Bootstrapping Trust in a “Trusted” Platform
Transcript of Bootstrapping Trust in a “Trusted” Platform
1
Bootstrapping Trust in a “Trusted” Platform
Carnegie Mellon University
November 11, 2008
Bryan Parno
2
A Travel Story
3
Do you trust…
• A kiosk computer?
• A friend’s computer?
• A relative’s computer?
• Your own computer?
Without trust, you cannot…
• Check your email
• Pay bills
• Privately surf the web
• …
How do we bootstrap trust in a computer?
4
Assumptions
• User has a trusted, mobile device
• User trusts someone to vouch for the physical security of the computer
5
Bootstrapping Trust
Physical Security
Trusted Hardware
Trusted Software
6
Trusted Software Using Flicker
[Diagram, two panels. Labels: CPU, RAM, TPM, Chipset; DMA Devices (Network, Disk, USB, etc.); OS; App; App 1 …; SS; Shim]
7
Flicker’s Properties
• Isolate security-sensitive code execution from all other code and devices
• Attest to security-sensitive code and its arguments and nothing else
• Convince a remote party that security-sensitive code was protected
• Add < 250 LoC to the software TCB
[Diagram labels: Shim; SS; Software TCB < 250 LoC]
All relies on bootstrapping trust!
[Diagram labels: Physical Security; Trusted Hardware; Trusted Software]
8
Outline
• Introduction
• Background
• The Cuckoo Attack
• Potential Solutions
• Conclusions
9
TPM Background
• The Trusted Platform Module (TPM) is a dedicated security chip
• Contains a public/private keypair {KPub, KPriv}
• Contains a certificate indicating that KPub belongs to a legitimate TPM
• Not tamper-resistant!
10
Bootstrapping Trust with a TPM
[Diagram labels: Software: BIOS, Boot Loader, OS Kernel, conf, Module 1, Module 2, Apps, App 1, App 2; Hardware: TPM, PCRs, KPriv]
11
Bootstrapping Trust with a TPM
[Diagram labels: BIOS, Boot Loader, OS Kernel, conf, Module 1, Module 2, Apps, App 1, App 2; TPM, PCRs, KPriv]
[Exchange labels: Nonce; Sign( ), KPriv; Nonce; KPub]
Guarantees freshness
Guarantees key originated from a real TPM
TPM attests to the software
Trustworthy!
12
Outline
• Introduction
• Background
• The Cuckoo Attack
• Potential Solutions
• Conclusions
13
The Cuckoo Attack
[Diagram labels: Nonce; Sign( ), KPriv; Nonce; KPriv (twice); Nonce; KPub]
Guarantees freshness
Guarantees key originated from a real TPM
TPM attests to the software
Trustworthy!
14
What went wrong?
• An attestation says that a TPM vouches for a software state, but not which TPM
[Diagram labels, appearing twice: Sign( ), KPriv; Nonce; KPub]
15
Analyzing the Attack
• Paper develops a logical framework for bootstrapping trust
– Allows precise characterization of the attack
• Framework identifies which solutions work, and which do not
16
Potential Solutions
• Remove the network
• Trust the computer
• Detect timing deviations
• Make late-launch data available
• Add a special-purpose button
• Employ SiB
• Employ camera-less SiB
• Trust the BIOS
• Trust a third party
• Use an existing interface
• Use a special-purpose interface
Analyze which work, and which don’t
Identify pros and cons of each
17
An Invalid Solution
[Diagram labels: KPriv (twice); Sign( ), KPriv; Nonce; KPub; HW Violation! (twice)]
18
High-Level Goal
• Establish a secure channel to the local TPM
– Channel must provide authenticity & integrity
• We can instantiate the channel via:
– Cryptography
– Hardware
19
Cryptographic Secure Channels
[Diagram labels: KPriv; SHA-1(KPub); camera…; vision…]
• Requires authentic public key (or shared secret)
• Use Seeing-is-Believing (SiB) [McCune et al., ‘05]
– Place a barcode on the PC encoding the TPM’s public key
• Trust the BIOS
– Reboot and trust BIOS to output public key via existing interface
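The point of the “What went wrong?” slide and the barcode fix above, as an added example (not code from the talk or the paper): a verifier that runs the attestation checks listed on the “Bootstrapping Trust with a TPM” slide and can additionally pin SHA-1(KPub) read from a barcode. The toy RSA keys built from Mersenne primes, the PCR strings and every function name are constructed for illustration; they are neither secure nor TPM-accurate.

```python
import hashlib
import os

E = 65537  # public exponent shared by the toy keys

def make_tpm(p, q, pcrs):
    """Constructed stand-in for a TPM: toy RSA key (NOT secure) plus PCR contents."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1)), "pcrs": pcrs}

def digest(nonce, pcrs, n):
    return int.from_bytes(hashlib.sha256(nonce + pcrs).digest(), "big") % n

def quote(tpm, nonce):
    """TPM side: sign (nonce, PCRs) with KPriv; return PCRs, signature, KPub."""
    sig = pow(digest(nonce, tpm["pcrs"], tpm["n"]), tpm["d"], tpm["n"])
    return tpm["pcrs"], sig, tpm["n"]

def key_hash(kpub):
    """SHA-1(KPub), the value carried by the barcode on the PC."""
    raw = kpub.to_bytes((kpub.bit_length() + 7) // 8, "big")
    return hashlib.sha1(raw).hexdigest()

def verify(nonce, pcrs, sig, kpub, certified, good_pcrs, barcode=None):
    if kpub not in certified:  # certificate: key belongs to *a* legitimate TPM
        return "reject: key not certified"
    if pow(sig, E, kpub) != digest(nonce, pcrs, kpub):  # freshness + signature
        return "reject: bad signature"
    if pcrs != good_pcrs:  # attested software state
        return "reject: untrusted software"
    if barcode is not None and key_hash(kpub) != barcode:  # which TPM?
        return "reject: not the local TPM"
    return "accept"

GOOD = b"constructed PCR digest of known-good software"
LOCAL = make_tpm(2**61 - 1, 2**89 - 1, b"constructed PCR digest of other software")
OTHER = make_tpm(2**107 - 1, 2**127 - 1, GOOD)  # certified, but a different chip
CERTIFIED = {LOCAL["n"], OTHER["n"]}

def demo():
    """Same response judged without and with the barcode pin for the local TPM."""
    nonce = os.urandom(20)
    pcrs, sig, kpub = quote(OTHER, nonce)  # answer signed by the other TPM
    unpinned = verify(nonce, pcrs, sig, kpub, CERTIFIED, GOOD)
    pinned = verify(nonce, pcrs, sig, kpub, CERTIFIED, GOOD, key_hash(LOCAL["n"]))
    return unpinned, pinned

if __name__ == "__main__":
    print(demo())
```

Without the pin, every check on the slide passes even though the signing key is not the local TPM's; only the comparison against the barcode value ties the attestation to the machine in front of the user.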
20
Hardware Secure Channels
• Reuse an existing interface
– Existing interfaces do not support direct communication with the TPM
• Add a special-purpose interface
– Reduces opportunities for user error
– Makes manufacturers unhappy
21
Choosing a Solution
• After analyzing 10 potential solutions, none is entirely satisfactory
• Preferred solutions:
– Short-term: Seeing-is-Believing
– Long-term: Special-purpose Interface
22
Related Work
• Device Pairing
– Typically assumes both devices are trusted
• Kiosk Computing [Garriss et al., ‘08]
– Even more difficult, since hardware integrity may not be guaranteed
• Secure Object Identification [Alkassar et al., ‘03], [Brands & Chaum ‘94]
– Solutions inappropriate to TPM setting
23
Conclusions
• Trust in your local computer is critical
• Due to the cuckoo attack, current techniques cannot bootstrap trust
• Changes are needed to make useful security guarantees