Slide 1
Minimal TCB Code Execution
Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri
Carnegie Mellon University
May 22, 2007
Slide 2
[Figure: the Trusted Computing Base (TCB). Left, a conventional system: the security-sensitive code (SS) lives inside an App and runs on top of the OS, the DMA devices (network, disk, USB, etc.) and the CPU, RAM, TPM and chipset, so all of these are in its TCB. Right, the proposed design: SS runs on a small Shim, and the TCB is only the CPU, RAM, TPM, chipset, Shim and SS; the OS, the other applications (App, App1, ...) and the DMA devices are outside it.]
Slide 3
Contributions
• Isolate security-sensitive code execution from all other code and devices
• Attest to security-sensitive code and its arguments and nothing else
• Convince a remote party that security-sensitive code was protected
• Add < 250 LoC to the software TCB
[Figure: Shim and SS, labelled "Software TCB < 250 LoC".]
Slide 4
TPM Background
• The Trusted Platform Module (TPM) is a dedicated security chip
• It can provide an attestation to remote parties
  – Platform Configuration Registers (PCRs) summarize the computer's software state (a PCR can only be extended with a hash, never written directly)
  – The TPM provides a signature over the PCR values
• TPM spec v1.2 includes dynamic PCRs
  – Their values can be reset without a reboot
Slide 5
Late Launch Background
• Supported by new commodity CPUs
  – SVM for AMD
  – TXT (formerly LaGrande) for Intel
• Designed to launch a VMM without a reboot
  – Hardware-based protections ensure launch integrity
• A new CPU instruction (SKINIT/SENTER) accepts a memory region as input and atomically:
  – Resets the dynamic PCRs
  – Disables interrupts
  – Extends a measurement of the region into PCR 17
  – Begins executing at the start of the memory region
Slide 6
Adversary Capabilities
• Run arbitrary code with maximum privileges
• Subvert any DMA-enabled device
  – E.g., network cards, USB devices, hard drives
• Perform limited hardware attacks
  – E.g., power cycle the machine
  – Excludes physically monitoring/modifying CPU-to-RAM communication
[Figure: the system diagram again; the OS, the Apps and the DMA devices are under the adversary's control, and only the CPU, RAM, TPM, chipset, Shim and SS are trusted.]
Slide 7
Architecture Overview
• Core technique
  – Pause the current execution environment
  – Execute the security-sensitive code with hardware-enforced isolation
  – Resume the previous execution
• Extensions
  – Preserve state securely across invocations
  – Attest only to code execution and protection
  – Establish secure communication with remote parties
Slide 8
Execution Flow
[Figure: CPU, RAM and TPM, the TPM holding the PCRs and its private key K^-1. The OS and App are paused; SKINIT resets the dynamic PCRs to 0 and measures the Module (Shim and SS) into PCR 17; the Module then runs on its Inputs and produces Outputs. The PCR values shown change from all zeros to include h and then H as each measurement is extended.]

Slide 9
[Figure: the TPM's PCRs after the session, and the Shim and SS with their Inputs and Outputs, feeding into an Attestation.]

Slide 10
Attestation
[Figure: a remote party asks "What code are you running?" and receives Sign(PCRs, K^-1). With this design the signed attestation covers only the Shim, SS, Inputs and Outputs. Versus: a conventional attestation must also cover the OS and every loaded application (App1 ... App5) alongside the App that contains SS.]
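Added worked example (not code from the slides or from the Flicker project): a simulation of the PCR 17 chain that slides 4, 5 and 8 to 10 describe, and the check a remote party performs on the quote. The SHA-1 extend rule and the 20-byte dynamic-PCR reset are real TPM 1.2 behaviour; the shim, SS code, inputs, outputs and nonce are constructed byte strings, and the AIK signature Sign(PCRs, K^-1) is stood in for by an HMAC under a key the verifier is assumed to trust. The `late_launch`, `run_flicker_session` and `os_forgery_attempt` names are this example's own.

```python
"""Simulated TPM 1.2 PCR 17 chain for a late-launch (SKINIT/SENTER) session.

Added example, not Flicker code. Only one session is modelled: reset,
measure shim+SS, extend inputs, run SS, extend outputs, quote.
"""
import hashlib
import hmac

PCR_LEN = 20                             # TPM 1.2 PCRs hold SHA-1 digests
PCR17_AFTER_BOOT = b"\xff" * PCR_LEN     # dynamic PCRs 17-22 read as all ones after a normal boot
PCR17_AFTER_SKINIT = b"\x00" * PCR_LEN   # SKINIT/SENTER resets them to zero; software cannot

# Constructed stand-ins for what the attestation covers (assumptions).
SHIM = b"flicker-shim-v0.1"              # the <250 LoC shim
SS_CODE = b"ss: password-check"          # the security-sensitive code
AIK = b"constructed-aik-secret"          # stand-in for the TPM's attestation key K^-1


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: new = SHA-1(old || measurement). One-way and order-sensitive."""
    assert len(pcr) == PCR_LEN and len(measurement) == PCR_LEN
    return sha1(pcr + measurement)


def late_launch(slb: bytes) -> bytes:
    """What the CPU does to PCR 17 before the launched region runs: reset it,
    then extend the hash of the region. Only the late-launch instruction can
    perform the reset, so the result never depends on the pre-launch state."""
    return extend(PCR17_AFTER_SKINIT, sha1(slb))


def run_flicker_session(shim: bytes, ss_code: bytes, inputs: bytes, outputs: bytes) -> bytes:
    """PCR 17 after a session: late launch measures shim+SS, the shim extends
    the inputs before running SS and the outputs afterwards."""
    pcr17 = late_launch(shim + ss_code)
    pcr17 = extend(pcr17, sha1(inputs))
    # SS executes here with interrupts and DMA disabled (not modelled).
    pcr17 = extend(pcr17, sha1(outputs))
    return pcr17


def sign_quote(pcr17: bytes, nonce: bytes, key: bytes = AIK) -> bytes:
    """Stand-in for TPM_Quote: signature over the PCR value and the verifier's nonce."""
    return hmac.new(key, pcr17 + nonce, hashlib.sha1).digest()


def verify_quote(quote: bytes, pcr17: bytes, nonce: bytes, shim: bytes, ss_code: bytes,
                 inputs: bytes, outputs: bytes, key: bytes = AIK) -> bool:
    """Remote party's check: the signature is valid for its own nonce, and the
    reported PCR 17 equals the chain recomputed from code it trusts plus the
    claimed inputs and outputs. The OS and other apps play no part in it."""
    if not hmac.compare_digest(quote, sign_quote(pcr17, nonce, key)):
        return False
    expected = run_flicker_session(shim, ss_code, inputs, outputs)
    return hmac.compare_digest(pcr17, expected)


def os_forgery_attempt(shim: bytes, ss_code: bytes, inputs: bytes, outputs: bytes) -> bytes:
    """A compromised OS can extend PCR 17 but cannot reset it, so the best it
    can do is extend the same measurements from the post-boot value."""
    pcr17 = extend(PCR17_AFTER_BOOT, sha1(shim + ss_code))
    pcr17 = extend(pcr17, sha1(inputs))
    pcr17 = extend(pcr17, sha1(outputs))
    return pcr17


if __name__ == "__main__":
    inputs, outputs = b"user=alice;pw=hunter2", b"auth=ok"     # constructed
    nonce = b"constructed-nonce-1"
    pcr = run_flicker_session(SHIM, SS_CODE, inputs, outputs)
    quote = sign_quote(pcr, nonce)
    print("genuine session verifies:", verify_quote(quote, pcr, nonce, SHIM, SS_CODE, inputs, outputs))
    forged = os_forgery_attempt(SHIM, SS_CODE, inputs, outputs)
    print("OS forgery verifies:", verify_quote(sign_quote(forged, nonce), forged, nonce,
                                               SHIM, SS_CODE, inputs, outputs))
```

The verifier's knowledge is exactly the slide's claim: the expected shim and SS code, the inputs it supplied and the outputs it received. Any change to those, or any chain that did not begin with the hardware reset, produces a different PCR 17 and the quote is rejected.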
Slide 11
Potential Applications
• Server applications
  – Password authentication, SSL keys, Certificate Authority (CA), etc.
• Verifiable distributed computing
  – SETI@Home, Folding@Home, distcc, etc.
• Client-side applications
  – Secure password entry
Slide 12
Ongoing Work
• Extracting security-sensitive code from existing applications
• Containing malicious or malfunctioning security-sensitive code
• Coping with slow security-sensitive code
• Creating a trusted path to the user
Slide 13
Related Work
• Secure coprocessors
  – Dyad [Yee 1994], IBM 4758 [JiSmiMi 2001]
• System-wide attestation
  – Secure Boot [ArFaSm 1997], IMA [SaZhJaDo 2004], Enforcer [MaSmWiStBa 2004]
• VMM-based isolation
  – BIND [ShPeDo 2005], AppCores [SiPuHaHe 2006], Trustworthy Kiosks [GaCáBeSaDoZh 2006], Proxos [TaLiLi 2006]
Slide 14
Conclusions
• Explore how far an application’s TCB can be minimized
• Isolate security-sensitive code execution
• Provide fine-grained attestations
• Allow application writers to focus on the security of their own code
Slide 15
Thank you
[email protected]