Bootstrapping Trust in Commodity Computers

Presentation Transcript


  1. Bootstrapping Trust in Commodity Computers Carnegie Mellon University Bryan Parno, Jonathan McCune, Adrian Perrig

  2. A Travel Story

  3. Trust is Critical Will I regret having done this?

  4. Software Engineering & Programming Languages: Does program P compute F? Is F what the programmer intended? Bootstrapping Trust: What F will this machine compute? (Diagram: the machine computes some function F, mapping Alice’s input X_Alice to Y_Alice and another party’s input X_Other to Y_Other.)

  5. Bootstrapping Trust is Hard! Challenges: • Hardware assurance • Ephemeral software • User Interaction (Diagram: App 1 … App N on top of OS Module 1 … Module 4, each built from many functions S1( ) … S15( ); the user asks “Safe?”, the system hashes its state with H( ) and answers “Yes!”.)

  6. Bootstrapping Trust is Hard! Challenges: • Hardware assurance • Ephemeral software • User Interaction (Diagram: an Evil App running on an Evil OS, which still answers “Safe?” with “Yes!”.)

  7. What do we need to know? • What serves as a foundation of trust? • How can we use it locally? • How can we use it remotely? • How do we interpret it? • How can we validate the bootstrapping? • Applications • Human factors • Limitations • Future directions In the paper… • Bootstrapping foundations • Transmitting bootstrap data • Interpretation • Validation • Applications • Human factors • Limitations • Future directions • … and much more!

  8. 1) Establish Trust in Hardware • Hardware is durable • Establish trust via: • Trust in the manufacturer • Physical security Open Question: Can we do better?

  9. 2) Establish Trust in Software • Software is ephemeral • We care about the software currently in control • Many properties matter: • Proper control flow • Type safety • Correct information flow… Which property matters most? (Diagram: App 1 … App N running on an OS.)

  10. A Simple Thought Experiment • Imagine a perfect algorithm for analyzing control flow • Guarantees a program always follows intended control flow • Does this suffice to bootstrap trust? No! We want code identity. (Diagram: a program P labelled “Respects control flow” and “Type Safe”.)

  11. What is Code Identity? • An attempt to capture the behavior of a program, i.e. the function f it computes • Current state of the art is the collection of: • Program binary • Program libraries • Program configuration files • Program inputs (initial inputs) • Often condensed into a hash of the above (Diagram: the function f and the inputs to f.)

  12. Code Identity as Trust Foundation • From code identity, you may be able to infer: • Proper control flow • Type safety • Correct information flow… • Reverse is not true!

  13. What Can Code Identity Do For You? • Research applications • Commercial applications • Secure the boot process • Count-limit objects • Improve security of network protocols • Thwart insider attacks • Protect passwords • Create a Trusted Third Party • Secure disk encryption (e.g., Bitlocker) • Improve network access control • Secure boot on mobile phones • Validate cloud computing platforms

  14. Establishing Code Identity • [Gasser et al. ’89], [Arbaugh et al. ’97], [Sailer et al. ’04], [Marchesini et al. ’04], … (Diagram: the machine’s function F maps X_Alice to Y_Alice and X_Other to Y_Other.)

  15. Establishing Code Identity • [Gasser et al. ’89], [Arbaugh et al. ’97], [Sailer et al. ’04], [Marchesini et al. ’04], … (Diagram: F decomposed into the layers f1, f2, … fN that together map X_Alice to Y_Alice and X_Other to Y_Other.)

  16. Establishing Code Identity • [Gasser et al. ’89], [Arbaugh et al. ’97], [Sailer et al. ’04], [Marchesini et al. ’04], … (Diagram: a Chain of Trust from a Root of Trust (?) through Software 1, …, Software N-1, Software N.)

  17. Trusted Boot: Recording Code Identity • [Gasser et al. ’89], [England et al. ’03], [Sailer et al. ’04], … (Diagram: the Root of Trust starts a chain through Software 1, …, Software N-1, Software N, and the records SW 1, SW 2, …, SW N-1, SW N are accumulated along the way.)

  18. Attestation: Conveying Records to an External Entity • [Gasser et al. ’89], [Arbaugh et al. ’97], [England et al. ’03], [Sailer et al. ’04], … (Diagram: the external entity sends a random #; the platform, whose Root of Trust controls Kpriv, returns the records SW 1, SW 2, …, SW N-1, SW N together with Sign Kpriv( random #, SW 1 … SW N ).)

  19. Interpreting Code Identity • Traditional: [Gasser et al. ’89], [Sailer et al. ’04] • Policy Enforcement: [Marchesini et al. ’04], [Jaeger et al. ’06] (Diagram: the software stack BIOS, Option ROMs, Bootloader, OS, Drivers 1…N, App 1…N.)

  20. Interpreting Code Identity • Traditional: [Gasser et al. ’89], [Sailer et al. ’04] • Policy Enforcement: [Marchesini et al. ’04], [Jaeger et al. ’06] • Virtualization: [England et al. ’03], [Garfinkel et al. ’03] (Diagram: BIOS, Option ROMs, Bootloader, Virtual Machine Monitor, Virtual Machine.)

  21. Interpreting Code Identity • Traditional: [Gasser et al. ’89], [Sailer et al. ’04] • Policy Enforcement: [Marchesini et al. ’04], [Jaeger et al. ’06] • Virtualization: [England et al. ’03], [Garfinkel et al. ’03] • Late Launch: [Kauer et al. ’07], [Grawrock ’08] (Diagram: BIOS, Option ROMs, Bootloader, then a Late Launch of the Virtual Machine Monitor (VMM), with the OS inside a Virtual Machine.)

  22. Interpreting Code Identity • Traditional: [Gasser et al. ’89], [Sailer et al. ’04] • Policy Enforcement: [Marchesini et al. ’04], [Jaeger et al. ’06] • Virtualization: [England et al. ’03], [Garfinkel et al. ’03] • Late Launch: [Kauer et al. ’07], [Grawrock ’08] • Flicker, Targeted Late Launch: [McCune et al. ’07] (Diagram: the OS, a Late Launch of Flicker, and the targeted code S, which alone is Attested.)

  23. Interpreting Code Identity (Diagram: BIOS, Option ROMs, Bootloader, OS, Drivers 1…N, App 1…N, alongside Flicker running the targeted code S.)

  24. Load-Time vs. Run-Time Properties • Code identity provides load-time guarantees • What about run time? • Approach #1: Static transformation [Erlingsson et al. ’06] (Diagram: an Attested Compiler rewrites Code into Code’ according to a Run-Time Policy.)

  25. Load-Time vs. Run-Time Properties • Code identity provides load-time guarantees • What about run time? • Approach #1: Static transformation [Erlingsson et al. ’06] • Approach #2: Run-Time Enforcement layer [Haldar et al. ’04], [Kil et al. ’09] Open Question: How can we get complete run-time properties? (Diagram: the Enforcer is Attested at Load Time and constrains the Code at Run Time.)

  26. Roots of Trust • General purpose, tamper responding: [Weingart ’87], [White et al. ’91], [Yee ’94], [Smith et al. ’99], … • General purpose, no physical defenses: [ARM TrustZone ’04], [TCG ’04], [Zhuang et al. ’04], … • Special purpose: [Chun et al. ’07], [Levin et al. ’09] • Timing-based attestation, requires detailed HW knowledge: [Spinellis et al. ’00], [Seshadri et al. ’05], … (Diagram: the categories are arranged from most expensive down to Cheaper.) Open Question: What functionality do we need in hardware?

  27. Human Factors Open Questions: • How should the records SW 1, SW 2, …, SW N-1, SW N be communicated to Alice? • What does Alice do with a failed attestation? • How can Alice trust her device?

  28. Conclusions • Code identity is critical to bootstrapping trust • Assorted hardware roots of trust available • Many open questions remain! Thank you! parno@cmu.edu
