Title: 563'8 Remote Attestation
1563.8 Remote Attestation
- Presented by Michael LeMay
- University of Illinois
- Spring 2006
2Problem
- Software is controlled by machine operator
- Machine operator, software distributor, or
attacker can maliciously subvert software - Modify binary
- Run on untrusted hardware
- Attach debugger to monitor operation
- Software publisher has no assurance that software
is being used in unmodified state, as intended - Problem worsens when network communication is
involved
3Remote Attestation
- Allows changes to computer to be detected by user
and remote entities - Hardware generates certificate chain specifying
current system configuration - Actually, hardware certifies 2nd-lowest layer,
which certifies next layer up, etc.
4Trusted Computing
- Remote attestation just one piece of TC
- Secure I/O
- Memory curtaining/protected execution/process
isolation even OS cant read everything in
memory - Sealed storage
- Basic concepts
- Machine-specific public key and cert. chain
- Hardware crypto implementations
- Common applications
- Digital rights management
- System integrity verification
- Similar to IBM 4758 coprocessor, but more capable
Marchesini, Smith, Wild, MacDonald
5Secure I/O
- Many ways to compromise user I/O
- Screen-scrapers
- Keyloggers
- TC hardware verifies checksums of software
performing I/O, detecting malicious components - Doesnt address hardware keyloggers, TEMPEST
devices, etc.
6Sealed Storage
- Data can be encrypted using key derived from
current software/hardware configuration - Key must be re-derived to decrypt data
- Prevents modified configuration from reading data
7TC Applications
- Online banking protect PINs, passwords, account
numbers using sealed storage - Anonymous networks process isolation prevents
operators from inspecting mix - Mobile agents protect a software agent from its
host using process isolation - Digital rights management Lock media files to
one computer using sealed storage
8Remote Attestation Applications
- Protection of P2P only cooperate with remote
clients if they are valid - Distributed computing (Folding_at_Home) ensure
participants run valid software - Selling CPU cycles run an attested process with
your idle cycles, get paid - Online shopping make sure the merchant is really
running TRUSTe, etc. - VPNs, online games more later
Interesting Uses of Trusted Computing
9TCG Layers
10TCG Components
TCG 1.0 Architecture Overview
11Credential Types
- TPM contains 5 types of credentials
- Endorsement or EK credential uniquely identifies
TPM, privacy concern - Conformance credential Certifies that TPM meets
specifications - Platform credential Identifies TPM manufacturer
and capabilities - Validation credential Associated with peripheral
or software to guarantee integrity - Identity or AIK credential Issued by privacy CA
to preserve privacy of EK credential
12Opposition
- Trusted Computing has many opponents, because it
considers the computer operator to be a potential
attacker - EFF Trust Computing Promise and Risk
- Against-TCPA
- LAFKON - A movie about Trusted Computing
- And, a rebuttal
- TCPA Misinformation Rebuttal and Linux drivers
13Microsoft NGSCB
- Microsoft, AMD, HP, IBM, Infineon, Intel, Sun,
all members of TCG - Uses TPM to partitionsystem into two
partsNexus and L.H.S. - NCAs Nexus Comput-ing Agents
- Only two compartments
14NGSCB Architecture WinHEC 2004
- Little device diversity
- Only a few drivers
- KLOC
- Great device diversity
- Thousands of drivers
- MLOC
- Compartments are Windows-based
- Significantly reduced footprint
- Strongly Isolated, hardened and armored
- Secure device ownership
- Nexus or service compartments
- Windows
- Owns most HW
- Only real-time OS
- Security benefits via scenarios
Biddle, 2004
15Terra A Virtual Machine-Based Platform for
Trusted Computing
- Similar to 2004 NGSCB architecture, supports
multiple, isolated compartments - Terra supports an arbitrary number of
user-defined VMs, more flexible than NGSCB - Provides both open- and closed-box
environments - Implemented on VMware but didnt actually use TPM
Garfinkel, Pfaff, Chow, Rosenblum, Boneh, 2003
16Closed-box Platforms
- Developer has complete control over environment
- Cell phone
- Game console
- ATM
- May contain cryptographic keys
- Allows remote attestation to server using
pre-shared key - Not every application can run on closed-box
platform, expensive!
17Virtualization
- Hypervisors, or virtual-machine monitors (VMMs),
run entire guest operating system on top of host
operating system - Xen (open-source)
- Requires guest operating system to be modified,
but runs with very little slowdown - VMware (now available for free download)
- Supports unmodified operating systems, and is
reasonably fast - Terra (well be discussing this one)
- Not publicly available
18Terra Architecture
19Solution
- TVMM Trusted Virtual Machine Monitor
- Open-box VMs
- Just like current GP systems, no protection
- Closed-box VMs
- VM protected from modification, inspection
- Can attest to remote peer that VM is protected
- Behaves like true closed-box, but with cost and
availability benefits of open-box - Cant assure availability
- Operator can always pull the plug!
-
20TVMM Attestation
- Each layer of software has a keypair
- Lower layers certify higher layers
- Enables attestation ofentire stack
VM
Application
Operating System
Hash of Attestable Data
TVMM (Terra)
Higher Public Key
Bootloader
Firmware
Other Application Data
Signed by Lower Level
Hardware (TPM)
Certificate
Layers
21Additional Benefits
- Software stack can be tailored on per-application
basis - Game can run on thin, high-performance OS
- Email client can run on highly-secure,
locked-down OS - Regular applications can use standard,
full-featured and permissively-configured OS - Applications are isolated and protected from each
other - Reduces effectiveness of email viruses and
spyware against system as a whole - Low-assurance applications can automatically be
transformed into medium-assurance applications,
since they are protected from external influences
22Example 1
- Online gaming Quake
- Players often modify Quake to provide additional
capabilities to their characters, or otherwise
cheat - Quake can be transformed into a closed-box VM and
distributed to players - Remote attestation shows that it is unmodified
- Very little performance degradation
- Covert channels remain, such as frame rate
statistics
23Trusted Quake Assurances
- Secure Communication VM cant be inspected, so
shared key can be embedded in VM image to protect
network communication - Any software can be reverse engineered, so is
this a good idea? - Client Integrity maps and media files are
protected from modification on client - Server Integrity Bad clients cant connect
24Trusted Quake Weaknesses
- Bugs and Undesirable Features Rendered polygon
OSD permits prediction of impending character
appearances - Network DoS Attacks Terra does nothing in this
regard - Out-of-Band Collusion Players can still
communicate if theyre sitting together in a
basement or using IM
25My Research Question
- How can remote attestation of virtual machines be
used to protect consumer privacy in advanced
distribution automation (ADA) systems?
26Advanced Distribution Automation
- Distributed Energy Resource management
- Demand Reducation/Load Management
- Automated Meter Reading/Real Time Pricing
27Problem
- For real-time pricing to work, power company has
to know exactly how much power was used by each
customer at each point in time - Could be privacy problem
- Different rates may apply to devices, but meters
dont have that granularity - Demand reduction should be extended to more
devices, but requires individual switching agents
28Advanced Distribution Automation
29Appendix Trusted Access Points
- VPN client can be implemented as closed-box VM
and distributed to visitors when they first
connect to a regulated network - VM can attest to VPN gateway that it is operating
properly, and will enforce intended traffic
regulations
30TAP Benefits
- Prevents source forgery TAP can reliably check
all outgoing packets - Prevents DoS attacks TAP can block DoS attacks
at their source, before they even reach the
network - Scalability Clients enforce regulations on their
own traffic - Network Scalability TAP can perform local
vulnerability scan on host before permitting it
to connect