CSc 466/566 Computer Security 9 : Operating Systems...
Transcript of CSc 466/566 Computer Security 9 : Operating Systems...
![Page 1: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/1.jpg)
CSc 466/566
Computer Security
9 : Operating Systems — IntroductionVersion: 2012/03/06 12:17:36
Department of Computer ScienceUniversity of Arizona
Copyright c© 2012 Christian Collberg
Christian Collberg
1/118
![Page 2: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/2.jpg)
Outline
1 IntroductionProcessesInter-Process CommunicationMemory managementVirtual machines
2 Process Security3 Authenticated boot
Trusted bootTaking measurementsThe TPMThe challengePrivacy issuesApplications and Controversies
4 Pioneer5 XOM
The XOM architecturePreventing replay attacksFixing a leaky address busFixing a leaky data busDiscussion
6 Filesystem SecuritySetUIDFile DescriptorsSymbolic Links
7 Summary
Introduction 2/118
![Page 3: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/3.jpg)
Operating Systems
The OS manages hardware devices (CPU, memory, networkinterfaces, output devices).
The OS manages multiple users with different access rights.
The OS manages multiple concurrent processes(multitasking) with different access rights.
Users and processes should not be allowed to damage sharedresources.
Introduction 3/118
![Page 4: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/4.jpg)
OS Layers
Userland: User Applications
OS: Non-essential Services
OS: Kernel
Hardware: CPU, Memory, I/O
Kernel : manages low-level resources (memory, processors,I/O devices).
Non-essential OS Services : printing, . . .
I/O : USB, network interfaces, . . . , are managed bydevice drivers .
Introduction 4/118
![Page 5: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/5.jpg)
System Calls
Userland: User Applications
OS: Non-essential Services
OS: Kernel
Hardware: CPU, Memory, I/O
User processes ask for services from the OS by issuingsystem calls ( syscalls ):
1 The user application signals the processor by issuing asoftware interrupt ;
2 the CPU switches control to an interrupt handler ;3 we enter kernel mode (the process traps );4 the system call executes.
Introduction 5/118
![Page 6: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/6.jpg)
Processes
Processes are created by and managed by the kernel.
Time slicing : The kernel gives each process a fair amount oftime.
A parent process creates a child process by forking :
The child has the same privileges as the parent.The child inherits the parent’s file descriptors.
The init process is the root of the process tree .
Introduction 6/118
![Page 7: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/7.jpg)
> pstree
-+= 00001 root /sbin/launchd
|--= 00012 root /usr/libexec/kextd
|--= 00013 root /usr/libexec/UserEventAgent -l System
|-+= 00054 root /usr/sbin/cupsd -l
| |--= 00202 _lp HP_LaserJet_1012 9 collberg xfig-batch.nTr527 1 finishings=3
| \--= 00203 _lp usb://Hewlett-Packard/hp%20LaserJet%201012?serial=00CNFB313769
|-+= 00055 root /usr/sbin/httpd -D FOREGROUND -D WEBSHARING_ON
| |--- 00199 _www /usr/sbin/httpd -D FOREGROUND -D WEBSHARING_ON
| |--- 52411 _www /usr/sbin/httpd -D FOREGROUND -D WEBSHARING_ON
| \--- 54604 _www /usr/sbin/httpd -D FOREGROUND -D WEBSHARING_ON
|--= 00056 root /usr/sbin/cron
|-+= 00223 collberg /sbin/launchd
| |--= 00233 collberg /usr/sbin/distnoted agent
| |--= 00240 collberg /usr/libexec/UserEventAgent -l Aqua
| |-+= 00249 collberg /Applications/iTerm.app/Contents/MacOS/iTerm -psn_0_32776
| | |-+= 83311 root login -fp collberg
| | | \-+= 83312 collberg -tcsh
| | | \--= 06649 collberg /usr/local/bin/email -tls -smtp-auth login -smtp-server
| | |-+= 79257 root login -fp collberg
| | | \-+= 79258 collberg -tcsh
| | | |--= 07961 collberg /Applications/Emacs.app/Contents/MacOS/Emacs slides.tex
| | | \-+= 08109 collberg pstree
| | | \--- 08110 root ps -axwwo user,pid,ppid,pgid,command
![Page 8: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/8.jpg)
Process Privileges
Each process has a uid (user ID) and gid (group ID) thatidentifies the user/group for the process.
Effective User ID (euid) — used when deciding a process’access privileges.
Introduction 8/118
![Page 9: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/9.jpg)
Inter-Process Communication
Sockets and pipes
Signals — asynchronous communication between processes.When a process receives a signal, the process is interruptedand a handler is invoked.
Remote Procedure Call (RPC) — One process invokes aprocedure in another process.
Introduction 9/118
![Page 10: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/10.jpg)
Memory management
Stack High addresses
Heap
BSS (uninitialized)
Data (initialized)
Text (code) Low addresses
Each executing process’ address space is separated into fiveregions.
Each region has access restrictions (read,execute,write).
The OS enforces address space boundaries between processes.
Introduction 10/118
![Page 11: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/11.jpg)
Virtual memory
Virtual Page 1 Physical Page 1
Virtual Page 2 Physical Page 2
Virtual Page 3 Physical Page 3
Virtual Page 4 Physical Page 4
Virtual Page 5 Physical Page 5
Disk
Each process sees a virtual address space . Virtual pages aremapped onto physical pages.From the process’ point of view, memory is large andcontiguous.Not currently needed pages are paged out to disk.
Introduction 11/118
![Page 12: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/12.jpg)
Virtual memory. . .
Typical memory management system:
TLB miss
OffsetPage Frame
Physical Address
OffsetPage Index
Virtual Address
Page Tables TLB
TLB hit
On a memory access, the Memory Management Unit (MMU)looks up real address from the virtual address.
On a TLB miss walk the page tables (slow), and update theTLB with the new virtual-to-physical address mapping.
Introduction 12/118
![Page 13: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/13.jpg)
Virtual machines
Guest OS 1 Guest OS 2 Guest OS 3
Hypervisor
Hardware
A Virtual Machine (VM) provides a simulated environment.
Hypervisor (Virtual Machine Monitor (VMM)) — softwarelayer that provides the environment.
Native virtualization — The VMM runs on the bare hardware.
Guest OS — the OS running inside the VM.
Introduction 13/118
![Page 14: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/14.jpg)
Virtual machines. . .
Guest 1 Guest 2 Guest 3 Guest 4 Guest 5
Hypervisor 1 Hypervisor 2
Host
Hardware
Hosted virtualization — The VMM runs inside the Host OS .
Introduction 14/118
![Page 15: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/15.jpg)
Implementing virtual machines — Advantages
Hardware efficiency — multiple OSs on the same machine.
Portability — snapshot the state of the OS and move toother hardware.
Security — the guest OS runs in a sandbox , on a breach it iseasy to shut it down without affecting any other services.
Introduction 15/118
![Page 16: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/16.jpg)
Implementing virtual machines — Emulation
Emulation — instructions are translated on-the-fly.
Linux operating system (to the left) booting inside the Bochsx86 emulator (right) while running on a PowerPC Macintoshcomputer.
Performance issues.
Introduction 16/118
![Page 17: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/17.jpg)
![Page 18: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/18.jpg)
Implementing virtual machines — Virtualization
Virtualization — Host and guest OSs run on the samehardware.
Virtual and physical interfaces are matched.
The hypervisor can insert actions on system calls, for example.
Introduction 18/118
![Page 19: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/19.jpg)
Outline
1 IntroductionProcessesInter-Process CommunicationMemory managementVirtual machines
2 Process Security3 Authenticated boot
Trusted bootTaking measurementsThe TPMThe challengePrivacy issuesApplications and Controversies
4 Pioneer5 XOM
The XOM architecturePreventing replay attacksFixing a leaky address busFixing a leaky data busDiscussion
6 Filesystem SecuritySetUIDFile DescriptorsSymbolic Links
7 Summary
Process Security 19/118
![Page 20: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/20.jpg)
Process Security
We must monitor the processes running on a computer.
Our trust depends on all the processes that are running:1 the first one when the computer starts up,2 the processes it starts,3 the processes they start,4 . . .
Process Security 20/118
![Page 21: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/21.jpg)
The Boot Sequence
BIOS
CPU Secondary Loader
OS
On system startup:1 the BIOS firmware is executed;2 the BIOS loadd the second-stage boot loader ;3 the second-stage boot loader loads the rest of the OS;4 control is passed to the OS.
A malicious user could take control at any point.
A BIOS password stops the second-stage boot loader fromexecuting.
Process Security 21/118
![Page 22: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/22.jpg)
Hibernation
hibernate.mem
When hibernating, the OS stores the memory image to file.
Attack:1 Restart the computer with a LiveCD.2 Extract passwords etc. from hibernation file.
Defense: hard disk encryption.
Process Security 22/118
![Page 23: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/23.jpg)
Event Logging and Process Monitoring
Monitor log files in /var/log for unusual events.
Monitor processes (MacOSX: Activity Monitor, Windows:Process Explorer).
Detect attacks:1 Locate malware with the same name as a real application, but
in the wrong location.
Process Security 23/118
![Page 24: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/24.jpg)
Outline
1 IntroductionProcessesInter-Process CommunicationMemory managementVirtual machines
2 Process Security3 Authenticated boot
Trusted bootTaking measurementsThe TPMThe challengePrivacy issuesApplications and Controversies
4 Pioneer5 XOM
The XOM architecturePreventing replay attacksFixing a leaky address busFixing a leaky data busDiscussion
6 Filesystem SecuritySetUIDFile DescriptorsSymbolic Links
7 Summary
Authenticated boot 24/118
![Page 25: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/25.jpg)
Authenticated boot
We’ve assumed the program executes in an untrustedenvironment. The adversary can
1 examine (reverse engineer),2 modify (tamper),3 copy (pirate),
our program.
Authenticated boot 25/118
![Page 26: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/26.jpg)
Authenticated boot
We’ve assumed the program executes in an untrustedenvironment. The adversary can
1 examine (reverse engineer),2 modify (tamper),3 copy (pirate),
our program.
What if we could trust the client to run trusted1 hardware,2 operating system,3 applications?
Authenticated boot 25/118
![Page 27: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/27.jpg)
Authenticated boot
We’ve assumed the program executes in an untrustedenvironment. The adversary can
1 examine (reverse engineer),2 modify (tamper),3 copy (pirate),
our program.
What if we could trust the client to run trusted1 hardware,2 operating system,3 applications?
Authenticated (or trusted) boot : before you agree tocommunicate with a system (to allow it to buy a programfrom you, for example) you ask it to prove to you that itwon’t do anything bad.
Authenticated boot 25/118
![Page 28: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/28.jpg)
Authenticated boot
Trusted Platform Module (TPM) — Some PCs (such as IBMlaptops) already have a TPM soldered onto the motherboard.
There are research systems built on top of the TPm toprovide trust.
However, at the present time, no actual deployed systems.
Authenticated boot 26/118
![Page 29: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/29.jpg)
Authenticated boot: Scenario
1 You want your program to run on Bob’s computer.
Authenticated boot 27/118
![Page 30: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/30.jpg)
Authenticated boot: Scenario
1 You want your program to run on Bob’s computer.2 Your program contains a secret, so you encrypt it.
Authenticated boot 27/118
![Page 31: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/31.jpg)
Authenticated boot: Scenario
1 You want your program to run on Bob’s computer.2 Your program contains a secret, so you encrypt it.3 You tell Bob to boot an operating system eOS that handles
encrypted executables.
Authenticated boot 27/118
![Page 32: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/32.jpg)
Authenticated boot: Scenario
1 You want your program to run on Bob’s computer.2 Your program contains a secret, so you encrypt it.3 You tell Bob to boot an operating system eOS that handles
encrypted executables.4 But, is Bob actually running eOS? Could he be cheating?
Authenticated boot 27/118
![Page 33: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/33.jpg)
Authenticated boot: Scenario
1 You want your program to run on Bob’s computer.2 Your program contains a secret, so you encrypt it.3 You tell Bob to boot an operating system eOS that handles
encrypted executables.4 But, is Bob actually running eOS? Could he be cheating?5 Bob could tell you he booted into the version of eOS you gave
him, while in facthe first hacked it to leak the encryption keys.
Authenticated boot 27/118
![Page 34: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/34.jpg)
Authenticated boot: Scenario
1 You want your program to run on Bob’s computer.2 Your program contains a secret, so you encrypt it.3 You tell Bob to boot an operating system eOS that handles
encrypted executables.4 But, is Bob actually running eOS? Could he be cheating?5 Bob could tell you he booted into the version of eOS you gave
him, while in facthe first hacked it to leak the encryption keys.6 You ask Bob compute a cryptographic hash over the kernel,
and send it to you. Unless he lies about the hash, you shouldbe fine!
Authenticated boot 27/118
![Page 35: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/35.jpg)
Authenticated boot: Scenario
1 You want your program to run on Bob’s computer.2 Your program contains a secret, so you encrypt it.3 You tell Bob to boot an operating system eOS that handles
encrypted executables.4 But, is Bob actually running eOS? Could he be cheating?5 Bob could tell you he booted into the version of eOS you gave
him, while in facthe first hacked it to leak the encryption keys.6 You ask Bob compute a cryptographic hash over the kernel,
and send it to you. Unless he lies about the hash, you shouldbe fine!
7 Now, the kernel was started by a bootloader, and Bob couldhave hacked it, to modify the eOS image before loading it.
Authenticated boot 27/118
![Page 36: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/36.jpg)
Authenticated boot: Scenario
1 You want your program to run on Bob’s computer.2 Your program contains a secret, so you encrypt it.3 You tell Bob to boot an operating system eOS that handles
encrypted executables.4 But, is Bob actually running eOS? Could he be cheating?5 Bob could tell you he booted into the version of eOS you gave
him, while in facthe first hacked it to leak the encryption keys.6 You ask Bob compute a cryptographic hash over the kernel,
and send it to you. Unless he lies about the hash, you shouldbe fine!
7 Now, the kernel was started by a bootloader, and Bob couldhave hacked it, to modify the eOS image before loading it.
8 So, you ask Bob to send you a hash of the bootloader.
Authenticated boot 27/118
![Page 37: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/37.jpg)
Authenticated boot: Scenario
1 You want your program to run on Bob’s computer.2 Your program contains a secret, so you encrypt it.3 You tell Bob to boot an operating system eOS that handles
encrypted executables.4 But, is Bob actually running eOS? Could he be cheating?5 Bob could tell you he booted into the version of eOS you gave
him, while in facthe first hacked it to leak the encryption keys.6 You ask Bob compute a cryptographic hash over the kernel,
and send it to you. Unless he lies about the hash, you shouldbe fine!
7 Now, the kernel was started by a bootloader, and Bob couldhave hacked it, to modify the eOS image before loading it.
8 So, you ask Bob to send you a hash of the bootloader.9 Of course, the bootloader was started by the BIOS, and it
could have been hacked!
Authenticated boot 27/118
![Page 38: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/38.jpg)
Authenticated boot: Scenario
1 You want your program to run on Bob’s computer.2 Your program contains a secret, so you encrypt it.3 You tell Bob to boot an operating system eOS that handles
encrypted executables.4 But, is Bob actually running eOS? Could he be cheating?5 Bob could tell you he booted into the version of eOS you gave
him, while in facthe first hacked it to leak the encryption keys.6 You ask Bob compute a cryptographic hash over the kernel,
and send it to you. Unless he lies about the hash, you shouldbe fine!
7 Now, the kernel was started by a bootloader, and Bob couldhave hacked it, to modify the eOS image before loading it.
8 So, you ask Bob to send you a hash of the bootloader.9 Of course, the bootloader was started by the BIOS, and it
could have been hacked!10 So, Bob sends you a hash of it, but. . .
Authenticated boot 27/118
![Page 39: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/39.jpg)
Algorithm: Authenticated boot
Before you agree to communicate with a system you ask it toprove to you that it won’t do anything bad.
Authenticated boot 28/118
![Page 40: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/40.jpg)
Algorithm: Authenticated boot
Before you agree to communicate with a system you ask it toprove to you that it won’t do anything bad.
Anything that’s running on Bob’s computer could, potentially,affect whether you should trust it:
1 OS,2 BIOS,3 bootloader,4 application programs,5 firmware, . . .
Authenticated boot 28/118
![Page 41: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/41.jpg)
Authenticated boot: Basic idea
The idea of trusted ¿boot is to measure every potentiallyhostile piece of software running on a computer, and compareit against a library of known-good-measurements .
Measure : “compute a cryptographic hash of”
Known-good-measurement : a hash of a program you trust.
If Bob can convince you that his computer, from the groundup, only runs code you trust, then you should have noproblem handing him (or selling him) a program to run.
Authenticated boot 29/118
![Page 42: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/42.jpg)
Authenticated boot
then load
measurethen load
measurethen load
measurethen load
measure
CRTM
kernel
BIOS
loader
Authenticated boot 30/118
![Page 43: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/43.jpg)
Authenticated boot: Basic idea
At the very bottom of the stack of turtles there are two thingsyou need to trus:
1 Core Root of Trust Measurement (CRTM): piece of codecontained in the BIOS which measures itself and the BIOS,before letting the BIOS execute.
2 Tamperproof Module : this is where the measurements arestored.
Authenticated boot 31/118
![Page 44: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/44.jpg)
Authenticated boot: Basic idea
At the very bottom of the stack of turtles there are two thingsyou need to trus:
1 Core Root of Trust Measurement (CRTM): piece of codecontained in the BIOS which measures itself and the BIOS,before letting the BIOS execute.
2 Tamperproof Module : this is where the measurements arestored.
The BIOS measures the bootloader, stores away themeasurement and lets the bootloader execute.
Authenticated boot 31/118
![Page 45: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/45.jpg)
Authenticated boot: Basic idea
At the very bottom of the stack of turtles there are two thingsyou need to trus:
1 Core Root of Trust Measurement (CRTM): piece of codecontained in the BIOS which measures itself and the BIOS,before letting the BIOS execute.
2 Tamperproof Module : this is where the measurements arestored.
The BIOS measures the bootloader, stores away themeasurement and lets the bootloader execute.
The bootloader measures the OS kernel, saves the result, andloads the OS.
Authenticated boot 31/118
![Page 46: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/46.jpg)
Authenticated boot: Basic idea
At the very bottom of the stack of turtles there are two thingsyou need to trus:
1 Core Root of Trust Measurement (CRTM): piece of codecontained in the BIOS which measures itself and the BIOS,before letting the BIOS execute.
2 Tamperproof Module : this is where the measurements arestored.
The BIOS measures the bootloader, stores away themeasurement and lets the bootloader execute.
The bootloader measures the OS kernel, saves the result, andloads the OS.
The OS measures kernel modules, configuration files, storesthem in the TPM, then lets applications run.
Authenticated boot 31/118
![Page 47: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/47.jpg)
Secure boot vs. Authenticated boot
Secure boot : only ever boot a system consisting of code thatyou trust.
Authenticated boot :
Bob can boot whatever system he wants!But, he cannot lie about what system he’s booted!
Authenticated boot 32/118
![Page 48: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/48.jpg)
Taking measurements
1 User hits power button.
Authenticated boot 33/118
![Page 49: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/49.jpg)
Taking measurements
1 User hits power button.
2 The computer’s POST (Power On and Self Test) function isinvoked.
Authenticated boot 33/118
![Page 50: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/50.jpg)
Taking measurements
1 User hits power button.
2 The computer’s POST (Power On and Self Test) function isinvoked.
3 The BIOS is loaded and run.
Authenticated boot 33/118
![Page 51: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/51.jpg)
Taking measurements
1 User hits power button.
2 The computer’s POST (Power On and Self Test) function isinvoked.
3 The BIOS is loaded and run.
4 The BIOS initializes the TPM.
Authenticated boot 33/118
![Page 52: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/52.jpg)
Taking measurements
1 User hits power button.
2 The computer’s POST (Power On and Self Test) function isinvoked.
3 The BIOS is loaded and run.
4 The BIOS initializes the TPM.
5 The BIOS invokes the CRTM (contained inside the BIOS).
Authenticated boot 33/118
![Page 53: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/53.jpg)
Taking measurements
1 User hits power button.
2 The computer’s POST (Power On and Self Test) function isinvoked.
3 The BIOS is loaded and run.
4 The BIOS initializes the TPM.
5 The BIOS invokes the CRTM (contained inside the BIOS).
6 The CRTM compute a SHA-1 hash over the BIOS.
Authenticated boot 33/118
![Page 54: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/54.jpg)
Taking measurements
1 User hits power button.
2 The computer’s POST (Power On and Self Test) function isinvoked.
3 The BIOS is loaded and run.
4 The BIOS initializes the TPM.
5 The BIOS invokes the CRTM (contained inside the BIOS).
6 The CRTM compute a SHA-1 hash over the BIOS.
7 The BIOS compute a SHA-1 hash over the BootLoader.
Authenticated boot 33/118
![Page 55: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/55.jpg)
Taking measurements
1 User hits power button.
2 The computer’s POST (Power On and Self Test) function isinvoked.
3 The BIOS is loaded and run.
4 The BIOS initializes the TPM.
5 The BIOS invokes the CRTM (contained inside the BIOS).
6 The CRTM compute a SHA-1 hash over the BIOS.
7 The BIOS compute a SHA-1 hash over the BootLoader.
8 The BIOS runs the BootLoader.
Authenticated boot 33/118
![Page 56: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/56.jpg)
Taking measurements
1 User hits power button.
2 The computer’s POST (Power On and Self Test) function isinvoked.
3 The BIOS is loaded and run.
4 The BIOS initializes the TPM.
5 The BIOS invokes the CRTM (contained inside the BIOS).
6 The CRTM compute a SHA-1 hash over the BIOS.
7 The BIOS compute a SHA-1 hash over the BootLoader.
8 The BIOS runs the BootLoader.
9 The BootLoader measures and calls the OSKernel.
Authenticated boot 33/118
![Page 57: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/57.jpg)
Taking measurements
1 User hits power button.
2 The computer’s POST (Power On and Self Test) function isinvoked.
3 The BIOS is loaded and run.
4 The BIOS initializes the TPM.
5 The BIOS invokes the CRTM (contained inside the BIOS).
6 The CRTM compute a SHA-1 hash over the BIOS.
7 The BIOS compute a SHA-1 hash over the BootLoader.
8 The BIOS runs the BootLoader.
9 The BootLoader measures and calls the OSKernel.
10 The OSKernelh measures and calls an application.
Authenticated boot 33/118
![Page 58: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/58.jpg)
Stored Measurement Lists
s t a t i c c l a s s OSKernel {pub l i c s t a t i c L i n k e dL i s t [ ] SML;pub l i c s t a t i c void run ( ) {
SML = new L i n k e dL i s t [TPM. NumberOfPCRs ] ;f o r ( i n t i =0; i<TPM. NumberOfPCRs ; i++)
SML[ i ] = new L i n k e dL i s t ( ) ;SML [ 0 ] . addLast (BIOS . BIOSHash ) ;SML [ 1 ] . addLast (BIOS . BootLoaderHash ) ;SML [ 2 ] . addLast (BIOS . OSKernelHash ) ;TPM. extend (10 ,TPM. SHA1( App l i c a t i o n . code ) ) ;SML[ 1 0 ] . addLast (TPM.SHA1( App l i c a t i o n . code ) ) ;TPM. extend (10 ,TPM. SHA1( App l i c a t i o n . i n pu t ) ) ;SML[ 1 0 ] . addLast (TPM.SHA1( App l i c a t i o n . i n pu t ) ) ;A p p l i c a t i o n . run ( ) ;
}}Authenticated boot 34/118
![Page 59: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/59.jpg)
Stored Measurement Lists
Each measurement is stored in two places:1 on the TPM (using the TPM.extend() call);2 in the kernel in an array of lists, Stored Measurement List
(SML).
When you challenge the computer to prove that it’s benign itwill return the SML so that you can check that all themeasurements correspond to programs you trust.
The SML is stored in the kernel (not on the TPM) because itcould be large.
Authenticated boot 35/118
![Page 60: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/60.jpg)
Stored Measurement Lists. . .
Just storing the hashes in the kernel isn’t enough — thekernel could be malicious and lie about them!
The TPM thefore stores a “summary” of the hashes — a“digest-of-the-digests” — in on-chip registers.
There are 16 Platform Configuration Registers (PCR), 20 byteslong, the size of a SHA-1 hash.
Authenticated boot 36/118
![Page 61: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/61.jpg)
The TPM
s t a t i c c l a s s TPM {pub l i c s t a t i c f i n a l i n t NumberOfPCRs = 16;pr i va te s t a t i c byte [ ] [ ] PCR ;pub l i c s t a t i c void extend ( i n t i , byte [ ] b ) {
i n t l e n = 1 + PCR[ i ] . l e n g t h + add . l e n g t h ;ubyte [ ] r e s = new byte [ l e n ] ;r e s [ 0 ] = ( byte ) i ;System . a r r a ycopy (
PCR[ i ] , 0 , r e s , 1 , PCR[ i ] . l e n g t h ) ;System . a r r a ycopy (
add , 0 , r es , PCR [ i ] . l eng th , add . l e n g t h ) ;return SHA1( r e s ) ;
}}
Authenticated boot 37/118
![Page 62: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/62.jpg)
The TPM. . .
The extend(i,b) function doesn’t just assign a new value toPCR[i].
It extends it by computing
PCR[i] = SHA1(i ‖ PCR[i] ‖ b).
Each PCR[i] register becomes a combination of all hashesever assigned to it and preserves the order in which themeasurements were added.
Authenticated boot 38/118
![Page 63: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/63.jpg)
The TPM: Data and Functions
s t a t i c c l a s s TPM {pr i va te s t a t i c KeyPai r EK ;pr i va te s t a t i c byte [ ] [ ] PCR ;pr i va te s t a t i c byte [ ] owne rSec r e t ;pub l i c s t a t i c void extend ( i n t i , byte [ ] b )pub l i c s t a t i c Object [ ] quote ( byte [ ] nonce )pub l i c s t a t i c byte [ ] SHA1 ( byte [ ] b )pub l i c s t a t i c byte [ ] s ignRSA (
Object data , P r i v a t eKey key )pub l i c s t a t i c KeyPai r generateRSAKeyPai r ( )pub l i c s t a t i c byte [ ] RND( i n t s i z e )pub l i c s t a t i c void atManufactu re ( )pub l i c s t a t i c void takeOwnersh ip (
byte [ ] password )pub l i c s t a t i c void POST( )
}Authenticated boot 39/118
![Page 64: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/64.jpg)
The TPM: Data and Functions
pub l i c s t a t i c void atManufactu re ( ) {EK = generateRSAKeyPai r ( ) ;
}pub l i c s t a t i c void takeOwnersh ip (
byte [ ] password ) {owne rSec r e t = password ;
}pub l i c s t a t i c void POST( ) {
PCR = new byte [ NumberOfPCRs ] [ ] ;f o r ( i n t i =0; i<NumberOfPCRs ; i++)
PCR[ i ] = new byte [ 2 0 ] ;}
Authenticated boot 40/118
![Page 65: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/65.jpg)
The TPM: Data and Functions. . .
At manufacturing time the TPM gets a unique identity, an RSAkey pair (the Endorsement Key (EK)).
When the owner takes possession of the computer he givesthe TPM with a secret password.
At system startup time, the PCR registers are zeroed out.
Authenticated boot 41/118
![Page 66: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/66.jpg)
Client
01
15
...
Server
SHA-1()
EK
PCR[0]PCR[1]
PCR[15]
nonce←RND()send nonce
1.
kernelSML:
![Page 67: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/67.jpg)
Client
01
15
...
Server
SHA-1()
EK
PCR[0]PCR[1]
PCR[15]
receive nonce2.nonce←RND()send nonce
1.
kernelSML:
![Page 68: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/68.jpg)
01
15
Server Client
SHA-1()
PCR[0]PCR[1]
PCR[15]
3. send (quote,SML)
receive nonce2.nonce←RND()send nonce
1.
kernel
quote← sig{PCR, nonce}EKpriv
SML:
![Page 69: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/69.jpg)
Client
01
15
...
Server
SHA-1()
EK
PCR[0]PCR[1]
PCR[15]
3. send (quote,SML)
receive nonce2.nonce←RND()send nonce
1.
kernel
quote← sig{PCR, nonce}EKpriv
receive (quote,SML)4.
SML:
![Page 70: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/70.jpg)
Client
01
15
...
Server
SHA-1()
EK
PCR[0]PCR[1]
PCR[15]
3. send (quote,SML)
receive nonce2.nonce←RND()send nonce
1.
kernel
quote← sig{PCR, nonce}EKpriv
receive (quote,SML)
cert(EK pub) OK?
4.
5.
SML:
![Page 71: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/71.jpg)
Client
01
15
...
Server
SHA-1()
EK
PCR[0]PCR[1]
PCR[15]
3. send (quote,SML)
receive nonce2.nonce←RND()send nonce
1.
kernel
quote← sig{PCR, nonce}EKpriv
receive (quote,SML)
cert(EK pub) OK?
sig{PCR, nonce2}EKprivvalid?
4.
5.
6.
SML:
![Page 72: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/72.jpg)
Client
01
15
...
Server
SHA-1()
EK
PCR[0]PCR[1]
PCR[15]
receive nonce2.nonce←RND()send nonce
1.3. send (quote,SML)
kernel
quote← sig{PCR, nonce}EKpriv
receive (quote,SML)
cert(EK pub) OK?
sig{PCR, nonce2}EKprivvalid?
nonce2 fresh?
4.
5.
6.
7.SML not tampered?measurements OK?
SML:
![Page 73: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/73.jpg)
The Challenge
✞ ☎
pub l i c s t a t i c Object [ ] quote ( byte [ ] nonce ) {Object [ ] data = { nonce ,PCR} ;byte [ ] s i g = signRSA ( data , EK . g e tP r i v a t e ( ) ) ;return new Object [ ] { nonce ,PCR, s i g } ;
}✝ ✆
To avoid replay attacks, the challenger starts by creating arandom value, a nonce , and sends it in a challenge to thecomputer.
The computer asks the TPM for a quote, i.e. the values of thePCRs, signed with the endorsement private key EKpriv
(actually, a different key is used, for privacy reasons).
Authenticated boot 43/118
![Page 74: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/74.jpg)
The Challenge. . .
The computer collects the stored measurement list SML,packages it all up, and returns the package to the challenger.
The challenger looks up a certificate corresponding to theTPM’s public key EKpub, and verifies that the TPM belongs to atrusted computer.
The challenger validates the signature on the package itreceived from the remote computer (only the TPM knows theprivate key EKpriv ).
The challenger walks through the stored measurement listsand, merges the values together by simulating the TPM’sextend() function. If the aggregate measurements matchthose of the PCRs you can be sure that the SML wasn’ttampered with.
Finally, check the measurements against a white- or blacklist.
Authenticated boot 44/118
![Page 75: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/75.jpg)
Privacy issues
We said that the computer is using the endorsement key EK toidentify itself.
We lied.
Using the EK is a really bad idea because it has the potentialto compromise your privacy.
The EK public key uniquely identifies the TPM, and hence you.
You want the challenger to learn that you’re using aTPM-enabled trusted platform but not which one, or else allyour transactions could be linked to each other.
Authenticated boot 45/118
![Page 76: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/76.jpg)
Attestation Identity Key
Instead we use a special RSA keypair, the Attestation IdentityKey (AIK) that the TPM manufactures before engaging in thechallenge protocol.
No one knows that the AIK and the EK actually represent thesame computer, except a a trusted third party,thePrivacy Certification Authority , (PrivacyCA).
The PrivacyCA knows all the public keys EK pub of allmanufactured TPMs.
The computer and the PrivacyCA engage in a protocol tomanufacture an identity credential that the computer can useto prove that it’s a compliant tamperproof platform, butwithout revealing exactly who it is.
Authenticated boot 46/118
![Page 77: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/77.jpg)
Protocol to manufacture an identity credential. . .
The computer holds three credentials:1 endorsement credential — the TPM is genuine, the EKpub is
the public part of the endorsement keypair that was squirtedinto it during manufacture (signed by the TPM manufacturer);
2 platform credential — the TPM and the motherboard it’s beensoldered onto make up a trusted system (signed by themanufacturer of the platform);
3 conformance credential — the platform has been tested by athird party and found to conform to certain security properties(signed by a testing lab).
Authenticated boot 47/118
![Page 78: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/78.jpg)
.........
.........
.........
.........
.........
..................
.........
.........
"A genuine TPM!"
signed,infineon.com
Endorsement Cred
Computer
"A trusted TPM ID!"
signed,
Identity Cred
privacyCA.com
Platform Cred
"A genuine platform!"
intel.com
Endorsement Cred
Conformance Cred
signed, signed,
Conformance Cred
UL.com
"I tested it all!"
PrivacyCA
AIK
EK
EK pub = . . .
version=...
AIKpub = . . .
AIK ← makeIdentity ()
test results=...
![Page 79: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/79.jpg)
Protocol to manufacture an identity credential. . .
To obtain an identity credential the computer1 asks the TPM to manufacture a new AIK key-pair;2 bundles up AIK pub together with all the credentials;3 sends everything off to the PrivacyCA.
The PrivacyCA
1 convinces itself that the credentials belong to a genuinuetamperproof platform;
2 issues the identity credential and returns it to the computer.
Authenticated boot 49/118
![Page 80: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/80.jpg)
Social trust
The endorsement, platform, and conformance credentials arepublished in the form of digital certificates.
The certificates are signed by companies willing to put theirgood name behind a guarantee that a particular computer canbe trusted.
This is a form of social trust .
You trust that the companies which manufactured and testedit are trustworthy.
If they didn’t take great care in ensuring that no security flawswere allowed to creep in — their brand name could bedamaged.
Authenticated boot 50/118
![Page 81: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/81.jpg)
Trusted third party limitation
Having to rely on a trusted third party (TTP) such as thePrivacyCA is limiting:
1 the PrivacyCA will be involved in every transaction;2 if the PrivacyCA’s security is compromised the identity of
every TPM will be revealed.
There are other protocols which avoid the TTP.
Authenticated boot 51/118
![Page 82: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/82.jpg)
Controversies
Hatred for Digital Rights Management.
Privacy issues.
Technical doubts that authenticated boot has any hope ofsucceeding in the real world.
Authenticated boot 52/118
![Page 83: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/83.jpg)
Technical issues: IBM’s implementation
Database of measurements for Redhat Fedora: 25000measurements.
A typical SML: 700-1000 measurements.
Authenticated boot 53/118
![Page 84: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/84.jpg)
Technical issues: IBM’s implementation
Database of measurements for Redhat Fedora: 25000measurements.
A typical SML: 700-1000 measurements.
How to collect “good” measurements:1 boot a “trusted system”2 measure all modules, config files, scripts ⇒ whitelist of hashes
Authenticated boot 53/118
![Page 85: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/85.jpg)
Technical issues: IBM’s implementation
Database of measurements for Redhat Fedora: 25000measurements.
A typical SML: 700-1000 measurements.
How to collect “good” measurements:1 boot a “trusted system”2 measure all modules, config files, scripts ⇒ whitelist of hashes
How to collect “bad” measurements:1 boot a compromised system (root kits, trojans, . . . )2 measure infected files ⇒ blacklist of hashes
How do we keep these lists up-to-date?!?!
Authenticated boot 53/118
![Page 86: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/86.jpg)
Uses and Abuses
Help digital rights management players to run untampered onPCs.
Before you’re allowed you to buy and download a movie, themovie studio will verify that only approved software andhardware is installed on your computer.
If you have the SoftICE debugger on your harddisk, or you’rerunning an out-of-date kernel, or your media, you’re out ofluck.
If you are approved, the movie will be encrypted with yourpublic key AIKpub so that only an approved player running onan approved OS on a computer with an approved TPM candecrypt and play it.
Actually,the movie will now only play on your computer sinceit’s been tied directly to your TPM.
Authenticated boot 54/118
![Page 87: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/87.jpg)
Uses and Abuses. . .
If your OS happens to be localized to a part of the worldwhere the movie has yet to appear in theaters, the studio maydecide to refuse the download.
The OS can’t lie about any of the files on the harddisk,including any configuration files, it can’t lie about in whichpart of the world it’s running.
Authenticated boot 55/118
![Page 88: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/88.jpg)
Sealing
Disney encrypts Nemo with a special sealing key Seal .
Authenticated boot 56/118
![Page 89: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/89.jpg)
Sealing
Disney encrypts Nemo with a special sealing key Seal .
Seal depends on
the values in the PCRsthe TPM itself.
⇒ your friend with an identical computer can’t watch yourcopy of Nemo!
Authenticated boot 56/118
![Page 90: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/90.jpg)
Sealing
Disney encrypts Nemo with a special sealing key Seal .
Seal depends on
the values in the PCRsthe TPM itself.
⇒ your friend with an identical computer can’t watch yourcopy of Nemo!
If you reboot with slightly hacked OS
the PCRs will have changed⇒ the Seal will be different⇒ you can’t decrypt Nemo!
Authenticated boot 56/118
![Page 91: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/91.jpg)
Sealing
Disney encrypts Nemo with a special sealing key Seal .
Seal depends on
the values in the PCRsthe TPM itself.
⇒ your friend with an identical computer can’t watch yourcopy of Nemo!
If you reboot with slightly hacked OS
the PCRs will have changed⇒ the Seal will be different⇒ you can’t decrypt Nemo!
Microsoft could do the same to protect Office.
Authenticated boot 56/118
![Page 92: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/92.jpg)
Outline
1 IntroductionProcessesInter-Process CommunicationMemory managementVirtual machines
2 Process Security3 Authenticated boot
Trusted bootTaking measurementsThe TPMThe challengePrivacy issuesApplications and Controversies
4 Pioneer5 XOM
The XOM architecturePreventing replay attacksFixing a leaky address busFixing a leaky data busDiscussion
6 Filesystem SecuritySetUIDFile DescriptorsSymbolic Links
7 Summary
Pioneer 57/118
![Page 93: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/93.jpg)
Pioneer
In a very restricted environment you can measure aspects ofthe untrusted client to verify that it is running the correctsoftware:
ClientServerm( )
C
C
Pioneer 58/118
![Page 94: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/94.jpg)
Pioneer
In a very restricted environment you can measure aspects ofthe untrusted client to verify that it is running the correctsoftware:
ClientServerm( )
C
C
Assume1 The the client’s hardware configuration is known;2 The client-server latency is known;3 The client can only communicate with the server.
Pioneer 58/118
![Page 95: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/95.jpg)
Pioneer
In a very restricted environment you can measure aspects ofthe untrusted client to verify that it is running the correctsoftware:
ClientServerm( )
C
C
Assume1 The the client’s hardware configuration is known;2 The client-server latency is known;3 The client can only communicate with the server.
Applications:1 Check cell phone/PDA/smartcard for viruses;2 Check voting machine code;3 Check for rootkits on machines on your LAN.
Pioneer 58/118
![Page 96: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/96.jpg)
Pioneer. . .
Measure the untrusted client code:
Trusted site Untrusted site
response
challenge
took too long?
response OK?
compute
Pioneer 59/118
![Page 97: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/97.jpg)
Pioneer. . .
Measure the untrusted client code:
Trusted site Untrusted site
response
challenge
took too long?
response OK?
compute
Assume a very restricted environment :1 The the client’s hardware configuration is known;2 The client-server latency is known;3 The client can only communicate with the server.
Pioneer 59/118
![Page 98: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/98.jpg)
Pioneer. . .
Measure the untrusted client code:
Trusted site Untrusted site
response
challenge
took too long?
response OK?
compute
Assume a very restricted environment :1 The the client’s hardware configuration is known;2 The client-server latency is known;3 The client can only communicate with the server.
Applications:1 Check cell phone/PDA/smartcard for viruses;2 Check voting machine code;3 Check for rootkits on machines on your LAN.Pioneer 59/118
![Page 99: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/99.jpg)
Pioneer: Protocol
Basic idea: ask client for a hash of its code.
If1 the hash is the wrong value, or2 the computation took too long
the client has cheated!
The hash function is constructed such that it can’t becomputed quicker.
Pioneer 60/118
![Page 100: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/100.jpg)
Server Client
V :
executableE:
1.
send nonce
nonce←random()
t1 ←currentTime()
hash6()
send()
SHA-1()
![Page 101: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/101.jpg)
Server Client
V :
executableE:
2.1.
send nonce
nonce←random()
t1 ←currentTime() receive noncec ← hash6(nonce, V )send c
hash6()
send()
SHA-1()
![Page 102: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/102.jpg)
Server Client
V :
executableE:
2.1.
send nonce
3.
if t2 − t1 > ∆t or
receive c
nonce←random()
t2 ←currentTime()
t1 ←currentTime()
FAILc is wrong then
receive noncec ← hash6(nonce, V )send c
hash6()
send()
SHA-1()
![Page 103: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/103.jpg)
Server Client
V :
send hh← SHA-1(nonce||E)
executableE:
2.1.
send nonce
3.
if t2 − t1 > ∆t or
receive c
nonce←random()
t2 ←currentTime()
t1 ←currentTime()
FAILc is wrong then
receive noncec ← hash6(nonce, V )send c
hash6()
send()
SHA-1()
4.
![Page 104: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/104.jpg)
Server Client
V :
send hh← SHA-1(nonce||E)
executableE:
2.1.
send nonce
3.
if t2 − t1 > ∆t or
5.
FAIL
receive c
receive h
if h is wrong then
nonce←random()
t2 ←currentTime()
t1 ←currentTime()
FAILc is wrong then
receive noncec ← hash6(nonce, V )send c
hash6()
send()
SHA-1()
4.
![Page 105: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/105.jpg)
Server Client
6.send r
4.
send hh← SHA-1(nonce||E)
executableE:
2.1.
send nonce
3.
if t2 − t1 > ∆t or
5.
FAIL
receive c
receive h
if h is wrong then
nonce←random()
t2 ←currentTime()
t1 ←currentTime()
FAILc is wrong then
receive noncec ← hash6(nonce, V )send c
hash6()
send()
SHA-1()
V :
r ← execute E
![Page 106: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/106.jpg)
Server Client
6.send r
4.
send hh← SHA-1(nonce||E)
executableE:
2.1.
send nonce
3.
if t2 − t1 > ∆t or
5.
FAIL
receive c
receive h
if h is wrong then
receive r7.
nonce←random()
t2 ←currentTime()
t1 ←currentTime()
FAILc is wrong then
receive noncec ← hash6(nonce, V )send c
hash6()
send()
SHA-1()
V :
r ← execute E
![Page 107: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/107.jpg)
Pioneer: Protocol
The hash function must be time optimal , if not
the client can use the time he saved to execute his owninstructions without the server noticing.
Pioneer 62/118
![Page 108: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/108.jpg)
Pioneer: Protocol
The hash function must be time optimal , if not
the client can use the time he saved to execute his owninstructions without the server noticing.
Others have tried to extend the protocol to general scenarios— highly controversial .
Pioneer 62/118
![Page 109: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/109.jpg)
Outline
1 IntroductionProcessesInter-Process CommunicationMemory managementVirtual machines
2 Process Security3 Authenticated boot
Trusted bootTaking measurementsThe TPMThe challengePrivacy issuesApplications and Controversies
4 Pioneer5 XOM
The XOM architecturePreventing replay attacksFixing a leaky address busFixing a leaky data busDiscussion
6 Filesystem SecuritySetUIDFile DescriptorsSymbolic Links
7 Summary
XOM 63/118
![Page 110: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/110.jpg)
Encrypted execution
Idea:
Encrypt the program.Keep a (unique) secret key in the CPU.Decrypt inside the CPU.
Protect algorithms (privacy)!
Protect from tampering (integrity)!
Protect from cloning (piracy)!
Assume the CPU cannot be tampered with.
XOM 64/118
![Page 111: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/111.jpg)
XOM Overview
server
ALU
cacheDES
RSA
AR
MCPU
Kpriv
Ksym
EKsym(P)
EKpub(Ksym)
P
Kpub
XOM 65/118
![Page 112: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/112.jpg)
XOM Overview. . .
1 To buy a program P from the server you start by handing ityour public RSA key Kpub.
XOM 66/118
![Page 113: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/113.jpg)
XOM Overview. . .
1 To buy a program P from the server you start by handing ityour public RSA key Kpub.
2 Kpriv is stored inside your CPU.
XOM 66/118
![Page 114: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/114.jpg)
XOM Overview. . .
1 To buy a program P from the server you start by handing ityour public RSA key Kpub.
2 Kpriv is stored inside your CPU.3 The server generates a symmetric session key Ksym and
encrypts P .
XOM 66/118
![Page 115: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/115.jpg)
XOM Overview. . .
1 To buy a program P from the server you start by handing ityour public RSA key Kpub.
2 Kpriv is stored inside your CPU.3 The server generates a symmetric session key Ksym and
encrypts P .4 It then encrypts the session key with Kpub.
XOM 66/118
![Page 116: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/116.jpg)
XOM Overview. . .
1 To buy a program P from the server you start by handing ityour public RSA key Kpub.
2 Kpriv is stored inside your CPU.3 The server generates a symmetric session key Ksym and
encrypts P .4 It then encrypts the session key with Kpub.5 The server creates a new executable file consisting of the
encrypted code and a file header containing the encryptedsession key, i.e.
[EKpub(Ksym)‖EKsym
(P)].
XOM 66/118
![Page 117: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/117.jpg)
XOM Overview. . .
1 To buy a program P from the server you start by handing ityour public RSA key Kpub.
2 Kpriv is stored inside your CPU.3 The server generates a symmetric session key Ksym and
encrypts P .4 It then encrypts the session key with Kpub.5 The server creates a new executable file consisting of the
encrypted code and a file header containing the encryptedsession key, i.e.
[EKpub(Ksym)‖EKsym
(P)].
6 You download this file and give it to the OS to execute.
XOM 66/118
![Page 118: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/118.jpg)
XOM Overview. . .
1 To buy a program P from the server you start by handing ityour public RSA key Kpub.
2 Kpriv is stored inside your CPU.3 The server generates a symmetric session key Ksym and
encrypts P .4 It then encrypts the session key with Kpub.5 The server creates a new executable file consisting of the
encrypted code and a file header containing the encryptedsession key, i.e.
[EKpub(Ksym)‖EKsym
(P)].
6 You download this file and give it to the OS to execute.7 The OS gives the CPU EKpub
(Ksym) and the CPU decrypts itwith Kpriv .
XOM 66/118
![Page 119: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/119.jpg)
XOM Overview. . .
1 To buy a program P from the server you start by handing ityour public RSA key Kpub.
2 Kpriv is stored inside your CPU.3 The server generates a symmetric session key Ksym and
encrypts P .4 It then encrypts the session key with Kpub.5 The server creates a new executable file consisting of the
encrypted code and a file header containing the encryptedsession key, i.e.
[EKpub(Ksym)‖EKsym
(P)].
6 You download this file and give it to the OS to execute.7 The OS gives the CPU EKpub
(Ksym) and the CPU decrypts itwith Kpriv .
8 The CPU can now decrypt and execute the encrypted code.
XOM 66/118
![Page 120: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/120.jpg)
XOM Overview. . .
The DES engine sits between external RAM and the cache sothat every piece of code or data that gets read or written willfirst pass through it.
In other words:
external RAM is always encrypted,internal data and code is always in the clear,the private key Kpriv and the decrypted symmetric Ksym neverleave the CPU.
XOM 67/118
![Page 121: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/121.jpg)
Encrypted execution — Consequences
Solves the copy protection problem — each program is tied toone CPU!
Solves the privacy problem — code or data always encryptedoff-chip!
Solves the integrity problem — changing encrypted code ishard!
Actually: There are still attacks!
XOM 68/118
![Page 122: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/122.jpg)
The XOM architecture
Stanford design.
Never implemented in silicon.
Simulated in software.
Operating system, XOMOS, runs on top of it.
XOM 69/118
![Page 123: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/123.jpg)
The XOM architecture — Compartments
Each process may run in different security mode.
Encrypted programs are slow!
Programs may switch between encrypted and cleartextexecution.
CPU has 4 Compartments :
logical containersprotect one process from being observed or modified byanother process.the OS is untrusted: runs in its own compartment!
Even a severely subverted operating system won’t be allowedto examine or manipulate another protected process!
XOM 70/118
![Page 124: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/124.jpg)
The XOM architecture — Compartments
Compartment 0 : code runs unencrypted
ACTIVE register: current executing compartment
Session key table : Maps compartment ID to key.
Each register is tagged with compartment key.
Each cache line is tagged with compartment key.
On-chip data is in cleartext.
On cache flush: encrypt!
XOM 71/118
![Page 125: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/125.jpg)
The XOM architecture — Example
ALUDESCPU
RAM
session-key table
ID session-key
0 --------
1 Asym
2 Bsym
3 --------
register file
reg contents tag
r0 42 0
r1 67 2
r2 314 2
r3 218 1
cache
addr cache line tag
0
1 I1 2
2 I2 1
3 D1 2
ACTIVE
2
Currently, two programs A and B are running.
XOM 72/118
![Page 126: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/126.jpg)
The XOM architecture — Example. . .
Two compartments, 1 and 2, for programs A and B .
Compartment 2 is the currently active.
Session-key table: 1 7→ Asym, 2 7→ Bsym.
Registers r1 and r2 belong to compartment 2, register r3 tocompartment 1.
Register r0 is unprotected ⇒ compartments 1 and 2 coulduse r0 for insecure communication.
XOM 73/118
![Page 127: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/127.jpg)
The XOM architecture — Example. . .
RAM
CPU
addr contents
0
1 Bsym(I1‖CRC (I1))2 Asym(I2‖CRC (I2))3 Bsym(D1‖CRC (D1))
XOM 74/118
![Page 128: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/128.jpg)
The XOM architecture — Example
The CPU tries to load data value D1 at address 3 into register r0:
1 Look in the cache line: empty!
XOM 75/118
![Page 129: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/129.jpg)
The XOM architecture — Example
The CPU tries to load data value D1 at address 3 into register r0:
1 Look in the cache line: empty!
2 Cache miss, read Bsym(D1‖CRC (D1)) from address 3.
XOM 75/118
![Page 130: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/130.jpg)
The XOM architecture — Example
The CPU tries to load data value D1 at address 3 into register r0:
1 Look in the cache line: empty!
2 Cache miss, read Bsym(D1‖CRC (D1)) from address 3.
3 Look up key for the active compartment: Bsym.
XOM 75/118
![Page 131: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/131.jpg)
The XOM architecture — Example
The CPU tries to load data value D1 at address 3 into register r0:
1 Look in the cache line: empty!
2 Cache miss, read Bsym(D1‖CRC (D1)) from address 3.
3 Look up key for the active compartment: Bsym.
4 Decrypt the cache-line!
XOM 75/118
![Page 132: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/132.jpg)
The XOM architecture — Example
The CPU tries to load data value D1 at address 3 into register r0:
1 Look in the cache line: empty!
2 Cache miss, read Bsym(D1‖CRC (D1)) from address 3.
3 Look up key for the active compartment: Bsym.
4 Decrypt the cache-line!
5 Adversary could have swapped D1it for another encryptedvalue from some other part of the code!
Store CRC hash of each cache line.If CRC doesn’t match ⇒ exception!Otherwise, load D1 into register r0Set r0’s tag to 2.
XOM 75/118
![Page 133: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/133.jpg)
The XOM architecture — ISA modifications
secure load reg, addr :
On a cache-miss, load the cache-line at addressaddr.Decrypt using the session key of the currentlyactive process.If the hash doesn’t validate, throw an exception.Store the decrypted value in regTag reg with the tag of the active process.
XOM 76/118
![Page 134: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/134.jpg)
The XOM architecture — ISA modifications. . .
secure store reg, addr :
reg’s tag 6= active tag, exception!Store reg to addr’s cache-lineSet the cache mine tag to the tag of the activeprocess.On a cache-flush:
1 Compute a hash of the cache line and its virtualmemory address,
2 Encrypt the cache-line and the hash with thesession key,
3 Write to memory.
XOM 77/118
![Page 135: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/135.jpg)
The XOM architecture — ISA modifications. . .
Insecure load and store instructions work on data in the nullcompartment:
load reg, addr :
1 Load the value at address addr into register reg2 Set its tag to 0.
store reg, addr :
1 If reg isn’t tagged with 0, exception!2 Write it to address addr.
XOM 78/118
![Page 136: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/136.jpg)
The XOM architecture — ISA modifications. . .
move to null reg : If reg’s tag is different from the active tag,throw an exception. Otherwise, set reg’s tag to 0.
move from null reg : If reg’s tag is isn’t 0, throw an exception.Otherwise, set reg’s tag to the tag of the currentlyactive process.
The OS needs to move data from a device into a user process.
Two processes can insecurely exchange data: process 1 loadsthe data into a register, changes its tag to 0, process 2changes the tag from 0 to its own tag value.
XOM 79/118
![Page 137: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/137.jpg)
The XOM architecture — ISA modifications. . .
Enter and exit protected mode:
enter addr : The encrypted session-key is stored at address addr.If it’s already been loaded into a slot in thesession-key table, just set the ACTIVE register to theslot tag. Otherwise, load the key, decrypt it with theCPU’s private key, store into an empty slot in thesession-key table, and set the ACTIVE register. Startfetching and decrypting instructions.
exit: Set ACTIVE to 0. Stop decrypting instructions.
XOM 80/118
![Page 138: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/138.jpg)
Attack: Replay!
The adversary can save a value from a particular location andthen later write it back into the same location!
Check that a value you write into memory hasn’t beenchanged the next time you read from the same location.
XOM 81/118
![Page 139: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/139.jpg)
Replay attacks — Merkle Tree
HH
CPU
ASH
HASH
HASH
HASH
HASH
HASHH
SAH H
ASH
ASH
HASH
HASH
HASH
HASH
HASH
ASH H
SAH
HASH
HASH
HASH
HASH
RAM
HASH
cache H
XOM 82/118
![Page 140: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/140.jpg)
Replay attacks — Merkle Tree. . .
The leaves of the tree are chunks of memory that you want toprotect.
Internal nodes are hashes of child nodes.
The root of the tree is a hash stored protected on the CPU.
A reply attack won’t work: the attacker can change a word inmemory, and the hash of the word, and the hash of the hash— but not the root!
XOM 83/118
![Page 141: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/141.jpg)
Replay attacks — Merkle Tree. . .
Performance. . .
Extra space: 14th of memory is taken up by hashes.
Extra cost in memory bandwidth: a balanced m-ary tree ofmemory of size N ⇒ logm(N) hash checks per read.
Solution: cache parts of the tree on chip in the L2 cache ⇒only 20% performance hit.
XOM 84/118
![Page 142: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/142.jpg)
Attack: Watching the address bus!
OK, so maybe the adversary can’t directly examine anexecutable since it’s encrypted.
He may still be able to extract information from it byexamining its control flow execution pattern.
In this attack the adversary examines the addresses goingacross the bus.
XOM 85/118
![Page 143: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/143.jpg)
Modular exponentiation routine
Consider the modular exponentiation routine used in RSA andDiffie-Hellman.
x is the private key, w bits long.
In the XOM architecture code and data doesn’t move.
Blocks of code are encrypted but reside in the same locationin memory throughout execution.
XOM 86/118
![Page 144: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/144.jpg)
Modular exponentiation routine. . .
✞ ☎
s [ 0 ] = 1 ;f o r ( k=0; k<w ; k++) {
i f ( x [ k ] == 1)R [ k ] = ( s [ k ]∗ y ) mod n ;
e l s e
R[ k ] = s [ k ] ;s [ k+1] = R[ k ]∗R[ k ] mod n
}return R[w−1] ;
✝ ✆
s[0]=1k=0
if (k<w)
if (x[k]==1) return R[w−1]
R[k]=s[k]R[k]=(s[k]*y) mod n
s[k+1]=R[k]*R[k] mod nk++goto B1
B0 :
B1 :
B2 :B6 :
B4 :B3 :
B5 :
XOM 87/118
![Page 145: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/145.jpg)
Examining runtime execution patterns
The encrypted blocks could be laid out in memory like this:
000 100 200 300 400 500 600
Ek(B0) Ek(B1) Ek(B2) Ek(B3) Ek(B4) Ek(B5) Ek(B6)
An adversary monitors the address bus while a secret messageis being decrypted would see:
〈000,100, 200, 300, 500,100, 200, 300, 500,100, 200, 400, 500,100, 200, 300, 500,
· · ·100,
600〉
XOM 88/118
![Page 146: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/146.jpg)
Examining runtime execution patterns
The adversary can draw several conclusions:1 There’s a loop involving B1 and B5.2 From B2 control either goes to B3 or B4, and from B3 and B4
we always proceed to B5 ⇒ if-then-else-statement!3 Reconstruct the control-flow graph!4 Pattern-match to see that this is the modular exponentiation
routine!
He still doesn’t know what’s inside the blocks.
Examine the trace:
A branch B2 → B3 ⇒ a 0!A branch B2 → B4 ⇒ a 1!(or possibly the opposite).
XOM 89/118
![Page 147: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/147.jpg)
Side-channel attacks
This is a form of a side-channel attack .
Variants to distinguish between B3 and B4:
use execution time,use energy consumption.
Noisy data: run multiple experiments.
XOM 90/118
![Page 148: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/148.jpg)
Side-channel attacks. . .
Our own measurements are watching addresses go by on theaddress bus.
These can be noisy too.
For example,if a routine is small enough to at least partially fitin on-chip caches, then some branches will not be exposed!
The adversary can turn off caching alltogether.
On the Intel X86: set bit 30 of status register CR0.
So, we can assume that all branches are exposed.
XOM 91/118
![Page 149: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/149.jpg)
Fixing a leaky address bus!
Idea: blocks must be constantly permuted in memory!
CPU has a shuffle buffer that keeps some memory blocks.
When a block is needed from memory it’s swapped with arandom block from the shuffle buffer.
A block is a cache line.
In other words:1 a block M is read from memory,2 a block S is selected randomly from the shuffle buffer,3 M replaces S in the buffer,4 S is written back to M ’s location.
XOM 92/118
![Page 150: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/150.jpg)
Shuffle Buffer Example
s[0]=1k=0
if (k<w)
if (x[k]==1) return R[w−1]
R[k]=s[k]R[k]=(s[k]*y) mod n
s[k+1]=R[k]*R[k] mod nk++goto B1
B0 :
B1 :
B2 :B6 :
B4 :B3 :
B5 :
7 blocks from our example program, all residing in memory.
The CPU has a 3-slot shuffle buffer.
XOM 93/118
![Page 151: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/151.jpg)
Shuffle Buffer Example. . .
First, three blocks are selected from memory and brought in topopulate the shuffle buffer.
STEP shuffle buffer memory
1 B0 B1 B2 B3 B4 B5 B6
2 B0 B1 B2 B3 B4 B5 B6
XOM 94/118
![Page 152: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/152.jpg)
Shuffle Buffer Example. . .
Next, B4 is needed so it’s brought in from memory, replaces blockB1 which was selected randomly from the shuffle buffer, and B1 iswritten back to memory, in B4’s place:
STEP shuffle buffer memory
3 B0 B4 B2 B3 B1 B5 B6
XOM 95/118
![Page 153: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/153.jpg)
Shuffle Buffer Example. . .
Next, B0 is swapped with B6, B4 with B5, and, finally, as theprogram is finishing executing, the blocks in the buffer are writtenback to memory:
STEP shuffle buffer memory
4 B6 B4 B2 B3 B1 B5 B0
5 B6 B5 B2 B3 B1 B4 B0
6 B6 B5 B2 B3 B1 B4 B0
XOM 96/118
![Page 154: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/154.jpg)
Shuffle Buffer Architecture
buffer
AM
300 500100 200 400000 600
1 2 3 4 5 60
600 400 SB2 300 500 SB1 SB0
controller
BAT cache
SB0
SB1
SB2
CPU
BAT:
cache shuffle
R
Ek (B4)Ek (B1) Ek (B0)Ek (B3)
Ek (B6)
Ek (B5)
Ek (B2)
XOM 97/118
![Page 155: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/155.jpg)
Shuffle Buffer Architecture. . .
The Block Address Table (BAT) keeps track of where blockscurrently reside (address in memory or shuffle buffer index).
On a cache miss, the controller queries the BAT for thecurrent location of the block. If the block is in the shufflebuffer already, it’s returned to the cache. If, on the otherhand, it’s in memory, it’s loaded and stored in both the cacheand the shuffle buffer.
Whatever block was evicted from the buffer gets written backto the location of the loaded block.
An on-chip BAT cache reduces the latency of checking theBAT.
XOM 98/118
![Page 156: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/156.jpg)
Attack: Watching the data bus!
After a while our adversary has noticed that blocks are beingcontinuously relocated.
So, he gets tired of watching the address bus.
Then can take to watching the data bus intead!
XOM 99/118
![Page 157: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/157.jpg)
Example
Assume these cipher-texts:
000 100 200 300 400 500 600
Ek(B0) = Ek (B1) = Ek(B2) = Ek(B3) = Ek(B4) = Ek (B5) = Ek(B6) =0000 1000 2000 3000 4000 5000 6000
Watch the cipher-texts going past on the data bus!
〈0000,1000, 2000, 3000, 5000,1000, 2000, 3000, 5000,1000, 2000, 4000, 5000,1000, 2000, 3000, 5000,
· · ·1000,
6000〉
XOM 100/118
![Page 158: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/158.jpg)
Fixing a leaky data bus
Watching the blocks go by on the data bus reveals as much aswatching addresses go by on the address bus!
Easy to fix:
When a block is written back to a new location make sure thatit has a different ciphertext.⇒ xor the cleartext block with its new address prior toencrypting it.
XOM 101/118
![Page 159: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/159.jpg)
The XOM architecture — Discussion
If you really want to protect your program you have to makesure that you hide everything that’s going on inside the CPUand you have to protect every piece of code and data thatgets stored off-chip.
You cannot1 leak any information in the address stream,2 leak any information on the data bus,3 can’t let the adversary change or replay a single bit in memory
without you detecting it.
Performance. . .
system-on-a-chip : If the CPU and RAM both reside in thesame physical capsule then there’s no need to worry aboutanyone snooping on the bus.
XOM 102/118
![Page 160: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/160.jpg)
Outline
1 IntroductionProcessesInter-Process CommunicationMemory managementVirtual machines
2 Process Security3 Authenticated boot
Trusted bootTaking measurementsThe TPMThe challengePrivacy issuesApplications and Controversies
4 Pioneer5 XOM
The XOM architecturePreventing replay attacksFixing a leaky address busFixing a leaky data busDiscussion
6 Filesystem SecuritySetUIDFile DescriptorsSymbolic Links
7 Summary
Filesystem Security 103/118
![Page 161: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/161.jpg)
Virtual Memory Security
On some systems, a swap file holds all virtual memory pages.
Attack:1 Abruptly power down the computer;2 Re-boot with a LiveCD;3 Search swap file for passwords, keys, etc.
Defense: Don’t store passwords in cleartext in memory.
Filesystem Security 104/118
![Page 162: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/162.jpg)
Linux permissions
See the book!
Filesystem Security 105/118
![Page 163: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/163.jpg)
SetUID
To change password:1 run the passwd program;
2 change /etc/passwd file.
But, processes inherit the permissions of their parents, thus:1 passwd runs with the user’s privileges!2 /etc/passwd is owned by root!
Filesystem Security 106/118
![Page 164: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/164.jpg)
SetUID. . .
Unix permissions include a setuid bit.
If prog has setuid=1 ⇒
prog runs with effective uid (euid) of its owner.
Example:1 passwd is owned by root.
Filesystem Security 107/118
![Page 165: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/165.jpg)
SetUID. . .
Unix permissions include a setuid bit.
If prog has setuid=1 ⇒
prog runs with effective uid (euid) of its owner.
Example:1 passwd is owned by root.2 passwd has setuid=1.
Filesystem Security 107/118
![Page 166: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/166.jpg)
SetUID. . .
Unix permissions include a setuid bit.
If prog has setuid=1 ⇒
prog runs with effective uid (euid) of its owner.
Example:1 passwd is owned by root.2 passwd has setuid=1.3 Bob runs passwd.
Filesystem Security 107/118
![Page 167: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/167.jpg)
SetUID. . .
Unix permissions include a setuid bit.
If prog has setuid=1 ⇒
prog runs with effective uid (euid) of its owner.
Example:1 passwd is owned by root.2 passwd has setuid=1.3 Bob runs passwd.4 Bob’s passwd process runs with root permissions.
Filesystem Security 107/118
![Page 168: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/168.jpg)
SetUID. . .
Unix permissions include a setuid bit.
If prog has setuid=1 ⇒
prog runs with effective uid (euid) of its owner.
Example:1 passwd is owned by root.2 passwd has setuid=1.3 Bob runs passwd.4 Bob’s passwd process runs with root permissions.5 ⇒ Bob can change /etc/passwd!
Filesystem Security 107/118
![Page 169: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/169.jpg)
SetUID: Issues
Attack:1 Bob makes setuid program run arbitrary code.2 ⇒ Bob gets privileges of the program’s owner!
Privilege escalation scenario.
setuid programs must be safe!
Filesystem Security 108/118
![Page 170: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/170.jpg)
SetUID: Example
s t a t i c u i d t eu id , u i d ;
i n t main ( i n t argc , char ∗ a rgv [ ] ) {u i d = ge t u i d ( ) ;eu i d = ge t eu i d ( ) ;s e t e u i d ( u i d ) ; // Drop p r i v i l e g e s// Do someth ing . . .s e t e u i d ( eu i d ) ; // Ra i s e p r i v i l e g e sFILE ∗ f i l e = fopen ( ”/ va r / l og ” , ”a” ) ;s e t e u i d ( u i d ) ; // Drop p r i v i l e g e sf p r i n t f ( f i l e , ” . . . ” ) ; // p r i n t u s i n g p e rm i s s i o n s of c l o s e ( f i l e ) ;return 0 ;
}
Filesystem Security 109/118
![Page 171: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/171.jpg)
SetUID: Example. . .
The example program runs with the user’s permissions, mostof the time.
It raises permissions to the owner’s in order to write to the logfile.
Filesystem Security 110/118
![Page 172: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/172.jpg)
SetUID: Vulnerability
i n t main ( ) {system ( ” l s ” ) ;return 0 ;
}
Assume this program has setuid=1.
system() invokes /bin/sh.
The shell is told to execute "ls".
But, the shell uses the PATH variable to look up "ls"!
⇒ The user can manipulate PATH to make system execute thewrong program.
Defense: system("/usr/bin/ls").
Filesystem Security 111/118
![Page 173: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/173.jpg)
File descriptors
open("filename",read/write/append/...):1 kernel checks if the process has the right permissions;2 kernel opens the file;3 kernel returns a file descriptor .
write(file descriptor,"..."):1 kernel checks that the file descriptor has write
permissions.2 kernel writes, or returns error.
Filesystem Security 112/118
![Page 174: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/174.jpg)
File descriptors. . .
NOTE: The OS only checks read/write/. . . permissions onopen!
NOTE: On read()/write() calls, the OS only checks thefile descriptor was opened with those permissions!
NOTE: File descriptors can be passed between processes!
NOTE: Child processes inherit open file descriptors fromparents!
Filesystem Security 113/118
![Page 175: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/175.jpg)
File descriptor leaks
i n t main ( i n t argc , char ∗ a rgv [ ] ) {FILE ∗pw = fopen ( ”/ e t c / passwd” , ” r ” ) ;// Read passwords . . .// Ooops , f o r g o t to c l o s e pw !e x e c l ( ”/home/bob/ s h e l l ” , ” s h e l l ” ,NULL ) ;
}
Bob’s child process inherits open file descriptors.
He can use fcntl() functions to access the open file.
Filesystem Security 114/118
![Page 176: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/176.jpg)
Symbolic links
ln -s source-file target-file:A symbolic link points to the original copy.
open("filename",read/write/append/..., flags):O NOFOLLOW: do not follow symlinksO SYMLINK: allow open of symlinks
✞ ☎
i n t main ( i n t argc , char ∗ a rgv [ ] ) {i f ( st rcmp ( a rgv [ 1 ] , ”/ e t c /passwd”)==0)
abo r t ( ) ;e l s e {
FILE ∗pw = fopen ( a rgv [ 1 ] , ” r ” ) ;. . .
}}
✝ ✆
The attacker could pass a symlink to /etc/passwd instead. . .
Filesystem Security 115/118
![Page 177: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/177.jpg)
Outline
1 IntroductionProcessesInter-Process CommunicationMemory managementVirtual machines
2 Process Security3 Authenticated boot
Trusted bootTaking measurementsThe TPMThe challengePrivacy issuesApplications and Controversies
4 Pioneer5 XOM
The XOM architecturePreventing replay attacksFixing a leaky address busFixing a leaky data busDiscussion
6 Filesystem SecuritySetUIDFile DescriptorsSymbolic Links
7 Summary
Summary 116/118
![Page 178: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/178.jpg)
Readings and References
Chapter 3 in Introduction to Computer Security, by Goodrichand Tamassia.
Section 9.7.3 in Introduction to Computer Security, byGoodrich and Tamassia.
Summary 117/118
![Page 179: CSc 466/566 Computer Security 9 : Operating Systems ...collberg/Teaching/466-566/2012/Slides/Slides-9.pdf2 the BIOS loadd the second-stage boot loader; 3 the second-stage boot loader](https://reader035.fdocuments.in/reader035/viewer/2022070814/5f0e296c7e708231d43de7b3/html5/thumbnails/179.jpg)
Acknowledgments
Material and exercises have also been collected from these sources:
1 Christian Collberg, Jasvir Nagra, Surreptitious Software,Obfuscation, Watermarking, and Tamperproofing for SoftwareProtection,http://www.amazon.com/Surreptitious-Software-Obfuscation-Watermarking-Tamperproofing/dp/0321549252.
2 Lie, Thekkath, Mitchell, Lincoln, Boneh, Mitchell, Horowitz,Architectural support for copy, tamper resistant software,ASPLOS-IX, 2000.
3 Zhuang, Zhang, Pande, HIDE: an infrastructure for efficientlyprotecting information leakage on the address bus,ASPLOS-XI, 2004.
4 Gomathisankaran, Architecture Support for 3D Obfuscation,IEEE Trans. Comput., Vol. 55, No. 5, pp. 497–507, 2006.
Summary 118/118