Remote Attestation
Presented by: Michael LeMay, University of Illinois
Spring 2006, 563.8
Problem
• Software is controlled by machine operator
• Machine operator, software distributor, or attacker can maliciously subvert software
  • Modify binary
  • Run on untrusted hardware
  • Attach debugger to monitor operation
• Software publisher has no assurance that software is being used in unmodified state, as intended
• Problem worsens when network communication is involved
Remote Attestation
• Allows changes to computer to be detected by user and remote entities
• Hardware generates certificate chain specifying current system configuration
  • Actually, hardware certifies 2nd-lowest layer, which certifies next layer up, etc.
Trusted Computing
• Remote attestation just one piece of TC:
  • Secure I/O
  • Memory curtaining/protected execution/process isolation: even OS can't read everything in memory
  • Sealed storage
• Basic concepts:
  • Machine-specific public key and cert. chain
  • Hardware crypto implementations
• Common applications:
  • Digital rights management
  • System integrity verification
• Similar to IBM 4758 coprocessor, but more capable
(Marchesini, Smith, Wild, MacDonald)
Secure I/O
• Many ways to compromise user I/O
  • Screen-scrapers
  • Keyloggers
• TC hardware verifies checksums of software performing I/O, detecting malicious components
• Doesn't address hardware keyloggers, TEMPEST devices, etc.
Sealed Storage
• Data can be encrypted using key derived from current software/hardware configuration
• Key must be re-derived to decrypt data
• Prevents modified configuration from reading data
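An added Go sketch (not from the slides or any TPM implementation) of how sealed storage binds data to a configuration: each component of the stack is folded into a PCR-style measurement, the sealing key is derived from that measurement, and a changed or reordered stack re-derives a different key and cannot decrypt. The key derivation used here is an assumption for illustration only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
)

// Extend mimics a TPM PCR: new = H(old || H(measurement)), so the final value
// depends on every component measured and on the order they were measured in.
func Extend(pcr [32]byte, measurement []byte) [32]byte {
	m := sha256.Sum256(measurement)
	return sha256.Sum256(append(pcr[:], m[:]...))
}

// MeasureStack folds the stack (bottom to top) into one PCR value from reset.
func MeasureStack(images [][]byte) [32]byte {
	var pcr [32]byte // all-zero reset value
	for _, img := range images {
		pcr = Extend(pcr, img)
	}
	return pcr
}

// sealingAEAD derives the sealing key from the measurement. Assumption made
// for this example: key = SHA-256("seal:" || PCR). A real TPM never releases
// the key; it simply refuses to unseal unless the PCRs match.
func sealingAEAD(pcr [32]byte) cipher.AEAD {
	key := sha256.Sum256(append([]byte("seal:"), pcr[:]...))
	blk, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(blk)      // cannot fail for an AES block
	return g
}

// Seal encrypts data under the key of the configuration measured now.
// nonce must be 12 bytes and unique per sealing operation.
func Seal(pcr [32]byte, nonce, data []byte) []byte {
	return sealingAEAD(pcr).Seal(nil, nonce, data, nil)
}

// Unseal re-derives the key from the configuration presented at unseal time;
// a modified stack yields a different key and GCM authentication fails.
func Unseal(pcr [32]byte, nonce, ct []byte) ([]byte, error) {
	pt, err := sealingAEAD(pcr).Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, errors.New("configuration changed: cannot unseal")
	}
	return pt, nil
}
```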
TC Applications
• Online banking: protect PINs, passwords, account numbers using sealed storage
• Anonymous networks: process isolation prevents operators from inspecting mix
• Mobile agents: protect a software agent from its host using process isolation
• Digital rights management: lock media files to one computer using sealed storage
Remote Attestation Applications
• Protection of P2P: only cooperate with remote clients if they are valid
• Distributed computing (Folding@Home): ensure participants run valid software
• Selling CPU cycles: run an attested process with your idle cycles, get paid
• Online shopping: make sure the merchant is really running TRUSTe, etc.
• VPNs, online games: more later…
(Interesting Uses of Trusted Computing)
TCG Components
[Figure: TCG components, from the TCG 1.0 Architecture Overview]
Credential Types
• TPM contains 5 types of credentials:
  • Endorsement or EK credential: uniquely identifies TPM, privacy concern
  • Conformance credential: certifies that TPM meets specifications
  • Platform credential: identifies TPM manufacturer and capabilities
  • Validation credential: associated with peripheral or software to guarantee integrity
  • Identity or AIK credential: issued by privacy CA to preserve privacy of EK credential
Opposition
• Trusted Computing has many opponents, because it considers the computer operator to be a potential attacker:
  • EFF: Trusted Computing: Promise and Risk
  • Against-TCPA
  • LAFKON - A movie about Trusted Computing
• And, a rebuttal:
  • TCPA Misinformation Rebuttal and Linux drivers
Microsoft NGSCB
• Microsoft, AMD, HP, IBM, Infineon, Intel, Sun, … all members of TCG
• Uses TPM to partition system into two parts: Nexus and L.H.S. (left-hand side)
  • NCAs: Nexus Computing Agents
• Only two compartments
NGSCB Architecture – WinHEC 2004
[Figure: two-partition NGSCB architecture (Biddle, 2004); labels carried by the diagram, in the order extracted:]
• Little device diversity
• Only a few drivers
• KLOC
• Great device diversity
• Thousands of drivers
• MLOC
• Compartments are Windows-based
• Significantly reduced footprint
• Strongly isolated, hardened and armored
• Secure device ownership
• Nexus or service compartments
• Windows
• Owns most HW
• Only real-time OS
• Security benefits via scenarios
Terra: A Virtual Machine-Based Platform for Trusted Computing
• Similar to 2004 NGSCB architecture, supports multiple, isolated compartments
• Terra supports an arbitrary number of user-defined VMs, more flexible than NGSCB
• Provides both "open-" and "closed-box" environments
• Implemented on VMware but didn't actually use TPM
(Garfinkel, Pfaff, Chow, Rosenblum, Boneh, 2003)
Closed-box Platforms
• Developer has complete control over environment:
  • Cell phone
  • Game console
  • ATM
• May contain cryptographic keys
  • Allows remote attestation to server using pre-shared key
• Not every application can run on closed-box platform, expensive!
Virtualization
• Hypervisors, or virtual-machine monitors (VMMs), run entire guest operating system on top of host operating system
• Xen (open-source)
  • Requires guest operating system to be modified, but runs with very little slowdown
• VMware (now available for free download)
  • Supports unmodified operating systems, and is reasonably fast
• Terra (we'll be discussing this one)
  • Not publicly available
Solution
• TVMM: Trusted Virtual Machine Monitor
• Open-box VMs:
  • Just like current general-purpose (GP) systems, no protection
• Closed-box VMs:
  • VM protected from modification, inspection
  • Can attest to remote peer that VM is protected
  • Behaves like true closed-box, but with cost and availability benefits of open-box
• Can't assure availability
  • Operator can always pull the plug!
TVMM Attestation
• Each layer of software has a keypair
• Lower layers certify higher layers
• Enables attestation of entire stack
[Figure: certificate layers, bottom to top: Hardware (TPM), Firmware, Bootloader, TVMM (Terra), Operating System, Application (in the VM); each certificate carries the hash of the attestable data, the higher layer's public key and other application data, and is signed by the lower level]
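An added Go model of the certificate chain on this slide (example code, not Terra's own): each layer's certificate holds its public key and the hash of its attestable data and is signed by the layer below, rooted in a hardware key that stands in for the TPM; the remote peer walks the chain upward, checking each signature and comparing each measurement with the known-good hash it expects. Plain ed25519 keys and the certificate encoding are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Layer is one certificate in the Terra-style chain: the layer's public key and
// the hash of its attestable data, signed by the layer directly below it.
type Layer struct {
	Name string
	Hash [32]byte
	Pub  ed25519.PublicKey
	Sig  []byte
}

func certBody(name string, hash [32]byte, pub ed25519.PublicKey) []byte {
	return append(append([]byte(name+"|"), hash[:]...), pub...)
}

// BuildChain boots the stack bottom-up: each layer hashes the image above it,
// creates its keypair, signs its certificate and hands control up. hwKey
// stands in for the TPM key that roots the chain (assumption: plain ed25519).
func BuildChain(hwKey ed25519.PrivateKey, names []string, images map[string][]byte) []Layer {
	signer, chain := hwKey, []Layer{}
	for _, name := range names {
		pub, priv, _ := ed25519.GenerateKey(nil) // nil reader: crypto/rand
		hash := sha256.Sum256(images[name])
		chain = append(chain, Layer{name, hash, pub, ed25519.Sign(signer, certBody(name, hash, pub))})
		signer = priv
	}
	return chain
}

// VerifyChain is the remote peer's side: walk up from the trusted hardware
// public key, checking each signature and each measurement against known-good.
func VerifyChain(hwPub ed25519.PublicKey, chain []Layer, expected map[string][32]byte) error {
	signer := hwPub
	for _, l := range chain {
		if !ed25519.Verify(signer, certBody(l.Name, l.Hash, l.Pub), l.Sig) {
			return fmt.Errorf("%s: signature not valid under the layer below", l.Name)
		}
		if want, ok := expected[l.Name]; !ok || want != l.Hash {
			return fmt.Errorf("%s: measurement does not match known-good image", l.Name)
		}
		signer = l.Pub // this layer now vouches for the next one up
	}
	return nil
}
```

A certificate whose hash is rewritten after signing, a layer whose image differs from the known-good measurement, or a chain rooted in a key the verifier does not trust all fail verification.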
Additional Benefits
• Software stack can be tailored on per-application basis
  • Game can run on thin, high-performance OS
  • Email client can run on highly-secure, locked-down OS
  • Regular applications can use standard, full-featured and permissively-configured OS
• Applications are isolated and protected from each other
  • Reduces effectiveness of email viruses and spyware against system as a whole
• Low-assurance applications can automatically be transformed into medium-assurance applications, since they are protected from external influences
Example #1
• Online gaming: Quake
• Players often modify Quake to provide additional capabilities to their characters, or otherwise cheat
• Quake can be transformed into a closed-box VM and distributed to players
  • Remote attestation shows that it is unmodified
• Very little performance degradation
• Covert channels remain, such as frame rate statistics
Trusted Quake Assurances
• Secure Communication: VM can't be inspected, so shared key can be embedded in VM image to protect network communication
  • Any software can be reverse engineered, so is this a good idea?
• Client Integrity: maps and media files are protected from modification on client
• Server Integrity: bad clients can't connect
Trusted Quake Weaknesses
• Bugs and Undesirable Features: rendered polygon OSD permits prediction of impending character appearances
• Network DoS Attacks: Terra does nothing in this regard
• Out-of-Band Collusion: players can still communicate if they're sitting together in a basement or using IM
My Research Question
• How can remote attestation of virtual machines be used to protect consumer privacy in advanced distribution automation (ADA) systems?
Advanced Distribution Automation
• Distributed Energy Resource management
• Demand Reduction/Load Management
• Automated Meter Reading/Real Time Pricing
Problem
• For real-time pricing to work, power company has to know exactly how much power was used by each customer at each point in time
  • Could be privacy problem
• Different rates may apply to devices, but meters don't have that granularity
• Demand reduction should be extended to more devices, but requires individual switching agents
Appendix: Trusted Access Points
• VPN client can be implemented as closed-box VM and distributed to visitors when they first connect to a regulated network
• VM can attest to VPN gateway that it is operating properly, and will enforce intended traffic regulations
TAP Benefits
• Prevents source forgery: TAP can reliably check all outgoing packets
• Prevents DoS attacks: TAP can block DoS attacks at their source, before they even reach the network
• Scalability: clients enforce regulations on their own traffic
• Network Scalability: TAP can perform local vulnerability scan on host before permitting it to connect