Trusted Computing Systems Part I

1
Trusted Computing SystemsPart I
18732 Secure Software Systems

• Anupam Datta
• CMU
• Fall 2008-09

2
Trusted Computing Group (TCG)

• TCG consortium. Founded in 1999 as TCPA.
• Main players (promoters) (gt200 members)
  AMD, HP, IBM, Infineon, Intel, Lenovo,
  Microsoft, Sun
• Goals
• Attestation Prove to remote server what
  software is running on my machine.
• Hardware protected (encrypted/sealed) storage
• Only authorized software can decrypt data
• e.g. protecting key for decrypting file system
• Trusted boot method to authorize software

3
TCG changes to PC or cell phone

• Extra hardware TPM
• Trusted Platform Module (TPM) chip
• Single 33Mhz clock.
• Software changes
• BIOS
• OS and Apps

4
TPMs in the real world

• Systems containing TPM chips
• Lenovo (IBM) Thinkpads and desktops
• Fujitsu lifebook
• HP desktop and notebooks
• Acer, Toshiba, Panasonic, Gateway, Dell,
• Software using TPMs
• File/disk encryption Vista, IBM, HP,
  Softex
• Attestation for enterprise login Cognizance,
  Wave
• Client-side single sign on IBM, Utimaco, Wave

5
Understanding Attestation
6
Secure System Designs

• What is the desired security property?
• Examples confidentiality, integrity,
  authentication
• What is the attacker model?
• Examples controls network, cannot break crypto
• What mechanisms to use to achieve security
  property even in the face of attack?
• Examples cryptography, hardware-based protection
• What are some applications of this system?

This is how you should be thinking!
7
Motivating Example
Client System
Network
Server System
How do we trust remote servers?
8
High-level Idea
Since I last rebooted, Ive run 0 Operating
System 1 Web Server 2 Shopping Cart Server
Ill ask what programs they have run!
How do I know if I can trust that server?
Hey server! What code have you run?
I trust those programs to protect my data!
Network
Server System
Client System
Request
Reply
9
Attestation System Design

• Security Property
• Code integrity Server should prove what code it
  is running
• Attacker Model
• Network
• Attacker has complete control over the network
  (read, intercept, inject messages)
• Attacker cannot break cryptography
• System
• Attacker has complete control over the software
  (can modify, read)
• Attacker cannot break hardware protections
• Mechanism
• Lets try to figure this out!
• Applications
• Ideas?

10
First attempt
Since I last rebooted, Ive run malicious
code. Mwhahaha!!!!
Hey server! What code have you run?
I trust those programs to protect my data!
Since I last rebooted, Ive run linux. Really, I
have!
Network
Malicious Server System
Client System
Reply
request
Client request read question send
request reply receive match /reply/trusted/
MALICIOUS_Server r receive send linux
11
Solution Trusted Coprocessor
Server System
Trusted Coprocessor
Client System
Network
12
Trusted Coprocessor

• Trusted Computing
• Augments platform with trusted co-processor
• Coprocessor includes
• Crypto. Primitives
• Keys
• Append-only log (PCRs)

Coprocessor

Log
A
B
Log.append(A) Log.append(B)
13
TCG Trusted Platform Module (TPM)
Non-Volatile Storage (EK,SRK)
Platform Configuration Register (PCR)
I/O
LPC bus
Crypto RSA
Key Generation
Random Number Generator
Secure Hash SHA-1
DIP Packaging or integrated into SuperIO
14
Basic TPM Functions

• PCRs store integrity measurement chain
• PCRnew SHA-1(PCRoldmeasurement)
• Remote attestation (PCRs AIK)
• Attestation Identity Keys (AIKs) for signing PCRs
• Attest to value of integrity measurements to
  remote party
• Secure storage for Storage Root Key K-1SRK
• Manufacturer certificate, e.g., KTPM K-1IBM
• Sealed storage (PCRs SRK)
• Protected storage unlock state under a
  particular integrity measurement

15
Basic TCG-Style Attestation
Boot Loader
Boot Loader
BIOS

• BIOS

Hardware Software
K-1
16
Basic TCG-Style Attestation
Remote platform
Verifier
17
Platform Integrity Measurements

• TPM contains 24 PCRs to store integrity
  measurements
• Operations on PCRs
• PCR_Extend(N, S) PCRN SHA-1(PCRN S)
• PCR_Read(N) Return contents of PCRN
• Core Root of Trust Measurement is immutable
• PCRs cannot be counterfeited, but can be
  invalidated
• Extend with random value

18
Platform Attestation

• TPM can attest to contents of PCRs to remote
  entity
• Each TPM has a unique public endorsement key (EK)
  which is under control of the owner
  (enable/disable)
• EK enables machine identification, manufacturer
  does not keep EK, only certifies it
• Multiple attestation identity keys (AIK)
  generated by the TPM AIKpub is certified by a
  trusted third party
• TPM_Quote operation is used to sign a PCRN..M
  value under a specified AIKI
• Simplified attestation protocol
• Verifier ? Platform Attestation request, nonce
• Platform ? Verifier nonce, PCRN..M AIK-1
• Nonce (a random number) provides replay protection

19
Attestation Challenges
20
Attestation Timeline

• Reset attack possible after read of log

Verification of Stale Data
Read Log _at_ TRead
Verify Log _at_ TV
Client believes server can be trusted!
Call to OS Code _at_ TOS
Reset _at_ TR
Begin
End
No Resets during TR to TRead
21
1. Attesting to Current State

• Attestation only attests to what code was loaded.
• Does not guarantee that the same code is running
  at the time of check.
• Can we attest to the current state of a running
  system?
• or is there a better way?

22
2. Encrypted viruses

• Suppose malicious music file exploits bug in
  Windows Media Player.
• Music file is encrypted.
• TCG prevents anyone from getting music file in
  the clear.
• Can anti-virus companies block virus without ever
  seeing its code in the clear?

23
3. TPM Compromise

• Suppose one TPM Endorsement Private Key is
  exposed
• Destroys all attestation infrastructure
• Now, can attest to anything without running it.
• ? Certificate Revocation is critical for
  TCG Attestation.

24
4. Private attestation

• Attestation should not reveal platform ID.
• Private attestation
• Remote server can validate trustworthiness of
  attestation
• but cannot tell what machine it came from.
• TCG Solutions
• Privacy CA online trusted party
• Group sigs privacy without trusted
  infrastructure

25
Trusted Boot
26
Using PCRs the TCG boot process

• BIOS boot block executes
• Calls TPM_Startup (ST_CLEAR) to initialize PCRs
  to 0
• Calls PCR_Extend( n, ltBIOS codegt )
• Then loads and runs BIOS post boot code
• BIOS executes
• Calls PCR_Extend( n, ltMBR codegt )
• Then runs MBR (master boot record), e.g. GRUB.
• MBR executes
• Calls PCR_Extend( n, ltOS loader code, configgt )
• Then runs OS loader
• and so on

27
In a diagram
Hardware
BIOS boot block
OS loader
BIOS
Application
OS
Root of trust in integrity measurement
measuring
TPM
Extend PCR
Root of trust in integrity reporting

• After boot, PCRs contain hash chain of booted
  software
• Collision resistance of SHA1 (?) ensures
  commitment

28
Example Trusted GRUB (IBM05)
What PCR to use and what to measure specified
in GRUB config file
29
Sealed Storage
30
Using PCR values after boot

• Application 1 encrypted (a.k.a sealed)
  storage.
• Step 1 TPM_TakeOwnership( OwnerPassword, )
• Creates 2048-bit RSA Storage Root Key (SRK) on
  TPM
• Cannot run TPM_TakeOwnership again without
  OwnerPwd
• Ownership Enabled Flag ? False
• Done once by IT department or laptop owner.
• (optional) Step 2 TPM_CreateWrapKey /
  TPM_LoadKey
• Create more RSA keys on TPM protected by SRK
• Each key identified by 32-bit keyhandle

31
Protected Storage

• Main Step Encrypt data using RSA key on TPM
• TPM_Seal (some) Arguments
• keyhandle which TPM key to encrypt with
• KeyAuth Password for using key keyhandle
• PcrValues PCRs to embed in encrypted blob
• data block at most 256 bytes (2048 bits)
• Used to encrypt symmetric key (e.g. AES)
• Returns encrypted blob.
• Main point blob can only be decrypted with
  TPM_Unseal when PCR-reg-vals PCR-vals in
  blob.
• TPM_Unseal will fail otherwise

32
Protected Storage

• Embedding PCR values in blob ensures that only
  certain apps can decrypt data.
• e.g. Messing with MBR or OS kernel will
  change PCR values.

33
Sealed storage applications

• Lock software on machine
• OS and apps sealed with MBRs PCR.
• Any changes to MBR (to load other OS) will
  prevent locked software from loading.
• Prevents tampering and reverse engineering
• e.g. software integrity on voting terminals
• Microsoft Bitlocker
• Disk encyption
• Web server seal servers SSL private key
• Goal only unmodified Apache can access SSL key
• Problem updates to Apache or Apache config
• How to deal with software patches one part of
  Project 1

34

• Questions?

35
Acknowledgements

• Some of the slides are based on slides by Dan
  Boneh, Jason Franklin, and Jon McCune