Bootstrapping Trust in a “Trusted” Platform Bryan Parno Carnegie Mellon University November 11, 2008
A Travel Story
Do you trust… • A kiosk computer? • A friend’s computer? • A relative’s computer? • Your own computer? Without trust, you cannot… • Check your email • Pay bills • Privately surf the web • … How do we bootstrap trust in a computer?
Assumptions • User has a trusted, mobile device • User trusts someone to vouch for the physical security of the computer
Bootstrapping Trust [Diagram: Physical Security, Trusted Hardware, Trusted Software]
Trusted Software Using Flicker [Diagram, two panels. Labels: App 1 … App, S, OS, Shim, DMA Devices (Network, Disk, USB, etc.), CPU, RAM, TPM, Chipset]
Flicker’s Properties • Isolate security-sensitive code execution from all other code and devices • Attest to security-sensitive code and its arguments and nothing else • Convince a remote party that security-sensitive code was protected • Add < 250 LoC to the software TCB All relies on bootstrapping trust! [Diagram: Physical Security, Trusted Hardware, Trusted Software; S, Shim; Software TCB < 250 LoC]
Outline • Introduction • Background • The Cuckoo Attack • Potential Solutions • Conclusions
TPM Background • The Trusted Platform Module (TPM) is a dedicated security chip • Contains a public/private keypair {KPub, KPriv} • Contains a certificate indicating that KPub belongs to a legitimate TPM • Not tamper-resistant!
Bootstrapping Trust with a TPM [Diagram labels: Hardware, Software, BIOS, Boot Loader, OS Kernel, Module 1, Module 2, conf, Apps, App 1, App 2, TPM, PCRs, KPriv]
Bootstrapping Trust with a TPM • Guarantees freshness • Guarantees key originated from a real TPM • TPM attests to the software [Diagram labels: Nonce, Sign( ), KPriv, KPub, PCRs, TPM, BIOS, Boot Loader, OS Kernel, Module 1, Module 2, conf, Apps, App 1, App 2, “Trustworthy!”]
Outline • Introduction • Background • The Cuckoo Attack • Potential Solutions • Conclusions
The Cuckoo Attack • Guarantees freshness • TPM attests to the software • Guarantees key originated from a real TPM [Diagram labels: Nonce, Sign( ), KPriv, KPub, “Trustworthy!”]
What went wrong? • An attestation says that a TPM vouches for a software state, but not which TPM [Diagram labels: KPub, Sign( ), KPriv, Nonce]
Analyzing the Attack • Paper develops a logical framework for bootstrapping trust • Allows precise characterization of the attack • Framework identifies which solutions work, and which do not
Potential Solutions • Employ SiB • Employ camera-less SiB • Trust the BIOS • Trust a third party • Use an existing interface • Use a special-purpose interface • Remove the network • Trust the computer • Detect timing deviations • Make late-launch data available • Add a special-purpose button Analyze which work, and which don’t. Identify pros and cons of each.
An Invalid Solution HW Violation! [Diagram labels: KPriv, KPub, Sign( ), Nonce]
High-Level Goal • Establish a secure channel to the local TPM • Channel must provide authenticity & integrity • We can instantiate the channel via: • Cryptography • Hardware
Cryptographic Secure Channels • Requires authentic public key (or shared secret) • Use Seeing-is-Believing (SiB) [McCune et al., ‘05] • Place a barcode on the PC encoding the TPM’s public key • Trust the BIOS • Reboot and trust BIOS to output public key via existing interface [Diagram labels: KPriv, SHA-1(KPub)]
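The gap named under “What went wrong?” and the key pinning behind Seeing-is-Believing, as an added example that is not from the talk or the paper: a verifier that checks certificate, signature, nonce and PCRs still accepts a quote from any genuine TPM unless it also compares the key with the fingerprint read from the machine's barcode. ToyTPM, the textbook-RSA signing over fixed primes, the certified-key set and every value below are constructed stand-ins and are not secure cryptography.

```python
import hashlib
import secrets

E = 65537  # public exponent for the toy keys

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def fingerprint(kpub):  # the slides' barcode carries SHA-1(KPub)
    return hashlib.sha1(str(kpub).encode()).hexdigest()

class ToyTPM:
    """Constructed stand-in for a TPM: textbook RSA, NOT secure."""
    def __init__(self, p, q, pcrs):
        self.kpub = p * q
        self._kpriv = pow(E, -1, (p - 1) * (q - 1))
        self.pcrs = pcrs  # digest summarising the measured software

    def quote(self, nonce):
        sig = pow(digest(self.pcrs + nonce, self.kpub), self._kpriv, self.kpub)
        return self.pcrs, sig, self.kpub

def verify(quote, nonce, good_pcrs, certified, pinned_fp=None):
    pcrs, sig, kpub = quote
    if kpub not in certified:  # certificate check: key belongs to some real TPM
        return "reject: key not certified"
    if pow(sig, E, kpub) != digest(pcrs + nonce, kpub):  # signature + freshness
        return "reject: bad signature or stale nonce"
    if pcrs != good_pcrs:
        return "reject: untrusted software state"
    if pinned_fp is not None and fingerprint(kpub) != pinned_fp:
        return "reject: quote comes from a different TPM"
    return "accept"

GOOD = hashlib.sha256(b"known-good boot chain").digest()
BAD = hashlib.sha256(b"modified boot chain").digest()
local = ToyTPM(2**127 - 1, 2**89 - 1, BAD)    # the machine in front of the user
other = ToyTPM(2**107 - 1, 2**61 - 1, GOOD)   # some other genuine TPM
CERTIFIED = {local.kpub, other.kpub}

def demo():
    nonce = secrets.token_bytes(20)
    barcode = fingerprint(local.kpub)  # read by the user's trusted mobile device
    foreign = other.quote(nonce)
    return (verify(foreign, nonce, GOOD, CERTIFIED),            # no pinning
            verify(foreign, nonce, GOOD, CERTIFIED, barcode),   # pinned
            verify(local.quote(nonce), nonce, GOOD, CERTIFIED, barcode))

print(demo())
```

The first result is the failure the slides describe: every individual check passes, yet nothing ties the quote to the TPM inside the local machine.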
Hardware Secure Channels • Reuse an existing interface • Existing interfaces do not support direct communication with the TPM • Add a special-purpose interface • Reduces opportunities for user error • Makes manufacturers unhappy
Choosing a Solution • After analyzing 10 potential solutions, none is entirely satisfactory • Preferred solutions: • Short-term: Seeing-is-Believing • Long-term: Special-purpose Interface
Related Work • Device Pairing • Typically assumes both devices are trusted • Kiosk Computing [Garriss et al., ‘08] • Even more difficult, since hardware integrity may not be guaranteed • Secure Object Identification [Alkassar et al., ‘03], [Brands & Chaum ‘94] • Solutions inappropriate to TPM setting
Conclusions • Trust in your local computer is critical • Due to the cuckoo attack, current techniques cannot bootstrap trust • Changes are needed to make useful security guarantees
Thanks! parno@cmu.edu