Property-Based TPM Virtualization

Property-Based TPM Virtualization
Ahmad-Reza Sadeghi, Christian Stüble*, Marcel Winandy
Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany
* Sirrix AG security technologies, Bochum, Germany
ISC 2008, Taipei/Taiwan

Upload: marcel-winandy

Post on 22-Jan-2015


DESCRIPTION

Presentation of a paper at ISC 2008. Modification of a virtual TPM design to support more flexible key management and migration support for virtual machines.

TRANSCRIPT

1. Title slide: Property-Based TPM Virtualization (authors and affiliations as in the header above)

2. Introduction: Virtualization
   - Features: standardized operating systems on various hardware platforms; virtual machines: suspend & resume, migration; security: isolation of virtual machines
   - Application scenario: corporate/private computing; isolated workloads for private and corporate working; isolated workloads for different security levels
   - [Figure: two stacks of Linux and Windows VMs, each running on a hypervisor on top of the hardware]

3. Introduction: Trusted Computing (TPM)
   - TPM: cheap, tamper-evident hardware security module; cryptographic functions (RSA, SHA-1, key generation, RNG); protected storage for small data (e.g. keys); special keys: Endorsement Key (EK) and Storage Root Key (SRK)
   - Authenticated Boot (recording integrity measurements): measurements stored in Platform Configuration Registers (PCRs); each component measures the next component (chain of trust)
   - [Figure: chain of trust CRTM → BIOS → Boot Loader → OS → Apps; each stage hashes the next and stores the hash in the TPM's PCRs; the TPM holds EK and SRK]
   - Attestation and Sealing: the Attestation Identity Key (AIK) signs PCRs for (remote) attestation; a binding key is used to encrypt data to the current PCR values (decrypting only possible with the same PCR states)

4. Introduction: Virtual TPM (vTPM)
   - Each VM should be able to use the TPM: providing protected storage and crypto coprocessor; assurance about the booted hypervisor and virtual machines; support for migration
   - [Figure: Private Working, Unclassified Corporate and Classified Corporate environments as VMs on one hypervisor with one hardware TPM]

5. Introduction: Virtual TPM (vTPM), continued
   - Virtualization of the TPM: emulation in software, but binding to the VM and to the hardware TPM
   - [Figure: each VM has a TPM driver and its own vTPM instance; the vTPMs run on the hypervisor above the hardware TPM]
6. Shortcomings of Existing vTPM Solutions
   - Migration: protected data is bound to the binary representation of the hypervisor; the VM's data may be unavailable after migration to another platform
   - Keys: differentiated strategies for key generation are missing; some IT environments demand hardware-protected keys, whereas others would benefit from the flexibility of software keys
   - Privacy: revealing information about the system configuration; the (v)TPM reveals information during remote attestation of PCR values; profiling (security risk) and discrimination possible

7. New vTPM Design
   - Adding new components to the internal vTPM design:
   - Property Management: representation of virtual PCRs; different mechanisms to store and read values; realizing property-based attestation and sealing
   - Key Management: creating and loading cryptographic keys; supports software keys or keys of the physical TPM
   - vTPM Policy: user-defined policy of the vTPM instance

8. Flexible vTPM Architecture
   - [Figure: the VM's TPM driver issues TPM_CreateWrapKey(), TPM_Extend(i, m) and TPM_PCRRead(i) to the vTPM Interface; the Management Interface offers CreateKey(), Extend(i, m), PCRRead(i), crypto..., migrate(); inside the vTPM: Key Management (Software Key, Hardware Key), Property Management with a Property Filter over Property Provider 1 ... Property Provider N, Cryptographic Functions, Migration Controller and the vTPM Policy; below, the hypervisor holds a TPM Key and the hardware TPM. The novel components for the vTPM are highlighted]

9. Property Providers
   - Each property provider has its own PCR vector; how to store values is up to each implementation; this results in a matrix of vPCRs; the vTPM Policy decides which vector to use on which operation
   - [Figure: a vTPM instance with Property Provider 1 ... Property Provider j ... Property Provider N, each holding vPCR[0] ... vPCR[n]; a mapping from the hardware TPM's PCRs initializes the matrix]
   - Initialization: applying all property providers to build the vPCR matrix; each Property Provider can implement a different mapping
10. Changing the Measurement Function
   - PCR extension function of the TPM: Extend(i, m): PCR_i ← SHA1(PCR_i || m)
   - Generalizing this for each Provider j: Provider_j.Extend(i, m): vPCR_{i,j} ← translate_j(vPCR_{i,j}, m)
   - Examples: translate_hash() is hashing like in the hardware TPM; translate_cert() looks for a certificate and stores the public key

11. PCR Extension: Example
   - The VM OS measures a file and wants to extend the measurement into PCR 10 of the vTPM: TPM_Extend(10, f572d396fae9206628714fb2ce00f72e94f2258f)
   - Property Management of the vTPM instance calls each Property Provider
   - Provider_hash: vPCR_{10,hash} := SHA1(vPCR_{10,hash} || f572d396fae9206628714fb2ce00f72e94f2258f); on the slide the register goes from 09d2af8dd22201dd8d48e5dcfcaed281ff9422c7 to 3a2fdfb2e10d4286a56715952340177c508b173c
   - Provider_cert: look for a certificate for hash f572d...; if one is found (e.g., cert_B), add its public key; vPCR_{10,cert} goes from PK_certA to PK_certA, PK_certB

12. Property-Based Attestation with vTPM
   - Provider_cert is one example of using property certificates; certificates describe the properties for a particular measurement; issued by a Trusted Third Party
   - Protocol: 1. Verifier → VM: attest(nonce, i, ..., j); 2. VM → vTPM: quote(vAIK_ID, nonce, i, ..., j); 3. vTPM: prov = policy.askForProvider(i, ..., j); 4. vTPM: sign[vAIK_ID](nonce, vPCR_{i,prov}, ..., vPCR_{j,prov}); 5. vTPM → VM: (pcrData, nonce); 6. VM → Verifier: (pcrData, nonce)

13. Migration of VM and vTPM
   - Secure migration needed (confidentiality, integrity, authenticity)
   - Example: move the private working environment to the home PC
   - [Figure: Office PC with Hypervisor (Xen 3.1) running the Private Working and Classified Corporate environments, each with its own vTPM; Home PC with Hypervisor (Xen 3.2) running the Online Gaming environment; each platform has a hardware TPM]
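The generalized extension function of slide 10, the PCR 10 example of slide 11 and the policy-selected quote of slide 12, as an added Go example; this is not code from the talk or from the authors' vTPM implementation. It assumes two providers, translate_hash and translate_cert, a certificate table keyed by measurement hash with the constructed public-key identifier "PK_certB", a constructed uncertified measurement, and a policy map standing in for policy.askForProvider. The hash vector starts from the all-zero register, so its values are not the intermediate values shown on slide 11, and the vAIK signature over (nonce, pcrData) is left out.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

const numPCRs = 24

// PropertyProvider is one column of the vPCR matrix: it owns a PCR vector and
// decides how a measurement is translated into it (translate_j on slide 10).
type PropertyProvider interface {
	Name() string
	Extend(i int, m []byte) // vPCR_{i,j} <- translate_j(vPCR_{i,j}, m)
	Read(i int) string
}

// HashProvider is translate_hash: vPCR_i <- SHA1(vPCR_i || m), as in the hardware TPM.
type HashProvider struct{ vpcr [numPCRs][sha1.Size]byte }

func (h *HashProvider) Name() string      { return "hash" }
func (h *HashProvider) Read(i int) string { return hex.EncodeToString(h.vpcr[i][:]) }
func (h *HashProvider) Extend(i int, m []byte) {
	h.vpcr[i] = sha1.Sum(append(append([]byte{}, h.vpcr[i][:]...), m...))
}

// CertProvider is translate_cert: it looks the measurement up in a table of
// property certificates (issued by a trusted third party) and records the
// certificate's public key instead of the hash; uncertified measurements
// leave the vector unchanged.
type CertProvider struct {
	certs map[string]string // measurement (hex) -> public key identifier of its certificate
	vpcr  [numPCRs][]string
}

func (c *CertProvider) Name() string      { return "cert" }
func (c *CertProvider) Read(i int) string { return strings.Join(c.vpcr[i], ",") }
func (c *CertProvider) Extend(i int, m []byte) {
	if pk, ok := c.certs[hex.EncodeToString(m)]; ok {
		c.vpcr[i] = append(c.vpcr[i], pk)
	}
}

// Policy maps a vTPM operation to the provider whose vector it uses (askForProvider).
type Policy map[string]string

// VTPM is the Property Management part of one vTPM instance.
type VTPM struct {
	providers []PropertyProvider
	policy    Policy
}

func (v *VTPM) askForProvider(op string) PropertyProvider {
	for _, p := range v.providers {
		if p.Name() == v.policy[op] {
			return p
		}
	}
	panic("vTPM policy names no loaded provider for " + op)
}

// TPMExtend is the guest-visible TPM_Extend(i, m): every provider sees the measurement.
func (v *VTPM) TPMExtend(i int, m []byte) {
	for _, p := range v.providers {
		p.Extend(i, m)
	}
}

// TPMPCRRead answers from the vector the policy selects for reads.
func (v *VTPM) TPMPCRRead(i int) string { return v.askForProvider("PCRRead").Read(i) }

// Quote collects the pcrData a verifier receives: only the provider the policy
// selects for attestation is revealed (the vAIK signature is omitted here).
func (v *VTPM) Quote(idx ...int) map[int]string {
	p := v.askForProvider("attest")
	out := make(map[int]string, len(idx))
	for _, i := range idx {
		out[i] = p.Read(i)
	}
	return out
}

// Demo extends PCR 10 first with a constructed measurement that has no
// certificate, then with the slide's measurement, for which a constructed
// certificate with public key "PK_certB" exists.
func Demo() (hashPCR10, certPCR10 string, quote map[int]string) {
	measurement, _ := hex.DecodeString("f572d396fae9206628714fb2ce00f72e94f2258f")
	uncertified, _ := hex.DecodeString("0123456789abcdef0123456789abcdef01234567") // constructed
	certs := map[string]string{hex.EncodeToString(measurement): "PK_certB"}
	v := &VTPM{
		providers: []PropertyProvider{&HashProvider{}, &CertProvider{certs: certs}},
		policy:    Policy{"PCRRead": "hash", "attest": "cert"},
	}
	v.TPMExtend(10, uncertified)
	v.TPMExtend(10, measurement)
	return v.TPMPCRRead(10), v.providers[1].Read(10), v.Quote(10)
}

func main() {
	h, c, q := Demo()
	fmt.Printf("vPCR[10,hash] = %s\nvPCR[10,cert] = %s\nquote = %v\n", h, c, q)
}
```

With the policy set to "cert" for attestation, the quote carries only the public key from the property certificate; the raw SHA-1 chain stays inside the hash provider, which is the privacy point of slide 6.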
14.-16. Trusted-Channel-based Migration
   - The source platform requests a trusted channel to the destination; creates a secret encryption key bound to the TPM and configuration of the destination platform (assurance about the integrity of the endpoints); the configuration can also be property-based; reusable for several migrations
   - Transfer the encrypted TPM state via the Trusted Channel; no remapping of PCRs necessary (because of the property providers)
   - [Figure: the setup of slide 13 with a Trusted Channel between Hypervisor (Xen 3.1) on the Office PC and Hypervisor (Xen 3.2) on the Home PC; the Private Working environment and its vTPM are moved to the Home PC]

17. Summary
   - [Figure: the new vTPM design of slide 8, with Key Management, Property Providers, Property Filter and vTPM Policy as the novel components]
   - Allows linking the hypervisor to the vTPM based on properties: data availability after migration or software updates; the Trusted Migration protocol ensures binding to a trustworthy platform
   - More flexibility in key usage: Key Management can delegate key requests to the hardware TPM
   - User-defined policy decides which information to reveal: the policy defines which Property Provider to use on attestation

18. Thank you for your attention! Questions? Contact: Marcel Winandy, Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany, [email protected]

19. BACKUP

20. Property-Based Sealing (backup slide; no further text in the transcript)

21. Migration Protocol
   - Parties: source platform with its vTPM and Migration Controlling Process; destination platform with Migration Controlling Process' and the new instance vTPM'
   - initiateMigration(); create() vTPM'; migrate(); requestTrustedChannel()
   - Destination sends (PK_Bind, cert_Bind); source: verify(PK_Bind, cert_Bind)
   - Source: sk := createKey(); esk := bind[PK_Bind](sk); s := getState(); es := encrypt[sk](s); deleteKey(sk), deleteState()
   - transfer(es, esk); destroy() the source vTPM (marked X on the slide)
   - Destination: sk := unbind[PK_Bind](esk); s := decrypt[sk](es); setState(s)
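The cryptographic core of the migration protocol on slide 21 (and of the trusted-channel migration on slides 14 to 16), as an added Go example that is not the authors' code. The slides name no algorithms, so the example assumes RSA-OAEP for bind/unbind and AES-256-GCM for encrypt/decrypt; the destination TPM's configuration (or property) is modelled as a 32-byte value that is compared before the binding key is used, standing in for a PCR comparison inside a hardware TPM. cert_Bind, its verification and the trusted-channel transport itself are omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Config stands for the destination platform's configuration (or property) the
// binding key is tied to; a hardware TPM would compare PCR values here.
type Config [32]byte

// DestinationTPM models the destination's hardware TPM: the private half of its
// binding key is usable only while the platform still matches boundTo.
type DestinationTPM struct {
	bindKey *rsa.PrivateKey
	boundTo Config
	Current Config
}

func NewDestinationTPM(cfg Config) (*DestinationTPM, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &DestinationTPM{bindKey: key, boundTo: cfg, Current: cfg}, nil
}

// PKBind is the public binding key sent when the trusted channel is set up.
func (t *DestinationTPM) PKBind() *rsa.PublicKey { return &t.bindKey.PublicKey }

// Unbind is unbind[PK_Bind](esk): the configuration check comes before the
// wrapped key is released, so a changed platform cannot recover the state.
func (t *DestinationTPM) Unbind(esk []byte) ([]byte, error) {
	if t.Current != t.boundTo {
		return nil, errors.New("tpm: platform configuration does not match binding key")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, t.bindKey, esk, nil)
}

// MigrateOut is the source side: sk := createKey(); esk := bind[PK_Bind](sk);
// es := encrypt[sk](getState()); then deleteKey(sk) and deleteState() by zeroing
// the local copies, so only one copy of the vTPM state survives. The GCM nonce
// is prepended to es.
func MigrateOut(pkBind *rsa.PublicKey, state []byte) (es, esk []byte, err error) {
	sk := make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, sk); err != nil {
		return nil, nil, err
	}
	esk, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pkBind, sk, nil)
	if err != nil {
		return nil, nil, err
	}
	block, err := aes.NewCipher(sk)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	es = gcm.Seal(nonce, nonce, state, nil)
	for i := range sk {
		sk[i] = 0 // deleteKey(sk)
	}
	for i := range state {
		state[i] = 0 // deleteState()
	}
	return es, esk, nil
}

// MigrateIn is the destination side: sk := unbind[PK_Bind](esk); s := decrypt[sk](es).
// A modified es fails GCM authentication and is rejected instead of being installed.
func MigrateIn(t *DestinationTPM, es, esk []byte) ([]byte, error) {
	sk, err := t.Unbind(esk)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sk)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(es) < n {
		return nil, errors.New("migration: transferred state too short")
	}
	return gcm.Open(nil, es[:n], es[n:], nil) // setState(s) follows on success
}

func main() {
	dst, _ := NewDestinationTPM(Config(sha256.Sum256([]byte("Xen 3.2 on home PC")))) // constructed
	es, esk, _ := MigrateOut(dst.PKBind(), []byte("constructed vTPM state"))
	s, err := MigrateIn(dst, es, esk)
	fmt.Printf("restored %q (err=%v)\n", s, err)
}
```

Two properties of the slide's protocol are visible in the code: the state key sk never leaves the source in the clear (only esk does), and a destination whose configuration no longer matches what the binding key was created for cannot unbind it, so the transferred state stays unreadable there.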