Trusted Computing

Trusted Computing Bruce Maggs (with some slides from Bryan Parno)

Bryan Parno’s Travel Story

Attestation • How can we know that a system that we would like to use has not been compromised?

Bootstrapping Trust is Hard! Challenges: App 1 App 4 App 5 App 2 App N App 3 • Hardware assurance • Ephemeral software • User Interaction S2( ) S14( ) S1( ) S15( ) S3( ) S11( ) S5( ) S6( ) S13( ) S12( ) S7( ) S8( ) S9( ) S10( ) S4( ) OS Module 1 Module 3 Module 2 Module 4 ^ Safe? H( ) H( ) Yes!

Bootstrapping Trust is Hard! Challenges: Evil App • Hardware assurance • Ephemeral software • User Interaction Evil OS Safe? Yes!

Trusted Platform Module Components permanent public/private key pair https://en.wikipedia.org/wiki/Trusted_Platform_Module#/media/File:TPM.svg created when TPM first used

TPM Chip Often found in business-class laptops https://en.wikipedia.org/wiki/Trusted_Platform_Module#/media/File:TPM_Asus.jpg

Goal • The goal is to prevent untrusted software from ever running on the computer system. • Trusted software is allowed to make use of the TPM as needed. • But if malware ever begins to execute, all bets are off.

Built-In Unique Identifier • “Endorsement Key” permanently embedded in TPM • RSA public-private key pair • Private key never leaves the TPM chip • Public key can be certified (e.g., TPM may include an EKCERT certificate signed by a TPM CA such as the TPM manufacturer)

Caveat • The TPM is not 100% tamper proof! • Safe use requires physical security • In 2010 Christopher Tarnovsky extracted all keys from an Infineon TPM chip by • soaking the chip in acid to remove plastic • removing RF-shield wire mesh • probing with an extremely small needle

Storage Root Key • Master “storage root key” (SRK) created when TPM first used • Can be changed by clearing the TPM • Protects TPM keys created by other applications that are stored outside the TPM (can’t fit all keys in a TPM!) • The application keys can be used to encrypt data stored outside the TPM • Akamai server clears TPM if lid is opened!

On-Chip Algorithms • RSA key-pair generation • RSA encryption/decryption • RSA signing and signature checking • Random number generation • SHA-1 hashing • Keyed-hash message authentication code (HMAC) (more on this later) • NOT a crypto accelerator

Platform Configuration Registers (PCRs) • A TPM contains several 20-byte PCRs • A PCR is initialized to zero at power on. • The only operation allowed on a PCR is to extend it: • val[PCR] = SHA1(val[PCR] || newval) • At boot time, a TPM-enabled PC takes a series of measurements and stores them in PCRs (more on this later)

HMAC • Hash with two inputs: a key and a block of data • Typically key is randomly generated and secret • Key can be used (for example) to guarantee that the hash was freshly created

How HMAC can be used • TPM can be passed any data that can be loaded into memory, including data from • Disks • Memory • Registers in the CPU • Hardware/software can choose to execute only from known safe states

Applications • Protecting sensitive stored information from modification • Trusted boot • Attestation

TPM-Based Attestation Example • [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04] BIOS Bootloader Bootloader BIOS App App App App PCRs App App OS OS Module Module Module Module Module Module KPriv TPM Module Module

Establishing Trust via a TPM • [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04] Guarantees freshness random # Accurate! random # Guarantees real TPM BIOS Bootloader BIOS BIOS Bootloader Bootloader App App App ( ) App App App PCRs App App App OS OS OS Module Module Module Sign Module Module Module Module Module Module Guarantees actual TPM logs random # KPriv TPM Kpriv Module Module Module KPub

Static Chain of Trust at Power-On • PCRs set to default values (zero) • Motherboard hardware instructs TPM to measure Authenticated Code Module (ACM) provided by manufacturer on motherboard, extend PCR0 • Hardware instructs TPM to check signature of ACM using manufacturer’s public key stored on motherboard • Processor runs ACM to measure BIOS, i.e., software instructs TPM to extend PCR0 with BIOS • BIOS code extends PCR4 with IPL (initial program loader) from master boot record

then… Dynamic Chain of Trust • OS invokes special security instruction, resetting PCRs 17-22 to default values • Hardware measures SINIT ACM, also provided by hardware manufacturer • SINIT ACM measures OS startup code (Measured Launch Environment MLE), extends PCR18 • Before running MLE, SINIT verifies that MLE and PCRs 0-7 have known good values • MLE measures OS, extends PCRs 19-20 • Before running OS, MLE compares PCRs 19-20 to known good values

Microsoft Secure Boot (Windows 8+) • Enabled by “UEFI” – Unified Extensible Firmware Interface (replacement for traditional BIOS) • Manufacturer’s and Microsoft public keys stored in firmware (can add other OS vendors) • TPM checks that firmware is signed by the manufacturer • TPM checks that hash of boot loader has been signed with Microsoft public key

Microsoft Trusted Boot • Takes over after Secure Boot • Verifies all OS components, starting with Windows kernel • Windows kernel verifies boot drivers, start-up files

Microsoft BitLocker Drive Encryption • Encryption of volume containing Windows OS, user files, e.g., C:\ • Separate unencrypted volume contains files needed to load Windows (MLE) • Volume master encryption key encrypted and stored on volume. • Key to decrypt volume master key can be stored on TPM in storage root key (backup stored elsewhere) • MLE retrieves key from TPM to decrypt OS • OS doesn’t decrypt user files unless a valid password is provided – better password protect your account! • BitLocker can be used without a TPM – user supplies an encryption password

Intel SGX • Intel Software Guard Extensions – new instructions added to x64 instruction set • Incorporated directly into CPU, e.g., Intel i7-6700K, Dell Inspiron 11 i3153 • (Not a separate chip like TPM.) • Application can created trusted memory “enclave” • Only trusted functions (stored in enclave) can see or modify enclave • Processor can sign hash of enclave contents • Application software can be protected from privileged software https://software.intel.com/en-us/sgx/details

Container Virtualization Containers share the host operating system, using less resources, and instances can be created more quickly than VMs. But there is no isolation from the host OS. http://searchservervirtualization.techtarget.com/definition/container-based-virtualization-operating-system-level-virtualization

Secure Containers • SCONE: Secure Linux Containers with Intel SGX (OSDI 16) • Use SGX to protect container processes from outside attacks (e.g., through host OS) • Transparent to Docker

With great power… • Malware could use SGX to create an enclave that anti-virus software could not inspect!

Protection Against Snooping • SGX prevents processor from making unauthorized accesses to protected memory enclave, but what if, e.g., cloud provider can “snoop” on the memory bus (or disk drives)? https://ark.intel.com/products/64582/Intel-Xeon-Processor-E5-2687W-20M-Cache-3_10-GHz-8_00-GTs-Intel-QPI

Encryption Defense • First defense: encrypt data in processor before writing it to memory or disk • But what if memory access pattern itself reveals information about the computation, e.g., its inputs and outputs?

Oblivious RAM (ORAM) • Design the program so that the memory access pattern leaks no information. • Example: replace each memory access in the program with a read followed by a write of every memory location. (Expensive!) • General-purpose ORAM “compiler” generates programs with overhead factor (extra memory accesses) between (log n) and o(log2 n) for a RAM of size n. • Making ORAM practical is an active research area.

Trusted Computing