200 likes | 360 Views
Trusted Computing for the GRID. Dirk Kuhlmann [dirk.kuhlmann@hp.com] Trusted Systems Lab, HPLabs, Bristol. Platform security concerns for GRID. Large number of dynamically managed nodes Reliably identify a particular node Get reliable information about runtime status
E N D
Trusted Computing for the GRID Dirk Kuhlmann[dirk.kuhlmann@hp.com] Trusted Systems Lab, HPLabs, Bristol
Platform security concerns for GRID • Large number of dynamically managed nodes • Reliably identify a particular node • Get reliable information about runtime status • Protect user data and programs • OS and hardware in GRID scenarios • Commercial ‘off the shelve’ elements to save costs • Subjected to COTS vulnerabilities • ‘Script kiddies’ and worms don’t care whether they attacka private platform or a GRID node • Trusted platforms • Next-generation hardware and software GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid
Trusted Nodes as building blocks for Trusted Infrastructure • Are the IT systems on my network the ones I intended to be part of the infrastructure? • Is the software and configuration on IT systems what they are intended it to be? • Is the software I deploy on my IT systems going to behave as intended? Trusted Computing could become a foundational component to address the first two question. TC hardware is no silver bullet! • Secure product development must address the third issue. • Main challenges concern software, in particular OS! GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid
Trusted Computing and HPLabs • Trusted Computing Platform Alliance - TCPA • Founded October 1999 • Compaq, HP, IBM, Intel, Microsoft • Created Embedded Security chip Specification v1.1b • Trusted Computing Group - TCG • Founded April 2003 • Build on TCPA • Expands Trusted Computing to other platform categories and infrastructure • HPLabs held HP’s Technical Committee chair for TCPA and now for TCG. GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid
Trusted Computing evolution Tier 3 Tier 2 Increased integration Tier 1 Trusted Ecosystems / GRID TC Apps – Enterprise, Biz. Critical, Other Tier 0 TC Operating Environment - Chain-of-Trust HW Platform Root-of-Trust TPM Hardware availability GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid
The Trusted Platform Module - TPM - • Trusted Computing builds upon a TPM hardware Root of Trust. Think: smartcard-like hardware component embedded into the platform • Available in D530 series desktops and nc4010, nc6000, nc8000, and nw8000 notebooks GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid
Main value-proposition for GRID today: platform authentication • With Trusted Computing Platforms, network resources can be restricted for access from approved devices as well as approved users • Access grantedto devices authenticated using the Trusted Platform Module (TPM – or Embedded Security Chip) • To grant access to sensitive applications and services • To control access to file servers and databases • To control access from peers or remote clients through VPN and segment portions of the network GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid
Establish encrypted channel Corporate Gateway Authenticates user AND Authenticates Platform as Corporate IT-maintained platform and/or Databases Services The VPN example ISP Internet TC-enabled Remote Employee Resources GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid
Authentication of users and devices User Authentication Device Authentication + Trusted Computing • Creates a Trusted Entity on the network • Provides enhanced network rights, roles, and responsibility • Can be introduced with no disruption to existing IT infrastructure • allows IT managers to dynamically assign granular access control • The device can also now be used as an authentication factor with: • Ease of Use – for the mobile professional • Reduced Total Cost of Ownership – for the IT department GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid
Value proposition for GRID tomorrow: trustworthiness of nodes • Research / Development Tier 3 Tier 2 Tier 1 Trusted Ecosystems TC Apps – Enterprise, Biz. Critical, Other Tier 0 TC Operating Environment - Chain-of-Trust HW Platform Root-of-Trust TPM Hardware availability GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid
Trusted Node Requirements • Allow for device authentication • Monitor software integrity during boot-up and runtime • Keep node alive and manageable • Support standard operating systems • Current operating systems: • Integrity measurements as such do not enhance security • Typically not geared towards ‘keep alive’ GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid
TPM TPM Generic vs. hosted OS • SE Linux • Bastille • Trustix, … • Windows NGSCB? Host OS options: • UM Linux • Micro / Exokernels • Paravirtualization (Xen) • VMware / Plex86 Applications Applications Windows / Linux Virtualization & Mgmt Secuity enhanced OS (Windows / Linux) Hardware (CPU, Disks, Network etc.) Hardware (CPU, Disks, Network etc.) GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid
Chain of trust: TPM + hardened OS • List of trusted drivers, libraries, binaries, config, policies • Intercept syscalls open(), exec() etc • OS monitor checks memory image for each ‘trusted’ file • Alternative: check complete boot file system image • Policy: no further LKM-loading after trusted boot-up • OS locked down: restrict raw disk /memory access etc. • Fine grained OS policy to constrain max. possible damage • Compartments: essentially ‘sandboxing’ at user/process group level • Processes subjected to group-specific I/O and IPC policy • No visibility of processes of other compartments, chroot’ed • List of allowed ‘from/to’ addresses for networking GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid
TPM + hardened host OS for UM-Linux • Use hardened OS as host OS • Host OS integrity check supported by TC hardware • Guest OS integrity checked by trusted SW in host OS • think tripwire • Guest OS launched inside host OS compartment • Guest OS ‘inherits’ compartment rules • network policy enforced outside the guest OS • can be restricted further, e.g. by netfilter on guest OS • Option: dedicated hosted instances • packet filtering, firewall local to platform or guest OS • monitor, audit, report GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid
Challenges • Weak TC notion of ‘expected behaviour’ • SW integrity checking (essentially signed binaries) • Could be extended to binary + policy • No notion of actual runtime behaviour • Borrow concepts: anomaly detection, proof carrying code • Further extension: runtime + policy + runtime signature • ‘Contractual Programming’? ‘Commpacts’? • Management overhead: is it worth it? • Main concern: size of Trusted Computing Base • Huge TCB for User Mode Linux scenario • Who does the validation for OSS? • Favours microkernel/virtualization layer, minimal code base GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid
Applications Applications Applications Windowsor Linux Windowsor Linux Windowsor Linux RptgAgent SoftTPM SoftTPM SoftTPM TPM A TCG/Virtualization Artifact Isolated processing environments Trusted Infrastructure Interface (TII) Secure Virtualization Layer + TCG functionality Hardware (CPU, Disks, Network interfaces etc.) GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid
Trust Instrumentation: TCG and Secure Audit Query: show me all patching events on my service Accountability System Timestampservice TCGrooted reporting TCGrooted reporting TCGrooted reporting AutomatedTestResults CERTVuln. SWActivityreport Systemconfig.report Process Reports … ExternalService probe agent sensor GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid
Trusted Virtualization Layer: Proprietary or Public/Open? • There is a lot of effort going into proprietary solutions, esp. Windows NGSCB … • So far, little complementary efforts in the Open Source field • General scepticism about Trusted Computing approach • Problem space beyond ‘typical’ OSS developer community • Controversial discussion about OSS security in general • Co-ordinated effort for Open Source is necessary • International approach • Academia, industry, and OSS communities • Validation as important as design & implementation ! GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid
Conclusions • Today’s TCG hardware can be the stepping stone for innovative security capabilities. • Trusted Computing is a journey and we are seeing the first technology components appear on the market • It will be a long and difficult way towards trusted GRID nodes and infrastructure. The main challenges are in the area of software: operating systems and management. • Trustworthiness requires peer-review, replicable validation: Open Trusted Computing GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid