RE-TRUST Meeting 30 – May – 2005 Trento, Italy

1. RE-TRUST Meeting30 – May – 2005Trento, Italy Outline- List of Participants- Administrative Organization- Draft WPs, Tasks, Gantt- WP components- Meeting Minutes- Functional Descriptions: - Remote Entrusting - SW-based Tamper Resistance – TR - SW/HW-based Tamper Resistance - TR

2. RE-TRUSTList of Participants – 30/5/2005 • P1: UNITN - Universita' di Trento - ITALY • Yoram Ofek - ofek@dit.unitn.it • Fabio Massacci - massacci@dit.unitn.it • Harshit Shah - harshit@tcs.tifr.res.in • P2: POLITO - Politecnico di Torino - ITALY • Mario Baldi – mario.baldi@polito.it; • Riccardo Scandariato - riccardo.scandariato@polito.it • Stefano Di Carlo - dicarlo@polito.it • P3: IBM Research – Zurich - SWITZERLAND • Matthias Schunter - mts@zurich.ibm.com • P4: GP - Gemplus - FRANCE • P5: KUL - Katholieke Universiteit Leuven - BELGIUM • Klaus Kursawe - kkursawe@esat.kuleuven.ac.be;   • P6: VUA – Vrije Universiteit– The NETHERLANDS • Bruno Crispo - crispo@cs.vu.nl • P7: SPIIA - St. Petersburg Institute for Informatics and Automation - RUSSIA

3. List of Project Participants • P1: UNITN - Universita' di Trento - ITALY • Yoram Ofek - ofek@dit.unitn.it • Fabio Massacci - massacci@dit.unitn.it • John Mylopoulos - jm@cs.toronto.edu • P2: POLITO - Politecnico di Torino - ITALY • Paolo Prinetto - Paolo.Prinetto@polito.it • Mario Baldi – mario.baldi@polito.it • Riccardo Scandariato - riccardo.scandariato@polito.it • P3: IBM Research – Zurich - SWITZERLAND • Michael Waidner - wmi@zurich.ibm.com • Matthias Schunter - mts@zurich.ibm.com • Jan Camenisch - jca@zurich.ibm.com • P4: GP - Gemplus - FRANCE • Bruno Rouchouze - Bruno.ROUCHOUZE@gemplus.com • Laurent MANTEAU - Laurent.MANTEAU@gemplus.com (Cooperative R&D Manager Business Development Group) • David NACCACHE - David.NACCACHE@gemplus.com • P5: KUL - Katholieke Universiteit Leuven - BELGIUM • Bart Preneel - bart.preneel@esat.kuleuven.ac.be • Karel Wouters - kwouters@esat.kuleuven.ac.be • Klaus kursawe- kkursawe@esat.kuleuven.ac.be • P6: VUA - Vrije Universiteit – The NETHERLANDS • Andrew Tanenbaum - ast@cs.vu.nl • Bruno Crispo - crispo@cs.vu.nl • Chandana Gamage - chandag@cs.vu.nl • P7: SPIIA - St. Petersburg Institute for Informatics and Automation - RUSSIA • Igor Kotenko -ivkote@mail.iias.spb.su

4. Administrative Organization • Project secretary - Riccardo Scandariato • WPs editors (may change as we progress) • WP0 – UNITN • WP1 – UNITN • WP2 - POLITO • WP3 – KUL • WP4 – UVA • WP5 – IBM • WP6 – UNITN Next on the agenda: - Conference call - Trip to Brussels

5. Draft June 24: WPs, Tasks, Gantt (y1,y2,y3) • WP0: Coordination and Management - UNITN • WP1: Overall architecture (y1, a: initial, y3-b: final) - UNITN • T1.1: Reference Applications and Requirements (grid, chat client, mobile, …) - UNITN • T1.2: SW-app + SW-based tamper resistance (TR) - POLITO • T1.3: SW-app + SW/HW-based tamper resistance (TR) – KUL/UNITN • T1.4: Design of applications using HW/SW methods (y3) – polito • Reference architeture • WP2: SW-based TR (y1-y2); y1: design; y2: PoC - POLITO • T2.1: Replacement – POLITO • T2.2: Obfuscation - KUL • T2.3: Secure interlocking of two programs – POLITO • T2.4: Each includes sec analysis (goals, assumptions, …) – KUL/POLITO • WP3: HW/SW-based TR (y2-y3 ); y2: design; y3: PoC - KUL • T3.1: Using HW to improve SW-based TR – KUL • T3.2: Splitting program into SW/HW parts – KUL/GEMPLUS • T3.3: Security protocols for four-tier trust (entruster, app, SW-TR, HW-TR) – KUL/ ibm 6 pm • T3.4: Using PCs as extension of secure HW - GEMPLUS • T3.5: Secure downloading into OS+SC - GEMPLUS • T3.6: Each includes sec analysis (goals, assumptions, …) – VUA • WP4: Security analysis (y2: SW-based, y3: SW/HW+overall) - VUA • T4.1: Overall Security analysis of the SW-based technology - VUA • T4.2: Security analysis of the SW/HW based technology - VUA • T4.3: Comparison with security achieved by TCG – IBM w-p • T4.4: Implementability of the security assumptions – IBM w-p • WP5: Remote verification and trust management – IBM w-p 2 pp. 14pm tot. • WP6: Dissemination, etc. - UNITN

6. Initial Draft: WPs, Tasks, Gantt (y1,y2,y3) • WP0: Coordination and Management - UNITN • WP1: Overall architecture (y1, a: initial, y3-b: final) - UNITN • T1.1: Reference Applications and Requirements (grid, chat client, mobile, …) - UNITN • T1.2: SW-app + SW-based tamper resistance (TR) - POLITO • T1.3: SW-app + SW/HW-based tamper resistance (TR) – KUL/UNITN • T1.4: Design of applications using HW/SW methods (y3) – polito • Reference architeture • WP2: SW-based TR (y1-y2); y1: design; y2: PoC - POLITO • T2.1: Replacement – POLITO • T2.2: Obfuscation - KUL • T2.3: Secure interlocking of two programs – POLITO • T2.4: Each includes sec analysis (goals, assumptions, …) – KUL/POLITO • WP3: HW/SW-based TR (y2-y3 ); y2: design; y3: PoC - KUL • T3.1: Using HW to improve SW-based TR – KUL • T3.2: Splitting program into SW/HW parts – KUL/GEMPLUS • T3.3: Security protocols for four-tier trust (entruster, app, SW-TR, HW-TR) – KUL/ ibm 6 pm • T3.4: Using PCs as extension of secure HW - GEMPLUS • T3.5: Secure downloading into OS+SC - GEMPLUS • T3.6: Each includes sec analysis (goals, assumptions, …) – VUA • WP4: Security analysis (y2: SW-based, y3: SW/HW+overall) - VUA • T4.1: Overall Security analysis of the SW-based technology - VUA • T4.2: Security analysis of the SW/HW based technology - VUA • T4.3: Comparison with security achieved by TCG – IBM w-p • T4.4: Implementability of the security assumptions – IBM w-p • WP5: Remote verification and trust management – IBM w-p 2 pp. 14pm tot. • WP6: Dissemination, etc. - UNITN

7. WP Components Please use the enclosed WP template • For each WP: • Description of research activities and their inter-relationships: • B.1 Scientific and Technological Objectives of the Project and Comparison to the State of the Art • B.2 Relevance to the Objectives of FET Open • B.3 Potential Impact [Note: selected parts will be moved to the body of the proposal] • Tasks • Deliverables • Papers, reports, • PoC – Proof of Concept – examples: • Software demonstrations • Algorithmic design with formal proofs • Complexity analysis (e.g., “de-hiding”) • … … … • Milestones • {IST Definition: Milestones are control points at which decisions are needed; for example concerning which of several technologies will be adopted as the basis for the next phase of the project.}

8. Minutes by Riccardo – 1/6 • Morning session • --------------- • 1) Ric presentation • Mathias comment: state the assumptions to prove that the approach work • 2) Yoram: explains the reference model • - Method 1 • - Method 2 • - Conditional computing might be easier than conditional playback • Comments • Mathias: • IBM has some work on Grid stuff • Can be simpler than DRM if we only care about integrity of data • Interesting question: which is the minimal TCG h/w you need to build up trust on stacked (s/w) modules • Bruno/Klaus: • this is the level we can push forward with all-software... but can be necessary to introduce h/w • to get bullet-proof security... well, let us find the minimal h/w platform... this type of discussion • must be in the proposal • Yoram: • TCG oblige trust to be extended to the whole platform • we want something than can be tailored, e.g. to the level of a single application (all the rest is untouched) • Mathias/Bruno • look at connections with mobile agents security (similarities with our project) -> protecting agents

9. Minutes by Riccardo – 2/6 • 3) Stefano presentation • Presented three "dependability-related" techniques, which can be applied to the security field: • - invariants over application variables • - variable duplication • - Control flow check by regular expression • Comments • Mathias: concerning PROMON, there's a lot of related work in the area of behavior-based intrusion detection • concerning RECCO, errors during computation are not covered (assumption: CPU is protected) • comments from Bruno/Riccardo : stress of effectiveness and measures • 4) Mathias presentation • Mathias/Ian group working on anonymous attestation for TCG • - idemix: proof of authenticity of machine without revealing any identification info • Direct Anonymous Attestation (DAA) • - now part of TPM chip • - can be done in software • SLA: proof that machine is providing a trusted implementation (e.g. of an API)... • actual implementation does not care (e.g. a Win implementation vs a Lin implementation) • Linux prototype: • Domain: set of corporate machine that are continuously checked by a central server, • to check their configuration • After the fact: log of what happened (the approach does not prevent loading an untrusted module. • Still, it will let you attest that an untrusted module has been loaded, by analyzing the logs) • - You need to know in advance the correct configuration, in order to check that nothing illegal happened

10. Minutes by Riccardo – 3/6 5) Klaus presentation Sobenet: white box crypto, code obfuscation Interests in RE-TRUST - software security - Interface with HW (and HW/SW codesign) MS: secure compartments (microkernel) plus TPM chip used for HD encryption 6) Bruno presentation Distributed system group (50 peoples, 4 full professors) Four sub-groups: Dist Sys, Parallel programming and grid, Intelligent autonomous agents, security group Current activities and Interests for RE-TRUST Secure OS: micro kernel - Drivers - MMU Distributed enforcement: 1) Controlled information dissemination 2) local enforcement Example policies: "Read/write file x only 7 times" or "Read file x only if file y satisfies some properties" (similar to DRM) To enforce such policies, TPM plus the secure OS is not enough (we are in a distributed environment). An additional middleware layer is needed (specifically a reference monitor) - Yoram (general question) Supposing TPM is on a USB device, would it matter? Can we implement the TCG approach with the chip on a USB token? Probably yes (by adapting BIOS), but this is not TCG compliant (standard requires the TCM is bound to a particular machine)

11. Minutes by Riccardo – 4/6 • Original plan was to resort to TC if software, or software plus soft h/w, is not enough. • Probably, we can stick to soft hardware (as far this project is concerned) • We can talk of "security token" or "trusted hardware" (in general) without saying whether • that will be a TPM on a USB device (or smart card) or a "real" TCG-compliant TPM • -> trusted hardware connected to an I/O port (without touching the motherboard) • 7) Massacci presentation • Enforceable security policies (Snider): Enforcer (security monitor) is outside and check • the application by looking at a subset of the application I/O (and temporal dimension) • Afternoon session • ----------------- • Agreement on straw-man scheme (2 levels) • "trusted hardware" (in general) without saying whether that will be a TPM on a device connected • to an I/O port or an on-board TPM • Is it possible to plug in h/w without transitive trust? • I.e. application stacked on secure OS, stacked on TPM () • Focus on applications or on mechanisms? • -> OPEN ISSUE : IDENTIFICATION OF TARGET APPLICATIONS !!!!!

12. Minutes by Riccardo – 5/6 WPs + TASKS + MILESTONES + DELIVERABLES ====================================== => Overall Architecture: (y1, a: initial, y3-b: final) << TRENTO >> -> Reference Applications and Requirements (grid, banking client, mobile) -> SW->Application + SW Based Tamper Resistance -> SW->Application + SW/HW Based Tamper Resistance -> Design of applications using HW/SW methods (Validation ...) <(y3) <IBM>> => SW-Based Tamper Resistance (y1-y2); y1:design; y2: PoC <<TORINO>> -> Replacement <<TORINO>> -> Obfuscation <<LEUVEN>> -> Secure interlocking of two programs -> Something else -> Each includes sec analysis (goals,assumptions) => HW/SW based TR (y2-y3); y2:design; y3:PoC <<LEUVEN>> -> Using HW to improve SW-based TR <<LEUVEN>> -> Splitting program into SW/HW parts <<LEUVEN>> -> Security protocols for four-tier trust (entruster, app, SW-TR, HW-TR) <<LEUVEN>> -> Using PCs as extension of secure HW <<GEMPLUS>> -> Secure downloading into OS+SC <<GEMPLUS>> -> Each includes sec analysis (goals,assumptions) <<VUA*>>

13. Minutes by Riccardo – 6/6 => Security Analysis (y2: sw-based, y3: sw/hw+overall) <<VUA*>> -> Overall Security analysis of the SW-based technology -> Security analysis of the SW/HW based technology <<VUA*>> -> Comparison with security achieved by TCG <<IBM> -> Implementability of the security assumptions <<IBM>> => Remote verification and trust management <<IBM>> * AMSTERDAM OTHER WORKPACKAGES =================== => Coordination/Management <<TRENTO>> => Dissemination <<TRENTO>> REFERENCE MODEL: ================ +------------------+ +---+ +-------+ Public Channel +-----------+ |Trusted Component |---> |APP| ----> |OBF App| -------------------> |Smart Card | | |<--- | | <---- | | <------------------- | | +------------------+ +---+ +-------+ +-----------+

14. Functional Description: Remote Entrusting • 2nd Entrusting Machine is ENTRUSTING the 1stUntrusted machine by verifying the Secure Tags • 1st Untrusted machine emanates Secure Tags from a code/software during execution IP Network Secure Tags Core of Trust 2nd Entrusting Machine 1st Untrusted Machine Entrusting

15. Definition of Trustfor Remote Entrusting A software (code/protocol) is deemed authentic/trustedif and only if its functionality has not been altered/tampered by an untrusted/unauthorized entityprior to or during execution

16. Functional Description: SW-based Tamper Resistance - TR Obfuscating Compiler Secure tag generator Code Replacement Core of Trust 2nd Entrusting Machine Application on 1st untrusted Machine Obfuscated Tag Generator Messages + Tags Observes the application and generates tags securely

17. Functional Description: SW/HW-based - TR Obfuscating Compiler Secure tag generator Code Replacement Untrusted “public” channel: OS, etc. Core of Trust Application on 1st untrusted Machine Secure Hardware: Smart card, etc. Obfuscated Tag Generator 2nd Entrusting Machine Messages + Tags Observes the application and generates tags securely