Download - 08-TCG
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 1/54
TrustedComputing
CS155, Spring 2013
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 2/54
BackgroundTCG consortium. Founded in 1999. Lots of companies
Goals:
• Hardware protected (encrypted) storage:
– Only “authorized” software can decrypt data
– e.g.: protecting key for decrypting file system
⇒ only “authorized” software can boot
• Attestation: Prove to remote server what software
started on my machine.
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 3/54
TCG: changes to the PC
Extra hardware: Trusted Platform Module (TPM) chip
• TPM Chip vendors: (~.3$)
Atmel, Infineon, Broadcom, STMicro, Intel INTC0
Software changes:
Hardware layer: BIOS, EFI (UEFI)
Software: OS and apps
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 4/54
TPMs in the real world
• TPMs widely available on laptops, desktops and some
• Software using TPMs:
– File/disk encryption: BitLocker, IBM, HP, Sophos
–Attestation for enterprise login: Cognizance, Wav
– Client-side single sign on: IBM, Wave
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 5/54
This lecture
• What is the TPM?
• How it is being used for disk encryption
• How Windows 8 plans to use it for securing the boot
environment
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 6/54
Trusted Compu
What is the TP
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 7/54
Components on TPM ch
I/O
Crypto Engine:RSA, SHA1, HMAC, RNG
Non VolatileStorage
(> 1280 bytes)
PCR Registers(16 registers)
O
J
RSA: 1024, 2048 bit modulus
SHA1: Outputs 20 byte digest
N l il
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 8/54
Non-volatile storage1. Endorsement Key (EK) (2048-bit RSA)
– Created at manufacturing time. Cannot be changed.
– Used for “attestation” (described later)
2. Storage Root Key (SRK) (2048-bit RSA)
– Used for encrypted storage. Created after running
TPM_TakeOwnership( OwnerPassword, … ) – Can be cleared later with TPM_ForceClear from BIOS
3. OwnerPassword (160 bits) and persistent flags
Private: EK, SRK, and OwnerPwd never leave the TPM
PCR th h t f th
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 9/54
PCR: the heart of the maPCR: Platform Configuration Registers
•
Many PCR registers on chip (at least 16)• Contents: 20-byte SHA1 digest (+junk)
Updating PCR #n :
•
TPM_Extend(n,D): PCR[n] SHA1 ( PCR[n] ll D )
• TPM_PcrRead(n): returns value(PCR(n))
PCRs initialized to default value (e.g. 0) at boot time
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 10/54
Using PCRs: the TCG boot proce
On power-up: TPM receives a TPM_Init signal from LPC bus.
BIOS boot block executes:• Calls TPM_Startup (ST_CLEAR) to initialize PCRs to 0
[can only be called once after TPM_In
• Calls PCR_Extend( n, <BIOS code> )
• Then loads and runs BIOS post boot code
BIOS executes: Calls PCR_Extend( n, <MBR code> )
• Then runs MBR (master boot record), e.g. GRUB.
MBR executes: Calls PCR_Extend( n, <OS loader code, confi
•
Then runs OS loader … and so on
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 11/54
In a diagram
BIOSbootblock
BIOSOS
loader OS Applic
TPM
Hardware
Root of trust inintegritymeasurement
Root of trust inintegrity reporting
mea
Ext
After boot, PCRs contain hash chains of booted softwar
Collision resistance of SHA1 (?) ensures commitment
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 12/54
Example: Trusted GRU
PCR # to use and what to measure is specified in GRUB co
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 13/54
The main point
After boot completes, PCR registers measure the entire
software stack that booted on the machine:
• BIOS and hardware configuration
• Boot loader and its configuration
• Operating system
• Running apps
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 14/54
What would go wrong if TPM_Startup (ST_CLEAR)
could be called at any time after boot?
Malicious OS could reset PCRs post-boot and th
set them to a valid OS hash. PCRs would then lo
as if valid OS loaded.
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 15/54
TPM Counters
• TPM must support at least four hardware counters
– Increment rate: every 5 seconds for 7 years.
• Applications:
– Provide time stamps on blobs.
– Supports “music will pay for 30 days” policy.
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 16/54
Trusted Compu
Using PCRs after
Using PCRs after boot
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 17/54
Using PCRs after bootApplication: encrypted (a.k.a sealed) storage.
Setup step 1: TPM_TakeOwnership( OwnerPassword, …• Creates 2048-bit RSA Storage Root Key (SRK) on TPM
• Cannot run TPM_TakeOwnership again without OwnerPw
– Ownership Enabled Flag False
• Done once by IT department or laptop owner.
(optional) Step 2: TPM_CreateWrapKey / TPM_LoadK
• Create more RSA keys on TPM protected by SRK
• Each key identified by 32-bit keyhandle
Implementing Protected Storag
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 18/54
Implementing Protected Storag
TPM_Seal: Encrypt data using RSA key on TPM. (some)
– keyhandle: which TPM key to encrypt with
– KeyAuth: Password for using key `keyhandle’
– PcrValues: PCRs to embed in encrypted blob (name
– data block: at most 256 bytes [e.g. an AES key]
Returns encrypted blob.
Main point: blob can only be decrypted with TPM_Unse
PCR-reg-vals = PCR-vals in blob. TPM_Unseal fails oth
d S
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 19/54
Protected Storage
Embedding PCR values in blob ensures that onlyspecific apps can decrypt data.
– Changing MBR or OS kernel will change PCR value
⇒ data cannot be decrypted
S l d li i
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 20/54
Sealed storage: applicatioLock software on machine:
•Suppose OS and apps are sealed with MBRs PCR value
• Any changes to MBR will prevent sealed OS from load
• Prevents modifying or inspecting OS (or loading othe
Web server: seal server’s SSL private key
• Goal: only unmodified Apache can access SSL key
• Problem: updates to Apache or Apache config
Example: BitLocker drive encryp
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 21/54
Example: BitLocker drive encryptpm.msc: utility to manage TPM (e.g TakeOwnershi
• Auto generates 160-bit OwnerPassword
• Stored on TPM and in file computer_name.tpm
Volume Master Key ( VMK ) encrypts disk volume key
• VMK is sealed (encrypted) under TPM SRK using
– BIOS, extensions, and optional ROM (PCR 0 and
– Master boot record (MBR) (PCR 4)
– NTFS Boot Sector and block (PCR 8 and 9)
– NTFS Boot Manager (PCR 10), and
–
BitLocker Access Control (PCR 11)
BitL k
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 22/54
BitLockerMany options for VMK recovery: disk, USB, paper (enc. w
• Recovery needed after legitimate system change:
– Moving disk to a new computer
– Replacing system board containing TPM
– Clearing TPM (with TPM_ForceClear )
At system boot (before OS boot)
• Optional: OS loader requests PIN or USB key from us
• TPM unseals VMK, only if PCR and PIN are correct
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 23/54
Suppose BIOS code is updated by a firmware update
How would the system enable access to blobs previo
sealed to current BIOS version?
Patch process must re-seal all blobs with new P
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 24/54
Trusted Compu
Security?
S it ?
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 25/54
Security? [Kauer 2007]
Attack 1: reset TPM after boot with a wire
•Connect LRESET pin to ground -- mimics TPM_Init on
– then extend PCRs arbitrarily
• Harder in TPM 1.2 due to “locality”
Attack 2: block TPM until after boot, then extend PCRs a
• Root of trust: BIOS boot block resets PCRs (calls TPM_
– Defeated with one byte change to BIOS boot block
B tt t f t t
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 26/54
Better root of trust
• DRTM – Dynamic Root of Trust Measurement
–
AMD: skinit Intel: senter – Atomically does:
• Reset CPU. Reset PCR 17 to 0.
• Load the given Secure Loader (SL) code into I-cach
• Extend PCR 17 with SL
• Jump to SL
• BIOS boot loader is no longer root of trust. Processor m
• Avoids TPM_Init attack: TPM_Init sets PCR 17 to -1
Oth bl
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 27/54
Other problems
Roll-back attack on encrypted blobs
• Example: undo security patches without being notic
Can be mitigated using Data Integrity Regs. (DIR)
– Need OwnerPassword to write DIR, anyone can
– Stored in NV-RAM
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 28/54
Trusted Compu
Attestation
Attestation: what it doe
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 29/54
Attestation: what it doeGoal: prove to remote party what software loaded on m
Good applications:
• Bank allows money transfer only if customer’s machinruns “up-to-date” OS patches
• Enterprise allows laptop to connect to its network on
laptop runs“
authorized”
software• Gamers can join network only if their game client is u
DRM: MusicStore sells content for authorized players
Attestation: how it work
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 30/54
Attestation: how it work
Recall: EK private key on TPM.
– Cert for EK public-key issued by TPM vendor.
Step 1: Create Attestation Identity Key (AIK)
– Details not important here
– AIK Private key known only to TPM
– AIK public cert issued only if EK cert is valid
Attestation: how it work
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 31/54
Attestation: how it workStep 2: sign PCR values (after boot) with TPM_Quote.
•
keyhandle: which AIK key to sign with• KeyAuth: Password for using key `keyhandle’
• PCR List: Which PCRs to sign.
• Challenge: 20-byte challenge from remote serv
– Prevents replay of old signatures.
• Userdata: additional data to include in sig.
Returns signed data and signature.
Attestation: how it work
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 32/54
Attestation: how it work
PC
TPM
OS
App• Generate pub/priv key pair
• TPM_Quote(AIK, PcrList, chal, pub-key)
• Obtain cert
Attestation Request (20-byte challenge)
(SSL) Key Exchange using Cert
V
1.
2.Communicate with app
using SSL tunnel
• Attestation typically includes key-exchange
• App must be isolated from rest of system
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 33/54
What would go wrong if communication between
app. and server were done in the clear?
User can reboot machine after attestation and r
arbitrary software pretending to be app.
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 34/54
Trusted Compu
Using Attestat
Attesting to VMs: Terra [GP
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 35/54
Attesting to VMs: Terra [GP
TVMM Provides isolation between attested application
• sample app: secure login into a corporate netw
Nexus OS (S l ’06)
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 36/54
Nexus OS (Sirer et al. ’06)
Problem: attesting to hashed application/kernel code
– Too many possible software configurations
Better approach: attesting to properties
– Example: “application never writes to disk”
Nexus OS: General attestation statements:
“TPM says that it booted Nexus,
Nexus says that it ran checker with hash X,
checker says that isolation domain A has property
EFF: Owner Override
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 37/54
EFF: Owner OverrideTCG attestation:
• The good: enables user to prove to remote bankthat machine is up-to-date
• The bad: content owners can release decryption key omachines running “authorized” software.
– Stifles innovation in player design
EFF: allow users to inject chosen values into PCRs.
• Enables users to conceal changes to their computing e
• Defeats malicious software changes to computing plat
TCG Alternatives
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 38/54
TCG AlternativesIBM 4758: Supports all TCG functionality and more.
– Tamper resistant 486 100MhZ PCI co-processor
–
… but expensive ~ $2000. TPM ~ $7.
AEGIS System: Arbaugh, Farber, Smith ’97:
– Secure boot with BIOS changes only.
– Cannot support sealed storage.
SWATT: Seshadri et al., 2004
– Attestation w/o extra hardware
– Server must know precise HW configuration
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 39/54
Trusted Compu
Attestation:challenges
1 Attesting to Current Sta
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 40/54
1. Attesting to Current Sta
• Attestation only attests to what code was loaded.
• Does not say whether running code has been comp
– Problem: what if Quake vulnerability exploited a
attestation took place?
• Can we attest to the current state of a running syste
– … or is there a better way?
2 Encrypted viruses
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 41/54
2. Encrypted viruses
Suppose malicious music file exploits bug in video playe
–Video file is encrypted.
– TCG prevents anyone from getting video file in th
– Can anti-virus companies study virus without
seeing its code in the clear?
– How would you solve this?
3 TPM Compromise
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 42/54
3. TPM Compromise
Suppose one TPM Endorsement Private Key is exposed
– Destroys all attestation infrastructure:
• Embed private EK in TPM emulator.
• Now, can attest to anything without running it
Certificate Revocation is critical for TCG Attesta
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 43/54
Trusted Compu
Window 8 / Utrusted bo
Pre-boot attacks: attacking firm
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 44/54
Pre boot attacks: attacking firm
BIOS: test and init hardware. Then launch OS bootloade
• BIOS code stored (compressed) on EEPROM or Flash –
• User settings persisted to CMOS
UEFI: modern version of BIOS – more modular and exte
• Includes new secure boot provisions (Apr. 2011, ch. 27)
Why attack BIOS/UEFI:
• Attacks are OS independent, can be persistent and har
• BIOS/UEFI runs before any defenses (e.g. antivirus)
Pre-boot attacks: attacking firm
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 45/54
Pre boot attacks: attacking firm
History of BIOS/EFI malware:
•
CIH (1998): CIH virus corrupts system BIOS
• Heasman (2007): abuse System Management Mode (S
• Sacco, Ortega (2009): infect BIOS LZH decompressor
– CoreBOOT: generic BIOS flashing tool(see CanSecWest’09 pre
Pre-boot attacks: attacking the boo
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 46/54
g
BIOS will start any bootloader: no authentication
• Example: Stoned Bootkit. Can be used to steal volum
UEFI 2.3.1 verifies bootloader digital signature:
Traditional BIOS boot process:
BIOSOS
bootloader(e.g. GRUB)
UEFIverified
bootloader
OS
sta
In more detail
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 47/54
In more detail
• Computer manufacturer places signed firmware mo
in Flash prior to shipping machine, including OS load
• Vendors update modules by signing them with certif
option
option
Window
vendor
sig
vendor
sig
vendor
sig
UEFI
(1) only load modules signedby a properly certified key
(2) consult revocation list,
ignore sigs by revoked keys
Verified boot can be disabled by
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 48/54
y
Why is this needed? (answer on next slide)
Samsung tablet with Windows 8 Developer Preview. credit: Steve
Complaints
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 49/54
Co p a tsHow do users install Linux?
• method 1: user disables verified boot and then inst
• method 2: Linux distro. asks every PC manufactureinclude its signing key in the UEFI KEK da
• method 3: (Fedora) get Microsoft to sign Fedora’s K
Manufacturer can control what HW devices are allowe• User cannot install signed optional ROMs from othe
2013: AMI’s UEFI signing key leaked (Ivy Bridge)
The next arena: early kernel
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 50/54
yRootkit registers as a boot-start driver
• Win kernel will run rootkit after kernel boots
• Problem: race condition with anti-malware softwar
– Rootkit might start early and evade anti-malware
Example (Win7/64): TDL4 rootkit (July 2010)• Infects MBR to disable Win/64 driver code signature
(will be prevented by UEFI ver
• Then Win kernel loads infected kdcom.dll before an
Defense 1: Windows 8 ELA
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 51/54
UEFI boot ⇒ Win 8 loader ⇒ Win 8 kernel
ELAM: early launch anti malware
Win 8: signed policy file instructs kernel to load ELAM
ensures anti-malware starts early
Defense 2: Win 8 measured
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 52/54
TPM
UEFI
OS loader
kernel init
pre-OS
measurement
ELAM
boot
drivers
ELAM:
• checks pre-ELAM PC
• Checks subsequent b
login
ELAM
re
atte
s
Validate
boot PCRs
post-login
Disallow network acces
remote attestation fails
post OS boot
ELAM and measured boo
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 53/54
• If ELAM finds rootkits: calls Tbsi_Revoke_Attesta
– Messes up PCR[12]: extends it by an unspecifie
⇒ disables blob decryption and attesta
• Note: w/o remote attestation server, if rootkit can e
ELAM it can still take control of machine.
7/29/2019 08-TCG
http://slidepdf.com/reader/full/08-tcg 54/54
THE END