Post on 25-Feb-2016
description
Trusted Platform Modules: Building a Trusted Software Stack and Remote AttestationDane Brandon, Hardeep UppalCSE551University of Washington
OverviewMotivationTrusted Computing and Trusted
Platform Modules (TPM)Trusted Software StacksAttestationMeasurementsFuture Work and Conclusion
MotivationAn End to the Middle
◦Our ongoing research.◦Networked computers and trust.◦How can we validate a computer?◦Even with a password, can we trust
they are who they say they are?
Hardware offers a potential solution…
Trusted Computing and TPMsTrusted Computing Group
◦Spec for TPM and trusted software stack.
TPM - Hardware chip on most new business laptops and some other PCs.◦Dell Latitude, Lenovo ThinkPad, etc…
Offers some help that software can’t.
NOT protection against physical attacks.
TPM Functionality
TPM FunctionalityPersistent memory
◦Endorsement key (EK) Permanent private unique key
◦Storage Root Key (SRK) Encrypts other keys, data with pub key out
to disk.Volatile memory
◦Platform Configuration Registers (PCR)◦Attestation identity keys◦Storage keys
TPM FunctionalityCrypto-processor
◦RSA key generator◦Random number generator◦Encryption / decryption◦SHA-1 hash and append
PCRs are append only. PCR[i] = SHA-1(PCR[i] | new value)
Trusted Software StacksCore root of trust for
measurement (CRTM).◦Boot block in BIOS. Never changes.
Chain of trust.◦Each software component measures
the next.◦Append measurements to PCRs.
TrustedGRUBTrouSerS (TSS API)
Trusted Software Stacks
AttestationWe have a snapshot of state
which can be signed.How do we deliver it?We can’t just send it over…
◦Replay attacks
AttestationWe have a snapshot of state
which can be signed.How do we deliver it?We can’t just send it over…
◦Replay attacks
AttestationUse a nonce
◦When request to join comes, challenge with a random number.
◦Append to PCRs and sign. Funky fresh.Note: Measurements only represent
state immediately after boot.◦No guarantees of events after boot!
Still need to prove that the TPM is a TPMCertificate Authority
◦Validate TPM
Attestation
AIKAIKEKEK
EK AIK
Privacy CA
Trusted Nodes
New Node
Manf.Cert.
PCA Cert.
Attestation
AIKAIKEKEK
EK AIK
Privacy CA
Trusted Nodes
New Node
Manf.Cert.
PCA Cert.
Attestation
AIKAIKEKEK
EK AIK
Privacy CA
Trusted Nodes
New Node
Manf.Cert.
PCA Cert.
Attestation
AIKAIKEKEK
AIK
Privacy CA
Trusted Nodes
New Node
Manf.Cert.
PCA Cert.
Attestation
AIKAIKEKEK
AIK
Privacy CA
Trusted Nodes
New Node
Manf.Cert.
PCA Cert.
Attestation
?AIKAIKEKEK
Challenge!AIK
Privacy CA
Trusted Nodes
New Node
Manf.Cert.
PCA Cert.
Attestation
02895…
AIKAIKEKEK
AIK
Privacy CA
Trusted Nodes
New Node
Manf.Cert.
PCA Cert.
Attestation
10110…
AIKAIKEKEK
AIK
Append nonce and sign PCRs with priv_AIK
Privacy CA
Trusted Nodes
New Node
Manf.Cert.
PCA Cert.
Attestation
10110…
AIKAIKEKEK
AIKAIK
Privacy CA
Trusted Nodes
New Node
Manf.Cert.
PCA Cert.
Attestation
AIKAIKEKEK
AIK
10110…
AIK
Privacy CA
Trusted Nodes
New Node
Manf.Cert.
PCA Cert.
Attestation
AIKAIKEKEK
AIK
10110…
AIK
Privacy CA
Trusted Nodes
New Node
Manf.Cert.
PCA Cert.
Attestation
AIKAIKEKEK
AIK
10110…
AIK
Verify bits match:SHA-1(expected PCRs |
nonce)SUCCESS!Privacy CA
Trusted Nodes
New Node
Manf.Cert.
PCA Cert.
MeasurementsVerify
PCRvalues change
Measurements
Time in seconds
Extends are fastCreating keys is very slowLoad and sign, not too bad…
Future WorkCreate a privacy CA.Implement complete attestation
process and benchmark major components.
Put Xen in the middle of the chain of trust.
Add trusted software stack to ETTM project.
ConclusionTPMs show promise.Building a trusted software stack
is possible with open-source software.
Time cost not negligible, but reasonable.
Hardware should get better.Need more software support.
Other ThoughtsLots of laptops have TPMs, no
one uses them.TrustedGRUB has 5400+ extra
lines of code. We didn’t write them.
The Dell Latitude e5400 is garbage.◦Two thumbs down!