Your SlideShare is downloading. ×
Property-Based TPM Virtualization
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

Property-Based TPM Virtualization

1,068
views

Published on

Presentation of a paper at ISC 2008. Modification of a virtual TPM design to support more flexible key management and migration support for virtual machines.

Presentation of a paper at ISC 2008. Modification of a virtual TPM design to support more flexible key management and migration support for virtual machines.


0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,068
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
32
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Property­Based TPM Virtualization Ahmad­Reza Sadeghi, Christian Stüble*, Marcel Winandy Horst Görtz Institute for IT Security Ruhr­University Bochum, Germany * Sirrix AG security technologies Bochum, Germany ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 1
  • 2. Introduction: Virtualization ● Features – Standardized operating systems on various hardware platforms – Virtual machines: suspend & resume, migration – Security: isolation of virtual machines – Application scenario: corporate/private computing ● Isolated work loads for private and corporate working ● Isolated work loads for different security levels Linux Linux Windows Linux Windows Hypervisor Hypervisor Hardware Hardware ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 2
  • 3. Introduction: Trusted Computing (TPM) – TPM: cheap, tamper­evident hardware security module ● Cryptographic functions (RSA, SHA­1, key generation, RNG) ● Protected storage for small data (e.g. keys) ● Special keys: Endorsement Key (EK) and Storage Root Key (SRK) – Authenticated Boot (recording integrity measurements) ● Measurements stored in Platform Configuration Registers (PCRs) ● Each component measures next component (chain of trust) hash Apps store hash hash OS TPM Boot Loader store hash hash PCRs BIOS store hash SRK hash store hash EK CRTM – Attestation and Sealing ● Attestation Identity Key (AIK) signs PCRs for (remote) attestation ● Binding key is used to encrypt data to the current PCR values (decrypting only  possible with same PCR states) ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 3
  • 4. Introduction: Virtual TPM (vTPM) ● Each VM should be able to use TPM – Providing protected storage and crypto coprocessor – Assurance about the booted hypervisor and virtual machines – Support for migration Private Working Unclassified Corporate Classified Corporate Environment Environment Environment VM VM VM Hypervisor TPM Hardware ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 4
  • 5. Introduction: Virtual TPM (vTPM) ● Each VM should be able to use TPM – Providing protected storage and crypto coprocessor – Assurance about the booted hypervisor and virtual machines – Support for migration ● Virtualization of the TPM – Emulation in software, but binding to VM and hardware TPM Private Working Unclassified Corporate Classified Corporate Environment Environment Environment VM VM VM TPM Driver TPM Driver TPM Driver vTPM vTPM vTPM Hypervisor TPM Hardware ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 5
  • 6. Shortcomings of Existing vTPM Solutions ● Migration – Protected data bound to binary representation of hypervisor ● VM's data may be unavailable after migration to another platform ● Keys – Differentiated strategies for key generation missing ● some IT environments demand hardware­protected keys ● wheras others would benefit from flexibility of software keys ● Privacy – Revealing information about system configuration ● (v)TPM reveals information during remote attestation of PCR values ● Profiling (security risk) and discrimination possible ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 6
  • 7. New vTPM Design ● Adding new components to internal vTPM design: ● Property Management – Representation of virtual PCRs – Different mechanisms to store and read values – Realizing property­based attestation and sealing ● Key Management – Creating and loading cryptographic keys – Supports software keys or keys of physical TPM ● vTPM Policy – User­defined policy of the vTPM instance ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 7
  • 8. Flexible vTPM Architecture VM TPM Driver TPM_CreateWrapKey() TPM_Extend(i, m) TPM_PCRRead(i) vTPM Interface Management Interface CreateKey() Extend(i, m) PCRRead(i) crypto... migrate() Key Property Cryptographic Migration Management Management Functions Controller PropertyFilter Software Key PropertyProvider 1 Hardware Key PropertyProvider 2 vTPM ... ... ... PropertyProvider N vTPM Policy Hypervisor TPM Key TPM Novel components for vTPM ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 8
  • 9. Property Providers ● Each property provider has its own PCR vector – How to store values is up to each implementation – This results in a matrix of vPCRs – vTPM Policy decides which vector to use on which operation vTPM Instance  PropertyProvider 1 PropertyProvider j PropertyProvider N vPCR[0] ... ... vPCR[1] ... ... Mapping ... ... ... vPCR[n] ... ... – Initialization TPM ● Applying all property providers to build the vPCR matrix PCRs ● Each Property Provider can implement a different mapping ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 9
  • 10. Changing the Measurement Function ● PCR extension function of the TPM: Extend(i, m): PCRi ← SHA1(PCRi || m) ● Generalizing this for each Providerj: Providerj.Extend(i,m): vPCRi,j← translatej(vPCRi,j,m) ● Examples: – translatehash() is hashing like in hardware TPM – translatecert() looks for a certificate and stores the public key ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 10
  • 11. PCR Extension: Example VM­OS measures a file and wants to extend the measurement in PCR 10 of the vTPM  TPM_Extend(10, f572d396fae9206628714fb2ce00f72e94f2258f)                                                                                Property Management of vTPM instance calls each Property Provider vPCR10,hash of Providerhash vPCR10,cert of Providercert 09d2af8dd22201dd8d48e5dcfcaed281ff9422c7 PKcertA                                                                                 vPCR10,hash := SHA1(vPCR10,hash ||  Look for cert for hash f572d.... f572d396fae9206628714fb2ce00f72e94f2258f) If found one (e.g., certB), add its PK vPCR10,hash : vPCR10,cert : 3a2fdfb2e10d4286a56715952340177c508b173c PKcertA , PKcertB                                                             ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 11
  • 12. Property­Based Attestation with vTPM ● Providercert is one example to use property certificates – Certificates describe the properties for a particular measurement – Issued by a Trusted Third Party 1. attest(nonce,i,...,j) VM 6. (pcrData, nonce) Verifier 2. quote(vAIKID,nonce,i,...,j) 5. (pcrData, nonce) vTPM 3. prov = policy.askForProvider(i,...,j) 4. sign[vAIKID](nonce,vPCRi,prov,...,vPCRj,prov) ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 12
  • 13. Migration of VM and vTPM ● Secure migration needed (confidentiality, integrity, authenticity) ● Example: move private working environment to home PC Private Working Classified Corporate Online Gaming Environment Environment Environment VM VM VM vTPM vTPM vTPM  Hypervisor (Xen 3.1)  Hypervisor (Xen 3.2) Hardware (Office PC) TPM TPM Hardware (Home PC) ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 13
  • 14. Trusted Channel based Migration ● Source platform requests trusted channel to destination – Creates secret encryption key bound to TPM and configuration of  destination platform (assurance about integrity of end points) – Configuration can also be property­based – Re­usable for several migrations Private Working Classified Corporate Online Gaming Environment Environment Environment VM VM VM vTPM vTPM vTPM  Hypervisor (Xen 3.1)  Hypervisor (Xen 3.2) Trusted Channel Hardware (Office PC) TPM TPM Hardware (Home PC) ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 14
  • 15. Trusted Channel based Migration ● Source platform requests trusted channel to destination – Creates secret encryption key bound to TPM and configuration of  destination platform (assurance about integrity of end points) – Configuration can also be property­based – Re­usable for several migrations Private Working Classified Corporate Online Gaming Environment Environment Environment VM VM VM vTPM vTPM vTPM  Hypervisor (Xen 3.1)  Hypervisor (Xen 3.2) Trusted Channel Hardware (Office PC) TPM TPM Hardware (Home PC) Transfer encrypted TPM state via Trusted Channel No re­mapping of PCRs necessary (because of property providers) ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 15
  • 16. Trusted Channel based Migration ● Source platform requests trusted channel to destination – Creates secret encryption key bound to TPM and configuration of  destination platform (assurance about integrity of end points) – Configuration can also be property­based – Re­usable for several migrations Classified Corporate Private Working Online Gaming Environment Environment Environment VM VM VM vTPM vTPM vTPM  Hypervisor (Xen 3.1)  Hypervisor (Xen 3.2) Trusted Channel Hardware (Office PC) TPM TPM Hardware (Home PC) Transfer encrypted TPM state via Trusted Channel No re­mapping of PCRs necessary (because of property providers) ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 16
  • 17. Summary VM New vTPM Design TPM Driver TPM_CreateWrapKey() TPM_Extend(i, m) TPM_PCRRead(i) vTPM Interface Management Interface CreateKey() Extend(i, m) PCRRead(i) crypto... migrate() Key Property Cryptographic Migration Management Management Functions Controller ­ Property Providers PropertyFilter Software Key PropertyProvider 1 vTPM ­ Key Management Hardware Key PropertyProvider 2 ... ... ... PropertyProvider N vTPM Policy ­ vTPM Policy TPM Key TPM Novel components for vTPM ● Allows to link hypervisor to vTPM based on properties – Data availability after migration or software updates – Trusted Migration protocol ensures binding to trustworthy platform ● More flexibility in key usage – Key Management can delegate key requests to hardware TPM ● User­defined policy decides which information to reveal – Policy defines which Property Provider to use on attestation ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 17
  • 18. Thank you for your attention! Questions? Contact: Marcel Winandy Horst Görtz Institute for IT Security Ruhr­University Bochum, Germany marcel.winandy@trust.rub.de ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 18
  • 19. BACKUP ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 19
  • 20. Property­Based Sealing ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 20
  • 21. Migration Protocol Source platform Destination platform vTPM Migration Controlling Process Migration Controlling Process ' initiateMigration() create() vTPM ' migrate() requestTrustedChannel() (PKBind, certBind) verify(PKBind, certBind) sk := createKey() esk := bind[PKBind](sk) s := getState() es := encrypt[sk](s) deleteKey(sk), deleteState() transfer(es,esk) destroy() sk := unbind[PKBind](esk) s := decrypt[sk](es) X setState(s) ISC 2008, Taipei/Taiwan Marcel Winandy  ­  Property­Based TPM Virtualization 21