
Bootstrapping Trust in a “Trusted” Platform

Bootstrapping Trust in a “Trusted” Platform. Bryan Parno. Carnegie Mellon University. November 11, 2008. A Travel Story. Without trust, you cannot… Do you trust… A kiosk computer? A friend’s computer? A relative’s computer? Your own computer? Check your email Pay bills


Presentation Transcript


  1. Bootstrapping Trust in a “Trusted” Platform. Bryan Parno, Carnegie Mellon University. November 11, 2008

  2. A Travel Story

  3. Do you trust… • A kiosk computer? • A friend’s computer? • A relative’s computer? • Your own computer? Without trust, you cannot… • Check your email • Pay bills • Privately surf the web • … How do we bootstrap trust in a computer?

  4. Assumptions • User has a trusted, mobile device • User trusts someone to vouch for the physical security of the computer

  5. Bootstrapping Trust [Diagram layers: Physical Security, Trusted Hardware, Trusted Software]

  6. Trusted Software Using Flicker [Diagram labels: App 1 … App, S, OS, Shim, DMA Devices (Network, Disk, USB, etc.), CPU, RAM, TPM, Chipset]

  7. Flicker’s Properties • Isolate security-sensitive code execution from all other code and devices • Attest to security-sensitive code and its arguments and nothing else • Convince a remote party that security-sensitive code was protected • Add < 250 LoC to the software TCB. All relies on bootstrapping trust! [Diagram labels: Physical Security, Trusted Hardware, Trusted Software, S, Shim, Software TCB < 250 LoC]

  8. Outline • Introduction • Background • The Cuckoo Attack • Potential Solutions • Conclusions

  9. TPM Background • The Trusted Platform Module (TPM) is a dedicated security chip • Contains a public/private keypair {KPub, KPriv} • Contains a certificate indicating that KPub belongs to a legitimate TPM • Not tamper-resistant!

  10. Bootstrapping Trust with a TPM [Diagram labels: Hardware, Software, BIOS, Boot Loader, OS Kernel, Module 1, Module 2, Apps, App 1, App 2, conf, TPM, PCRs, KPriv]

  11. Bootstrapping Trust with a TPM [Diagram labels: Nonce, BIOS, Boot Loader, OS Kernel, Module 1, Module 2, Apps, App 1, App 2, conf, TPM, PCRs, Sign( ), KPriv, KPub, Trustworthy!; annotations: Guarantees freshness; Guarantees key originated from a real TPM; TPM attests to the software]

  12. Outline • Introduction • Background • The Cuckoo Attack • Potential Solutions • Conclusions

  13. The Cuckoo Attack [Diagram labels: Nonce, KPub, KPriv, Sign( ), Trustworthy!; annotations: Guarantees freshness; TPM attests to the software; Guarantees key originated from a real TPM]

  14. What went wrong? • An attestation says that a TPM vouches for a software state, but not which TPM [Diagram labels, each appearing twice: KPub, Nonce, Sign( ), KPriv]

  15. Analyzing the Attack • Paper develops a logical framework for bootstrapping trust • Allows precise characterization of the attack • Framework identifies which solutions work, and which do not

  16. Potential Solutions • Employ SiB • Employ camera-less SiB • Trust the BIOS • Trust a third party • Use an existing interface • Use a special-purpose interface • Remove the network • Trust the computer • Detect timing deviations • Make late-launch data available • Add a special-purpose button. Analyze which work, and which don’t. Identify pros and cons of each.

  17. An Invalid Solution [Diagram labels: KPriv, KPub, Nonce, Sign( ), HW Violation!]

  18. High-Level Goal • Establish a secure channel to the local TPM • Channel must provide authenticity & integrity • We can instantiate the channel via: • Cryptography • Hardware

  19. Cryptographic Secure Channels • Requires authentic public key (or shared secret) • Use Seeing-is-Believing (SiB) [McCune et al., ‘05] • Place a barcode on the PC encoding the TPM’s public key • Trust the BIOS • Reboot and trust BIOS to output public key via existing interface [Diagram labels: KPriv, SHA-1(KPub)]

  20. Hardware Secure Channels • Reuse an existing interface • Existing interfaces do not support direct communication with the TPM • Add a special-purpose interface • Reduces opportunities for user error • Makes manufacturers unhappy

  21. Choosing a Solution • After analyzing 10 potential solutions, none is entirely satisfactory • Preferred solutions: • Short-term: Seeing-is-Believing • Long-term: Special-purpose Interface

  22. Related Work • Device Pairing • Typically assumes both devices are trusted • Kiosk Computing [Garriss et al., ‘08] • Even more difficult, since hardware integrity may not be guaranteed • Secure Object Identification [Alkassar et al., ‘03], [Brands & Chaum ‘94] • Solutions inappropriate to TPM setting

  23. Conclusions • Trust in your local computer is critical • Due to the cuckoo attack, current techniques cannot bootstrap trust • Changes are needed to make useful security guarantees

  24. Thanks! parno@cmu.edu
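
The verifier-side check behind slides 11 to 19, as an added example that is not from the talk or the paper: a quote from any certified TPM passes the nonce, certificate and PCR checks, and only pinning SHA-1(KPub) of the local TPM (the Seeing-is-Believing idea) tells the verifier which TPM answered. `ToyTPM`, `fingerprint`, `verify`, the PCR value and the set of certified keys are assumptions made for illustration; the signature is textbook RSA on fixed primes, a stand-in for a real TPM quote and not secure.

```python
import hashlib
import os

def _digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

class ToyTPM:
    """Constructed stand-in for a TPM: textbook RSA on fixed primes, not secure."""
    def __init__(self, p: int, q: int):
        self.kpub = (p * q, 65537)                       # KPub = (n, e)
        self._kpriv = pow(65537, -1, (p - 1) * (q - 1))  # KPriv stays inside the chip

    def quote(self, pcrs: bytes, nonce: bytes) -> int:   # Sign(PCRs || nonce) with KPriv
        n, _ = self.kpub
        return pow(_digest(pcrs + nonce, n), self._kpriv, n)

def fingerprint(kpub) -> str:   # SHA-1(KPub); assumed to be what the barcode encodes
    return hashlib.sha1(repr(kpub).encode()).hexdigest()

def verify(quote, kpub, pcrs, nonce, certified, good_pcrs, pinned=None) -> str:
    n, e = kpub
    if kpub not in certified:                 # stand-in for the TPM certificate check
        return "uncertified key"
    if pow(quote, e, n) != _digest(pcrs + nonce, n):
        return "bad signature or stale nonce"
    if pcrs != good_pcrs:
        return "untrusted software state"
    if pinned is not None and fingerprint(kpub) != pinned:
        return "valid attestation, but from a different TPM"
    return "trustworthy"

LOCAL = ToyTPM(2**61 - 1, 2**89 - 1)      # constructed: TPM in the machine being checked
OTHER = ToyTPM(2**107 - 1, 2**127 - 1)    # constructed: another genuine TPM elsewhere
CERTIFIED = {LOCAL.kpub, OTHER.kpub}      # both carry valid certificates
GOOD_PCRS = hashlib.sha1(b"known-good boot chain").digest()

def run_checks():
    nonce = os.urandom(20)
    relayed = (OTHER.quote(GOOD_PCRS, nonce), OTHER.kpub)   # answer did not come from LOCAL
    honest = (LOCAL.quote(GOOD_PCRS, nonce), LOCAL.kpub)
    pin = fingerprint(LOCAL.kpub)                           # read from the barcode on the case
    return {
        "relayed, no pin": verify(*relayed, GOOD_PCRS, nonce, CERTIFIED, GOOD_PCRS),
        "relayed, pinned": verify(*relayed, GOOD_PCRS, nonce, CERTIFIED, GOOD_PCRS, pin),
        "local, pinned": verify(*honest, GOOD_PCRS, nonce, CERTIFIED, GOOD_PCRS, pin),
    }

if __name__ == "__main__":
    print(run_checks())
```

Without the pin, the relayed quote is indistinguishable from a local one, which is the gap slide 14 names.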
