Slide 1: Bootstrapping Trust in a “Trusted” Platform
Bryan Parno
Carnegie Mellon University
November 11, 2008
Slide 2: A Travel Story
Slide 3: Do you trust…
• A kiosk computer?
• A friend’s computer?
• A relative’s computer?
• Your own computer?
Without trust, you cannot…
• Check your email
• Pay bills
• Privately surf the web
• …
How do we bootstrap trust in a computer?
Slide 4: Assumptions
• User has a trusted, mobile device
• User trusts someone to vouch for the physical security of the computer
Slide 5: Bootstrapping Trust
[Diagram: Physical Security → Trusted Hardware → Trusted Software]
Slide 6: Trusted Software Using Flicker
[Diagram: two views of the same platform. Hardware: CPU, RAM, TPM, Chipset, and DMA devices (Network, Disk, USB, etc.). Left: the OS, App, App1 … and the security-sensitive code (SS) all share the platform. Right (Flicker): the security-sensitive code runs on a small Shim, separated from the OS, the apps, and the DMA devices.]
Slide 7: Flicker’s Properties
• Isolate security-sensitive code execution from all other code and devices
• Attest to security-sensitive code and its arguments and nothing else
• Convince a remote party that security-sensitive code was protected
• Add < 250 LoC to the software TCB
[Diagram: Shim plus security-sensitive code (SS); Software TCB < 250 LoC]
All relies on bootstrapping trust!
[Diagram: Physical Security → Trusted Hardware → Trusted Software]
Slide 8: Outline
• Introduction
• Background
• The Cuckoo Attack
• Potential Solutions
• Conclusions
Slide 9: TPM Background
• The Trusted Platform Module (TPM) is a dedicated security chip
• Contains a public/private keypair {KPub, KPriv}
• Contains a certificate indicating that KPub belongs to a legitimate TPM
• Not tamper-resistant!
Slide 10: Bootstrapping Trust with a TPM
[Diagram: the measured boot chain. Hardware: the TPM, holding KPriv and the PCRs. Software: BIOS → Boot Loader → OS Kernel (conf, Module 1, Module 2) → Apps (App 1, App 2). Each stage is measured into the TPM’s PCRs before control passes to the next.]
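The measured-boot chain on this slide, as an added example that is not part of the slides and not Flicker or TPM code: a Python simulation of how each boot stage extends a PCR. The extend rule used (PCR_new = SHA-1(PCR_old || SHA-1(component)), with the PCR starting as twenty zero bytes) is the TPM 1.2 behaviour; the component images and the use of a single PCR for the whole chain are constructed simplifications for this example.

```python
import hashlib

# Added example, not from the slides: simulate the measured-boot chain of
# Slide 10. Each stage measures the next component into a TPM Platform
# Configuration Register (PCR) with the TPM 1.2 extend rule
#     PCR_new = SHA-1(PCR_old || SHA-1(component))
# All PCRs hold 20 zero bytes at reset. Using one PCR for the whole chain
# is a simplification made for this example (real firmware spreads the
# measurements over several PCRs).

PCR_SIZE = 20  # TPM 1.2 PCRs are 160-bit SHA-1 digests
RESET_PCR = b"\x00" * PCR_SIZE


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """Fold one component's measurement into the PCR. The operation is
    one-way and order-sensitive: nothing can be 'un-extended', and the same
    components in a different order give a different PCR."""
    measurement = hashlib.sha1(component).digest()
    return hashlib.sha1(pcr + measurement).digest()


def measured_boot(chain) -> bytes:
    """Extend a fresh PCR with every (name, image) pair in boot order."""
    pcr = RESET_PCR
    for _name, image in chain:
        pcr = pcr_extend(pcr, image)
    return pcr


# Constructed stand-ins for the real images; the order follows Slide 10.
CLEAN_CHAIN = [
    ("BIOS", b"bios-v1"),
    ("Boot Loader", b"bootloader-v1"),
    ("OS Kernel", b"kernel-v1"),
    ("conf", b"kernel.conf"),
    ("Module 1", b"module1-v1"),
    ("Module 2", b"module2-v1"),
    ("App 1", b"app1-v1"),
    ("App 2", b"app2-v1"),
]


def golden_pcr() -> bytes:
    """The value a verifier would expect for the known-good software stack."""
    return measured_boot(CLEAN_CHAIN)


def tampered_pcr() -> bytes:
    """Same chain with one kernel module replaced by a modified image."""
    chain = [(n, b"module1-modified" if n == "Module 1" else img)
             for n, img in CLEAN_CHAIN]
    return measured_boot(chain)


def reordered_pcr() -> bytes:
    """Same components, Module 1 and Module 2 swapped: extend is not commutative."""
    chain = list(CLEAN_CHAIN)
    chain[4], chain[5] = chain[5], chain[4]
    return measured_boot(chain)


def state_matches(reported: bytes, expected: bytes) -> bool:
    """The check a verifier performs on the PCR value carried in an attestation."""
    return reported == expected


if __name__ == "__main__":
    print("golden    ", golden_pcr().hex())
    print("tampered  ", tampered_pcr().hex(), state_matches(tampered_pcr(), golden_pcr()))
    print("reordered ", reordered_pcr().hex(), state_matches(reordered_pcr(), golden_pcr()))
```

The point of the simulation is the verifier's side: a single PCR value summarises the whole chain, so any changed or reordered component anywhere in the boot sequence shows up as a mismatch against the golden value, while a matching value says nothing about which TPM produced it (the gap the next slides exploit).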
Slide 11: Bootstrapping Trust with a TPM
[Diagram: attestation exchange between the user’s trusted device and the computer’s TPM]
• Device → TPM: Nonce (guarantees freshness)
• TPM → Device: Sign(Nonce, PCRs) with KPriv, together with KPub (its certificate guarantees the key originated from a real TPM)
• The TPM attests to the software recorded in the PCRs
• Conclusion: Trustworthy!
Slide 12: Outline
• Introduction
• Background
• The Cuckoo Attack
• Potential Solutions
• Conclusions
Slide 13: The Cuckoo Attack
[Diagram: the same exchange as on Slide 11, but two TPMs appear, each holding a genuine KPriv. The nonce still guarantees freshness, the certificate still guarantees that KPub originated from a real TPM, and that TPM still attests to the software, so the user concludes “Trustworthy!” even though the attestation came from the other TPM.]
Slide 14: What went wrong?
• An attestation says that a TPM vouches for a software state, but not which TPM
[Diagram: two identical-looking attestations, each Sign(Nonce, …) with KPriv plus KPub, one from each TPM]
Slide 15: Analyzing the Attack
• Paper develops a logical framework for bootstrapping trust
  – Allows precise characterization of the attack
• Framework identifies which solutions work, and which do not
Slide 16: Potential Solutions
• Remove the network
• Trust the computer
• Detect timing deviations
• Make late-launch data available
• Add a special-purpose button
• Employ SiB
• Employ camera-less SiB
• Trust the BIOS
• Trust a third party
• Use an existing interface
• Use a special-purpose interface
Analyze which work, and which don’t
Identify pros and cons of each
Slide 17: An Invalid Solution
[Diagram: two TPMs, each holding KPriv, and the attestation Sign(Nonce, …) with KPriv plus KPub; the slide marks the proposed solution “HW Violation!”]
Slide 18: High-Level Goal
• Establish a secure channel to the local TPM
  – Channel must provide authenticity & integrity
• We can instantiate the channel via:
  – Cryptography
  – Hardware
Slide 19: Cryptographic Secure Channels
[Diagram: a barcode on the PC encoding SHA-1(KPub), read by the camera of the user’s device and decoded with computer vision]
• Requires authentic public key (or shared secret)
• Use Seeing-is-Believing (SiB) [McCune et al., ’05]
  – Place a barcode on the PC encoding the TPM’s public key
• Trust the BIOS
  – Reboot and trust BIOS to output public key via existing interface
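The attestation exchange of Slide 11, the cuckoo attack of Slides 13 and 14, and the Seeing-is-Believing check on this slide, as one added example that is not from the slides or the paper: a toy model in Python in which a verifier that only checks freshness, key endorsement and PCR value accepts a quote relayed from a second genuine TPM, while a verifier that also compares SHA-1(KPub) against the barcode on the local PC rejects it. Signatures are textbook RSA over small hand-picked primes (constructed values, not a usable scheme), the manufacturer certificate is modelled as membership in an ENDORSED set, and each TPM is reduced to a single PCR; all names (TPM, naive_verifier, sib_verifier, attestation_round) are this example's own.

```python
import hashlib
import os
from dataclasses import dataclass

# Added example, not from the slides or the paper: a toy model of the
# attestation exchange (Slide 11), the cuckoo attack (Slides 13-14) and the
# Seeing-is-Believing check (Slide 19). Signatures are textbook RSA over
# small hand-picked primes so the block runs with the standard library only;
# the scheme illustrates the protocol logic and is not fit for real use.


def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), d): the public key KPub and the private exponent KPriv."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), d


def sign(d: int, n: int, message: bytes) -> int:
    m = int.from_bytes(hashlib.sha1(message).digest(), "big") % n
    return pow(m, d, n)


def verify(pub, message: bytes, sig: int) -> bool:
    n, e = pub
    m = int.from_bytes(hashlib.sha1(message).digest(), "big") % n
    return pow(sig, e, n) == m


def key_fingerprint(pub) -> bytes:
    """SHA-1(KPub): what the Seeing-is-Believing barcode on the PC encodes."""
    n, e = pub
    return hashlib.sha1(n.to_bytes(8, "big") + e.to_bytes(4, "big")).digest()


@dataclass
class TPM:
    name: str
    pub: tuple
    d: int
    pcr: bytes  # software state this TPM measured (one PCR, for simplicity)

    def quote(self, nonce: bytes):
        """Answer a nonce with KPub, the PCR and Sign(nonce || PCR) under KPriv."""
        return self.pub, self.pcr, sign(self.d, self.pub[0], nonce + self.pcr)


# Two genuine TPMs. The manufacturer certificate from Slide 9 is modelled as
# membership in ENDORSED. The primes are constructed values, far too small
# for real RSA.
LOCAL_PUB, LOCAL_D = make_keypair(1000003, 1000033)
ATTACKER_PUB, ATTACKER_D = make_keypair(1000037, 1000039)
ENDORSED = {LOCAL_PUB, ATTACKER_PUB}

TRUSTED_PCR = hashlib.sha1(b"known-good software stack").digest()    # constructed
MALWARE_PCR = hashlib.sha1(b"kiosk stack running malware").digest()  # constructed

# The attacker's own machine really does run the known-good stack, so its
# TPM honestly attests to TRUSTED_PCR; that is what makes the relay work.
ATTACKER_TPM = TPM("attacker's TPM", ATTACKER_PUB, ATTACKER_D, TRUSTED_PCR)

# What the barcode printed on the local PC encodes (Slide 19).
LOCAL_BARCODE = key_fingerprint(LOCAL_PUB)


def naive_verifier(nonce, pub, pcr, sig) -> bool:
    """Slide 11 checks only: real TPM key, fresh signature, expected software state."""
    return pub in ENDORSED and verify(pub, nonce + pcr, sig) and pcr == TRUSTED_PCR


def sib_verifier(nonce, pub, pcr, sig) -> bool:
    """Slide 19: additionally require KPub to match the barcode on *this* PC."""
    return key_fingerprint(pub) == LOCAL_BARCODE and naive_verifier(nonce, pub, pcr, sig)


def attestation_round(verifier, local_pcr: bytes, cuckoo: bool) -> bool:
    """One round from the user's device. The local TPM has measured local_pcr.
    With cuckoo=True, software on the local machine relays the nonce to the
    attacker's genuine TPM and hands back that TPM's answer instead."""
    nonce = os.urandom(20)
    local_tpm = TPM("local TPM", LOCAL_PUB, LOCAL_D, local_pcr)
    responder = ATTACKER_TPM if cuckoo else local_tpm
    pub, pcr, sig = responder.quote(nonce)
    return verifier(nonce, pub, pcr, sig)


if __name__ == "__main__":
    print("clean machine, naive :", attestation_round(naive_verifier, TRUSTED_PCR, cuckoo=False))
    print("malware, no relay    :", attestation_round(naive_verifier, MALWARE_PCR, cuckoo=False))
    print("cuckoo, naive        :", attestation_round(naive_verifier, MALWARE_PCR, cuckoo=True))
    print("cuckoo, SiB          :", attestation_round(sib_verifier, MALWARE_PCR, cuckoo=True))
```

Every check the naive verifier makes passes in the cuckoo round, which is exactly the observation on Slide 14: the quote proves that some endorsed TPM vouches for the trusted state, not that the TPM in front of the user does. The SiB verifier closes the gap by binding the key to the physical machine through a channel the relay cannot reach; the same binding could come from any of the other authentic-key sources the slides list.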
Slide 20: Hardware Secure Channels
• Reuse an existing interface
  – Existing interfaces do not support direct communication with the TPM
• Add a special-purpose interface
  – Reduces opportunities for user error
  – Makes manufacturers unhappy
Slide 21: Choosing a Solution
• After analyzing 10 potential solutions, none is entirely satisfactory
• Preferred solutions:
  – Short-term: Seeing-is-Believing
  – Long-term: Special-purpose Interface
Slide 22: Related Work
• Device Pairing
– Typically assumes both devices are trusted
• Kiosk Computing [Garriss et al., ’08]
– Even more difficult, since hardware integrity may not be guaranteed
• Secure Object Identification [Alkassar et al., ’03], [Brands & Chaum ’94]
– Solutions inappropriate to TPM setting
Slide 23: Conclusions
• Trust in your local computer is critical
• Due to the cuckoo attack, current techniques cannot bootstrap trust
• Changes are needed to make useful security guarantees