Slashdot Treat

1
Slashdot Treat

• MICROSOFT WINDOWS VISTA HOME4. USE WITH
  VIRTUALIZATION TECHNOLOGIES. You may not use the
  software installed on the licensed device within
  a virtual (or otherwise emulated) hardware
  system.
• MICROSOFT WINDOWS VISTA BUSINESS/ULTIMATE6. USE
  WITH VIRTUALIZATION TECHNOLOGIES. You may use the
  software installed on the licensed device within
  a virtual (or otherwise emulated) hardware system
  on the licensed device. If you do so, you may not
  play or access content or use applications
  protected by any Microsoft digital, information
  or enterprise rights management technology or
  other Microsoft rights management services or use
  BitLocker. We advise against playing or accessing
  content or using applications protected by other
  digital, information or enterprise rights
  management technology or other rights management
  services or using full volume disk drive
  encryption.

2
Terra A Virtual Machine-Based Platform for
Trusted Computing

• Tal Garfinkel, Ben Pfaff, Jim Chow, Mendel
  Rosenblum, Dan Boneh
• (Stanford)
• SOSP03
• Presented by Michael LeMay

3
Introduction

• VM-based architecture for supporting various
  security models on a single physical machine
• Context Old paper, not fully implementable at
  the time and many of the techniques are outdated,
  but principles have still been very influential

4
Outline

• Background
• Security Requirements
• Terra Design
• Limitations of Terra
• Enhanced Technologies
• Conclusion

5
Standard Operating Systems

• Large codebases
• Difficult to verify correctness and bug-freeness
• Offer poor isolation between applications
• Compromise in one can affect entire system
• Security reduced to level of most vulnerable
  application
• Applications with varying security requirements
  are unable to share a machine
• Dont provide trusted paths

6
Closed-Box Platforms

• Advantages
• Greater security provided by custom hardware and
  software, perhaps including tamper-resistance
• Embedded cryptographic keys can be used to
  authenticate platform to remote entity
• Disadvantages
• Expensive
• Unable to utilize standard software for commodity
  systems

7
Example Closed Boxes

• Automated Teller Machines
• Many cellphones
• Game consoles
• All three of the above have been cracked!
• Advanced meters
• These can be easily attacked
• Are there any other closed-box platforms you can
  think of?

8
What is a closed-box, really?

• Something that doesnt support standard
  development interfaces by default
• Linux GDB, /dev/kmem, cp, etc.
• Open-box
• Cellphone Windows Mobile File Explorer
• PS3 ?
• Closed boxes

9
Terra Objectives

• Combine best aspects of open- and closed-box
  platforms
• Strong support for privacy and integrity
• Support for standard hardware and software
• Provide semantics of dedicated, tamper-evident
  hardware platform to each application
• Doesnt actually use trusted hardware in
  implementation! Think about implications

10
Realization

• Trusted Virtual Machine Monitor (TVMM)
• Assurances
• Isolates VMs
• Will not falsely attest VM state
• Will not disclose or allow tampering with
  contents of closed-box VM
• These assurances are root-secure
• Limitations
• Unable to guarantee availability
• Relies on Management VM to provide additional
  functionality

11
Terra Architecture
12
Trusted Platform Module
13
TPM Interconnection
14
TPM 1.0 Components
TCG 1.0 Architecture Overview
15
Credential Types

• TPM contains 5 types of credentials
• Important
• Endorsement or EK credential uniquely identifies
  TPM, privacy concern
• Identity or AIK credential Issued by privacy CA
  to preserve privacy of EK credential
• Not-so-important
• Conformance credential Certifies that TPM meets
  specifications
• Platform credential Identifies TPM manufacturer
  and capabilities
• Validation credential Associated with peripheral
  or software to guarantee integrity

16
Threat Model

• Threat model dictated by hardware capabilities
• Tamper-evident, not tamper-resistant TPM
• Sets bit internally when compromised, but doesnt
  zero information
• Hardware-protected CPU and memory against
  adversaries lacking electrical analysis equipment
  and expertise
• Joe pointed out that this assumption was violated
  on the Xbox
• Unprotected disk
• Can be removed and inserted into new machine

17
Remote Attestation

• Three phases
• Measurement machine to be attested must measure
  its properties locally
• Attestation transfer measurements from machine
  being attested to remote machine
• Verification remote machine examines
  measurements transferred during attestation and
  decides whether they are valid and acceptable

18
Linux Integrity Measurement
19
Linux Attestation
20
Linux Verification
21
Terra Attestation Process

• Lower layers certify higher layers
• TPM ? Firmware ? Boot Loader ? TVMM ? VM ?
  Application
• For each layer above TPM
• Upper layer generates public/private keypair
• Upper layer requests that lower layer certify its
  public key and perhaps other data
• Lower layer signs certificate with hash over
  attestable parts of requests as the common name
  (main identifier) and the hashed data as
  auxiliary information

22
TVMM Attestation (cont.)

• VM disk contents included in attestation
• Simple hash tree used to optimize performance
• Permits VM to run for indefinite time using false
  disk hash
• Encrypted, integrity-protected, and non-encrypted
  disks all supported
• Keys used to protect disks placed in sealed
  storage, to prevent attackers from removing disks
  and performing an offline compromise

23
Attestation Verification

• Verify certificate in each layer by ensuring that
  it is signed by lower layer
• TPM certificate is signed by TPM manufacturer,
  which is also responsible for issuing CRLs
• No TPM manufacturer currently does this
• Check software hashes and attested data contained
  within certificates, ensure they are all trusted.

24
Attestation Binding

• Verification must be bound to attested process in
  some way
• Exchange certificate chains during SSL handshake
• If software is good, it will not persist session
  key
• Prevents system from rebooting and continuing
  execution in unattested state
• This problem was pointed out by John

25
Attestation Limitations

• In Terra, PCRs are not necessarily utilized, so
  no boot history is maintained
• Verifying entity must have comprehensive and
  up-to-date list of trusted software
  configurations
• A simple patch or software upgrade generates
  entirely new hash
• Difficult to obtain meaningful security
  assurances from simple software hashes

26
Policy-Reduced Integrity Measurement Architecture
JaegerSS 2006
27
Attestation Limitations (cont.)

• Compromising a TPM key undermines entire process
• TPM vendors do not maintain CAs or CRLs
• Platform privacy compromised by attestation
• Endorsement Key uniquely identifies platform
• Privacy CAs issue alternative keys (AIKs), but
  have an unsustainable business model
• Terra proposes group signatures

28
Attestation Limitations (cont.)

• Attestation can increase vendor lock-in and
  platform discrimination by permitting verifying
  entities to check the exact, complete software
  stack of the system.
• Attestation can only guarantee past and present
  system properties, it can say very little about
  the future.
• Owner can always turn machine off
• Operator can often load new software that
  violates trust (can be prevented)

29
Attestation Limitations (cont.)

• John pointed out that TPM revocation is an issue.
  Fortunately, TPMs are unlikely to be compromised
  while the system is running.
• Must decide how much state to attest. Should
  updating the high scores in Trusted Quake break
  the attestation?
• Use separate images for configuration data

30
Attestation Limitations (cont.)

• Cant directly detect MITM exploits
• Attestation simply tells you what software is
  running on system, not the identity of the system
• Could corrupt DNS or routing tables and run
  legitimate server, client wouldnt be able to
  detect.
• Is this a bad thing?
• No, leads to privacy problems.

31
Attestation Limitations (cont.)

• Useful for clients attempting to verify security
  of servers?
• No, clients couldnt possibly be provided with
  source code for major websites, so attestation
  would be meaningless.
• Is isolation important from the standpoint of
  attestation?
• Somewhat orthogonal, but often an important
  property being attested.

32
Management VM

• Analogous to Xen Dom0
• Performs administrative functions
• Create virtual device (NIC, block dev, etc.)
• Creates new VM
• Attach/detach virtual device to/from VM
• Powers VM up or down
• Suspends and resumes VM
• Hosts drivers

33
Driver Security

• Terra designers do not wish to include drivers in
  TCB, since they are often buggy
• They suggest nooks, but the VM-based driver
  isolation technique we discussed would also be
  applicable
• Just one of the problems with the suggested Terra
  architecture

34
Security-Enhanced Xen

• Would provide significant benefits to Terra
• Mandatory Access Control (MAC) for VM objects and
  commands
• Would permit controlled data sharing between
  Terra VMs, using shared memory buffers
• Currently implemented by IBM as sHype
• Xen Security Modules (XSM) provides extended
  hooks, backwards compatibility with sHype, and
  support for SELinux-style Type Enforcement
  policies

35
Security-Enhanced Xen (cont.)

• Better TPM support
• Trusted/secure boot
• TPM virtualization
• Dom0 decomposition
• Break management interface into pieces, allow
  different domains to use various parts
• Run drivers in separate domains
• Secure I/O
• IO-MMU support

http//www.xensource.com/files/xs0106_intel_xen_se
curity.pdf, http//www.xensource.com/files/XenSecu
rity_SHand.pdf
36
TPM Virtualization
http//www.xensource.com/files/XenSecurity_Intel_C
Rozas.pdf
37
Intel LaGrande
38
Intel Trusted Execution Technology (TET)
http//www.intel.com/technology/security/downloads
/arch-overview.pdf
39
TET System Architecture
40
TET System Implementation

• Enter VMM mode using GETSECSENTER instruction,
  measures VMM before transferring control
• CPU provides internal RAM that can execute code
  after hashing code and verifying against embedded
  digital signature. Enter Authenticated Code (AC)
  mode using GETSECENTERACCS instruction.
• Will only run software signed by Intel
• Is this a good thing? What if Intel decides they
  dont like ATI, so you have to choose between an
  ATI graphics card and an Intel processor?

http//download.intel.com/technology/security/down
loads/31516803.pdf
41
ARM TrustZone
http//www.arm.com/products/esd/trustzone_home.htm
l
42
Microsoft NGSCB

• Microsoft, AMD, HP, IBM, Infineon, Intel, Sun,
  all members of TCG
• Uses TPM to partitionsystem into two
  partsNexus and L.H.S.
• NCAs Nexus Comput-ing Agents
• Only two compartments

43
NGSCB Architecture WinHEC 2004

• Little device diversity
• Only a few drivers
• KLOC

• Great device diversity
• Thousands of drivers
• MLOC

• Compartments are Windows-based
• Significantly reduced footprint
• Strongly Isolated, hardened and armored
• Secure device ownership
• Nexus or service compartments

• Windows
• Owns most HW
• Only real-time OS
• Security benefits via scenarios

Biddle, 2004
44
Additional Questions

• What are some closed-box platforms that could not
  be easily adapted to run within Terra?
• What are some closed-box platforms that could
  benefit from Terra?
• What changes to Terra or its infrastructure are
  necessary to shrink the first list and/or expand
  the second?

45
Additional Questions (cont.)

• Are Terra-provided closed-box platforms more
  secure than standard closed-box platforms?
• Use tamper-evident hardware for key storage
• Would your answer change if the TPM were
  integrated into the CPU so it cant be snooped?

46
Conclusion

• Very influential general architecture
• Proposed before much needed functionality was
  available, but could be easily updated to use new
  functionality
• More general than NGSCB, but should benefit from
  NGSCB-inspired hardware

47
Appendices
48
Attested Meter

• Distributed Energy Resource management
• Demand Reducation/Load Management
• Automated Meter Reading/Real Time Pricing

49
Problem

• For real-time pricing to work, power company has
  to know exactly how much power was used by each
  customer at each point in time
• Could be privacy problem
• User should be able to access consumer portal
  software on meter from local network
• Were taking a closed-box platform, a meter, and
  adding an isolated open-box application
• Same thing suggested by Ravinder for Xbox

50
Attested Meter Architecture
51
Motivating Applications

• Trusted Access Point
• High-Assurance Terminals
• Isolated Monitors
• Virtual Secure Coprocessors
• Trusted Quake
• Attested Meter

52
Trusted Access Point
53
High-Assurance Terminals

• E-voting machines that attest their proper
  operation to the central tallying authority
• Stock feed viewers

54
Isolated Monitors

• Key stores
• Confidentiality must be very carefully protected
• Intrusion detection systems and virus scanners
• The VMI paper covered these in detail
• Secure loggers
• Should not be possible for compromised system
  being logged to remove entries

55
Virtual Secure Coprocessors

• Privacy-preserving databases
• Secure auctions
• Online commerce applications

56
Trusted Quake

• Game clients and servers can be modified to
  provide additional functionality to players
• Aiming proxies modify network commands to
  stabilize or otherwise assist in aiming weapons
• Eavesdropping determine information about other
  players activities
• Puts other players at disadvantage

57
Security Requirements
58
Root Security

• System administrator should not be able to
  compromise fundamental security assurances of
  system
• Non-traditional security model protect system
  from its owner/user

59
Remote Attestation

• Allow remote entity to determine properties about
  particular system
• What hardware is present?
• What software is running?
• What security properties does the software
  provide?

60
Trusted Path

• Guarantees that specific input was received from
  legitimate user
• Guarantees that output is only provided to
  legitimate user
• Addresses social engineering attacks, such as
  phishing

61
Properties of Commodity Systems
62
Implications of Characteristics

• Remote systems must be assumed to be malicious
• E.g. Game server must assume that game clients
  have been modified to cheat
• May prevent cooperation between components, or
  necessitate additional external monitoring of
  behavior
• Example P2P client
• If trusted, not necessary to audit operation
• If untrusted, might ask surrounding clients to
  monitor behavior of client.
• Increases system complexity

63
TERRA Design
64
TVMM Attestation

• Each layer of software has a keypair
• Lower layers certify higher layers
• Enables attestation ofentire stack

VM
Application
Operating System
Hash of Attestable Data
TVMM (Terra)
Higher Public Key
Bootloader
Firmware
Other Application Data
Signed by Lower Level
Hardware (TPM)
Certificate
Layers
65
Hardware Support
66
Required Hardware

• Hardware attestation
• Securely measure system configuration and issue
  digitally-signed certificates for that state
• Sealed storage
• Store persistent data such that only system with
  specific configuration can access it

TPM
67
Required Hardware (cont.)

• Hardware virtualization acceleration
• False requirement, just helps to minimize VMM
  (TCB) size and increase performance
• Secure I/O
• Secure connection between TVMM and mouse,
  keyboard, video card, etc.
• Secure counter
• Prevents replay/rollback attacks

68
Required Hardware (cont.)

• Device isolation
• Prevent devices from using DMA to overwrite TVMM
  structures, etc.
• Real-time support
• Many closed-box platforms have real-time
  requirements that are not supported by current
  commodity architectures

69
TCG Layers
http//trousers.sourceforge.net
70
TPM 1.2

• Additions
• Direct Anonymous Attestation
• Symmetric crypto 3-DES, AES192,256
• Removable Endorsement Key

Next Try TCG 1.2 Trustworthy or Treacherous?
(warning conspiratorial)
71
Opposition

• Trusted Computing has many opponents, because it
  considers the computer operator to be a potential
  attacker
• EFF Trust Computing Promise and Risk
• Against-TCPA
• LAFKON - A movie about Trusted Computing
• And, a rebuttal
• TCPA Misinformation Rebuttal and Linux drivers

72
Credential Relationships
DevID Relationship to TPM
73
Credential Relationships (cont.)
74
TERRA Implementation
75
Basic Implementation

• VMware Server GSX 2.0.1 on Debian
• Python management VM interface
• Serial port interface to TVMM attestation
  mechanism
• Doesnt use TPM

76
Implementation Performance

• Trusted Quake
• Direct boot (no attestation) 26.6 seconds
• Optimistic attestation 27.1 seconds
• Encrypted optimistic attestation 29.1 seconds
• Ahead-of-time attestation 57.1 seconds
• Interactive performance apparently equal across
  the board (but much slower than native Im sure!)

77
Sample Applications - Revisited
78
Trusted Access Points

• VPN client can be implemented as closed-box VM
  and distributed to visitors when they first
  connect to a regulated network
• VM can attest to VPN gateway that it is operating
  properly, and will enforce intended traffic
  regulations

79
TAP Benefits

• Prevents source forgery TAP can reliably check
  all outgoing packets
• Prevents DoS attacks TAP can block DoS attacks
  at their source, before they even reach the
  network
• Scalability Clients enforce regulations on their
  own traffic
• Network Scalability TAP can perform local
  vulnerability scan on host before permitting it
  to connect

80
Example 1

• Online gaming Quake
• Players often modify Quake to provide additional
  capabilities to their characters, or otherwise
  cheat
• Quake can be transformed into a closed-box VM and
  distributed to players
• Remote attestation shows that it is unmodified
• Very little performance degradation
• Covert channels remain, such as frame rate
  statistics

81
Trusted Quake Assurances

• Secure Communication VM cant be inspected, so
  shared key can be embedded in VM image to protect
  network communication
• Any software can be reverse engineered, so is
  this a good idea?
• Client Integrity maps and media files are
  protected from modification on client
• Server Integrity Bad clients cant connect

82
Trusted Quake Weaknesses

• Bugs and Undesirable Features Rendered polygon
  OSD permits prediction of impending character
  appearances
• Network DoS Attacks Terra does nothing in this
  regard
• Out-of-Band Collusion Players can still
  communicate if theyre sitting together in a
  basement or using IM

83
Analysis
84
Advantages of Terra

• Applications can customize their software stacks
• Supports attestation primitives directly
• Same hardware interface as physical machine
• Hardware memory and CPU protection, and software
  protection of disks prevents tampering by
  platform owner and other attackers

85
Limitations of Terra

• Obsolete attestation system (easily enhanced)
• Lack of trusted path support (coming soon)
• Lack of any inter-VM sharing (porting to Xen
  would provide this)
• Monolithic management VM (resolved by XenSE)

86
Related Work