210 likes | 219 Views
Trusted Computing and the Trusted Platform Module. Bruce Maggs (with some slides from Bryan Parno). Bryan Parno’s Travel Story. Attestation. How can we know that a system that we would like to use has not been compromised?. Bootstrapping Trust is Hard !. Challenges:. App 1. App 4. App
E N D
Trusted Computingand theTrusted Platform Module Bruce Maggs (with some slides from Bryan Parno)
Attestation • How can we know that a system that we would like to use has not been compromised?
Bootstrapping Trust is Hard! Challenges: App 1 App 4 App 5 App 2 App N App 3 • Hardware assurance • Ephemeral software • User Interaction S2( ) S14( ) S1( ) S15( ) S3( ) S11( ) S5( ) S6( ) S13( ) S12( ) S7( ) S8( ) S9( ) S10( ) S4( ) OS Module 1 Module 3 Module 2 Module 4 ^ Safe? H( ) H( ) Yes!
Bootstrapping Trust is Hard! Challenges: Evil App • Hardware assurance • Ephemeral software • User Interaction Evil OS Safe? Yes!
Trusted Platform Module Components https://en.wikipedia.org/wiki/Trusted_Platform_Module#/media/File:TPM.svg
TPM Chip Often found in business-class laptops https://en.wikipedia.org/wiki/Trusted_Platform_Module#/media/File:TPM_Asus.jpg
Caveat • The TPM is not 100% tamper proof! • Safe use requires physical security • In 2010 Christopher Tarnovsky extracted the private key from an Infineon TPM chip by • soaking the chip in acid to remove plastic • removing RF-shield wire mesh • probing with an extremely small needle
Built-In Unique Identifier • “Endorsement Key” permanently embedded in TPM • RSA public-private key pair • Private key never leaves the TPM chip • Public key can be certified (e.g., TPM may include an EKCERT certificate signed by a TPM CA such as the TPM manufacturer) • Master “storage root key” (SRK) created when TPM first used
On-Chip Algorithms • RSA key-pair generation • RSA encryption/decryption • RSA signing • Random number generation • SHA-1 hashing • Keyed-hash message authentication code (HMAC)
Platform Configuration Registers (PCRs) • A TPM contains several 20-byte PCRs • A PCR is initialized to zero at power on. • The only operation allowed on a PCR is to extend it: • val[PCR] = SHA1(val[PCR] . newval) • At boot time, a TPM-enabled PC takes a series of measurements and stores them in PCRs
HMAC • Hash with two inputs: a key and a block of data • Typically key is randomly generated and secret • Key can be used (for example) to guarantee that the hash was freshly created
How HMAC can be used • TPM can hash contents of all storage on computer, or storage in certain places • Disks • Memory • Registers in the CPU • User can choose to execute only from known safe states
Applications • Storing and protecting sensitive information from modification • Trusted boot • Attestation
TPM-Based Attestation Example • [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04] BIOS Bootloader Bootloader BIOS App App App App PCRs App App OS OS Module Module Module Module Module Module KPriv TPM Module Module
Establishing Trust via a TPM • [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04] Guarantees freshness random # Accurate! random # Guarantees real TPM BIOS Bootloader BIOS BIOS Bootloader Bootloader App App App ( ) App App App PCRs App App App OS OS OS Module Module Module Sign Module Module Module Module Module Module Guarantees actual TPM logs random # KPriv TPM Kpriv Module Module Module KPub
Microsoft BitLocker Drive Encryption • Encryption of volume containing Windows OS, user files, e.g., C:\ • Separate unencrypted volume contains files needed to load Windows • TPM protects disk encryption key by encrypting it • TPM releases key only after comparing hash of early (unencrypted) boot files with previous hash • BitLocker can be used without a TPM – user supplies an encryption password • Relies on user having an OS password!
Microsoft Secure Boot (Windows 8+) • Enabled by “UEFI” – Unified Extensible Firmware Interface (replacement for traditional BIOS) • Manufacturer’s and Microsoft public keys stored in firmware (can add other OS vendors) • TPM checks that firmware is signed by the manufacturer • TPM checks that hash of boot loader has been signed with Microsoft public key
Microsoft Trusted Boot • Takes over after Secure Boot • Verifies all OS components, starting with Windows kernel • Windows kernel verifies boot drivers, start-up files
Microsoft Measured Boot • TPM signs measured boot log file • Remote attestation possible by transmitting signed boot log
Intel SGX • Intel Software Guard Extensions – new instructions added to the x64 instruction set • Incorporated directly into CPU, e.g., Intel i7-6700K, Dell Inspiron 11 i3153 • (Not a separate chip like TPM.) • Application can created trusted memory “enclave” • Only trusted functions (stored in enclave) can see or modify enclave https://software.intel.com/en-us/sgx/details