08-tcg

7/29/2019 08-TCG

http://slidepdf.com/reader/full/08-tcg 1/54

TrustedComputing

CS155, Spring 2013

7/29/2019 08-TCG


BackgroundTCG consortium. Founded in 1999. Lots of companies

Goals:

• Hardware protected (encrypted) storage:

– Only “authorized” software can decrypt data

– e.g.: protecting key for decrypting file system

⇒ only “authorized” software can boot

• Attestation: Prove to remote server what software

started on my machine.

7/29/2019 08-TCG


TCG: changes to the PC

Extra hardware: Trusted Platform Module (TPM) chip

• TPM Chip vendors: (~.3$)

Atmel, Infineon, Broadcom, STMicro, Intel INTC0

Software changes:

Hardware layer: BIOS, EFI (UEFI)

Software: OS and apps

7/29/2019 08-TCG


TPMs in the real world

• TPMs widely available on laptops, desktops and some

• Software using TPMs:

– File/disk encryption: BitLocker, IBM, HP, Sophos

–Attestation for enterprise login: Cognizance, Wav

– Client-side single sign on: IBM, Wave

7/29/2019 08-TCG


This lecture

• What is the TPM?

• How it is being used for disk encryption

• How Windows 8 plans to use it for securing the boot

environment

7/29/2019 08-TCG


Trusted Compu

What is the TP

7/29/2019 08-TCG


Components on TPM ch

I/O

Crypto Engine:RSA, SHA1, HMAC, RNG

Non VolatileStorage

(> 1280 bytes)

PCR Registers(16 registers)

O

J

RSA: 1024, 2048 bit modulus

SHA1: Outputs 20 byte digest

N l il

7/29/2019 08-TCG


Non-volatile storage1. Endorsement Key (EK) (2048-bit RSA)

– Created at manufacturing time. Cannot be changed.

– Used for “attestation” (described later)

2. Storage Root Key (SRK) (2048-bit RSA)

– Used for encrypted storage. Created after running

TPM_TakeOwnership( OwnerPassword, … ) – Can be cleared later with TPM_ForceClear from BIOS

3. OwnerPassword (160 bits) and persistent flags

Private: EK, SRK, and OwnerPwd never leave the TPM

PCR th h t f th

7/29/2019 08-TCG


PCR: the heart of the maPCR: Platform Configuration Registers

•

Many PCR registers on chip (at least 16)• Contents: 20-byte SHA1 digest (+junk)

Updating PCR #n :

•

TPM_Extend(n,D): PCR[n] SHA1 ( PCR[n] ll D )

• TPM_PcrRead(n): returns value(PCR(n))

PCRs initialized to default value (e.g. 0) at boot time

7/29/2019 08-TCG


Using PCRs: the TCG boot proce

On power-up: TPM receives a TPM_Init signal from LPC bus.

BIOS boot block executes:• Calls TPM_Startup (ST_CLEAR) to initialize PCRs to 0

[can only be called once after TPM_In

• Calls PCR_Extend( n, <BIOS code> )

• Then loads and runs BIOS post boot code

BIOS executes: Calls PCR_Extend( n, <MBR code> )

• Then runs MBR (master boot record), e.g. GRUB.

MBR executes: Calls PCR_Extend( n, <OS loader code, confi

•

Then runs OS loader … and so on

7/29/2019 08-TCG


In a diagram

BIOSbootblock

BIOSOS

loader OS Applic

TPM

Hardware

Root of trust inintegritymeasurement

Root of trust inintegrity reporting

mea

Ext

After boot, PCRs contain hash chains of booted softwar

Collision resistance of SHA1 (?) ensures commitment

7/29/2019 08-TCG


Example: Trusted GRU

PCR # to use and what to measure is specified in GRUB co

7/29/2019 08-TCG


The main point

After boot completes, PCR registers measure the entire

software stack that booted on the machine:

• BIOS and hardware configuration

• Boot loader and its configuration

• Operating system

• Running apps

7/29/2019 08-TCG


What would go wrong if TPM_Startup (ST_CLEAR)

could be called at any time after boot?

Malicious OS could reset PCRs post-boot and th

set them to a valid OS hash. PCRs would then lo

as if valid OS loaded.

7/29/2019 08-TCG


TPM Counters

• TPM must support at least four hardware counters

– Increment rate: every 5 seconds for 7 years.

• Applications:

– Provide time stamps on blobs.

– Supports “music will pay for 30 days” policy.

7/29/2019 08-TCG


Trusted Compu

Using PCRs after

Using PCRs after boot

7/29/2019 08-TCG


Using PCRs after bootApplication: encrypted (a.k.a sealed) storage.

Setup step 1: TPM_TakeOwnership( OwnerPassword, …• Creates 2048-bit RSA Storage Root Key (SRK) on TPM

• Cannot run TPM_TakeOwnership again without OwnerPw

– Ownership Enabled Flag False

• Done once by IT department or laptop owner.

(optional) Step 2: TPM_CreateWrapKey / TPM_LoadK

• Create more RSA keys on TPM protected by SRK

• Each key identified by 32-bit keyhandle

Implementing Protected Storag

7/29/2019 08-TCG


Implementing Protected Storag

TPM_Seal: Encrypt data using RSA key on TPM. (some)

– keyhandle: which TPM key to encrypt with

– KeyAuth: Password for using key `keyhandle’

– PcrValues: PCRs to embed in encrypted blob (name

– data block: at most 256 bytes [e.g. an AES key]

Returns encrypted blob.

Main point: blob can only be decrypted with TPM_Unse

PCR-reg-vals = PCR-vals in blob. TPM_Unseal fails oth

d S

7/29/2019 08-TCG


Protected Storage

Embedding PCR values in blob ensures that onlyspecific apps can decrypt data.

– Changing MBR or OS kernel will change PCR value

⇒ data cannot be decrypted

S l d li i

7/29/2019 08-TCG


Sealed storage: applicatioLock software on machine:

•Suppose OS and apps are sealed with MBRs PCR value

• Any changes to MBR will prevent sealed OS from load

• Prevents modifying or inspecting OS (or loading othe

Web server: seal server’s SSL private key

• Goal: only unmodified Apache can access SSL key

• Problem: updates to Apache or Apache config

Example: BitLocker drive encryp

7/29/2019 08-TCG


Example: BitLocker drive encryptpm.msc: utility to manage TPM (e.g TakeOwnershi

• Auto generates 160-bit OwnerPassword

• Stored on TPM and in file computer_name.tpm

Volume Master Key ( VMK ) encrypts disk volume key

• VMK is sealed (encrypted) under TPM SRK using

– BIOS, extensions, and optional ROM (PCR 0 and

– Master boot record (MBR) (PCR 4)

– NTFS Boot Sector and block (PCR 8 and 9)

– NTFS Boot Manager (PCR 10), and

–

BitLocker Access Control (PCR 11)

BitL k

7/29/2019 08-TCG


BitLockerMany options for VMK recovery: disk, USB, paper (enc. w

• Recovery needed after legitimate system change:

– Moving disk to a new computer

– Replacing system board containing TPM

– Clearing TPM (with TPM_ForceClear )

At system boot (before OS boot)

• Optional: OS loader requests PIN or USB key from us

• TPM unseals VMK, only if PCR and PIN are correct

7/29/2019 08-TCG


Suppose BIOS code is updated by a firmware update

How would the system enable access to blobs previo

sealed to current BIOS version?

Patch process must re-seal all blobs with new P

7/29/2019 08-TCG


Trusted Compu

Security?

S it ?

7/29/2019 08-TCG


Security? [Kauer 2007]

Attack 1: reset TPM after boot with a wire

•Connect LRESET pin to ground -- mimics TPM_Init on

– then extend PCRs arbitrarily

• Harder in TPM 1.2 due to “locality”

Attack 2: block TPM until after boot, then extend PCRs a

• Root of trust: BIOS boot block resets PCRs (calls TPM_

– Defeated with one byte change to BIOS boot block

B tt t f t t

7/29/2019 08-TCG


Better root of trust

• DRTM – Dynamic Root of Trust Measurement

–

AMD: skinit Intel: senter – Atomically does:

• Reset CPU. Reset PCR 17 to 0.

• Load the given Secure Loader (SL) code into I-cach

• Extend PCR 17 with SL

• Jump to SL

• BIOS boot loader is no longer root of trust. Processor m

• Avoids TPM_Init attack: TPM_Init sets PCR 17 to -1

Oth bl

7/29/2019 08-TCG


Other problems

Roll-back attack on encrypted blobs

• Example: undo security patches without being notic

Can be mitigated using Data Integrity Regs. (DIR)

– Need OwnerPassword to write DIR, anyone can

– Stored in NV-RAM

7/29/2019 08-TCG


Trusted Compu

Attestation

Attestation: what it doe

7/29/2019 08-TCG


Attestation: what it doeGoal: prove to remote party what software loaded on m

Good applications:

• Bank allows money transfer only if customer’s machinruns “up-to-date” OS patches

• Enterprise allows laptop to connect to its network on

laptop runs“

authorized”

software• Gamers can join network only if their game client is u

DRM: MusicStore sells content for authorized players

Attestation: how it work

7/29/2019 08-TCG



Recall: EK private key on TPM.

– Cert for EK public-key issued by TPM vendor.

Step 1: Create Attestation Identity Key (AIK)

– Details not important here

– AIK Private key known only to TPM

– AIK public cert issued only if EK cert is valid


7/29/2019 08-TCG


Attestation: how it workStep 2: sign PCR values (after boot) with TPM_Quote.

•

keyhandle: which AIK key to sign with• KeyAuth: Password for using key `keyhandle’

• PCR List: Which PCRs to sign.

• Challenge: 20-byte challenge from remote serv

– Prevents replay of old signatures.

• Userdata: additional data to include in sig.

Returns signed data and signature.


7/29/2019 08-TCG



PC

TPM

OS

App• Generate pub/priv key pair

• TPM_Quote(AIK, PcrList, chal, pub-key)

• Obtain cert

Attestation Request (20-byte challenge)

(SSL) Key Exchange using Cert

V

1.

2.Communicate with app

using SSL tunnel

• Attestation typically includes key-exchange

• App must be isolated from rest of system

7/29/2019 08-TCG


What would go wrong if communication between

app. and server were done in the clear?

User can reboot machine after attestation and r

arbitrary software pretending to be app.

7/29/2019 08-TCG


Trusted Compu

Using Attestat

Attesting to VMs: Terra [GP

7/29/2019 08-TCG


Attesting to VMs: Terra [GP

TVMM Provides isolation between attested application

• sample app: secure login into a corporate netw

Nexus OS (S l ’06)

7/29/2019 08-TCG


Nexus OS (Sirer et al. ’06)

Problem: attesting to hashed application/kernel code

– Too many possible software configurations

Better approach: attesting to properties

– Example: “application never writes to disk”

Nexus OS: General attestation statements:

“TPM says that it booted Nexus,

Nexus says that it ran checker with hash X,

checker says that isolation domain A has property

EFF: Owner Override

7/29/2019 08-TCG


EFF: Owner OverrideTCG attestation:

• The good: enables user to prove to remote bankthat machine is up-to-date

• The bad: content owners can release decryption key omachines running “authorized” software.

– Stifles innovation in player design

EFF: allow users to inject chosen values into PCRs.

• Enables users to conceal changes to their computing e

• Defeats malicious software changes to computing plat

TCG Alternatives

7/29/2019 08-TCG


TCG AlternativesIBM 4758: Supports all TCG functionality and more.

– Tamper resistant 486 100MhZ PCI co-processor

–

… but expensive ~ $2000. TPM ~ $7.

AEGIS System: Arbaugh, Farber, Smith ’97:

– Secure boot with BIOS changes only.

– Cannot support sealed storage.

SWATT: Seshadri et al., 2004

– Attestation w/o extra hardware

– Server must know precise HW configuration

7/29/2019 08-TCG


Trusted Compu

Attestation:challenges

1 Attesting to Current Sta

7/29/2019 08-TCG


1. Attesting to Current Sta

• Attestation only attests to what code was loaded.

• Does not say whether running code has been comp

– Problem: what if Quake vulnerability exploited a

attestation took place?

• Can we attest to the current state of a running syste

– … or is there a better way?

2 Encrypted viruses

7/29/2019 08-TCG


2. Encrypted viruses

Suppose malicious music file exploits bug in video playe

–Video file is encrypted.

– TCG prevents anyone from getting video file in th

– Can anti-virus companies study virus without

seeing its code in the clear?

– How would you solve this?

3 TPM Compromise

7/29/2019 08-TCG


3. TPM Compromise

Suppose one TPM Endorsement Private Key is exposed

– Destroys all attestation infrastructure:

• Embed private EK in TPM emulator.

• Now, can attest to anything without running it

Certificate Revocation is critical for TCG Attesta

7/29/2019 08-TCG


Trusted Compu

Window 8 / Utrusted bo

Pre-boot attacks: attacking firm

7/29/2019 08-TCG


Pre boot attacks: attacking firm

BIOS: test and init hardware. Then launch OS bootloade

• BIOS code stored (compressed) on EEPROM or Flash –

• User settings persisted to CMOS

UEFI: modern version of BIOS – more modular and exte

• Includes new secure boot provisions (Apr. 2011, ch. 27)

Why attack BIOS/UEFI:

• Attacks are OS independent, can be persistent and har

• BIOS/UEFI runs before any defenses (e.g. antivirus)

Pre-boot attacks: attacking firm

7/29/2019 08-TCG


Pre boot attacks: attacking firm

History of BIOS/EFI malware:

•

CIH (1998): CIH virus corrupts system BIOS

• Heasman (2007): abuse System Management Mode (S

• Sacco, Ortega (2009): infect BIOS LZH decompressor

– CoreBOOT: generic BIOS flashing tool(see CanSecWest’09 pre

Pre-boot attacks: attacking the boo

7/29/2019 08-TCG


g

BIOS will start any bootloader: no authentication

• Example: Stoned Bootkit. Can be used to steal volum

UEFI 2.3.1 verifies bootloader digital signature:

Traditional BIOS boot process:

BIOSOS

bootloader(e.g. GRUB)

UEFIverified

bootloader

OS

sta

In more detail

7/29/2019 08-TCG


In more detail

• Computer manufacturer places signed firmware mo

in Flash prior to shipping machine, including OS load

• Vendors update modules by signing them with certif

option

option

Window

vendor

sig

vendor

sig

vendor

sig

UEFI

(1) only load modules signedby a properly certified key

(2) consult revocation list,

ignore sigs by revoked keys

Verified boot can be disabled by

7/29/2019 08-TCG


y

Why is this needed? (answer on next slide)

Samsung tablet with Windows 8 Developer Preview. credit: Steve

Complaints

7/29/2019 08-TCG


Co p a tsHow do users install Linux?

• method 1: user disables verified boot and then inst

• method 2: Linux distro. asks every PC manufactureinclude its signing key in the UEFI KEK da

• method 3: (Fedora) get Microsoft to sign Fedora’s K

Manufacturer can control what HW devices are allowe• User cannot install signed optional ROMs from othe

2013: AMI’s UEFI signing key leaked (Ivy Bridge)

The next arena: early kernel

7/29/2019 08-TCG


yRootkit registers as a boot-start driver

• Win kernel will run rootkit after kernel boots

• Problem: race condition with anti-malware softwar

– Rootkit might start early and evade anti-malware

Example (Win7/64): TDL4 rootkit (July 2010)• Infects MBR to disable Win/64 driver code signature

(will be prevented by UEFI ver

• Then Win kernel loads infected kdcom.dll before an

Defense 1: Windows 8 ELA

7/29/2019 08-TCG


UEFI boot ⇒ Win 8 loader ⇒ Win 8 kernel

ELAM: early launch anti malware

Win 8: signed policy file instructs kernel to load ELAM

ensures anti-malware starts early

Defense 2: Win 8 measured

7/29/2019 08-TCG


TPM

UEFI

OS loader

kernel init

pre-OS

measurement

ELAM

boot

drivers

ELAM:

• checks pre-ELAM PC

• Checks subsequent b

login

ELAM

re

atte

s

Validate

boot PCRs

post-login

Disallow network acces

remote attestation fails

post OS boot

ELAM and measured boo

7/29/2019 08-TCG


• If ELAM finds rootkits: calls Tbsi_Revoke_Attesta

– Messes up PCR[12]: extends it by an unspecifie

⇒ disables blob decryption and attesta

• Note: w/o remote attestation server, if rootkit can e

ELAM it can still take control of machine.

7/29/2019 08-TCG


THE END

08-tcg

Documents