1

Minimal TCB Code ExecutionMinimal TCB Code ExecutionJonathan McCune, Bryan Parno, Adrian Perrig,

Michael Reiter, and Arvind Seshadri

Carnegie Mellon University

May 22, 2007

2

CPU, RAMTPM, Chipset

CPU, RAMTPM, Chipset

Trusted Computing Base (TCB)

DMA Devices (Network, Disk,

USB, etc.)

OS

App

SS

App1 …

DMA Devices (Network, Disk,

USB, etc.)

OS

AppApp1 …

SS

ShimShim

3

Contributions• Isolate security-sensitive code execution

from all other code and devices

• Attest to security-sensitive code and its arguments and nothing else

• Convince a remote party that security-sensitive code was protected

• Add < 250 LoC to the software TCB

ShimShim

SSSoftwareTCB < 250 LoC

4

TPM Background• The Trusted Platform Module (TPM) is a

dedicated security chip

• It can provide an attestation to remote parties– Platform Configuration Registers (PCRs)

summarize the computer’s software state– TPM provides a signature over PCR values

• TPM spec v1.2 includes dynamic PCRs– Values can be reset without a reboot

5

Late Launch Background• Supported by new commodity CPUs

– SVM for AMD– TXT (formerly LaGrande) for Intel

• Designed to launch a VMM without a reboot– Hardware-based protections ensure launch integrity

• New CPU instruction (SKINIT/SENTER) accepts a memory region as input and atomically:– Resets dynamic PCRs – Disables interrupts– Extends a measurement of the region into PCR 17– Begins executing at the start of the memory region

6

Adversary Capabilities

• Run arbitrary code with maximum privileges

• Subvert any DMA-enabled device– E.g., network cards, USB

devices, hard drives

• Perform limited hardware attacks– E.g., power cycle the

machine– Excludes physically

monitoring/modifying CPU-to-RAM communication

CPU, RAMTPM, Chipset

DMA Devices (Network, Disk,

USB, etc.)

OS

AppApp1 …

ShimShim

SS

7

Architecture Overview• Core technique

– Pause current execution environment– Execute security-sensitive code with hardware-

enforced isolation– Resume previous execution

• Extensions– Preserve state securely across invocations– Attest only to code execution and protection– Establish secure communication with remote parties

8

Execution Flow

TPMTPM

PCRs:

K-1

7 2 9 …0 0 0

CPUCPU

OS

App

ShimShim

SSModuleModule

RAM

OS

App

ModuleModule

SKINITReset

InputsOutputsModuleModule

0 h 00 H 00

ShimShim

SS

00 0

9TPMTPM

PCRs: 0

K-1

…

TPMTPM

PCRs:

K-1

…

0 0 0

ShimShim

SS Inputs

Outputs

Attestation

10

TPMTPM

PCRs:

K-1

…

000

ShimShim

SS Inputs

Outputs

AttestationWhat code areyou running?

ShimShim

SS InputsOutputsSign( ), K-1

Sign ), K-1

…

OS

AppAppSS

App5

App5

App4

App4

App3

App3

App2

App2

App1

App1

(

Versus

11

Potential Applications• Server applications

– Password authentication, SSL keys, Certificate Authority (CA), etc.

• Verifiable distributed computing– SETI@Home, Folding@Home, distcc, etc.

• Client-side applications– Secure password entry

12

Ongoing Work

• Extracting security-sensitive code from existing applications

• Containing malicious or malfunctioning security-sensitive code

• Coping with slow security-sensitive code

• Creating a trusted path to the user

13

Related Work• Secure coprocessors

– Dyad [Yee 1994], IBM 4758 [JiSmiMi 2001]

• System-wide attestation– Secure Boot [ArFaSm 1997], IMA [SaZhJaDo 2004],

Enforcer [MaSmWiStBa 2004]

• VMM-based isolation– BIND [ShPeDo2005], AppCores [SiPuHaHe 2006],

Trustworthy Kiosks [GaCáBeSaDoZh 2006], Proxos [TaLiLi 2006]

14

Conclusions

• Explore how far an application’s TCB can be minimized

• Isolate security-sensitive code execution

• Provide fine-grained attestations

• Allow application writers to focus on the security of their own code

15

Thank you!parno@cmu.edu