1. Slashdot Treat
   - MICROSOFT WINDOWS VISTA HOME 4. USE WITH VIRTUALIZATION TECHNOLOGIES. You may not use the software installed on the licensed device within a virtual (or otherwise emulated) hardware system.
   - MICROSOFT WINDOWS VISTA BUSINESS/ULTIMATE 6. USE WITH VIRTUALIZATION TECHNOLOGIES. You may use the software installed on the licensed device within a virtual (or otherwise emulated) hardware system on the licensed device. If you do so, you may not play or access content or use applications protected by any Microsoft digital, information or enterprise rights management technology or other Microsoft rights management services or use BitLocker. We advise against playing or accessing content or using applications protected by other digital, information or enterprise rights management technology or other rights management services or using full volume disk drive encryption.

2. Terra: A Virtual Machine-Based Platform for Trusted Computing
   Tal Garfinkel, Ben Pfaff, Jim Chow, Mendel Rosenblum, Dan Boneh (Stanford), SOSP’03
   Presented by: Michael LeMay

3. Introduction
   - VM-based architecture for supporting various security models on a single physical machine
   - Context: an old paper, not fully implementable at the time, and many of its techniques are outdated, but its principles have still been very influential

4. Outline
   - Background
   - Security Requirements
   - Terra Design
   - Limitations of Terra
   - Enhanced Technologies
   - Conclusion

5. Standard Operating Systems
   - Large codebases
     - Difficult to verify correctness and bug-freeness
   - Offer poor isolation between applications
     - A compromise in one can affect the entire system
   - Security is reduced to the level of the most vulnerable application
     - Applications with varying security requirements are unable to share a machine
   - Don’t provide trusted paths

6. Closed-Box Platforms
   - Advantages:
     - Greater security provided by custom hardware and software, perhaps including tamper-resistance
     - Embedded cryptographic keys can be used to authenticate the platform to a remote entity
   - Disadvantages:
     - Expensive
     - Unable to utilize standard software for commodity systems

7. Example Closed Boxes
   - Automated Teller Machines
   - Many cellphones
   - Game consoles
   - All three of the above have been cracked!
   - Advanced meters
     - These can be easily attacked
   - Are there any other closed-box platforms you can think of?

8. What is a closed-box, really?
   - Something that doesn’t support standard development interfaces by default
     - Linux: GDB, /dev/kmem, cp, etc.
       - Open-box
     - Cellphone: Windows Mobile File Explorer
     - PS3: ?
       - Closed boxes

9. Terra Objectives
   - Combine the best aspects of open- and closed-box platforms:
     - Strong support for privacy and integrity
     - Support for standard hardware and software
   - Provide the semantics of a dedicated, tamper-evident hardware platform to each application
   - Doesn’t actually use trusted hardware in the implementation! Think about the implications…

10. Realization
   - Trusted Virtual Machine Monitor (TVMM)
     - Assurances:
       - Isolates VMs
       - Will not falsely attest VM state
       - Will not disclose or allow tampering with the contents of a closed-box VM
       - These assurances are root-secure
     - Limitations:
       - Unable to guarantee availability
     - Relies on the Management VM to provide additional functionality
11. Terra Architecture

12. Trusted Platform Module

13. TPM Interconnection

14. TPM 1.0 Components (TCG 1.0 Architecture Overview)

15. Credential Types
   - The TPM contains 5 types of credentials:
     - Important:
       - Endorsement or EK credential: uniquely identifies the TPM; a privacy concern
       - Identity or AIK credential: issued by a privacy CA to preserve the privacy of the EK credential
     - Not-so-important:
       - Conformance credential: certifies that the TPM meets specifications
       - Platform credential: identifies the TPM manufacturer and capabilities
       - Validation credential: associated with a peripheral or software to guarantee integrity

16. Threat Model
   - Threat model dictated by hardware capabilities:
     - Tamper-evident, not tamper-resistant TPM
       - Sets a bit internally when compromised, but doesn’t zero information
     - Hardware-protected CPU and memory against adversaries lacking electrical analysis equipment and expertise
       - Joe pointed out that this assumption was violated on the Xbox
     - Unprotected disk
       - Can be removed and inserted into a new machine

17. Remote Attestation
   - Three phases:
     - Measurement: the machine to be attested must measure its properties locally
     - Attestation: transfer the measurements from the machine being attested to the remote machine
     - Verification: the remote machine examines the measurements transferred during attestation and decides whether they are valid and acceptable

18. Linux Integrity Measurement

19. Linux Attestation

20. Linux Verification

21. Terra Attestation Process
   - Lower layers certify higher layers:
     - TPM -> Firmware -> Boot Loader -> TVMM -> VM -> Application
   - For each layer above the TPM:
     - The upper layer generates a public/private keypair
     - The upper layer requests that the lower layer certify its public key and perhaps other data
     - The lower layer signs a certificate whose common name (main identifier) is the hash over the attestable parts of the request, with the hashed data included as auxiliary information

22. TVMM Attestation (cont.)
   - VM disk contents are included in the attestation
     - A simple hash tree is used to optimize performance
       - Permits the VM to run for an indefinite time using a false disk hash
     - Encrypted, integrity-protected, and non-encrypted disks are all supported
     - Keys used to protect disks are placed in sealed storage, to prevent attackers from removing disks and performing an offline compromise
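The hash tree on slide 22, and the optimistic versus ahead-of-time attestation modes whose boot times slide 76 reports, as an added example that is not part of the presentation or the Terra paper. It builds a standard Merkle tree over the blocks of a constructed toy disk image. Ahead-of-time attestation recomputes the root over the whole image before boot; optimistic attestation commits to the root only and checks each block against the stored tree on its first read, which is exactly why a block tampered with after attestation goes unnoticed until something reads it. The block size, the sample image and all function and class names are this example's own choices, not Terra's.

```python
"""Added example (not from the slides or the Terra paper): hash tree over VM
disk blocks, with lazy (optimistic) and up-front (ahead-of-time) verification."""
import hashlib

BLOCK = 64  # bytes per block; a constructed toy size, not Terra's


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_tree(image: bytes) -> list:
    """Return the tree as a list of levels: level 0 holds the leaf hashes,
    the last level holds the single root hash.  An odd level is padded by
    duplicating its last node."""
    level = [h(image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root_hash(image: bytes) -> bytes:
    """Ahead-of-time attestation: hash the entire image before boot."""
    return build_tree(image)[-1][0]


def proof(levels: list, idx: int) -> list:
    """Authentication path for leaf idx: (sibling hash, sibling_is_left) pairs."""
    path = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sib = idx ^ 1
        path.append((level[sib], sib < idx))
        idx //= 2
    return path


def verify_block(block: bytes, path: list, expected_root: bytes) -> bool:
    node = h(block)
    for sib, sib_is_left in path:
        node = h(sib + node) if sib_is_left else h(node + sib)
    return node == expected_root


class OptimisticDisk:
    """Optimistic attestation: only the root is attested at boot.  The tree
    computed at attestation time is kept beside the image; each block is
    checked against it the first time it is read."""

    def __init__(self, image: bytes, tree: list, attested_root: bytes):
        self.image, self.tree, self.root = image, tree, attested_root
        self.verified = set()

    def read(self, idx: int) -> bytes:
        block = self.image[idx * BLOCK:(idx + 1) * BLOCK]
        if idx not in self.verified:
            if not verify_block(block, proof(self.tree, idx), self.root):
                raise ValueError(f"block {idx} does not match attested root")
            self.verified.add(idx)
        return block


# Constructed 10-block sample image standing in for a VM disk.
IMAGE = b"".join(f"block{i:03d}".encode().ljust(BLOCK, b".") for i in range(10))


def demo():
    tree = build_tree(IMAGE)            # stored beside the image at attestation time
    attested_root = tree[-1][0]         # what the VM's certificate commits to
    tampered = bytearray(IMAGE)
    tampered[7 * BLOCK] ^= 0x01         # flip one bit in block 7 after attestation
    disk = OptimisticDisk(bytes(tampered), tree, attested_root)
    untouched_ok = disk.read(0) == IMAGE[:BLOCK]   # passes: VM keeps running (slide 22)
    try:
        disk.read(7)
        caught = False
    except ValueError:
        caught = True                                # detected only when block 7 is read
    ahead_of_time_ok = root_hash(bytes(tampered)) == attested_root  # False: caught at boot
    return untouched_ok, caught, ahead_of_time_ok
```

`demo()` returns `(True, True, False)`: the optimistic disk serves untouched blocks and only fails when the tampered block is read, while the ahead-of-time check rejects the image before the VM ever starts. That trade-off is the source of both the 27.1 s versus 57.1 s boot times on slide 76 and the "indefinite time using a false disk hash" caveat on slide 22.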
23. Attestation Verification
   - Verify the certificate in each layer by ensuring that it is signed by the lower layer
     - The TPM certificate is signed by the TPM manufacturer, which is also responsible for issuing CRLs
       - No TPM manufacturer currently does this
   - Check the software hashes and attested data contained within the certificates; ensure they are all trusted

24. Attestation Binding
   - Verification must be bound to the attested process in some way
   - Exchange certificate chains during the SSL handshake
   - If the software is good, it will not persist the session key
   - Prevents the system from rebooting and continuing execution in an unattested state
     - This problem was pointed out by John

25. Attestation Limitations
   - In Terra, PCRs are not necessarily utilized, so no boot history is maintained
   - The verifying entity must have a comprehensive and up-to-date list of trusted software configurations
     - A simple patch or software upgrade generates an entirely new hash
   - Difficult to obtain meaningful security assurances from simple software hashes
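The layered certification of slide 21, the verifier's walk up the chain on slide 23, and the brittleness of plain software hashes on slide 25, as one added example that is not part of the presentation or the Terra paper. Each layer generates a keypair, the layer below signs a certificate whose main identifier is the hash of the upper layer's attestable data, and a remote verifier checks every signature against the key one level down before comparing the hash to its allowlist. To keep the example offline and stdlib-only, signatures are Lamport one-time signatures (each layer signs exactly one certificate, which suits the use); a TPM uses RSA. The layer list, certificate fields, allowlist and sample "images" are constructed for this example.

```python
"""Added example (not from the slides or the Terra paper): Terra-style
certificate chain from the TPM up to the application, with verification."""
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signatures (stand-in for the TPM's RSA signatures) ---
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))


def pk_bytes(pk) -> bytes:
    return b"".join(a + b for a, b in pk)


# --- Certificate layers (slide 21) ---
LAYERS = ["firmware", "bootloader", "tvmm", "vm", "application"]  # example's order


def certify(lower_sk, subject: str, attestable_data: bytes, upper_pk) -> dict:
    common_name = H(attestable_data)          # hash of attestable data is the identifier
    tbs = subject.encode() + common_name + pk_bytes(upper_pk)  # to-be-signed bytes
    return {"subject": subject, "common_name": common_name,
            "pk": upper_pk, "sig": lamport_sign(lower_sk, tbs)}


def build_chain(images: dict):
    """images maps each layer name to its attestable content.  Returns the
    TPM's public key and the list of certificates, one per layer, bottom-up."""
    lower_sk, tpm_pk = lamport_keygen()       # TPM root keypair
    chain = []
    for layer in LAYERS:
        upper_sk, upper_pk = lamport_keygen()  # upper layer generates its keypair
        chain.append(certify(lower_sk, layer, images[layer], upper_pk))
        lower_sk = upper_sk                    # this layer now certifies the next one
    return tpm_pk, chain


# --- Verification (slide 23) ---
def verify_chain(tpm_pk, chain, trusted_hashes: dict):
    """Check each certificate's signature with the key one layer down, then
    check the attested hash against the verifier's allowlist."""
    lower_pk = tpm_pk
    for cert in chain:
        tbs = cert["subject"].encode() + cert["common_name"] + pk_bytes(cert["pk"])
        if not lamport_verify(lower_pk, tbs, cert["sig"]):
            return False, f"bad signature on {cert['subject']} certificate"
        if cert["common_name"] not in trusted_hashes.get(cert["subject"], set()):
            return False, f"unknown {cert['subject']} hash {cert['common_name'].hex()[:16]}"
        lower_pk = cert["pk"]
    return True, "chain verified"


# Constructed sample contents standing in for the real firmware, bootloader, ...
GOOD_IMAGES = {layer: f"{layer}-v1".encode() for layer in LAYERS}
TRUSTED_HASHES = {layer: {H(img)} for layer, img in GOOD_IMAGES.items()}


def demo():
    tpm_pk, chain = build_chain(GOOD_IMAGES)
    good = verify_chain(tpm_pk, chain, TRUSTED_HASHES)
    # Slide 25: a patched application has an entirely new hash the verifier
    # has never seen, so the upgrade fails verification until the allowlist is updated.
    patched = dict(GOOD_IMAGES, application=b"application-v1.0.1")
    tpm_pk2, chain2 = build_chain(patched)
    upgraded = verify_chain(tpm_pk2, chain2, TRUSTED_HASHES)
    # Rewriting a certificate after the fact invalidates the lower layer's signature.
    chain[3]["common_name"] = H(b"some other vm image")
    tampered = verify_chain(tpm_pk, chain, TRUSTED_HASHES)
    return good, upgraded, tampered
```

`demo()` returns the good chain as `(True, "chain verified")`, the upgraded chain rejected with an "unknown application hash" reason, and the edited chain rejected with "bad signature on vm certificate". Note what the verifier learns only from the hash equality: that the bytes match a known configuration, nothing about the properties of that configuration, which is the last point on slide 25 and the motivation for the policy-based measurement of slide 26.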
26. Policy-Reduced Integrity Measurement Architecture (JaegerSS 2006)

27. Attestation Limitations (cont.)
   - Compromising a TPM key undermines the entire process
     - TPM vendors do not maintain CAs or CRLs
   - Platform privacy is compromised by attestation
     - The Endorsement Key uniquely identifies the platform
     - Privacy CAs issue alternative keys (AIKs), but have an unsustainable business model
     - Terra proposes group signatures

28. Attestation Limitations (cont.)
   - Attestation can increase vendor lock-in and platform discrimination by permitting verifying entities to check the exact, complete software stack of the system.
   - Attestation can only guarantee past and present system properties; it can say very little about the future.
     - The owner can always turn the machine off
     - The operator can often load new software that violates trust (can be prevented)

29. Attestation Limitations (cont.)
   - John pointed out that TPM revocation is an issue. Fortunately, TPMs are unlikely to be compromised while the system is running.
   - Must decide how much state to attest. Should updating the high scores in Trusted Quake break the attestation?
     - Use separate images for configuration data

30. Attestation Limitations (cont.)
   - Can’t directly detect MITM exploits
     - Attestation simply tells you what software is running on a system, not the identity of the system
     - Someone could corrupt DNS or routing tables and run a legitimate server; the client wouldn’t be able to detect it.
     - Is this a bad thing?
     - No, leads to privacy problems.

31. Attestation Limitations (cont.)
   - Useful for clients attempting to verify the security of servers?
     - No: clients couldn’t possibly be provided with the source code for major websites, so attestation would be meaningless.
   - Is isolation important from the standpoint of attestation?
     - Somewhat orthogonal, but often an important property being attested.

32. Management VM
   - Analogous to Xen Dom0
   - Performs administrative functions:
     - Creates virtual devices (NIC, block device, etc.)
     - Creates new VMs
     - Attaches/detaches virtual devices to/from VMs
     - Powers VMs up or down
     - Suspends and resumes VMs
   - Hosts drivers

33. Driver Security
   - Terra’s designers do not wish to include drivers in the TCB, since they are often buggy
     - They suggest Nooks, but the VM-based driver isolation technique we discussed would also be applicable
   - Just one of the problems with the suggested Terra architecture

34. Security-Enhanced Xen
   - Would provide significant benefits to Terra
   - Mandatory Access Control (MAC) for VM objects and commands
     - Would permit controlled data sharing between Terra VMs, using shared memory buffers
     - Currently implemented by IBM as sHype
     - Xen Security Modules (XSM) provide extended hooks, backwards compatibility with sHype, and support for SELinux-style Type Enforcement policies

35. Security-Enhanced Xen (cont.)
   - Better TPM support:
     - Trusted/secure boot
     - TPM virtualization
   - Dom0 decomposition
     - Break the management interface into pieces; allow different domains to use various parts
     - Run drivers in separate domains
   - Secure I/O
     - IOMMU support
   Sources: http://www.xensource.com/files/xs0106_intel_xen_security.pdf , http://www.xensource.com/files/XenSecurity_SHand.pdf

36. TPM Virtualization (http://www.xensource.com/files/XenSecurity_Intel_CRozas.pdf)

37. Intel LaGrande

38. Intel Trusted Execution Technology (TET) (http://www.intel.com/technology/security/downloads/arch-overview.pdf)

39. TET System Architecture

40. TET System Implementation
   - Enter VMM mode using the GETSEC[SENTER] instruction, which measures the VMM before transferring control to it
   - The CPU provides internal RAM that can execute code after hashing the code and verifying it against an embedded digital signature. Enter Authenticated Code (AC) mode using the GETSEC[ENTERACCS] instruction.
     - Will only run software signed by Intel
     - Is this a good thing? What if Intel decides they don’t like ATI, so you have to choose between an ATI graphics card and an Intel processor?
   Source: http://download.intel.com/technology/security/downloads/31516803.pdf

41. ARM TrustZone (http://www.arm.com/products/esd/trustzone_home.html)

42. Microsoft NGSCB
   - Microsoft, AMD, HP, IBM, Infineon, Intel, Sun, … are all members of the TCG
   - Uses the TPM to partition the system into two parts: Nexus and L.H.S.
   - NCAs: Nexus Computing Agents
   - Only two compartments

43. NGSCB Architecture – WinHEC 2004
   - Windows
     - Owns most HW
     - Only real-time OS
     - Security benefits via scenarios
   - Compartments are Windows-based
     - Significantly reduced footprint
     - Strongly isolated, hardened and armored
   - Secure device ownership
     - Nexus or service compartments
   - Windows side: great device diversity; thousands of drivers; MLOC
   - Nexus side: little device diversity; only a few drivers; KLOC
   Source: Biddle, 2004

44. Additional Questions
   - What are some closed-box platforms that could not be easily adapted to run within Terra?
   - What are some closed-box platforms that could benefit from Terra?
   - What changes to Terra or its infrastructure are necessary to shrink the first list and/or expand the second?

45. Additional Questions (cont.)
   - Are Terra-provided closed-box platforms more secure than standard closed-box platforms?
     - Use tamper-evident hardware for key storage
     - Would your answer change if the TPM were integrated into the CPU so it can’t be snooped?

46. Conclusion
   - Very influential general architecture
   - Proposed before much needed functionality was available, but could be easily updated to use new functionality
   - More general than NGSCB, but should benefit from NGSCB-inspired hardware

47. APPENDICES

48. Attested Meter
   - Distributed Energy Resource management
   - Demand Reduction/Load Management
   - Automated Meter Reading/Real Time Pricing

49. Problem
   - For real-time pricing to work, the power company has to know exactly how much power was used by each customer at each point in time
     - Could be a privacy problem
   - The user should be able to access consumer portal software on the meter from the local network
     - We’re taking a closed-box platform, a meter, and adding an isolated open-box application
     - Same thing suggested by Ravinder for the Xbox

50. Attested Meter Architecture

51. Motivating Applications
   - Trusted Access Point
   - High-Assurance Terminals
   - Isolated Monitors
   - Virtual Secure Coprocessors
   - Trusted Quake
   - Attested Meter

52. Trusted Access Point

53. High-Assurance Terminals
   - E-voting machines that attest their proper operation to the central tallying authority
   - Stock feed viewers

54. Isolated Monitors
   - Key stores
     - Confidentiality must be very carefully protected
   - Intrusion detection systems and virus scanners
     - The VMI paper covered these in detail
   - Secure loggers
     - It should not be possible for the compromised system being logged to remove entries

55. Virtual Secure Coprocessors
   - Privacy-preserving databases
   - Secure auctions
   - Online commerce applications

56. Trusted Quake
   - Game clients and servers can be modified to provide additional functionality to players
     - Aiming proxies: modify network commands to stabilize or otherwise assist in aiming weapons
     - Eavesdropping: determine information about other players’ activities
   - Puts other players at a disadvantage

57. SECURITY REQUIREMENTS

58. Root Security
   - The system administrator should not be able to compromise the fundamental security assurances of the system
     - Non-traditional security model: protect the system from its owner/user

59. Remote Attestation
   - Allow a remote entity to determine properties of a particular system
     - What hardware is present?
     - What software is running?
     - What security properties does the software provide?

60. Trusted Path
   - Guarantees that specific input was received from the legitimate user
   - Guarantees that output is only provided to the legitimate user
   - Addresses social engineering attacks, such as phishing

61. PROPERTIES OF COMMODITY SYSTEMS

62. Implications of Characteristics
   - Remote systems must be assumed to be malicious
     - E.g. a game server must assume that game clients have been modified to cheat
     - May prevent cooperation between components, or necessitate additional external monitoring of behavior
       - Example: P2P client
         - If trusted, it is not necessary to audit its operation
         - If untrusted, one might ask surrounding clients to monitor the behavior of the client.
       - Increases system complexity

63. TERRA DESIGN

64. TVMM Attestation
   - Each layer of software has a keypair
   - Lower layers certify higher layers
   - Enables attestation of the entire stack
   [Figure: certificate layers. Hardware (TPM) -> Firmware -> Bootloader -> TVMM (Terra) -> Operating System (VM) -> Application; each certificate contains the hash of attestable data, the higher layer’s public key and other application data, and is signed by the lower level.]

65. HARDWARE SUPPORT

66. Required Hardware
   - Hardware attestation
     - Securely measure the system configuration and issue digitally-signed certificates for that state
   - Sealed storage
     - Store persistent data such that only a system with a specific configuration can access it
   [Figure: TPM]

67. Required Hardware (cont.)
   - Hardware virtualization acceleration
     - Not a true requirement; it just helps to minimize VMM (TCB) size and increase performance
   - Secure I/O
     - Secure connection between the TVMM and mouse, keyboard, video card, etc.
   - Secure counter
     - Prevents replay/rollback attacks

68. Required Hardware (cont.)
   - Device isolation
     - Prevent devices from using DMA to overwrite TVMM structures, etc.
   - Real-time support
     - Many closed-box platforms have real-time requirements that are not supported by current commodity architectures

69. TCG Layers (http://trousers.sourceforge.net)

70. TPM 1.2
   - Additions:
     - Direct Anonymous Attestation
     - Symmetric crypto: 3-DES, AES192, AES256
     - Removable Endorsement Key
   See also: TCG 1.2: Trustworthy or Treacherous? (warning: conspiratorial)

71. Opposition
   - Trusted Computing has many opponents, because it considers the computer operator to be a potential attacker:
     - EFF: Trusted Computing: Promise and Risk
     - Against-TCPA
     - LAFKON - A movie about Trusted Computing
   - And, a rebuttal:
     - TCPA Misinformation Rebuttal and Linux drivers

72. Credential Relationships (DevID Relationship to TPM)

73. Credential Relationships (cont.)

74. TERRA IMPLEMENTATION

75. Basic Implementation
   - VMware Server GSX 2.0.1 on Debian
   - Python management VM interface
   - Serial port interface to the TVMM attestation mechanism
     - Doesn’t use a TPM

76. Implementation Performance
   - Trusted Quake:
     - Direct boot (no attestation): 26.6 seconds
     - Optimistic attestation: 27.1 seconds
     - Encrypted optimistic attestation: 29.1 seconds
     - Ahead-of-time attestation: 57.1 seconds
     - Interactive performance apparently equal across the board (but much slower than native, I’m sure!)

77. SAMPLE APPLICATIONS - REVISITED

78. Trusted Access Points
   - A VPN client can be implemented as a closed-box VM and distributed to visitors when they first connect to a regulated network
   - The VM can attest to the VPN gateway that it is operating properly and will enforce the intended traffic regulations

79. TAP Benefits
   - Prevents source forgery: the TAP can reliably check all outgoing packets
   - Prevents DoS attacks: the TAP can block DoS attacks at their source, before they even reach the network
   - Scalability: clients enforce regulations on their own traffic
   - Network Scalability: the TAP can perform a local vulnerability scan on the host before permitting it to connect

80. Example #1
   - Online gaming: Quake
   - Players often modify Quake to provide additional capabilities to their characters, or otherwise cheat
   - Quake can be transformed into a closed-box VM and distributed to players
   - Remote attestation shows that it is unmodified
   - Very little performance degradation
   - Covert channels remain, such as frame rate statistics

81. Trusted Quake Assurances
   - Secure Communication: the VM can’t be inspected, so a shared key can be embedded in the VM image to protect network communication
     - Any software can be reverse engineered, so is this a good idea?
   - Client Integrity: maps and media files are protected from modification on the client
   - Server Integrity: bad clients can’t connect

82. Trusted Quake Weaknesses
   - Bugs and Undesirable Features: the rendered polygon OSD permits prediction of impending character appearances
   - Network DoS Attacks: Terra does nothing in this regard
   - Out-of-Band Collusion: players can still communicate if they’re sitting together in a basement or using IM

83. ANALYSIS

84. Advantages of Terra
   - Applications can customize their software stacks
   - Supports attestation primitives directly
   - Same hardware interface as a physical machine
   - Hardware memory and CPU protection, and software protection of disks, prevent tampering by the platform owner and other attackers

85. Limitations of Terra
   - Obsolete attestation system (easily enhanced)
   - Lack of trusted path support (coming soon)
   - Lack of any inter-VM sharing (porting to Xen would provide this)
   - Monolithic management VM (resolved by XenSE)

86. RELATED WORK