Department of Computer Science, Institute for System Architecture, Operating Systems Group
CARSTEN WEINHOLD
TRUSTED COMPUTING
TU Dresden Trusted Computing
THIS LECTURE ...
■ Today: Trusted Computing Technology
■ Lecture discusses basics in context of TPMs
■ More theoretical concepts also covered in lecture „Distributed Operating Systems“
■ Things you should have heard about:
■ How to use asymmetric encryption
■ Concept of digital signatures
■ Collision-resistant hash functions
INTRODUCTION
[Figure: a user looking at a system built from L4, AN.ON and a TPM; question marks: can it be trusted?]
ANONYMITY
[Figure: client → ISP → Proxy]
[Figure: the Proxy is replaced by a MIX]
[Figure: client → ISP → MIX → MIX (mix cascade)]
[Figure: AN.ON, with question marks: can the mix operators be trusted?]
PROBLEM
■ The last proxy / mix (exit node) sees the data in plaintext
■ Unless the application adds its own end-to-end encryption
■ Ideal for password phishing or for identifying returning users (cookies, ...)
■ Dan Egerstad [1]: 100 passwords sniffed with just 5 exit nodes
■ Tor: increasing number of exit nodes in China, Russia, USA
IDEA
[Figure: the user asks the MIX „Do you spy?“; the reply is shown as unreadable symbols]
SYSTEM LAYERS
[Figure: layer stack, top to bottom: AN.ON MIX, OS, Boot Loader, BIOS, Hardware]
TPM
Platform Configuration Register (PCR): cannot be written directly, only extended:
PCR := SHA-1( PCR || X )
where || is concatenation and X is the SHA-1 measurement of the component being recorded. The new value depends on the old one, so a PCR value summarizes the whole sequence of measurements since the last reset; nothing can be „un-extended“.
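The extend operation carried through for a whole boot chain, as an added example that is not part of the lecture slides. It models a 20-byte PCR with hashlib, measures a sequence of constructed stand-in images (the byte strings are not real firmware) and shows three properties a verifier relies on: a modified component changes the final value, the same components in a different order give a different value, and the PCR can be recomputed from the event log, so a log that does not match the reported PCR is caught.

```python
import hashlib

PCR_SIZE = 20   # TPM 1.2 PCRs are 160 bits wide (SHA-1)

def extend(pcr, x):
    """PCR := SHA-1(PCR || X), the only way a PCR value can change between resets."""
    assert len(pcr) == PCR_SIZE and len(x) == PCR_SIZE
    return hashlib.sha1(pcr + x).digest()

def measure(image):
    """The measurement X of a component is the SHA-1 digest of its code and data."""
    return hashlib.sha1(image).digest()

def measured_boot(components):
    """Boot chain: each stage is measured into the PCR before it gets control.
    Returns the final PCR and the event log (name, measurement) the platform keeps."""
    pcr = bytes(PCR_SIZE)            # static PCRs are all-zero after platform reset
    log = []
    for name, image in components:
        x = measure(image)
        pcr = extend(pcr, x)
        log.append((name, x))
    return pcr, log

def replay_log(log):
    """Verifier side: recompute the PCR from the event log. The log is only believed if the
    result equals the PCR value the TPM itself reports (e.g. in a quote)."""
    pcr = bytes(PCR_SIZE)
    for _, x in log:
        pcr = extend(pcr, x)
    return pcr

# Constructed stand-in images (not real firmware), in boot order
BOOT_CHAIN = [
    ("BIOS", b"bios v1.02"),
    ("Boot Loader", b"grub 2.02"),
    ("OS", b"L4/Fiasco + AN.ON MIX"),
]

def demo():
    good_pcr, log = measured_boot(BOOT_CHAIN)
    # A modified OS image changes the final PCR ...
    tampered = BOOT_CHAIN[:2] + [("OS", b"L4/Fiasco + AN.ON MIX (backdoored)")]
    bad_pcr, _ = measured_boot(tampered)
    # ... and so does the same set of images in another order: extend is not commutative.
    reordered_pcr, _ = measured_boot([BOOT_CHAIN[1], BOOT_CHAIN[0], BOOT_CHAIN[2]])
    # A log entry that was never extended into the PCR is caught by the replay.
    faked_log = log + [("extra", measure(b"hidden module"))]
    return {
        "good": good_pcr.hex(),
        "tampered_differs": bad_pcr != good_pcr,
        "order_matters": reordered_pcr != good_pcr,
        "log_replays": replay_log(log) == good_pcr,
        "faked_log_detected": replay_log(faked_log) != good_pcr,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The verifier never trusts the event log by itself: the log is kept by untrusted software, and only the fact that replaying it reproduces the TPM-reported PCR makes its entries credible.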
BOOTING + TPM
[Figure: BIOS, Boot Loader, OS and AN.ON MIX are started in turn; each stage is measured into the PCR before control passes to the next, and the PCR value changes at every step until it reaches the final example value 4490EF83]
ATTESTATION
[Figure: Remote Attestation: the MIX reports its PCR value (4490EF83) to the user, who compares it with the expected value]
ARCHITECTURE
[Figure: AN.ON running on Linux or Windows, with a TPM; question marks: which parts of this stack have to be trusted?]
MONOLITHIC
[Figure: the MIX on top of a monolithic OS; example PCR value AFC937A0]
L4/AN.ON
[Figure: the MIX on the L4.Fiasco microkernel, side by side with TPM Driver, Memory, Network Stack, Network Driver, GUI, USB Driver and L4Linux; example PCR value 4490EF83]
[Figure: the L4/AN.ON system with its TPM; the question marks from the introduction]
THE TRUSTED PLATFORM MODULE
TPM HARDWARE
[Figure: photo of a TPM chip, http://www.heise.de/bilder/61155/0/0]
■ TPMs are tightly integrated into the platform:
■ Soldered onto the motherboard
■ ... or built into the chipset
■ Tamper-resistant casing
■ Widely deployed:
■ Business notebooks
■ Office desktop machines
■ Windows 8/10/RT tablets
TPM OVERVIEW
■ The TPM is a cryptographic coprocessor:
■ RSA (encryption, signatures), AES (encryption), SHA-1 (cryptographic hashes)
■ Other crypto schemes (e.g., DAA: Direct Anonymous Attestation)
■ Random number generator
■ Platform Configuration Registers (PCRs)
■ Non-volatile memory
■ TPMs are passive devices! They only answer commands sent by software on the host; they cannot inspect memory, stop the boot process or enforce anything on their own
TPM SPECS
■ TPMs are specified by the Trusted Computing Group [2]
■ Multiple hardware implementations (different vendors, one interface)
■ TPM specifications [3,4] cover:
■ Architecture, interfaces, security properties
■ Data formats of input / output
■ Schemes for signatures, encryption, ...
■ TPM life cycle, platform requirements
TPM & PLATFORM
[Figure: platform block diagram with CPU, RAM, Chipset, BIOS (containing the CRTM) and TPM; a platform Reset initializes the PCRs]
TPM IDENTITY
■ A TPM is identified by its Endorsement Key (EK):
■ Generated during manufacturing
■ Certified by the manufacturer
■ Unique among all TPMs
■ Can only decrypt (not sign); serves as root of trust
■ Creating an entirely new EK is possible (e.g., for use in corporate environments), at the cost of losing the manufacturer's certificate
■ The private part of the EK never leaves the TPM
KEY HIERARCHY
■ All keys except for the EK are part of a key hierarchy below the Storage Root Key (SRK):
■ The SRK is created when the user „takes ownership“ of the TPM
■ Key types: storage, signature, identity, ...
■ Storage keys act as parent keys at lower levels of the hierarchy (as the SRK does at the root)
■ Keys other than EK / SRK can leave the TPM:
■ Encrypted under their parent key before export
■ The parent key is required for loading and decrypting them again
[Figure: key tree: the SRK at the root, the EK beside it outside the hierarchy; below the SRK storage keys (SK), which in turn are parents of further storage keys, signature keys (SigK) and AIKs; AIKs are required for Remote Attestation]
AIK
■ Special key type for remote attestation: Attestation Identity Key (AIK)
■ The TPM creates the AIK and a certificate request
■ A Privacy CA checks the certificate request, issues the certificate and encrypts it under the EK
■ Only the TPM owning that EK can decrypt the certificate (TPM_ActivateIdentity)
■ AIK certificate:
■ „This AIK has been created by a valid TPM“
■ The TPM identity (EK) cannot be derived from it, so a quote signed with the AIK does not identify the platform to the challenger
BOOTING + TPM
[Figure: Authenticated Booting: BIOS, Boot Loader, OS and Application are measured into the PCR one after the other before they run, ending with the example value 4490EF83]
AIKS & QUOTES
Remote Attestation with Challenge/Response
[Figure: the Challenger sends a fresh Nonce to the System; the System answers with TPM_Quote(AIK, Nonce, PCR), i.e. its PCR value and the nonce signed with the AIK (example values 4490EF83, AE58B991)]
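The challenge/response exchange from the figure, as an added example that is not part of the slides. Both sides are simulated in Python: a stand-in TPM that holds the PCRs and the private AIK, and a challenger that has only the AIK public key (in practice taken from the AIK certificate) and the expected PCR values. The signature is textbook RSA over a SHA-1 digest with a 1024-bit key generated inline; a real TPM 1.2 AIK is a 2048-bit RSA key with PKCS#1 padding, and the signed structure here (tag "QUOT" + composite hash + nonce) is a simplification of TPM_QUOTE_INFO. All PCR values and component names are constructed.

```python
import hashlib
import secrets

# --- textbook RSA (illustration only: unpadded, 1024-bit; a TPM 1.2 AIK is 2048-bit with PKCS#1 padding)
def is_probable_prime(n, rounds=32):
    """Miller-Rabin test with `rounds` random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exactly `bits` long, odd
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits=1024):
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                          # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)  # (public key, private key)

def rsa_sign(priv, msg):
    d, n = priv
    return pow(int.from_bytes(hashlib.sha1(msg).digest(), "big"), d, n)

def rsa_verify(pub, msg, sig):
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha1(msg).digest(), "big")

def composite_hash(pcrs):
    """Digest over the selected PCR values in index order (stands in for TPM_PCR_COMPOSITE)."""
    return hashlib.sha1(b"".join(pcrs[i] for i in sorted(pcrs))).digest()

class SimTpm:
    """Stand-in for the attested system's TPM: PCR values plus the private AIK (never exported)."""
    def __init__(self, pcrs, aik_priv):
        self.pcrs = dict(pcrs)
        self._aik_priv = aik_priv

    def quote(self, pcr_indices, nonce):
        """TPM_Quote(AIK, Nonce, PCR): sign the challenger's nonce and the PCR composite together."""
        selected = {i: self.pcrs[i] for i in pcr_indices}
        sig = rsa_sign(self._aik_priv, b"QUOT" + composite_hash(selected) + nonce)
        return {"pcrs": selected, "nonce": nonce, "sig": sig}

class Challenger:
    def __init__(self, aik_pub, expected_pcrs):
        self.aik_pub = aik_pub            # from the AIK certificate issued by the Privacy CA
        self.expected = expected_pcrs     # known-good values for the configuration we accept
        self._outstanding = set()

    def challenge(self):
        nonce = secrets.token_bytes(20)   # fresh per request: an old quote cannot be replayed
        self._outstanding.add(nonce)
        return nonce

    def verify(self, q):
        if q["nonce"] not in self._outstanding:
            return False                  # replayed or never requested
        self._outstanding.discard(q["nonce"])
        if not rsa_verify(self.aik_pub, b"QUOT" + composite_hash(q["pcrs"]) + q["nonce"], q["sig"]):
            return False                  # reported PCRs or nonce do not match the signature
        return q["pcrs"] == self.expected # only now: is this the configuration we trust?

def demo():
    aik_pub, aik_priv = rsa_keygen()
    good = {0: hashlib.sha1(b"bios").digest(), 8: hashlib.sha1(b"os + mix").digest()}  # constructed
    challenger = Challenger(aik_pub, good)
    honest = SimTpm(good, aik_priv)
    q = honest.quote([0, 8], challenger.challenge())
    accepted = challenger.verify(q)
    replay_rejected = not challenger.verify(q)               # same quote presented twice
    bad = SimTpm({**good, 8: hashlib.sha1(b"os + mix + backdoor").digest()}, aik_priv)
    tampered_rejected = not challenger.verify(bad.quote([0, 8], challenger.challenge()))
    forged = bad.quote([0, 8], challenger.challenge())
    forged["pcrs"] = good                                      # attacker rewrites the reported PCRs
    forgery_rejected = not challenger.verify(forged)           # ... but cannot re-sign with the AIK
    return {"accepted": accepted, "replay_rejected": replay_rejected,
            "tampered_rejected": tampered_rejected, "forgery_rejected": forgery_rejected}

if __name__ == "__main__":
    print(demo())
```

Note the order of checks in verify(): nonce first, then signature, then the comparison with the expected values. A quote with a valid signature over the wrong PCRs is a genuine statement by the TPM that the platform is in a state the challenger does not accept; a quote whose signature fails says nothing at all.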
SEALED MEMORY
■ Applications require secure storage
■ TPMs can bind data to PCR values („sealing“):
■ TPM_Seal():
■ Encrypt user data under a specified storage key (a non-migratable key whose private part is only ever used inside the TPM)
■ The encrypted blob records the PCR values expected at unseal time
■ TPM_Unseal():
■ Decrypt the blob using the storage key
■ Compare current and expected PCR values
■ Release the user data only if the PCR values match
SEALED BLOBS
[Figure: layout of a sealed blob: the PCR information (selection and expected values) is stored in the clear; only the TPM_SEALED_DATA structure holding the user data is encrypted]
FRESHNESS
■ Sealed data is stored outside the TPM
■ Vulnerable to replay attacks:
■ Multiple versions of a sealed blob may exist
■ Any version can be passed to the TPM
■ The TPM happily decrypts, if the crypto checks out (and the PCRs match)
■ Problem:
■ What if the sealed data must be current?
■ How to prevent the use of older versions?
COUNTERS
■ TPMs provide monotonic counters
■ Only two operations: increment, read
■ Password protected
■ Prevent replay attacks:
■ Seal the expected value of the counter together with the data
■ After unseal, compare the unsealed value with the current counter
■ Increment the counter to invalidate all older versions
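Sealing, unsealing and the counter-based freshness check from the SEALED MEMORY, FRESHNESS and COUNTERS slides, as one added example (not the lecture's code). The TPM is simulated: its storage key is a symmetric key with a SHA-256 keystream and an HMAC tag standing in for the RSA storage key of a real TPM 1.2, PCR values are constructed hex strings, and the counter's password check is omitted. It demonstrates the point the FRESHNESS slide makes: the TPM unseals an old blob without complaint, and only the application's comparison with the current counter rejects it.

```python
import hashlib
import hmac
import json
import secrets

# Symmetric stand-in for the TPM's storage key: SHA-256 keystream for confidentiality,
# HMAC-SHA256 for integrity (assumption for this example; a TPM 1.2 seals under RSA).
def _keystream(key, iv, length):
    out = b""
    for block in range((length + 31) // 32):
        out += hashlib.sha256(key + iv + block.to_bytes(4, "big")).digest()
    return out[:length]

def _encrypt(key, plaintext):
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, iv, len(plaintext))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def _decrypt(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("sealed blob corrupted or not ours")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))

class SimTpm:
    """Stand-in TPM: PCRs (constructed hex strings), one storage key and one monotonic counter."""
    def __init__(self, pcrs):
        self.pcrs = dict(pcrs)
        self._storage_key = secrets.token_bytes(32)   # never leaves the "TPM"
        self._counter = 0

    def seal(self, data, pcr_indices):
        """TPM_Seal: encrypt data together with the PCR values it must match at unseal time."""
        expected = {str(i): self.pcrs[i] for i in pcr_indices}
        record = json.dumps({"pcrs": expected, "data": data.hex()}).encode()
        return _encrypt(self._storage_key, record)

    def unseal(self, blob):
        """TPM_Unseal: decrypt, then release the data only if the current PCRs match."""
        record = json.loads(_decrypt(self._storage_key, blob))
        for i, value in record["pcrs"].items():
            if self.pcrs[int(i)] != value:
                raise PermissionError("PCR %s mismatch: platform state differs" % i)
        return bytes.fromhex(record["data"])

    def counter_read(self):
        return self._counter

    def counter_increment(self):                      # password check omitted in this example
        self._counter += 1
        return self._counter

# Application side: the TPM cannot tell which blob is the newest, so the application seals
# the counter value it expects alongside its state and checks it after unsealing.
def store_state(tpm, state):
    record = json.dumps({"counter": tpm.counter_read(), "state": state}).encode()
    return tpm.seal(record, [8])

def load_state(tpm, blob):
    record = json.loads(tpm.unseal(blob))
    if record["counter"] != tpm.counter_read():
        raise ValueError("stale sealed data: sealed with counter %d, current %d"
                         % (record["counter"], tpm.counter_read()))
    return record["state"]

def update_state(tpm, new_state):
    """Increment first, so every blob sealed under the old counter value is invalidated."""
    tpm.counter_increment()
    return store_state(tpm, new_state)

def demo():
    tpm = SimTpm({0: "015fe786", 8: "4490ef83"})     # example values as in the slides
    v1 = store_state(tpm, {"balance": 100})
    v2 = update_state(tpm, {"balance": 50})
    result = {"current_loads": load_state(tpm, v2) == {"balance": 50}}
    # Replay: the TPM unseals v1 just fine (crypto checks out, PCRs unchanged) ...
    result["tpm_unseals_old_blob"] = json.loads(tpm.unseal(v1))["state"] == {"balance": 100}
    # ... only the application-level counter check rejects it.
    try:
        load_state(tpm, v1)
        result["app_rejects_old_blob"] = False
    except ValueError:
        result["app_rejects_old_blob"] = True
    # Boot into a different configuration (PCR 8 changes): now unseal itself refuses.
    tpm.pcrs[8] = "afc937a0"
    try:
        tpm.unseal(v2)
        result["unseal_fails_on_other_pcr"] = False
    except PermissionError:
        result["unseal_fails_on_other_pcr"] = True
    return result

if __name__ == "__main__":
    print(demo())
```

The ordering in update_state() matters: if the new blob were written before the counter is incremented and the platform lost power in between, the only blob on disk would already be stale. Incrementing first means a crash leaves no valid blob at all, which is the safe failure.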
TPM SUMMARY
■ Key functionality of TPMs:
■ Authenticated booting
■ Remote attestation
■ Sealed memory
■ Problems with current TPMs:
■ No support for virtualization (one set of PCRs per platform)
■ Slow (hundreds of ms per RSA operation)
■ Linear chain of trust
TPMS IN NIZZA ARCHITECTURE
BOOTING + TPM
[Figure: two applications, App A and App B, measured into the same PCR after the OS; the final PCR value depends on which applications were started and in which order (example values 4490EF83 and 83E2FF9A)]
MULTIPLE APPS
■ Use one PCR per application:
■ Application measurements are independent of each other
■ Number of PCRs is limited (24 on PC platforms, most of them already assigned to firmware, boot loader and DRTM)
■ Use one PCR for all applications:
■ Chain of trust / application log keeps growing
■ All applications are reported in remote attestation (raises privacy concerns)
■ All applications are checked when unsealing (starting another application changes the PCR)
EXTENDING TPMS
■ Idea: per-application PCRs in software:
■ Measure only the base system into the TPM's PCRs (microkernel, basic services, TPM driver, ...)
■ A „software TPM“ provides „software PCRs“ for each application
■ More flexibility with „software PCRs“:
■ The chain of trust is common up to the base system
■ The chains of trust for applications fork above the base system
■ Branches in this Tree of Trust are independent of each other
SOFTWARE PCRS
[Figure: base system (Microkernel, GUI, Names, User Auth, Secure Storage, I/O Support, TPM Driver, TPM Multiplexer, Loader) measured into the hardware PCR: 4490EF83; App A, App B and App C each get their own software PCR, e.g. vPCR(A): 6B17FC28, vPCR(B): 153B9D14]
TPM MULTIPLEX’D
■ Operations on software PCRs:
■ Seal, Unseal, Quote, Extend
■ Add_child, Remove_child
■ Performed using software keys (AES, RSA)
■ Software keys are protected with the real TPM (e.g. sealed to the hardware PCRs of the base system)
■ Link between software PCRs and real PCRs: a certificate for the multiplexer's RSA signature key, so that a software quote can be traced back to the hardware measurements of the base system
■ Implemented for L4: TPM multiplexer Lyon
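The per-application software PCRs and the Add_child / Remove_child / Extend operations of the multiplexer, as an added example (not Lyon's code). It contrasts the two options from the MULTIPLE APPS slide: one hardware PCR shared by all applications against a tree whose root is the hardware PCR of the base system and whose leaves are vPCRs. Seal and Quote are not implemented; binding() returns the (hardware PCR, vPCR) pair such an operation would be bound to. Component images are constructed byte strings.

```python
import hashlib

ZERO = bytes(20)   # a PCR after platform reset

def extend(pcr, x):
    """PCR := SHA-1(PCR || X)"""
    return hashlib.sha1(pcr + x).digest()

def measure(image):
    return hashlib.sha1(image).digest()

def boot_base_system(images):
    """Measure the base system into the one hardware PCR, in start order."""
    pcr = ZERO
    for img in images:
        pcr = extend(pcr, measure(img))
    return pcr

class SoftwarePcrTree:
    """Tree of trust kept by the TPM multiplexer: the root is the hardware PCR covering the
    base system, each child a software PCR (vPCR) for one application."""
    def __init__(self, hw_pcr):
        self.hw_pcr = hw_pcr
        self.vpcrs = {}

    def add_child(self, app):
        self.vpcrs[app] = ZERO           # fresh register, unrelated to any other branch

    def remove_child(self, app):
        del self.vpcrs[app]              # the branch vanishes; the others are untouched

    def extend(self, app, x):
        self.vpcrs[app] = extend(self.vpcrs[app], x)

    def binding(self, app):
        """What Seal / Quote for this app are bound to: the path root -> leaf."""
        return (self.hw_pcr, self.vpcrs[app])

BASE = [b"microkernel", b"tpm driver", b"tpm multiplexer", b"loader"]   # constructed images

def demo():
    hw = boot_base_system(BASE)

    # Option 1: a single hardware PCR shared by all applications
    shared_after_a = extend(hw, measure(b"app A"))
    shared_after_ab = extend(shared_after_a, measure(b"app B"))

    # Option 2: software PCRs forking above the base system
    tree = SoftwarePcrTree(hw)
    tree.add_child("A")
    tree.extend("A", measure(b"app A"))
    binding_a = tree.binding("A")
    tree.add_child("B")
    tree.extend("B", measure(b"app B"))
    tree.extend("B", measure(b"app B plugin"))   # B's state keeps changing ...
    unaffected_by_b = tree.binding("A") == binding_a
    tree.remove_child("B")                       # ... and B can even go away
    unaffected_by_b_removal = tree.binding("A") == binding_a

    # A different base system changes the root and thereby every branch's binding
    other_root = boot_base_system(BASE[:-1] + [b"loader (modified)"])
    other_tree = SoftwarePcrTree(other_root)
    other_tree.add_child("A")
    other_tree.extend("A", measure(b"app A"))

    return {
        "shared_pcr_changes_when_B_starts": shared_after_ab != shared_after_a,
        "vpcr_A_unaffected_by_B": unaffected_by_b and unaffected_by_b_removal,
        "same_app_on_other_base_differs": other_tree.binding("A") != binding_a,
        "leaf_alone_is_not_enough": other_tree.vpcrs["A"] == tree.vpcrs["A"],
    }

if __name__ == "__main__":
    print(demo())
```

The last result is the caveat: a vPCR value by itself is identical on a good and on a modified base system, because every branch starts from zero. It only means something together with the hardware PCR of the base system, which is why the multiplexer's quotes have to be linked to the real TPM through its certified signing key.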
A SECOND LOOK AT VPFS
VPFS SECURITY
[Figure: VPFS directory tree (Dir and Inode nodes, File nodes) covered by a Merkle hash tree; its root hash (example 83E2FF9A) is kept in Sealed Memory]
VPFS TRUST
[Figure: Microkernel; on top of it TPM Driver, TPM Multiplexer, VPFS, L4Linux and an App]
VPFS can access its secrets only if its own vPCR and the vPCR for the app match the respective expected values.
VPFS SECURITY
■ VPFS [5] uses sealed memory for:
■ The secret encryption key
■ The root hash of the Merkle hash tree
■ Second use case is remote attestation:
■ Trusted backup storage is required, because data in untrusted storage can be lost (deleted or rolled back)
■ Secure access to the backup server is needed
■ VPFS challenges the backup server: „Will you store my backups reliably?“
A CLOSER LOOK AT THE WHOLE PICTURE
NITPICKER
[Figure: Nitpicker, the trusted GUI]
TRUST NITPICKER
■ The user cannot simply trust what he / she sees on the screen!
■ Solution:
■ Remote attestation of the PC's software stack
■ For example with a trusted device:
■ The user’s cell phone sends a nonce to the PC
■ The PC replies with a quote over nonce + PCR values
■ The phone checks the quote; the user can then decide whether to trust the PC or not
A SECOND LOOK AT THE CHAIN OF TRUST
CRTM
■ When you press the power button ...
■ First code to be run: the BIOS boot block
■ Stored in a small ROM
■ Starts the chain of trust:
■ Initialize the TPM
■ Measure (hash) the BIOS into a TPM PCR
■ Pass control to the BIOS
■ The BIOS boot block is the Core Root of Trust for Measurement (CRTM): it is the only component that is not measured by something else, so it must be trusted unconditionally
CHAIN OF TRUST
■ Discussed so far:
■ CRTM & chain of trust
■ How to make the components in the chain of trust smaller
■ Observation: BIOS and boot loader are only needed for booting
■ Question: can the chain of trust be shorter?
[Figure: chain of trust Hardware → BIOS → Boot Loader → OS → App]
DRTM
■ The CRTM starts the chain of trust early
■ A Dynamic Root of Trust for Measurement (DRTM) starts it late:
■ Special CPU instructions (AMD: SKINIT, Intel: GETSEC[SENTER])
■ Put the CPU in a known state
■ Measure a small „secure loader“ into the TPM (into dedicated PCRs that only the CPU can reset)
■ Start the „secure loader“
■ DRTM: the chain of trust can start anywhere
DRTM: OSLO
■ First idea: put the DRTM right below the OS
■ Smaller TCB:
■ Large and complex BIOS / boot loader removed
■ Small and simple DRTM bootstrapper added
■ Open Secure Loader OSLO: 1,000 SLOC, 4KB binary size [6]
[Figure: chain of trust Hardware → OS → App; BIOS and Boot Loader drop out of it]
DRTM CHALLENGE
■ DRTM removes the boot software from the TCB
■ Key challenges:
■ The „secure loader“ must not be compromised
■ Requires careful checking of the platform state
■ The secure loader must actually run from locked RAM, not from insecure device memory (the code that was measured must be the code that executes)
■ DRTM can also run after booting the OS
DRTM: FLICKER
■ A new DRTM can be established at any time
■ Flicker [7] approach:
■ Pause the legacy OS
■ Execute the critical code as DRTM using SKINIT
■ Restore the CPU state
■ Resume the legacy OS
[Figure: App, Legacy OS, Boot Loader, BIOS, Hardware]
[Figure: the Flicker Applet runs directly on the Hardware while the Legacy OS and its Apps are paused]
FLICKER DETAILS
■ Pause the untrusted legacy OS, stop all other CPUs
■ Execute SKINIT:
■ Start the Flicker code as „secure loader“
■ Unseal input / sign data / seal output
■ Restore state on all CPUs
■ Resume the untrusted legacy OS
■ If needed: create a quote with the new PCRs
■ TCB on the order of only a few thousand SLOC!
FLICKER LIMITS
■ Problems with the Flicker approach:
■ The untrusted OS must cooperate (it decides when a Flicker session runs)
■ Only 1 CPU active, all other CPUs stopped
■ Secure input and output only via slow TPM functionality (seal, unseal, sign)
■ Works for some server scenarios (e.g., handling credentials)
■ Client scenarios require more functionality (e.g., a trusted GUI for using applications)
ISA EXTENSIONS
■ ARM TrustZone [8]:
■ New processor mode („secure world“) for critical software
■ Private memory partition (accessible only in the secure processor mode)
■ Can be used to implement a software TPM
■ Intel SGX [9]:
■ Secure enclaves: protected regions of an application's address space for code, stack, heap
■ Sealed memory and remote attestation for enclaves
MOBILE DEVICES
■ Simple implementations in smartphones, etc.
■ A non-modifiable boot ROM loads the OS
■ The OS is signed with the manufacturer's key; the signature is checked before it runs
■ Small amount of flash integrated into the SoC
■ Cryptographic co-processor: software can use (but not obtain) the encryption key
■ Not open: closed or secure boot (only manufacturer-signed code runs) instead of authenticated booting (any code can run, but it is measured first)
WHAT’S NEXT?
■ January 19, 2015:
■ Lecture „Resilience“
■ Paper Reading Exercise “Popek/Goldberg”
REFERENCES
■ [1] http://www.heise.de/security/Anonymisierungsnetz-Tor-abgephisht--/news/meldung/95770
■ [2] https://www.trustedcomputinggroup.org/home/
■ [3] https://www.trustedcomputinggroup.org/specs/TPM/
■ [4] https://www.trustedcomputinggroup.org/specs/PCClient/
■ [5] Carsten Weinhold and Hermann Härtig, „VPFS: Building a Virtual Private File System with a Small Trusted Computing Base“, Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008, 2008, Glasgow, Scotland UK
■ [6] Bernhard Kauer, „OSLO: Improving the Security of Trusted Computing“, Proceedings of 16th USENIX Security Symposium, 2007, Boston, MA, USA
■ [7] McCune, Jonathan M., Bryan Parno, Adrian Perrig, Michael K. Reiter, and Hiroshi Isozaki, "Flicker: An Execution Infrastructure for TCB Minimization", In Proceedings of the ACM European Conference on Computer Systems (EuroSys'08), Glasgow, Scotland, March 31 - April 4, 2008
■ [8] http://arm.com/products/processors/technologies/trustzone/index.php
■ [9] http://software.intel.com/en-us/intel-isa-extensions#pid-19539-1495