    Trusted & Secure Computing

    Guillaume Duc, May 2009, 77 slides

    Usage-rights licence (Licence de droits d'usage)

    [Slide 1]

    Trusted & Secure Computing: Introduction

    [Slide 2]

    Plan

    Introduction
    Trusted Computing Group (TCG)
    - Introduction
    - Trusted Platform Module (TPM)
    - Other working groups
    - Criticism
    Intel Trusted eXecution Technology (TXT)
    - Introduction
    - Measured Launched Environment
    - Conclusion
    Secure computing
    - Introduction
    - Secure co-processors
    - Bus encryption
    Conclusion

    [Slide 3]

    Trusted Computing?

    To guarantee that a computing system behaves in a well-defined way

    Applications
    - Online services (banking, commerce, voting, gaming, grid computing...)
    - Disk encryption
    - VPN
    - DRM


    [Slide 6]

    Trusted Computing Group

    The Trusted Computing Group (TCG) is a not-for-profit organization formed to develop, define and promote open, vendor-neutral, industry standards for trusted computing building blocks and software interfaces across multiple platforms (http://www.trustedcomputinggroup.org/)

    Founded in 2003 with 14 companies, including AMD, HP, IBM, Intel, Microsoft, Sony and Sun Microsystems (board members)

    The specifications of the Trusted Platform Module (TPM) were previously developed by the Trusted Computing Platform Alliance (the infamous TCPA) and reused by the TCG

    Goal: extend trust to all the components of a computing system (network, servers, storage, mobiles, etc.)
    [Slide 7]

    Members 1/2

    Three levels: Promoters, Contributors and Adopters.

    Promoters (beginning of 2009): AMD, Fujitsu, Hewlett-Packard, IBM, Infineon, Intel, Lenovo, Microsoft, Sony, Sun Microsystems, Wave

    [Slide 8]

    Members 2/2

    Large scope (non-exhaustive list)
    - Semiconductors: Atmel, STMicroelectronics, Freescale, NXP
    - Smartcards: Gemalto
    - PC: Dell
    - Mobiles: Nokia, Ericsson Mobile
    - Network equipment: Juniper
    - Storage: Seagate, Western Digital
    - Network operators: Vodafone, Orange (until 2008)
    - Security software: McAfee, Symantec
    - Certification bodies: BSI

    [Slide 9]

    Working groups
    - Infrastructure
    - Mobile Phone
    - PC Client
    - Server
    - Software Stack
    - Storage
    - Trusted Network Connect
    - Trusted Platform Module
    - Virtualization
    - Hard Copy
    - Compliance

    [Slide 10]

    Some dates
    - 2003: Foundation
    - 2004: TPM version 1.2, creation of the Trusted Network Connect working group, 98 companies
    - 2005: 120 companies, specifications for TPM in servers
    - 2006: MTM (Mobile Trusted Module) specifications
    - 2008: Support for TNC in FreeRADIUS

    [Slide 11]

    Fundamental Trusted Platform Features

    TCG definition: Trust is the expectation that a device will behave in a particular manner for a specific purpose

    According to the TCG, a trusted platform should provide three basic features
    - Protected capabilities: functions that have exclusive permission to access shielded locations (where sensitive data are stored and manipulated)
    - Attestation: process of vouching for the accuracy of information
    - Integrity measurement, logging and reporting: process of obtaining, storing and attesting metrics of the platform characteristics that affect its trustworthiness

    [Slide 12]

    Roots of Trust

    Roots of trust are components that must be trusted

    Three roots of trust are defined by the TCG
    - Root of trust for measurement (RTM): performs integrity measurements
    - Root of trust for storage (RTS): securely stores integrity measurements
    - Root of trust for reporting (RTR): reports information stored in the RTS

    [Slide 13]

    Trusted Building Blocks

    Trusted Building Blocks (TBB): parts of the Roots of Trust that are not implemented as shielded locations or protected capabilities

    Examples
    - Core Root of Trust for Measurement (part of the BIOS)
    - Physical link between the CRTM storage and the motherboard
    - Physical link between the TPM and the motherboard

    TBB must be trusted (no way to detect if they are corrupted) but are not protected


    [Slide 16]

    Inside the TPM: Components
    - I/O
    - Cryptographic co-processor (RSA and symmetric encryption)
    - RSA key generator
    - SHA-1 engine
    - HMAC engine
    - Random number generator (RNG)
    - Opt-In
    - Execution engine
    - Volatile and non-volatile memory

    [Slide 17]

    Integrity storage: PCR

    Platform Configuration Register: 160-bit storage location inside the TPM

    Used to store measurement values

    Minimum 16 PCR in a TPM (usually 32)

    To allow the TPM to store more than 16 measurement values, extension mechanism: PCR_i = H(PCR_i || measure), where H is a collision-resistant hash function (SHA-1) and || denotes concatenation

    [Slide 18]

    Integrity measurement: Principles

    Measurement value: value and/or state of something that may impact the trustworthiness of the platform (e.g. the code of the BIOS, the bootloader, the kernel...)

    The measurement agent computes a hash of the measurement value, sends the hash to the TPM which stores it in a PCR (extension mechanism), and stores the value in a log (Stored Measurement Log, SML)

    With the SML, one can compute the theoretical values of the PCR and compare them with the real values in the TPM

    Impossible to forge a SML which matches the values of the PCR (strong hash function)

    [Slide 19]

    Integrity measurement: PC

    Transitive trust
    - BIOS = CRTM
    - CRTM measures itself and sends the measure to PCR[0]
    - CRTM measures other low-level pieces of software (CPU microcode, PCI option ROM code, first part of the MBR (bootloader)...) and sends them to PCR[1-7]
    - The bootloader may measure the first part of the OS kernel and send the measure to the TPM
    - The kernel may measure other OS parts...

    [Slide 20]

    Integrity reporting (attestation)

    Principles
    - A challenger requests one or more PCR values from a platform
    - An agent on the platform collects the corresponding SML entries
    - The TPM signs the values of the PCR with a key
    - The agent sends the signed PCR values, SML entries and credentials to the challenger
    - The challenger verifies the signature on the PCR values with the credentials of the TPM and verifies the SML entries against the PCR values

    Problem: privacy (if all the signatures are performed using the same private key, it is possible to link all the attestations performed by one TPM)
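    As an added example (not code from the slides or from the TCG), the following script ties slides 17 to 20 together: the extend operation into a PCR, a Stored Measurement Log written by the measurement agent, a quote over selected PCRs, and the challenger's check that the SML replays to the quoted values. SHA-1 is used only because the TPM 1.2 deck is built on it. The AIK signature is stood in for by an HMAC whose key plays the role of the AIK (an assumption so the script needs only the standard library; a real TPM signs the quote with an RSA AIK and the challenger verifies it against the AIK credential). The measured blobs, PCR indices and labels are constructed.

```python
import hashlib
import hmac
import os

PCR_SIZE = 20  # 160-bit PCRs, as in TPM 1.2


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TCG extend operation: PCR_i <- H(PCR_i || measurement), with H = SHA-1."""
    return hashlib.sha1(pcr + measurement).digest()


class Tpm:
    """Toy TPM: a PCR bank plus a quote operation over selected PCRs."""

    def __init__(self, num_pcrs: int = 24):
        self.pcrs = [bytes(PCR_SIZE)] * num_pcrs
        # Stand-in for the AIK private key (assumption: HMAC replaces an RSA signature)
        self._aik = os.urandom(32)

    def pcr_extend(self, index: int, measurement: bytes) -> None:
        self.pcrs[index] = extend(self.pcrs[index], measurement)

    def quote(self, indices, nonce: bytes) -> dict:
        """Sign the selected PCR values together with the challenger's nonce."""
        values = [self.pcrs[i] for i in indices]
        msg = nonce + b"".join(values)
        return {"indices": list(indices), "values": values, "nonce": nonce,
                "sig": hmac.new(self._aik, msg, hashlib.sha1).digest()}

    def aik_verification_key(self) -> bytes:
        """What the AIK credential would convey to the challenger (toy: the same key)."""
        return self._aik


def measure_and_extend(tpm: Tpm, sml: list, index: int, label: str, blob: bytes) -> None:
    """Measurement agent: hash the object, extend the PCR, append the entry to the SML."""
    digest = hashlib.sha1(blob).digest()
    tpm.pcr_extend(index, digest)
    sml.append((index, label, digest))


def replay_sml(sml: list, num_pcrs: int = 24) -> list:
    """Challenger side: the PCR values this SML implies if it is genuine."""
    expected = [bytes(PCR_SIZE)] * num_pcrs
    for index, _label, digest in sml:
        expected[index] = extend(expected[index], digest)
    return expected


def verify_attestation(quote: dict, sml: list, nonce: bytes, aik_key: bytes) -> bool:
    """Check freshness, then the signature, then that the SML replays to the quoted PCRs."""
    if quote["nonce"] != nonce:
        return False
    msg = nonce + b"".join(quote["values"])
    expected_sig = hmac.new(aik_key, msg, hashlib.sha1).digest()
    if not hmac.compare_digest(quote["sig"], expected_sig):
        return False
    expected = replay_sml(sml)
    return all(expected[i] == v for i, v in zip(quote["indices"], quote["values"]))


def run_demo() -> tuple:
    """Returns (honest_log_accepted, edited_log_accepted)."""
    tpm, sml = Tpm(), []
    # Constructed stand-ins for the components measured during boot
    measure_and_extend(tpm, sml, 0, "CRTM/BIOS", b"bios-image-v1")
    measure_and_extend(tpm, sml, 4, "MBR/bootloader", b"bootloader-stage1")
    measure_and_extend(tpm, sml, 8, "kernel", b"kernel-image-as-booted")
    nonce = os.urandom(20)
    quote = tpm.quote([0, 4, 8], nonce)
    honest = verify_attestation(quote, sml, nonce, tpm.aik_verification_key())
    # A log edited to claim a different kernel no longer replays to the PCR[8] the TPM holds
    edited = [(i, l, hashlib.sha1(b"kernel-image-reference").digest()) if l == "kernel" else (i, l, d)
              for i, l, d in sml]
    edited_ok = verify_attestation(quote, edited, nonce, tpm.aik_verification_key())
    return honest, edited_ok


if __name__ == "__main__":
    print(run_demo())  # (True, False)
```

    The nonce is what stops a platform from replaying an old quote, and the replay of the SML is what binds every log entry to the hash chain the TPM actually holds: an attacker who controls the log but not the TPM can rewrite entries, but cannot make the rewritten log hash to the quoted PCR values.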

    [Slide 21]

    TPM Credentials

    Each TPM has a unique Endorsement Key (2048-bit RSA key)

    Credentials (equivalent to certificates)
    - Endorsement credential: issued by the entity which generates the EK; contains the TPM manufacturer name, the version and the model number of the TPM and the EK public key
    - Conformance credential: issued by the entity which has evaluated the TPM; contains the name of the evaluator, the platform manufacturer, model number and version, and the TPM manufacturer, model number and version
    - Platform credential: issued by the platform manufacturer; contains the platform manufacturer, model number and version, the endorsement credential and the conformance credential
    - Validation credentials: issued by the manufacturers of measurable components; contain reference measurements

    [Slide 22]

    Attestation Identity Keys

    Attestation Identity Keys (RSA 2048) are used to sign PCR values

    An Attestation Identity Credential contains an AIK public key and is issued by a service that is trusted to verify the various credentials and preserve the privacy policies of the client

    Unlimited number of AIK, in order to use different keys to perform attestations (privacy)

    The TPM generates an AIK, signs the public part with the EK and sends it to a Privacy Certification Authority (Privacy CA)

    The Privacy CA checks the signature, generates the Attestation Identity Credential and sends it back to the TPM

    Solution developed in TPM version 1.1

    [Slide 23]

    Direct Anonymous Attestation (DAA)

    Problem with AIK: need for a trusted Privacy CA (collusion, saturation...)

    Solution in TPM 1.2: Direct Anonymous Attestation (DAA)

    E. Brickell, J. Camenisch, L. Chen, Direct Anonymous Attestation, Proceedings of the 11th ACM Conference on Computer and Communications Security, Oct. 2004, http://www.zurich.ibm.com/~jca/papers/brcach04.pdf

    Complex cryptographic protocol based on group signatures and zero-knowledge proofs that allows the TPM to prove that it is a genuine one without disclosing its EK or relying on a third party

    Choice possible between full anonymity and traceability (variable in the original paper, in the TPM specs)
    [Slide 24]

    Secure storage: Sealing

    Sealing: encrypt a message so that it can only be decrypted if a selected set of PCR takes the values decided when the encryption was performed

    Sealing
    - The message is encrypted with a symmetric key
    - The TPM encrypts the symmetric key and a structure storing the values of the selected PCR with an asymmetric storage key

    Unsealing
    - The TPM decrypts the data structure and checks whether the selected PCR have the correct values
    - The TPM releases the symmetric key to the application
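    As an added example (not code from the slides or from any TPM implementation), this script models the seal/unseal flow above: the application encrypts with a fresh symmetric key, the TPM wraps that key together with the selected PCR values, and unsealing releases the key only while those PCRs still hold the sealed values. The symmetric cipher and the TPM's asymmetric storage key are both stood in for by a toy authenticated encryption built from HMAC-SHA256 (an assumption so the script needs only the standard library; a real TPM wraps the blob with an RSA storage key). The measurements, the PCR selection and the message are constructed.

```python
import hashlib
import hmac
import os

# Toy authenticated encryption (HMAC-SHA256 keystream + HMAC-SHA256 tag).
# It stands in for both the application's symmetric cipher and the TPM's
# storage key; it is not the cipher a real TPM uses.


def _subkeys(key: bytes) -> tuple:
    return (hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest())


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("sealed blob corrupted")
    return _keystream_xor(enc_key, nonce, ct)


class Tpm:
    """Toy TPM: 24 SHA-1 PCRs and a storage root key that never leaves the chip."""

    def __init__(self):
        self.pcrs = [bytes(20)] * 24
        self._srk = os.urandom(32)

    def pcr_extend(self, index: int, measurement: bytes) -> None:
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + measurement).digest()

    def reboot(self) -> None:
        """PCRs are reset at power-on; the SRK persists."""
        self.pcrs = [bytes(20)] * 24

    def seal(self, symmetric_key: bytes, pcr_selection: list) -> bytes:
        """Wrap the key together with the current values of the selected PCRs."""
        policy = b"".join(bytes([i]) + self.pcrs[i] for i in sorted(pcr_selection))
        return encrypt(self._srk, bytes([len(pcr_selection)]) + policy + symmetric_key)

    def unseal(self, blob: bytes) -> bytes:
        """Release the key only if every selected PCR still holds its sealed value."""
        body = decrypt(self._srk, blob)
        n, rest = body[0], body[1:]
        for k in range(n):
            index, expected = rest[21 * k], rest[21 * k + 1:21 * k + 21]
            if self.pcrs[index] != expected:
                raise PermissionError(f"PCR[{index}] differs from the sealed value")
        return rest[21 * n:]


def app_seal(tpm: Tpm, message: bytes, pcr_selection: list) -> tuple:
    """Application side: encrypt with a fresh symmetric key, then seal that key."""
    key = os.urandom(32)
    return encrypt(key, message), tpm.seal(key, pcr_selection)


def app_unseal(tpm: Tpm, ciphertext: bytes, sealed_key: bytes) -> bytes:
    return decrypt(tpm.unseal(sealed_key), ciphertext)


def run_demo() -> tuple:
    """Returns (plaintext recovered in the sealed state, key released after a changed boot)."""
    tpm = Tpm()
    tpm.pcr_extend(0, hashlib.sha1(b"bios-v1").digest())        # constructed measurements
    tpm.pcr_extend(4, hashlib.sha1(b"bootloader-v1").digest())
    ciphertext, sealed = app_seal(tpm, b"volume key material", [0, 4])
    recovered = app_unseal(tpm, ciphertext, sealed)
    tpm.reboot()
    tpm.pcr_extend(0, hashlib.sha1(b"bios-v1").digest())
    tpm.pcr_extend(4, hashlib.sha1(b"bootloader-v2").digest())  # a different boot path
    try:
        app_unseal(tpm, ciphertext, sealed)
        released = True
    except PermissionError:
        released = False
    return recovered, released
```

    Note the two separate trust boundaries: the application never sees the storage root key, and the TPM never sees the message, only the symmetric key it wraps. The check in unseal is the whole point of sealing; a blob that decrypts fine is still refused when the platform state differs from the one recorded at seal time.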

    [Slide 25]

    Secure storage

    Used to securely store small pieces of data (mainly symmetric/asymmetric keys used by the TPM or applications)

    Data organized in a tree structure
    - The first level of the tree (nodes or leaves) is encrypted using the storage root key embedded inside the TPM
    - Nodes: storage keys used to encrypt the children
    - Leaves: data securely stored

    The TPM does not need to store all the data, thanks to the encryption tree structure

    [Slide 26]

    Secure storage

    (figure from TCG Specification Architecture Overview, revision 1.4)

    [Slide 27]

    Secure storage: Key types
    - Signing keys: asymmetric keys used to sign application data and messages
    - Storage keys: asymmetric keys used to encrypt data or other keys
    - Identity keys (AIK): signing keys exclusively used to sign data originated by the TPM
    - Endorsement keys (EK)
    - Bind keys: used to encrypt small amounts of data on one platform and decrypt it on another
    - Legacy keys: keys created outside of the TPM and imported into the TPM to be used to sign and encrypt
    - Authentication keys: symmetric keys used to protect transport sessions involving the TPM

    [Slide 28]

    Authentication

    Each object in the TPM contains a 160-bit shared secret (AuthData)

    The user who knows this shared secret is granted full usage of the object

    TPM 1.2: Delegation mechanism

    [Slide 29]

    Misc

    Monotonic counters
    - Counters provided by the TPM that can only be incremented
    - Limited number, but more can be provided by the OS using only one physical monotonic counter (virtual monotonic counters)
    - Used in DRM for instance

    [Slide 30]

    Software stack (TSS)

    (figure from TCG Specification Architecture Overview, revision 1.4)

    [Slide 31]

    Software stack Interaction

    (figure from TCG Specification Architecture Overview, revision 1.4)


    [Slide 33]

    Mobile Phone Working Group

    Adapt the TPM specifications to mobile phones and PDAs

    Constraints
    - Multiple owners (radio = MNO, main firmware = handset manufacturer, data = user)
    - Some owners are distant (MNO, manufacturer) and some are local (user)
    - Size and cost

    Result: the MTM (Mobile Trusted Module)

    [Slide 34]

    Mobile Phone Working Group: MTM

    Can be implemented as a separate chip (like the TPM), a module inside the application processor or software

    Multiple engines, one per owner (two mandatory: handset manufacturer and user; others optional: MNO, service provider, etc.)

    Big feature: Secure boot
    - During the boot, the MTM takes and stores measurements but also compares them to Reference Integrity Measurements (stored as RIM certificates) and halts the boot process if they are not correct
    - So if the OS is booted, it can be trusted

    [Slide 35]

    Trusted Network Connect

    The TNC WG is working to define and promote an open solution architecture that enables network operators to enforce policies regarding the security state of endpoints in order to determine whether to grant access to a requested network infrastructure

    Compared to current network access control technologies
    - Add Platform Credential Authentication using certificates stored inside the TPM
    - Add Integrity Verification Handshake using the values of the PCR of the client's TPM
    - E.g. define an EAP method to transport integrity measurements and platform credentials


    [Slide 37]

    True/False 1

    TPM will prevent me from running my OS/application (e.g. Linux): false
    - The TPM, when enabled, just takes measurements but does not prevent an OS or an application from booting (contrary to the MTM)
    - The TPM can be deactivated

    [Slide 38]

    True/False 2

    Someone may oblige me to run a specific OS/application: true
    - A service provider who wants to use the TPM to check the integrity of the platforms used by its clients will have to decide which measurements are considered trustworthy and which are not
    - For instance, if the service provider decides to only accept measurements indicating that a specific OS is loaded, other OS will not be able to access the service
    - Big question: how will these lists of reference measurements be defined?

    [Slide 39]

    True/False 3

    TPM may prevent interoperability between applications: true
    - Using sealed storage, an application can store a document in a way that it can only be accessed using the same application and not a compatible application
    - Potential threat

    [Slide 40]

    Compatibility with Free Software

    Support for TPM exists in several free software projects (e.g. the Linux kernel)

    However, the concept of integrity measurement is not totally compatible with the free software model
    - Free software is often distributed as source code (BSD ports, meta-distributions such as Gentoo, etc.)
    - However, two compilations of the same application are likely to give different binaries, even on the same machine (the date/time of compilation is often embedded into the binary)
    - So the measure (hash) of two instances of the same version of an application may be different
    - Difficult (impossible?) to build reference integrity measurements of FOSS applications

    [Slide 41]

    Problems for the TCG
    - Infamous TCPA/Palladium: bad reputation among computer scientists and the free software community ("Treacherous computing"), so the main target of the TCG is, for the moment, companies and not individuals
    - TPM are largely deployed in PCs but most of the time they are not activated by their owners
    - Very few applications use the TPM (mainly BitLocker, some VPN and some disk encryption software; and only to store keys)
    - 2009-2010 may be critical years for the success of the deployment of TCG technologies

    [Slide 44]

    Introduction

    Intel Trusted Execution Technology (TXT)

    Formerly known as LaGrande Technology

    Versatile set of hardware extensions to Intel processors and chipsets that enhance the digital office platform with security capabilities such as measured launch and protected execution (http://developer.intel.com/technology/security/index.htm)

    Relies on the TPM for basic services

    Already available on high-end motherboards (part of the vPro brand)

    [Slide 46]

    Measured Launched Environment

    Main objective: Protected Execution, i.e. provide applications with an execution environment where they can be executed without being observed or compromised by untrusted applications

    This environment is called the Measured Launched Environment (MLE)

    TXT protects the launch and the execution of this MLE

    The MLE can be launched at any time, including long after the boot

    [Slide 47]

    Launch of the MLE: DRTM

    As the MLE can be launched at any time, it is difficult to rely on the measurements performed since the boot and stored in the TPM

    Solution: Dynamic Root of Trust for Measurement (DRTM) provided by TXT (also called late launch)

    [Slide 48]

    Launch of the MLE: Process
    - The launching environment loads the MLE and the Authenticated Code (AC) in memory
    - The launching environment calls the GETSEC[SENTER] instruction
    - The processor loads, authenticates (digital signature) and executes the AC (the execution happens in internal SRAM inside the processor)
    - The AC checks the configuration of the chipset and the processors
    - The AC measures the MLE, sends the measurements to the TPM and launches the MLE

    [Slide 49]

    Protection of the MLE: DMA

    Need to protect the MLE against unauthorized modifications

    DMA: protection using the Intel VT-d technology (requires chipset modifications) to prevent unauthorized DMA transfers to/from a memory area belonging to the MLE

    [Slide 50]

    Protection of the MLE: Misc.

    Protected Input/Output: data encryption between the driver in the MLE and the I/O device (e.g. mouse, keyboard...)

    Protected Graphics
    - Data encryption between the driver in the MLE and the graphic card
    - Proof to the user that what is displayed in a part of the screen really comes from the MLE

    Not deployed yet


    [Slide 52]

    Already attacked!

    Interesting technology

    But already attacked using a flaw in the System Management Mode (SMM, ring -2) of the x86 architecture

    More details: R. Wojtczuk and J. Rutkowska, Attacking Intel Trusted Execution Technology, Black Hat DC, Feb 2009, http://invisiblethingslab.com/resources/bh09dc/Attacking%20Intel%20TXT%20-%20paper.pdf
    [Slide 55]

    Attack model: TCG

    Resists some software attacks

    Resists some physical attacks against the TPM itself (the TPM chip often uses a smartcard core)

    But does not resist some hardware attacks against other components
    - Bus snooping
    - Memory

    Some secure computing architectures have been developed to try to prevent these hardware attacks

    [Slide 56]

    Motivations

    Hardware attacks
    - Reading or modification of the content of the RAM
    - Address and data bus snooping
    - Direct attacks against the CPU
    - Fault injection
    - Power analysis (side channel attacks)

    Need sophisticated tools and knowledge, but not unrealistic (e.g. the Xbox break)

    [Slide 57]

    A security model

    Guaranteed properties
    - Confidentiality: an attacker shall obtain as little information as possible about the code or the data of a process
    - Integrity: the correct execution of a process shall not be altered by an attacker

    Attacker
    - Total control on the CPU externals (buses, memory, storage, etc.)
    - The CPU itself cannot be attacked (this excludes side channel attacks)
    - Denial of service excluded

    Problem: keep good performance

    [Slide 59]

    Secure computing

    Two approaches
    - Secure co-processor
    - Bus encryption architecture


    [Slide 61]

    Coprocessors

    First solution: shielded execution environment (processor, memory, bus, etc.) to run secure processes
    - Smartcards
    - IBM 4758/4764 (processor, RAM, flash)

    Problems
    - Performance (smartcards)
    - Difficult to upgrade


    [Slide 63]

    Secure architecture

    Second solution: execute encrypted programs

    (figure: processor with an encryption unit and a decryption unit between it and the memory, on the data bus and the address bus)

    [Slide 64]

    Key dates

    Confidentiality
    - BEST, 1979
    - DALLAS DS500x, 1995 (commercialized, broken by KUHN in 1998)
    - KUHN (TrustNo 1), 1997: asymmetric encryption and OS support
    - GILMONT, LEGAT and QUISQUATER, 1998: hybrid encryption

    Confidentiality and integrity
    - LIE, THEKKATH, MITCHELL, LINCOLN (XOM), 2000
    - KERYELL (CRYPTOPAGE), 2000
    - SUH, CLARKE, GASSEND, DIJK and DEVADAS (Aegis), 2003: protection against replay attacks
    - KERYELL, LAURADOUX (CRYPTOPAGE 2), 2003

    [Slide 65]

    Confidentiality

    Confidentiality is not very difficult (the main problem is to optimize the decryption part)

    During execution: everything outside of the processor is encrypted

    Interrupts: the CPU cleans the registers before running the interrupt handler

    Memory integrity


    Property to guarantee

    The value read at a given address from memory must be the latest value stored by the processor at this address

    Attacks

    Injection
    Spatial permutation
    Replay

    Much more expensive...

    Message Authentication Codes (MAC)


    [Figure: a memory line L is stored together with its tag h_K(L), where h_K is the keyed MAC function; the slide also shows a label A]

    Message Authentication Codes (MAC)


    Vulnerable to replay attacks

    [Figure: replay timeline. t1: L1 stored with h_K(L1); t2: L2 stored with h_K(L2); t3: L1 with h_K(L1) written back, and the old tag still verifies]

    Solution: add counters?

    Problem: We have to securely store them

    MAC must be computed again when the counter is modified
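A worked model of the property and the three attacks above, as an added example (not code from the slides or from any of the cited designs): each memory line is tagged with a MAC bound to its address, with or without the on-chip counters the slide proposes. Line size, key and tag length are assumptions of the model.

```python
import hmac
import hashlib

# Added example (not from the slides): a toy processor whose external RAM is
# untrusted. Every memory line is stored next to a MAC that binds the data to
# its address and, optionally, to a counter kept on-chip. Constants are assumed.
LINE = 16            # bytes per memory line
KEY = b"\x01" * 16   # constructed processor MAC key


class ProtectedMemory:
    def __init__(self, nlines, with_counters):
        self.ram = {}  # untrusted: the attacker can read and rewrite it
        # Counters live inside the processor: the secure storage the slide asks for.
        self.counters = [0] * nlines if with_counters else None

    def _tag(self, addr, data):
        # The address in the MAC catches spatial permutation; the counter
        # catches replay of an older line whose tag was valid when recorded.
        ctr = self.counters[addr] if self.counters else 0
        msg = addr.to_bytes(4, "big") + ctr.to_bytes(8, "big") + data
        return hmac.new(KEY, msg, hashlib.sha256).digest()[:8]

    def store(self, addr, data):
        if self.counters:
            self.counters[addr] += 1  # counter changed, so the MAC is recomputed
        self.ram[addr] = (data, self._tag(addr, data))

    def load(self, addr):
        """Return the line, or None when verification fails (the CPU would trap)."""
        data, tag = self.ram[addr]
        if not hmac.compare_digest(tag, self._tag(addr, data)):
            return None
        return data


def run_attacks(with_counters):
    """Apply the slides' three attacks to RAM and report which ones a load detects."""
    mem = ProtectedMemory(nlines=4, with_counters=with_counters)
    for a in range(4):
        mem.store(a, bytes([a]) * LINE)
    old = mem.ram[0]                  # t1: attacker records line 0 and its tag
    mem.store(0, b"C" * LINE)         # t2: processor overwrites line 0
    mem.ram[0] = old                  # t3: attacker replays the recorded pair
    mem.ram[1], mem.ram[2] = mem.ram[2], mem.ram[1]  # spatial permutation
    data, tag = mem.ram[3]
    mem.ram[3] = (bytes([data[0] ^ 1]) + data[1:], tag)  # injection: flip a bit
    return {"replay": mem.load(0) is None,
            "permutation": mem.load(1) is None,
            "injection": mem.load(3) is None}
```

Without counters the replayed line passes verification, which is the weakness the slide points out; with counters every attack is caught, at the price of keeping the counters in trusted storage and recomputing the MAC on each store.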


    Example: DS5002FP


    8-bit microcontroller from Dallas Semiconductor
    Data bus (8 bits) is encrypted (d' = E_{DK,a}(d))
    Address bus (16 bits) is encrypted (a' = E_{AK}(a))
    K (64 bits) is stored in a small battery-backed SRAM inside the microcontroller
    Program loaded using a special mode (the microcontroller generates a key, loads the program in clear from the serial port, encrypts it and stores it in memory)
    Random dummy memory accesses to hide memory access patterns
    Broken: M. Kuhn, "Cipher Instruction Search Attack on the Bus-Encryption Security Microcontroller DS5002FP", IEEE Transactions on Computers, 47(10), pp. 1153–1157, October 1998


    Example: CRYPTOPAGE


    Memory encryption
    Memory integrity protection (including against replay attacks)
    Reduction of information leakage on the address bus
    No need for a trusted operating system
    Good performance (simulations: less than 10 % overhead compared to a normal architecture)
    Still on paper, no prototype yet...

    Example: CRYPTOPAGE

    [Figure: CRYPTOPAGE architecture. Inside the chip: processor, data caches, MMU (addresses), TLB and ETLB, identification buffer, SHA-1 unit, permutation unit and permutation buffer with registers R(e)c,p and R(i)c,p, AES CM + CBC-MAC unit, AES CBC units with verifier, two Merkle tree verifiers, plaintext hardware context buffer, encrypted hardware context buffer, encrypted initial context buffer, AES and RSA units with SKproc, random number generator, secure storage tree verifier with root Kproc,s; keys Kpid,i, Kpid,d, Kpid,m and Kproc,e, Kproc,m. Outside the chip: data bus and address bus]


    Conclusion


    Trusted computing: existing industrial solutions (TCG, Intel TXT...)

    Secure computing: more difficult (the attacker is much more powerful) and expensive; some industrial solutions, but still largely an academic field

    Before choosing a solution: check the security model and the attacker model to see if they match your needs

    As always, these technologies are double-edged...


    Licence de droits d'usage


    Public context } without modifications

    By downloading or consulting this document, the user accepts the licence of use attached to it, as detailed in the following provisions, and undertakes to comply with it in full.

    The licence grants the user a right of use on the document consulted or downloaded, in whole or in part, under the conditions defined below and to the express exclusion of any commercial use.

    The right of use defined by the licence authorises use intended for any audience, which includes: the right to reproduce all or part of the document on electronic or paper media; the right to distribute all or part of the document to the public on paper or electronic media, including by making it available to the public on a digital network.

    No modification of the document in its content, form or presentation is authorised.

    The references to the source of the document and/or its author must be preserved in their entirety.

    The right of use defined by the licence is personal, non-exclusive and non-transferable.

    Any use other than those provided for by the licence is subject to the prior and express authorisation of the author: [email protected]