) Kernel Client/Attestator Server/ Challenger Remote Attestation Trusted Third Party AIK credential request AIK Credential Auth Validate

4 Remote Attestation Protocol (as proposed by IBM) Client/Attestator Ver (Sig AIK (PCR, N), AIK pub ) = true/false TPM PCR Keys Attestation service Challenger 1. 160-bit Nonce, N 2. Quote Request 3. Quote Response 4. Integrity Response 5. Integrity Validation { Sig AIK (PCR, N), ML, AIK cert } N Sig AIK (PCR, N) Assumption: A secure session is set up between the client and the server. Authentication on top of SSL is not secure, prone to MITM attack!!

5 Integrity Measurement Architecture (IMA) Kernel Hooks (Measurement Agents) Kernel Hardware CRTM BIOS PCR_Extend(BIOS) Measurement list InsmodLoader/bin/sh, /bin/perl PCR TPM Reset PCR Boot Up PCR_Extend(OS) PCR_Extend Update

6 Remote Attestation Protocol (as we propose) C AIK pub / AIK pvt S PK s / SK s C, N c N s, SIG CA (S, PK s ) E PK s (Secret, ML), SIG CA (C, AIK pub ) SIG AIK pvt (PCR, hash(N c, N s, Secret)) SIG SK s (N c, AIK pub ) SIG AIK pvt (N s, PK s ) TPM Quote Response AIK cert obtained from TTP Three-step Protocol Four-step Five-step Rational Construction using Murphi, with inputs from Prof. John and Prof. Dan.

7 Entities modeled in Murphi: –Client – Attestator, who wants to attest it’s platform to remote server. –Server – Challenger, wants to determine it’s trust in client. –Intruder – Malicious entity on network. –Attacker – Malicious entity on client. –Super Attacker – Capable of hardware attacks on TPM (Eg. PCR Reset). Assumptions: –CRTM(BIOS boot block) that initiates chain of measurements is trusted. –TPM is trusted. –CPU is trusted. –Memory cannot be hacked at runtime (e.g. via DMA). Flags that can be set or reset to study the behavior of protocol: –FOUR_STEP: Run four-step protocol. –FIVE_STEP: Run five step protocol. –CERT_FORGED: Intruder can forge a certificate issued by CA. –SUPER_ATTACKER: Enable hardware attacks when this flag is true. –TPM_COMPROMISED: TPM on intruder is compromised (she knows AIK pvt ). –SERVER_NONCE_PREDICTABLE: To model predictable nonces. Murphi Model

8 Behavior of model: –Both client and intruder are equipped with a TPM chip. –Intruder is malicious, so TPM quote response always contains an invalid PCR value on intruder. –If attacker is active on client, then TPM quote response contains an invalid PCR value. –If super attacker is active on client, then TPM quote response contains a valid value. –Client always sends a valid measurement list (ML), because an attacker/super attacker can always modify ML to reflect a valid value. Invariants: –Authentication invariants. –Secrecy invariants: Client and server should share the same session secret. Intruder should not learn any session secret. –Remote attestation invariants: If server attests a client, then attacker should not be active on that client. Server must not attest an intruder. Murphi Model (contd.)

9 Three-step protocol Authentication and secrecy invariants fail. Remote attestation invariants fail if intruder is allowed to forge certificates, super attacker is active or TPM is compromised. Four-step protocol Client authentication invariant fails, but server authentication invariant does not fail. Secrecy invariants still fail because of MITM attack. Remote attestation invariants fail as in 3-step protocol. Five-step protocol Authentication invariants do not fail in any case. Secrecy invariants do not fail until intruder is allowed to forge certificates. Remote attestation invariant fail as in 4-step protocol. Conclusion The proposed protocol refuses to attest a malicious client unless: –Certificates can be forged. –Hardware attack on TPM is possible. –TPM is compromised. Attacks

10 Intruder can forge certificates or can convince client/server to trust on forged certificates. Most severe attack! –Can generate fake signatures over PCR and Nonces, which look like a signatures from a real TPM. –Can impersonate as a server to a client and vice versa, and learn secrets. –All attacks are possible: Authentication attacks, secrecy attacks and attestation attacks. Example: MITM Attack Attacks (Certificate Forging) ServerIntruderClient Fake Certificate in step 2 Fake Signature in step 4 Step 3: Signature using fake AIK pvt and fake certificate in step 3 Fake Signature in step 5

11 Attacker’s objective is to hide the presence of a malicious software running on client Possible ways: –Bug in Integrity Measurement Architecture (IMA): It did not measure the malicious software and put it in PCRs. –Reset PCRs without rebooting the system, and push known good values into it. –Hardware attacks like changing a running process’s image (through DMA). –Break the TPM and retrieve secret key used for signing PCR. Consequence: An attacker is able to start a malicious software without letting its fingerprints go into the PCRs. Modeled as SUPER_ATTACKER in Murphy. Attack: A client running a malicious software gets attested by server. Hardware Attacks and Attacks on IMA

12 Intruder breaks the TPM and retrieves AIK pvt. Intruder can attest itself to the server. Can it do more harm? No other attack found. Encouraging because if one TPM is compromised, it does not compromise the security of other systems. TPM on Intruder Compromised

13 Server uses a bad source of randomness, and so its nonce is predictable. Client can pre-compute signature over that nonce and PCRs before a malicious application starts (that is when PCRs have trustworthy value) But a client that does so is itself malicious! So two hosts need to collude to mount an attack. Predictable Server Nonce Server Intruder Client 1. Get sign over N S, N C, Secret (Normal Attestation) 3. Give the malicious Attestor, signature generated in step 1 2. Start a malicious Attesting service on client, which uses precomputed N S and secret 4. Normal Attestation, but Server’s nonce (N S ) is already known to client/attacker

14 The proposed protocol for remote attestation is secure under the following assumptions: –CRTM and CPU are trusted –TPM adheres to TCG’s specifications –IMA (Integrity Measurement Architecture) is bug free –A running process behavior or image cannot be changed (e.g. via DMA) A malicious platform can be attested by: –Forging certificates –Hardware attacks (DMA, resetting PCRs) –Breaking the IMA and retrieving keys –Predicting server/challenger’s nonce Attacks were found and confirmed by modeling the protocol on Murphi. Conclusions

15 References 1. Trusted Computing Group, http://www.trustedcomputing.org 2. Reiner Sailer, Trent Jaeger, Xiaolan Zhang, Leendert van Doorn, “Attestation- based Policy Enforcement for Remote Access”, In Proceedings of the 11th ACM conference on Computer and Communications Security, October 2004. 3. Reiner Sailer, Xiaolan Zhang, Trent Jaeger and Leendert van Doorn, “Design and Implementation of a TCG-Based Integrity Measurement Architecture”, In Thirteenth Usenix Security Symposium, pages 223-238, August 2004. 4. H. Maruyama, T. Nakamura, S. Munetoh, Y. Funaki, Y. Yamashita, “Linux with TCPA Integrity Measurement”, IBM Research Report, Tokyo Research Laboratory, Japan, Jan. 2003. 5. D. Safford, J. Kravitz, and L. van Doorn, “Take Control of TCPA”, Linux Journal, pages 50-55, August 2003. 6. Karim Faez, Ashkan H. Karimabad, “Open-Source Applications of TCPA Hardware”, In International Journal of Computer Science and Network Security, Vol. 7, No. 3, March 2007. 7. Murphi description language and verifier, http://verify.stanford.edu/dill/murphi.html

Download ppt "Analysis of Remote Attestation Lavina Jain, Jayesh Vyas."

Similar presentations

Peer-to-Peer Access Control Architecture Using Trusted Computing Technology Ravi Sandhu and Xinwen Zhang George Mason University SACMAT05, June 1--3, 2005,

Peer-to-Peer Access Control Architecture Using Trusted Computing Technology Ravi Sandhu and Xinwen Zhang George Mason University SACMAT05, June 1--3, 2005,
Trusted Platform Module

Trusted Platform Module
Secure Mobile Payment via Trusted Computing

Secure Mobile Payment via Trusted Computing
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Vpn-info.com.

Vpn-info.com.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.
 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.

 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.
Analysis of Direct Anonymous Attestation (DAA) Sudip Regmi Ilya Pirkin.

Analysis of Direct Anonymous Attestation (DAA) Sudip Regmi Ilya Pirkin.
The Attestation Mechanism in Trusted Computing. A Simple Remote Attestation Protocol Platform TPM Verifier Application A generates PK A & SK A 2) computes.

The Attestation Mechanism in Trusted Computing. A Simple Remote Attestation Protocol Platform TPM Verifier Application A generates PK A & SK A 2) computes.
Computer Science HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang North Carolina.

Computer Science HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang North Carolina.
Trustworthy and Personalized Computing Christopher Strasburg Department of Computer Science Iowa State University November 12, 2008.

Trustworthy and Personalized Computing Christopher Strasburg Department of Computer Science Iowa State University November 12, 2008.
1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.

1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.
1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.

1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

Similar presentations

Ads by Google