1

RE-TRUST MeetingRE-TRUST Meeting30 – May – 200530 – May – 2005

Trento, ItalyTrento, Italy

Outline- List of Participants- Administrative Organization- Draft WPs, Tasks, Gantt- WP components- Meeting Minutes- Functional Descriptions: - Remote Entrusting - SW-based Tamper Resistance – TR - SW/HW-based Tamper Resistance - TR

2

RE-TRUSTList of Participants – 30/5/2005

P1: UNITN - Universita' di Trento - ITALY Yoram Ofek - ofek@dit.unitn.it Fabio Massacci - massacci@dit.unitn.it Harshit Shah - harshit@tcs.tifr.res.in

P2: POLITO - Politecnico di Torino - ITALY Mario Baldi – mario.baldi@polito.it; Riccardo Scandariato - riccardo.scandariato@polito.it Stefano Di Carlo - dicarlo@polito.it            

P3: IBM Research – Zurich - SWITZERLAND Matthias Schunter - mts@zurich.ibm.com

P4: GP - Gemplus - FRANCE P5: KUL - Katholieke Universiteit Leuven - BELGIUM 

Klaus Kursawe - kkursawe@esat.kuleuven.ac.be;   P6: VUA – Vrije Universiteit – The NETHERLANDS

Bruno Crispo - crispo@cs.vu.nl P7: SPIIA - St. Petersburg Institute for Informatics and Automation -

RUSSIA

3

List of Project Participants P1: UNITN - Universita' di Trento - ITALY

Yoram Ofek - ofek@dit.unitn.it Fabio Massacci - massacci@dit.unitn.it John Mylopoulos - jm@cs.toronto.edu

P2: POLITO - Politecnico di Torino - ITALY Paolo Prinetto - Paolo.Prinetto@polito.it Mario Baldi – mario.baldi@polito.it Riccardo Scandariato - riccardo.scandariato@polito.it

P3: IBM Research – Zurich - SWITZERLAND Michael Waidner - wmi@zurich.ibm.com Matthias Schunter - mts@zurich.ibm.com Jan Camenisch - jca@zurich.ibm.com

P4: GP - Gemplus - FRANCE Bruno Rouchouze - Bruno.ROUCHOUZE@gemplus.com Laurent MANTEAU - Laurent.MANTEAU@gemplus.com

(Cooperative R&D Manager Business Development Group) David NACCACHE - David.NACCACHE@gemplus.com

P5: KUL - Katholieke Universiteit Leuven - BELGIUM Bart Preneel - bart.preneel@esat.kuleuven.ac.be Karel Wouters - kwouters@esat.kuleuven.ac.be Klaus kursawe- kkursawe@esat.kuleuven.ac.be 

P6: VUA - Vrije Universiteit – The NETHERLANDS Andrew Tanenbaum - ast@cs.vu.nl Bruno Crispo - crispo@cs.vu.nl Chandana Gamage - chandag@cs.vu.nl

P7: SPIIA - St. Petersburg Institute for Informatics and Automation - RUSSIA Igor Kotenko - ivkote@mail.iias.spb.su

4

Administrative Organization Project secretary - Riccardo Scandariato

WPs editors (may change as we progress) WP0 – UNITN WP1 – UNITN WP2 - POLITO WP3 – KUL WP4 – UVA WP5 – IBM WP6 – UNITN

Next on the agenda:- Conference call - Trip to Brussels

5

Draft June 24: WPs, Tasks, Gantt (y1,y2,y3)

WP0: Coordination and Management - UNITN WP1: Overall architecture (y1, a: initial, y3-b: final) - UNITN

T1.1: Reference Applications and Requirements (grid, chat client, mobile, …) - UNITN T1.2: SW-app + SW-based tamper resistance (TR) - POLITO T1.3: SW-app + SW/HW-based tamper resistance (TR) – KUL/UNITN T1.4: Design of applications using HW/SW methods (y3) – polito Reference architeture

WP2: SW-based TR (y1-y2); y1: design; y2: PoC - POLITO T2.1: Replacement – POLITO T2.2: Obfuscation - KUL T2.3: Secure interlocking of two programs – POLITO T2.4: Each includes sec analysis (goals, assumptions, …) – KUL/POLITO

WP3: HW/SW-based TR (y2-y3 ); y2: design; y3: PoC - KUL T3.1: Using HW to improve SW-based TR – KUL T3.2: Splitting program into SW/HW parts – KUL/GEMPLUS T3.3: Security protocols for four-tier trust (entruster, app, SW-TR, HW-TR) – KUL/ ibm 6 pm T3.4: Using PCs as extension of secure HW - GEMPLUS T3.5: Secure downloading into OS+SC - GEMPLUS T3.6: Each includes sec analysis (goals, assumptions, …) – VUA

WP4: Security analysis (y2: SW-based, y3: SW/HW+overall) - VUA T4.1: Overall Security analysis of the SW-based technology - VUA T4.2: Security analysis of the SW/HW based technology - VUA T4.3: Comparison with security achieved by TCG – IBM w-p T4.4: Implementability of the security assumptions – IBM w-p

WP5: Remote verification and trust management – IBM w-p 2 pp. 14pm tot. WP6: Dissemination, etc. - UNITN

6

Initial Draft: WPs, Tasks, Gantt (y1,y2,y3) WP0: Coordination and Management - UNITN WP1: Overall architecture (y1, a: initial, y3-b: final) - UNITN

T1.1: Reference Applications and Requirements (grid, chat client, mobile, …) - UNITN T1.2: SW-app + SW-based tamper resistance (TR) - POLITO T1.3: SW-app + SW/HW-based tamper resistance (TR) – KUL/UNITN T1.4: Design of applications using HW/SW methods (y3) – polito Reference architeture

WP2: SW-based TR (y1-y2); y1: design; y2: PoC - POLITO T2.1: Replacement – POLITO T2.2: Obfuscation - KUL T2.3: Secure interlocking of two programs – POLITO T2.4: Each includes sec analysis (goals, assumptions, …) – KUL/POLITO

WP3: HW/SW-based TR (y2-y3 ); y2: design; y3: PoC - KUL T3.1: Using HW to improve SW-based TR – KUL T3.2: Splitting program into SW/HW parts – KUL/GEMPLUS T3.3: Security protocols for four-tier trust (entruster, app, SW-TR, HW-TR) – KUL/ ibm 6 pm T3.4: Using PCs as extension of secure HW - GEMPLUS T3.5: Secure downloading into OS+SC - GEMPLUS T3.6: Each includes sec analysis (goals, assumptions, …) – VUA

WP4: Security analysis (y2: SW-based, y3: SW/HW+overall) - VUA T4.1: Overall Security analysis of the SW-based technology - VUA T4.2: Security analysis of the SW/HW based technology - VUA T4.3: Comparison with security achieved by TCG – IBM w-p T4.4: Implementability of the security assumptions – IBM w-p

WP5: Remote verification and trust management – IBM w-p 2 pp. 14pm tot. WP6: Dissemination, etc. - UNITN

7

WP Components

For each WP: Description of research activities and their inter-relationships:

B.1 Scientific and Technological Objectives of the Project and Comparison to the State of the Art

B.2 Relevance to the Objectives of FET Open B.3 Potential Impact

[Note: selected parts will be moved to the body of the proposal]

Tasks Deliverables

Papers, reports, PoC – Proof of Concept – examples:

Software demonstrations Algorithmic design with formal proofs Complexity analysis (e.g., “de-hiding”) … … …

Milestones {IST Definition: Milestones are control points at which

decisions are needed; for example concerning which of several technologies will be adopted as the basis for the next phase of the project.}

Please use the enclosed WP template

8

Minutes by Riccardo – 1/6Morning session---------------1) Ric presentation

Mathias comment: state the assumptions to prove that the approach work

2) Yoram: explains the reference model - Method 1 - Method 2 - Conditional computing might be easier than conditional playback

Comments

Mathias: IBM has some work on Grid stuffCan be simpler than DRM if we only care about integrity of dataInteresting question: which is the minimal TCG h/w you need to build up trust on stacked (s/w) modules

Bruno/Klaus:-this is the level we can push forward with all-software... but can be necessary to introduce h/w to get bullet-proof security... well, let us find the minimal h/w platform... this type of discussion must be in the proposal

Yoram:TCG oblige trust to be extended to the whole platformwe want something than can be tailored, e.g. to the level of a single application (all the rest is untouched)

Mathias/Brunolook at connections with mobile agents security (similarities with our project) -> protecting agents

9

Minutes by Riccardo – 2/63) Stefano presentation

Presented three "dependability-related" techniques, which can be applied to the security field:- invariants over application variables- variable duplication- Control flow check by regular expression

CommentsMathias: concerning PROMON, there's a lot of related work in the area of behavior-based intrusion detection concerning RECCO, errors during computation are not covered (assumption: CPU is protected)

comments from Bruno/Riccardo : stress of effectiveness and measures

4) Mathias presentation

Mathias/Ian group working on anonymous attestation for TCG

- idemix: proof of authenticity of machine without revealing any identification info

Direct Anonymous Attestation (DAA)- now part of TPM chip- can be done in software

SLA: proof that machine is providing a trusted implementation (e.g. of an API)... actual implementation does not care (e.g. a Win implementation vs a Lin implementation)

Linux prototype: -Domain: set of corporate machine that are continuously checked by a central server, to check their configuration-After the fact: log of what happened (the approach does not prevent loading an untrusted module. Still, it will let you attest that an untrusted module has been loaded, by analyzing the logs)- You need to know in advance the correct configuration, in order to check that nothing illegal happened

10

Minutes by Riccardo – 3/65) Klaus presentationSobenet: white box crypto, code obfuscation

Interests in RE-TRUST- software security- Interface with HW (and HW/SW codesign)

MS: secure compartments (microkernel) plus TPM chip used for HD encryption

6) Bruno presentationDistributed system group (50 peoples, 4 full professors)Four sub-groups: Dist Sys, Parallel programming and grid, Intelligent autonomous agents, security group

Current activities and Interests for RE-TRUST

Secure OS: micro kernel- Drivers- MMU

Distributed enforcement: 1) Controlled information dissemination 2) local enforcement

Example policies: "Read/write file x only 7 times" or "Read file x only if file y satisfies some properties" (similar to DRM)To enforce such policies, TPM plus the secure OS is not enough (we are in a distributed environment). An additional middleware layer is needed (specifically a reference monitor)

- Yoram (general question)

Supposing TPM is on a USB device, would it matter? Can we implement the TCG approach with the chip on a USB token? Probably yes (by adapting BIOS), but this is not TCG compliant (standard requires the TCM is bound to a particular machine)

11

Minutes by Riccardo – 4/6

Original plan was to resort to TC if software, or software plus soft h/w, is not enough. Probably, we can stick to soft hardware (as far this project is concerned)

We can talk of "security token" or "trusted hardware" (in general) without saying whether that will be a TPM on a USB device (or smart card) or a "real" TCG-compliant TPM-> trusted hardware connected to an I/O port (without touching the motherboard)

7) Massacci presentationEnforceable security policies (Snider): Enforcer (security monitor) is outside and check the application by looking at a subset of the application I/O (and temporal dimension)

Afternoon session-----------------

Agreement on straw-man scheme (2 levels)-"trusted hardware" (in general) without saying whether that will be a TPM on a device connected -to an I/O port or an on-board TPM

Is it possible to plug in h/w without transitive trust? I.e. application stacked on secure OS, stacked on TPM ()

Focus on applications or on mechanisms?

-> OPEN ISSUE : IDENTIFICATION OF TARGET APPLICATIONS !!!!!

12

Minutes by Riccardo – 5/6

WPs + TASKS + MILESTONES + DELIVERABLES======================================

=> Overall Architecture: (y1, a: initial, y3-b: final) << TRENTO >>-> Reference Applications and Requirements (grid, banking client, mobile)-> SW->Application + SW Based Tamper Resistance-> SW->Application + SW/HW Based Tamper Resistance-> Design of applications using HW/SW methods (Validation ...) <(y3) <IBM>>

=> SW-Based Tamper Resistance (y1-y2); y1:design; y2: PoC <<TORINO>>-> Replacement <<TORINO>> -> Obfuscation <<LEUVEN>>-> Secure interlocking of two programs-> Something else-> Each includes sec analysis (goals,assumptions)

=> HW/SW based TR (y2-y3); y2:design; y3:PoC <<LEUVEN>>-> Using HW to improve SW-based TR <<LEUVEN>>-> Splitting program into SW/HW parts <<LEUVEN>>-> Security protocols for four-tier trust (entruster, app, SW-TR, HW-TR) <<LEUVEN>>-> Using PCs as extension of secure HW <<GEMPLUS>>-> Secure downloading into OS+SC <<GEMPLUS>>-> Each includes sec analysis (goals,assumptions) <<VUA*>>

13

Minutes by Riccardo – 6/6=> Security Analysis (y2: sw-based, y3: sw/hw+overall) <<VUA*>>

-> Overall Security analysis of the SW-based technology-> Security analysis of the SW/HW based technology <<VUA*>>-> Comparison with security achieved by TCG <<IBM>-> Implementability of the security assumptions <<IBM>>

=> Remote verification and trust management <<IBM>>

* AMSTERDAM

OTHER WORKPACKAGES===================

=> Coordination/Management <<TRENTO>>

=> Dissemination <<TRENTO>>

REFERENCE MODEL:================

+------------------+ +---+ +-------+ Public Channel +-----------+|Trusted Component |---> |APP| ----> |OBF App| -------------------> |Smart Card || |<--- | | <---- | | <------------------- | |+------------------+ +---+ +-------+ +-----------+

14

Secure Tags

2nd Entrusting Machine

1st Untrusted MachineEntrusting

IP Network

1st Untrusted machine emanates Secure Tags from a code/software during execution

2nd Entrusting Machine is ENTRUSTING the 1st Untrusted machine by verifying the Secure Tags

Functional Description: Remote Entrusting

Core of Trust

15

Definition of Trustfor Remote Entrusting

A software (code/protocol) is A software (code/protocol) is deemed authentic/trusteddeemed authentic/trusted if and only if its functionality if and only if its functionality has not been altered/tampered has not been altered/tampered by an untrusted/unauthorized by an untrusted/unauthorized entityentity prior to or during executionprior to or during execution

16

2nd EntrustingMachine

Application on 1st untrusted

Machine

Obfuscated Tag Generator

ObfuscatingCompiler

Code Replacement Secure taggenerator

Observes the application and generates tags securely

Messages + Tags

Functional Description: SW-based Tamper Resistance - TR

Core of Trust

17

Obfuscated Tag Generator

ObfuscatingCompiler

Code Replacement Secure taggenerator

Observes the application and generates tags securely

Secure Hardware:Smart card, etc.

Untrusted “public” channel:OS, etc.

Functional Description: SW/HW-based - TR

2nd EntrustingMachine

Application on 1st untrusted

Machine

Messages + Tags

Core of Trust