˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls...
Transcript of ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls...
![Page 1: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/1.jpg)
����������� ��������
����� ���������������� ��
Mike BondComputer Security Group
Information Security Solutions Europe 30th September ‘04
![Page 2: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/2.jpg)
������������
• Introduction: The Trusted Computing Stack• TC Hardware• TC Operating Systems• TC Software• Introducing Security APIs• Application Level Security
– The Identification Challenge– Version Control and Updating– Secure Backup– Helper Applications
• Conclusions
![Page 3: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/3.jpg)
���������������� �������
TPM
HSM
PC
NGSCB Nexus Boot LoaderKernel Support
for S/W Controls
HSM Firmware
ApplicationNCA
Windows MediaPlayer
Financial APIS/W
O/S
H/WSCC
Intel LaGrande
Attestation Support
![Page 4: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/4.jpg)
���������
• How do we design and build our Trusted Computing applications?
• Where do we start?– Trusted Computing Specs are sets of moving targets– TCG Hardware (TPM) fairly well defined now, but this
is too far down the stack to have all the answers for the application designer
– MS NGSCB: not even the overall architecture has been agreed on
• Proposal: can we learn from applications already designed and deployed on the original TC platforms: Hardware Security Modules?
![Page 5: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/5.jpg)
��� � !����������"��
• A number of paradigms– The Hardware Security Module
(The original island of trust. Many will run arbitrary code)
– The Passive Trusted PC (e.g. TPM-based)(Monitors state, but does not enforce – all or nothing control)
– The Active Trusted PC (e.g. Intel LaGrande, MS SCC, Trusted Graphics & Sound Cards)
– The Proprietary Box(Microsoft XBOX 3? Sony PS3? Apple iThingy? Centre of your home area network, completely closed protocols)
![Page 6: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/6.jpg)
����"������ ���������
• Specialised computer hardware (e.g. PCI cards) for implementing Security APIs and performing cryptography.
• Characteristics:– Often physically tamper-resistant– May have hardware crypto acceleration– May have special ‘trusted’ peripherals
• Limitation: Unlike potential for TC, HSMs mainly run a single application at a time e.g. PKCS#11 or PIN Processing API.
• HSMs are not “vapourware” like some TC, they are out there, designed and deployed.
![Page 7: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/7.jpg)
����"������ ���������
![Page 8: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/8.jpg)
����� ������# �������
• Using HSMs– TC applications involving licensing, or content
distribution have many secrets to protect– TPM/LaGrande based TC not currently highly tamper-
resistant, we need a more secure place for our top-level keys and business logic – answer: use HSMs for top levels of hierarchy.
– HSMs already standard for top levels in CAs.
• Learning from HSMs– HSMs have been designed and built since the mid 80s.
TC can learn a lot from understanding their hardware, OS and application design.
![Page 9: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/9.jpg)
��� � !������$���� ���������
• People have tried to build trustworthy O/Ses for years, there was limited success: main problem was security/usability compromise
• Microsoft trying to build trust into operating systems (Palladium, NGSCB). Their idea: to retain compatibility, keep existing OS controls, and branch off in a new axis too. Will it make it in time for Longhorn?
• Plans for Linux with TCG technology• We are also seeing DRM-Aware Operating
Systems in mobile phones
![Page 10: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/10.jpg)
�%������� ����!��&'��
O/S Nexus
App1
App2
NCA1
NCA2
DriversServices
TPM / SSCHardware
Ring 1
Ring 0
Ring 2+
![Page 11: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/11.jpg)
������������!�"��
• What goes at the top of the stack?• We already have heavy-weight applications we
might wish to TC enable– Office/Lotus Notes (Information Rights Management)– IC Design Packages (Protect proprietary routing algorithms)– Windows Media Player (Protect digital content, new charging strategies)
• Some applications already use software obfuscation to achieve same goals – can we harden these applications?
• What new applications can we build?
![Page 12: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/12.jpg)
������� �� ����('����)� ��*
• IRM – Information Rights Management– Companies can stop leaks– Mafia can keep their records secret
• DRM – Digital Rights Management• Proprietary Algorithm Protection• Trusted I/O – Enter your ATM PIN at your PC• Global PKI – All devices potentially indentifiable• Trusted Anonymity Systems• Truly Anonymous peer-to-peer systems• High-availability systems• Reverse-engineering resistant viruses
![Page 13: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/13.jpg)
�%��������!����� ���+ �������������
• Microsoft Office 2003 withMicrosoft Rights Management Server
• Will it be secure when it becomes TC enabled?
The “restrict” button
![Page 14: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/14.jpg)
��������� ��������������
• The crucial question: which parts of an application go inside the trust boundary?
• We can’t make a whole monolithic app trusted (otherwise it will be full of buffer overruns etc.).
• If too little is trusted, then only very simple policies will be enforceable (no fancy new payment models)
• This problem has been thought about by trusted app designers using HSMs, but unfortunately remains unsolved. There has been a whole catalogue of failures of HSM APIs. Security API research is the place to start looking for the answers, so that TC designers at least do not repeat the same mistakes…
![Page 15: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/15.jpg)
#���� ������� �������,
• An API that allows users to work with sensitive data and keys, and uses cryptography to enforce a policy on the usage of data
• The conventional Security API:
HostPC or Mainframe
Security ModulePCI Card or Separate Module
Security API
VDU
I/O Devs
Network
![Page 16: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/16.jpg)
������ �������
O/S Nexus
App1
App2
NCA1
NCA2
DriversServices
TPM / SSCHardware
Ring 1
Ring 0
Ring 2+
![Page 17: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/17.jpg)
������ �������
O/S Nexus
DRM App
App2
DRM NCA
NCA2
DriversServices
TPM / SSCHardware
Ring 1
Ring 0
Ring 2+
![Page 18: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/18.jpg)
������ �������
O/S Nexus
DRM App
MyApp
DRM NCA
MyNCA
DriversServices
TPM / SSCHardware
Ring 1
Ring 0
Ring 2+
![Page 19: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/19.jpg)
������ �������
O/S (hacked) Nexus
DRM App
MyApp
DRM NCA
MyNCA
DriversServices
TPM / SSCHardware
Ring 1
Ring 0
Ring 2+
![Page 20: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/20.jpg)
������ �������
O/S (hacked) Nexus
DRM App
MyApp
DRM NCA
MyNCA
DriversServices
TPM / SSCHardware
Ring 1
Ring 0
Ring 2+
![Page 21: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/21.jpg)
��� �������������)��� �����
• Financial APIs for processing PINs. A very complex heterogeneous system: many different boxes at many banks. A stream of vulnerabilities discovered:– Key Binding, Weak 3DES (2001)– Information Leakage, Decimalisation Table Attack (2003)– ISO PIN Block Attacks (2004)
• Depending on your point of view, PIN processing systems are either too hard to get right, or too expensive to get right.
• Certification Authorities. Simple policy: “the private key never leaves the box”. On the whole, a success.
• The better we understand the problem, the cheaper it will be to build quality solutions
![Page 22: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/22.jpg)
���� �� ��-./����� ��
• Some application-level security challenges have already been tackled by today’s Security APIs– Major vendor APIs support straightforward back-up,
access control, auditing, and specific business logic
• However, all these problems get more complex when they are generalised. Modern Security APIs can often solve the challenges single-application scenarios, with infrequent update, but the solutions used become impractical …
• Let’s consider how these issues develop.
![Page 23: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/23.jpg)
������� ! �� ����������
• Many HSMs recognise that I/O through the host computer can be sabotaged to be misleading, so have special authorisation and feedback paths:– nCipher uses a smartcard insertion to enable e.g. a limited
number of signatures with a private key– Thales RG modules have a special “console” connection for
issuing of sensitive commands• But what about when there are myriads of different
trusted apps under different ownership?• Trojan apps can be easily developed (e.g. phishing
scams), and if the user has not seen a particular application before, it is trivial to make a plausible imitation
![Page 24: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/24.jpg)
������� ! �� ����������
• How do you know which trusted app you’re talking to?
“I’m the internetbanking application”
“No, I’m the internetbanking application!”
“Trusted” When Light is On
![Page 25: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/25.jpg)
0�� ���������������1����
MyApp NewMyApp
Hash: 34CA22… Hash: F4AE52…
Data1
Sealed: 34CA22…
Data1
Sealed: 34CA22…
Data1’
Sealed: F4AE52…
![Page 26: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/26.jpg)
0�� ���������������1����
• Toy Problem before, the solutions seems straightforward – give the old program a migration routine to re-seal all the files to the new version.
• Real world complexity– How to migrate offline backups?– What about un-installation and roll-back? (suppose the new
software has an unrelated bug that crashes the client PC all thetime)
– What if you’re trying to patch a fault in the migration routine?– How often will you have to migrate? Every time a DLL the app
uses changes? Every time you add a new plug-in to an app?– What do you migrate? Suppose the PC has multiple users, running
different versions, or one uses Windows Media Player for jukebox, one uses RealPlayer – who owns which music files? What about shared music files?
![Page 27: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/27.jpg)
���� ����
• Users have to trust that they will always be able to access their data, and retrieve it from back-up if necessary
• What if the user buys a new PC? What are the back-ups bound to, the user, the application or the PC?
• What if the user restores back-ups onto a different PC, conflict with DRM use-limits?
• What if a manufacturer goes bust?
![Page 28: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/28.jpg)
����� �������������� �� ���,
MS Office 2010
EncryptedDocument
SecureWord
FileAccessControl
BackupControl
ComponentUpdateHelper
SecureExcel
SecurePPT
Pay-per-ViewLicenser
(Potentially a SecurityAPI at the boundarybetween every component)
![Page 29: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/29.jpg)
������ ���
• We are making good progress laying down base architecture for TC, but there’s still more work to be done. We must not neglect the design of applications that sit on top, and must not assume that the correct O/S support for TC will make it easy to write trusted apps.
• Studying the Security APIs of applications built on HSMs can give us a good starting point for TC application design.
• However, there are some fundamentally hard problems raised when mutually distrustful parties share computing resources. We need to work very hard on these to make a success of desktop Trusted Computing.
![Page 30: ˘ ˇˆ˙˝˘˚ ˘ ˇˆ˙˝ ˛ TPM HSM PC NGSCB Nexus Boot Loader Kernel Support for S/W Controls HSM Firmware Application NCA Windows Media Player Financial API S/W O/S H/W](https://reader033.fdocuments.in/reader033/viewer/2022042102/5e7e869a600c7e50156b00b9/html5/thumbnails/30.jpg)
������!����� ��Papers, Links & Resourceshttp://www.cl.cam.ac.uk/~mkb23/research.html
Cambridge Computer Laboratoryhttp://www.cl.cam.ac.uk/Research/Security/
Colleagues and Related Workhttp://www.cl.cam.ac.uk/~mkb23/phantom/http://www.cl.cam.ac.uk/~jc407/http://www.cl.cam.ac.uk/~rja14/
Email… [email protected]