Uni-directional Trusted Path: Transaction Confirmation on Just One Device

System Security Lab

Uni-directional Trusted Path:Transaction Confirmation

on Just One DeviceAtanas Filyanov1, Jonathan M. McCune2,Ahmad-Reza Sadeghi3, Marcel Winandy1

1 Ruhr-University Bochum, Germany2 Carnegie Mellon University, USA

3 Technical University Darmstadt, Germany

DSN 2011 - 41st Annual IEEE/IFIP International Conference on Dependable Systems and NetworksHong Kong, China, 27-30 June 2011

Dienstag, 28. Juni 2011

System Security Lab

Marcel Winandy Uni-directional Trusted Path: Transaction Confirmation on Just One Device (DSN 2011)

Motivation• Malware can have strong power on commodity systems

• Keyloggers, transaction generators, ... (commit online fraud)

• Credit card companies, banks absorb most liabilities

• Users have disincentive to solve the problem

• Even e-commerce servers are under attack!

• Sony: attackers have eventually stolen credit card data from several customers

• Recently similar attacks at other game companies

2


System Security Lab


Motivation• Malware can have strong power on commodity systems

• Keyloggers, transaction generators, ... (commit online fraud)

• Credit card companies, banks absorb most liabilities

• Users have disincentive to solve the problem

• Even e-commerce servers are under attack!

• Sony: attackers have eventually stolen credit card data from several customers

• Recently similar attacks at other game companies

2

If all had used our proposed solution,there would have been no problem! :-)


System Security Lab


Threat Scenario

• Typical scenarios: online purchases, online banking,e-government, enrollment for online services, etc.

3

issue transaction request transaction

request confirmationrequest confirmation

ServerUser Client System

confirmation confirmation


System Security Lab


Threat Scenario


3





Adversary

• Adversary: controls network traffic and controls client system• only software attacks (no hardware tampering)


System Security Lab


Threat Scenario


3





Adversary

• Adversary: controls network traffic and controls client system• only software attacks (no hardware tampering)

?Server cannot distinguish

between transactions issued/confirmed by user or malware


System Security Lab


Our Goals

• Assurance to a remote server that a user indeed confirmed a proposed action

• Technical solution without additional devices,but compatible to existing operating systems

• Minimal/no deviation from normal user experience

• Assumption:Client System hardware provides some form of secure execution environment

4


System Security Lab


Our Goals

• Assurance to a remote server that a user indeed confirmed a proposed action

• Technical solution without additional devices,but compatible to existing operating systems

• Minimal/no deviation from normal user experience

• Assumption:Client System hardware provides some form of secure execution environment

4

Available on commodity platforms:PC: Intel TXT, AMD SVMMobile: ARM TrustZone; Playstation3: Cell BE


Idea of the Uni-directional Trusted Path


System Security Lab


Full Trusted Path

Properties:

1. Isolation of I/O channels(integrity & confidentiality)

2. Assurance for user about authenticity of application

3. Assurance for application about user-generated input

6

User

Application12 3

Application

Application

Client System

OS


System Security Lab


Trusted Path: Existing Approaches

• Secure GUI (reserved screen area)

• Requires a secure OS

• Secure Attention Sequence (e.g., Ctrl+Alt+Delete)

• Requires OS kernel to remain uncompromised

• Additional hardware indicators (e.g., color LED)


7


System Security Lab


Trusted Path: Existing Approaches

• Secure GUI (reserved screen area)

• Requires a secure OS

• Secure Attention Sequence (e.g., Ctrl+Alt+Delete)


• Additional hardware indicators (e.g., color LED)


7

No widespread adoption, or lack of interest from users(also: usability unclear)


System Security Lab


Server

Uni-directional Trusted Path (UTP)Properties:




8

User

3

Application

Client System

Secure Execution Mode

Untrusted Execution Mode

OS

CPU

UTP Agent1


System Security Lab


Server

Uni-directional Trusted Path (UTP)Properties:




8

User

3

Application

Client System



OS

CPU

UTP Agent1

• Enable remote server to gain assurance about human-initiated action

• Based on CPU‘s capability to switch between untrusted and secure execution mode

• UTP is only available in Secure Execution Mode:

• Isolated execution environment and control of user I/O devices

• Ability to provide evidence to remote system what has executed in this mode


Transaction Confirmation with UTP


System Security Lab


Transaction Initiation

10

Browser

Client System



OS

CPU

UTP Agent

ServerUser

I/O Devices


System Security Lab



10

Browser

Client System



OS

CPU

UTP Agent

ServerUser

I/O Devices

1. issuestransaction


System Security Lab



10

Browser

Client System



OS

CPU

UTP Agent

2. requests transaction

ServerUser

I/O Devices



System Security Lab



10

Browser

Client System



OS

CPU

UTP Agent


3. requests confirmation(conf. message)

ServerUser

I/O Devices



System Security Lab


Transaction Confirmation

11

Browser

Client System



OS

CPU


ServerUser

I/O Devices


System Security Lab



11

Browser

Client System



OS

CPU


ServerUser

I/O Devices UTP Agent


System Security Lab



11

Browser

Client System



OS

CPU


ServerUser

I/O Devices UTP Agent(conf. message)


System Security Lab



11

Browser

Client System



OS

CPU


ServerUser

I/O Devices

4. show conf. message+ request confirmation

UTP Agent(conf. message)


System Security Lab



11

Browser

Client System



OS

CPU


ServerUser

I/O Devices


5. confirm/abort



System Security Lab



11

Browser

Client System



OS

CPU


ServerUser

I/O Devices


5. confirm/abort


confirm/abort


System Security Lab



11

Browser

Client System



OS

CPU


ServerUser

I/O Devices


5. confirm/abort

6. attestation evidence:- UTP Agent integrity measurement- conf. message from server- confirm/abort from user


confirm/abort


System Security Lab



11

Browser

Client System



OS

CPU


ServerUser

I/O Devices


5. confirm/abort



confirm/abort

Uni-directional Trusted Path


System Security Lab



11

Browser

Client System



OS

CPU


ServerUser

I/O Devices


5. confirm/abort



confirm/abort


System Security Lab



11

Browser

Client System



OS

CPU


ServerUser

I/O Devices


5. confirm/abort


7. accept/discard


confirm/abort


System Security Lab



11

Browser

Client System



OS

CPU


ServerUser

I/O Devices


5. confirm/abort


7. accept/discard


System Security Lab



11

Browser

Client System



OS

CPU


ServerUser

I/O Devices


5. confirm/abort


7. accept/discard

8. show result


System Security Lab


Security Considerations• Transaction generated by malware

12

Browser

Client System



OS

CPU

UTP Agent



ServerUser

I/O Devices(conf. message)


System Security Lab



12

Browser

Client System



OS

CPU

UTP Agent



ServerUser

I/O Devices

unexpected(conf. message)

(conf. message)


System Security Lab



12

Browser

Client System



OS

CPU

UTP Agent



ServerUser

I/O Devices

unexpected(conf. message)

(conf. message)

User will notice(unexpected transaction)


System Security Lab


UTP Agent

Security Considerations• Transaction manipulation + manipulated UTP agent

13

Browser

Client System



OS

CPU 2. requests transaction


ServerUser

I/O Devices

(conf. message)



System Security Lab


UTP Agent


13

Browser

Client System



OS

CPU

UTP Agent



ServerUser

I/O Devices

(conf. message)



System Security Lab


UTP Agent


13

Browser

Client System



OS

CPU

UTP Agent



ServerUser

I/O Devices(conf. message)



System Security Lab


UTP Agent


13

Browser

Client System



OS

CPU

UTP Agent



ServerUser

I/O Devices

expected(conf. message)

(conf. message)



System Security Lab


UTP Agent


13

Browser

Client System



OS

CPU

UTP Agent



ServerUser

I/O Devices


(conf. message) 6. attestation evidence:- UTP Agent integrity measurement- conf. message from server- confirm/abort from user



System Security Lab


UTP Agent


13

Browser

Client System



OS

CPU

UTP Agent



ServerUser

I/O Devices


(conf. message)

Server will notice and reject(UTP integrity violation)




System Security Lab


Security Considerations• Transaction manipulation + faked confirmation dialog

14

Browser

Client System



OS



ServerUser

I/O Devices



System Security Lab



14

Browser

Client System



OS



ServerUser

I/O Devices


4. faked conf. message


System Security Lab



14

Browser

Client System



OS



ServerUser

I/O Devices 6. attestation evidence:- ???




System Security Lab



14

Browser

Client System



OS



ServerUser

I/O Devices

Server will notice and reject(no UTP execution)

6. attestation evidence:- ???




System Security Lab


Setup: Device Enrollment

• Server knows that a human confirmed a transaction

• But how does the server know which user?

• Solution: binding the device to the user account

• Requires to register user devices in a setup phase

• Establishes a cryptographic credential to perform login(e.g. public key protected by Secure Execution Mode)

• Protects against misuse of stolen account data!

• Attackers cannot use data (e.g. credit card number) becausetheir devices are not registered with that account at the server

15


Realization of UTP


System Security Lab


PC-Based Implementation• Evidence attestation: Trusted Platform Module (TPM)

• Hardware root of trust (secure storage for keys; cryptographic operations)

• PCRs: registers that can be extended with integrity measurements of code

• Attestation: cryptographic signature of PCRs with a TPM-protected key

• Secure Execution Mode: Intel Trusted Execution Technology (TXT)

• Late Launch creates dynamic root of trust (DRTM)

• Reinitializes CPU and memory controller into known-good state

• Resets dynamic PCRs of the TPM (only CPU can reset these registers)

• Software framework: Flicker

• Allows to execute very small code in DRTM mode (without any OS)

• During DRTM mode, normal OS is halted; after switch back, OS is resumed

17


System Security Lab


Implementation Architecture

18

Web Browser

Client Utility Program

CPU Secure Mode

ServerClient

Verification Program

OS FlickerLaunch

UTP Agent

TPM

HTTPS

Extension

CPU (Intel TXT) Webserver Application

Script Extension


System Security Lab



18

Web Browser


CPU Secure Mode

ServerClient


OS FlickerLaunch

UTP Agent

TPM

HTTPS

Extension


Script Extension

+ 488 LOC


System Security Lab



18

Web Browser


CPU Secure Mode

ServerClient


OS FlickerLaunch

UTP Agent

TPM

HTTPS

Extension


Script Extension

+ 488 LOC

+ 956 LOC(non-TCB)}


System Security Lab



18

Web Browser


CPU Secure Mode

ServerClient


OS FlickerLaunch

UTP Agent

TPM

HTTPS

Extension


Script Extension

+ 488 LOC

+ 956 LOC(non-TCB)}2335 LOC

(TCB)


System Security Lab


Screenshot (Transaction Initiation)

19


System Security Lab


Screenshot (Transaction Confirmation)

20


System Security Lab


Evaluation• Code complexity:

• Very small total TCB: 2335 LOC (seL4 about 9000 [Klein et al. SOSP 2009])

• Including VGA and PS/2 keyboard driver (USB would add another 2000)

• Deployment:

• Server-side: only minor modifications necessary

• Client-side: users just need to download UTP software

• Performance:

• Switching time about 1 sec

• Remaining actions: waiting for user input, or in untrusted mode

• Usability:

• Confirmation message should not be simply "Press OK" (user tend to ignore)

• UTP is generic, confirmation message can be provided by service providers

21


System Security Lab


Conclusion

• Existing solutions against transaction generators are inconvenient or not widely deployed

• Our proposal: a one-way trusted path to enable service providers to gain assurance about user-initiated transactions

• Realization based on on-demand isolated execution environment and temporal control of user I/O devices

• Very small TCB and compatible to existing software

• Deployable on commodity systems today

22


System Security Lab


Questions?

Contact:

Marcel WinandyRuhr-University Bochum

[email protected]://www.trust.rub.deTwitter: @mwinandy

23


mailto:[email protected]

mailto:[email protected]

http://www.trust.rub.de

http://www.trust.rub.de

BACKUP


System Security Lab


Implementation of UTP with Flicker

25


Uni-directional Trusted Path: Transaction Confirmation on Just One Device

Technology

Transcript of Uni-directional Trusted Path: Transaction Confirmation on Just One Device