463.7 Remote Attestation Computer Security II CS463/ECE424 University of Illinois
Overview • Discussion in two parts: • Motivation and Approaches • Assessment and Applications
Introduction • Remote attestation is a trusted computing technology that permits a computer to measure properties of a remote system in such a way that the remote system will be detected if it is lying
What Gets Measured? Process Process Configur-ation Data Configur-ation Data Security Module Kernel Device Driver Module Configuration Data Security Policy BIOS Bootloader
Motivating Applications • Online banking • Vulnerable to rootkits sniffing passwords or undermining browser security mechanisms • Anonymous networks • Mix node running on untrusted base can have its internal operation inspected by operator • Mobile agents • Similar to online banking (web browser is essentially a non-mobile agent of the bank with a user interface) • DRM • Data can be replicated or access controls undermined
Motivating Applications (cont.) • Online Games • Players have incentive (often financial) to enhance their avatars’ performance • Corporate Network Clients (laptops, smart phones, etc.) • Particularly prone to introduce malware into the network since they are not administered internally • P2P, Distributed Computing, and Cycle-Selling • Some peers may undetectably cheat • Online Shopping • Website bearing TRUSTe logo may not actually be running privacy-preserving systems
Remote Attestation Objectives • Objective: Verifier determines whether a remote system satisfies some property • Example: Is the remote system running the standard Ubuntu Linux v.2.6.18 kernel? • Problem: Can’t just ask the system, since it could lie!
Remote Attestation Process • Three phases: • Measurement: machine to be attested must measure its properties locally • Attestation: transfer measurements from machine being attested to remote machine • Verification: remote machine examines measurements transferred during attestation and decides whether they are valid and acceptable
Sample Approach: Blizzard Warden • Anti-cheating tool used in several Blizzard games to enforce the EULA • Detected cheaters are sometimes stripped of their account access • Monitors or has monitored: • All window titles on desktop • Process names • Communicates “cheater” or “non-cheater” back to central system using encrypted channel • Switched to apparently randomized encryption scheme in late 2007, locking out reverse engineers • Bots still exist for WoW, so either they are not detected or Blizzard is not penalizing their users • Drawbacks of this approach: • Privacy violations due to access to all processes and windows • Unreliable assurances to Blizzard: Sony music rootkit allowed arbitrary files to be hidden from Warden by simply renaming them [“On Warden” Blog] [Lemos03]
Hardware TTP for Remote Attestation: TPM • Pure software TTPs impose severe restrictions on remote attestation assurances, so hardware solutions are an alternative • Most popular: Trusted Platform Module (TPM)
TPM 1.0 Components [TCG]
Credential Types • TPM contains 5 types of credentials: • Commonly-used: • Endorsement or EK credential: uniquely identifies TPM, privacy concern • Identity or AIK credential: Issued by privacy CA to preserve privacy of EK credential • Less commonly-used: • Conformance credential: Certifies that TPM meets specifications • Platform credential: Identifies TPM manufacturer and capabilities • Validation credential: Associated with peripheral or software to guarantee integrity
Threat Model • Threat model dictated by hardware capabilities: • Tamper-evident, not tamper-resistant TPM • Not required to zero information when compromised • CPU and memory protected against tampering • Unprotected disk • Can be removed and inserted into new machine • Threat model has been demonstrated to be too weak to defend against moderately-skilled attackers http://www.youtube.com/watch?v=f_Zx8sKCiTo
Linux Integrity Measurement [Sailer IMA]
How Does It Get Measured? Program code: BIOS Bootloader Kernel Module Module App App SHA1 Hash function: Hashes: BIOS Bootloader Kernel Module Module App App SHA1 SHA1 SHA1 … H1 H2 PCR
Attestation Challenges • Attestation results may lack significance • Chain may be too complex to analyze • Element within chain may be unverified, invalidating entire result • Even a simple software patch requires re-verification • Identity may be less significant than a higher-level security property corresponding to information flow or some other metric
Policy-Reduced Integrity Measurement Architecture [JaegerSS06]
Simplification • Practically necessary to obtain significant attestation results • Operating systems: • Microkernels • Hypervisors • Kernels in safe languages • Simplifies analysis by providing strong isolation between portions of kernel, even if kernel is still complex • Applications: • Use of safe programming languages and/or modularization
Monolithic Kernel Case Study: Linux • SLOC for Linux as of Oct. 2008: ~6.4 million • Kernel Interfaces: • Filesystems • Networking • Individual hardware drivers • Security hooks for fine-grained access control instantiated by in-kernel modules • Audio • Video • … • All in the same address space, with few access restrictions Process Process Process Kernel FS, Net, Drivers, Access, Audio, Video, …
Microkernel Case Study: seL4 • Based on L4 microkernel • Very simple API: • Capabilities for access control • Threads • IPC between threads • Other interfaces provided by userspace “servers” that are only permitted to access specific hardware and software resources • Adheres more closely to principle of least privilege Application Application Video Driver Kernel Audio Net Driver FS [seL4]
Hypervisor Case Study: Xen • Attempts to export an interface to userspace that resembles the underlying hardware • Deviates from hardware whenever such a deviation provides sufficiently improved performance • E.g. special functions for manipulating page tables and communicating between VMs Process Process Isolated Process Kernel FS, Net, Drivers, … Kernel Hypervisor
Formal Verification • Step 1: Formalize the system • E.g. translate its code into a logic that is easily analyzed • Step 2: Express a mathematical theorem about a system: “If process A is granted exclusive access to memory region M, then all other processes are prevented from accessing M” • Step 3: Prove the theorem using whatever logic the system was formalized in using model checker or theorem prover • Only feasible if system is simple. See link below for summary of OS verification efforts to date. [Klein 08]
Attestation Challenges (cont.) • May lack firm root-of-trust • Chain of trust may start at OS kernel, permitting malicious BIOS or bootloader to remain undetected
Reading [Sailer IMA] Integrity Measurement Architecture (IMA) http://domino.research.ibm.com/comm/research_people.nsf/pages/sailer.ima.html [Klein08] Operating System Verification—An Overviewhttp://ertos.nicta.com.au/publications/papers/Klein_08.pdf
Discussion Questions • What dis/advantages do hardware attestation solutions exhibit compared to software solutions like Warden? • What other applications could benefit from remote attestation?
Motivating Applications (cont.) • Pay-As-You-Drive Insurance • Customers have financial incentive to falsify data from device that records driving behavior • Transportation Loggers • Transportation company has incentive to falsify data if expensive shipment is mishandled • Advanced Electric Meters • Customers have financial incentive to reduce their recorded consumption
Intel Trusted Execution Technology (TET) [Intel TET Overview]
TET System Implementation • Enter VMM mode using GETSEC[SENTER] instruction, measures VMM before transferring control • Enables the attestation chain to that point to be discarded, giving a fresh reset. Referred to as Dynamic Root of Trust for Measurement (DRTM) • CPU provides internal RAM that can execute code after hashing code and verifying against embedded digital signature. Enter Authenticated Code (AC) mode using GETSEC[ENTERACCS] instruction. • Will only run software signed by Intel using a private key corresponding to a public key in the chipset itself [Intel TET Implementation]
ARM TrustZone [ARM TrustZone Home]
Attestation Limitations • Compromising a TPM key undermines entire process • Difficult to maintain CRLs • Attestation can only guarantee past and present system properties, it can say very little about the future. • Owner can always turn machine off • Operator can often load new software that violates trust (can be prevented) • Must decide how much state to attest. Should saving a new cookie in your browser invalidate its security?
Attestation Limitations (cont.) • Can’t directly detect MITM exploits • Attestation simply tells you what software is running on system, not the identity of the system (for privacy reasons) • Can you solve this? • Useful for clients attempting to verify security of servers? • Only if attestation result has semantic meaning (e.g. verified by TRUSTe) • Only if server operator lacks resources to compromise TPM • Might be worth it for him to spend a lot of money doing so if it enables him to perpetrate lucrative crime
Attestation Drawbacks • Platform privacy compromised by some attestation protocols • Endorsement Key uniquely identifies platform • Privacy CAs can issue alternative anonymous keys (AIKs), but have a difficult business model • Involved in every transaction to verify certificates against CRLs, requiring high availability and confidentiality, two requirements often in opposition • Direct Anonymous Attestation based on group signatures • Compromised TPM keys are distributed to all verifiers without necessarily using a centralized CA • Attestation can increase vendor lock-in and platform discrimination by permitting verifying entities to check the exact, complete software stack of the system. [IBM DAA]
Attestation-Based DRM • Refuse to provide content to network client until it proves that it is running a configuration that will not misuse that content • High-bandwidth Digital Content Protection (HDCP) is a weak example • Relies upon pre-installed private keys and revocation lists. • If the keys of a device are compromised, it is place on the revocation list and compliant devices will no longer communicate with it. • Note: If you purchase an HDCP-enabled device, and someone else cracks the same model and publicly distributes the keys, your device may be blacklisted! • Otherwise, it is assumed to have an acceptable configuration without further verification.
Attestation-Based DRM Concept Music Server Music Client Listener No. Will the computer let the Listener copy the music?
Bringing it All Together: Terra Architecture [GarfinkelPCRB03]
Terra Attestation Process • Lower layers certify higher layers: • TPM → Firmware → Boot Loader → TVMM → VM → Application • For each layer above TPM: • Upper layer generates public/private keypair • Upper layer requests that lower layer certify its public key and perhaps other data • Lower layer signs certificate with hash over attestable parts of requests as the common name (main identifier) and the hashed data as auxiliary information
TVMM Attestation (cont.) • VM disk contents included in attestation • Simple hash tree used to optimize performance • Permits VM to run for indefinite time using false disk hash • Encrypted, integrity-protected, and non-encrypted disks all supported • Keys used to protect disks placed in sealed storage, to prevent attackers from removing disks and performing an offline compromise
Attestation Verification • Verify certificate in each layer by ensuring that it is signed by lower layer • TPM certificate is signed by TPM manufacturer, which is also responsible for issuing CRLs • No TPM manufacturer currently does this that I am aware of • Check software hashes and attested data contained within certificates, ensure they are all trusted.
Attestation Binding • Verification must be bound to attested process in some way • Exchange certificate chains inside SSL tunnel • If software is good, it will not persist session key • Prevents system from rebooting and continuing execution in unattested state
Trusted Quake • Game clients and servers can be modified to provide additional functionality to players • Aiming proxies: modify network commands to stabilize or otherwise assist in aiming weapons • Eavesdropping: determine information about other players’ activities • Puts other players at disadvantage
Implementation Performance • Trusted Quake: • Direct boot (no attestation): 26.6 seconds • Optimistic attestation: 27.1 seconds • Encrypted optimistic attestation: 29.1 seconds • Ahead-of-time attestation: 57.1 seconds • Interactive performance apparently equal across the board (but much slower than native I’m sure!)
Trusted Quake Weaknesses • Bugs and Undesirable Features: Rendered polygon OSD permits prediction of impending character appearances • Network DoS Attacks: Terra does nothing in this regard • Out-of-Band Collusion: Players can still communicate if they’re sitting together in a basement and glancing at each others’ monitors
In the Real World: Security-Enhanced Xen • Similar to Terra in many ways • Mandatory Access Control (MAC) for VM objects and commands • Permits controlled data sharing between VMs, using shared memory buffers • Originally implemented by IBM as sHype • Xen Security Modules (XSM) provides extended hooks, backwards compatibility with sHype, and support for SELinux-style Type Enforcement policies
Security-Enhanced Xen (cont.) • Support for TPM virtualization • VM decomposition • Break management interface into pieces, allow different domains to use various parts • Run drivers in separate domains • More like a microkernel than traditional VM-based system • Secure I/O • IO-MMU support [Hand05]
Windows BitLocker • Volume encryption • Encryption key can be stored in TPM and only released if TPM detects unmodified Windows instance booting [Hensing09]