Download - TrustedComputing_SecurityFromGroundUp
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 1/88
Tr usted ComputingSecurity from the ground up
Danny Fullerton – 2011/11/04
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 2/88
Why I used to hate TC
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 3/88
Palladium ®
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 4/88
a chip soldered to our motherboard
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 5/88
all of your actions had to be approved by Microsoft ®
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 6/88
I was some kind of frustrated liberal punk...
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 7/88
… there’s no way I’ve could accept this
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 8/88
I’ve decided to fight this however I’ve could:
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 9/88
tell everyone how this would affect us
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 10/88
swore to never buy a motherboard with this chip
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 11/88
…and learn about it
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 12/88
How I came to love TC
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 13/88
Trusted Computing != Palladium
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 14/88
it has very interesting security properties
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 15/88
breaks the status quo
Hackfest 2010 – Broken by Design
No comments on the background
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 16/88
well, I’m still a liberal punk but *paranoiac* too
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 17/88
What went wrong?
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 18/88
My guess :
Trusted Computing is a disruptive innovation
I just didn't understood the technology
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 19/88
What is it?
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 20/88
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 21/88
Protection objectives
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 22/88
software based attack
open case
sophisticated local attack
High :
Medium :
Low :
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 23/88
The basic idea
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 24/88
We cannot trust the entire platform…
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 25/88
…but only a very small part of it
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 26/88
…and build a chain of trust
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 27/88
Root of Trust for Measurements
+Trusted Platform Module
Not entirely true since we have to trust the MLE, and the hardware.
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 28/88
Core Root Of Trust for Measurements
MCH
CPU
TPMICH
Memory
BIOS
Bios Boot
Block
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 29/88
Tr usted P latform Module
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 30/88
secure
I/O
Endorsement Key (EK)
Storage Root Key (SRK)
processor
persistent memory volatile memory
Execution engine
Typical TPM
RSA
engine
SHA1hash
engine
RSA key
generator
RandomNumber
Generator
Prog
CodeOpt-in
Attestation
Identity
Keys (AIK)
LoadedKeys
Opt-in
Platform Configuration
Registers (PRC)
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 31/88
secure
I/Oprocessor
Execution engine
Orchestrator: receive request and dispatch
RSA
engine
RSA key
generator
RandomNumber
Generator
Prog
CodeOpt-in
Endorsement Key (EK)
Storage Root Key (SRK)
persistent memory volatile memory
SHA1hash
engine
Attestation
Identity
Keys (AIK)
LoadedKeys
Opt-in
Platform Configuration
Registers (PRC)
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 32/88
processor
Execution engine
Implement the specs: validation, execute request, respond
secure
I/O
RSA
engine
RSA key
generator
RandomNumber
Generator
Opt-inProg
Code
Endorsement Key (EK)
Storage Root Key (SRK)
persistent memory volatile memory
SHA1hash
engine
Attestation
Identity
Keys (AIK)
LoadedKeys
Opt-in
Platform Configuration
Registers (PRC)
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 33/88
processor
Execution engine
Create good random data for symmetric, asymmetric, nonce
secure
I/O
RSA
engine
RSA key
generator
Prog
CodeOpt-in
RandomNumber
Generator
Endorsement Key (EK)
Storage Root Key (SRK)
persistent memory volatile memory
SHA1hash
engine
Attestation
Identity
Keys (AIK)
LoadedKeys
Opt-in
Platform Configuration
Registers (PRC)
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 34/88
processor
Execution engine
Securely create RSA key pairs: public, private
secure
I/O
RSA
engine
RandomNumber
Generator
Prog
CodeOpt-in
RSA key
generator
Endorsement Key (EK)
Storage Root Key (SRK)
persistent memory volatile memory
SHA1hash
engine
Attestation
Identity
Keys (AIK)
LoadedKeys
Opt-in
Platform Configuration
Registers (PRC)
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 35/88
processor
Execution engine
RSA encryption, decryption, signature, verification
secure
I/O
RSA key
generator
RandomNumber
Generator
Prog
CodeOpt-in
Endorsement Key (EK)
Storage Root Key (SRK)
persistent memory volatile memory
SHA1hash
engine
Attestation
Identity
Keys (AIK)
LoadedKeys
Opt-in
Platform Configuration
Registers (PRC)
RSA
engine
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 36/88
processor
Execution engine
Authorization values, HMAC, etc
secure
I/O
RSA
engine
RSA key
generator
RandomNumber
Generator
Prog
CodeOpt-in
Endorsement Key (EK)
Storage Root Key (SRK)
persistent memory volatile memory
SHA1hash
engine
Attestation
Identity
Keys (AIK)
LoadedKeys
Opt-in
Platform Configuration
Registers (PRC)
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 37/88
processor
Execution engine
Keep track of internal state: sessions, etc
secure
I/O
RSA
engine
RSA key
generator
RandomNumber
Generator
Prog
CodeOpt-in
Endorsement Key (EK)
Storage Root Key (SRK)
persistent memory volatile memory
SHA1hash
engine
Attestation
Identity
Keys (AIK)
LoadedKeys
Opt-in
Platform Configuration
Registers (PRC)
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 38/88
processor
Execution engine
Power cycle resistant memory
secure
I/O
RSA
engine
RSA key
generator
RandomNumber
Generator
Prog
CodeOpt-in
Endorsement Key (EK)
Storage Root Key (SRK)
persistent memory volatile memory
SHA1hash
engine
Attestation
Identity
Keys (AIK)
LoadedKeys
Opt-in
Platform Configuration
Registers (PRC)
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 39/88
RSA
engine
RSA key
generator
RandomNumber
Generator
processor
Execution engine
Prog
Code
Enforce user’s choice
secure
I/O
Opt-in
Endorsement Key (EK)
Storage Root Key (SRK)
persistent memory volatile memory
SHA1hash
engine
Attestation
Identity
Keys (AIK)
LoadedKeys
Opt-in
Platform Configuration
Registers (PRC)
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 40/88
at purchase time, TPMs are not operational
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 41/88
processor
Execution engine
Root of all storage keys
secure
I/O
RSA
engine
RSA key
generator
RandomNumber
Generator
Prog
CodeOpt-in
Endorsement Key (EK)
Storage Root Key (SRK)
persistent memory volatile memory
SHA1hash
engine
Attestation
Identity
Keys (AIK)
LoadedKeys
Opt-in
Platform Configuration
Registers (PRC)
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 42/88
created when owner activate the TPM
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 43/88
used to create secure key trees
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 44/88
provide, virtually, unlimited secure storage
Storage Root Keyinside
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 45/88
Storage Root Key
Storage KeyUser1
Binding Key
Signing Key
Storage KeyUser2
Binding Key
Signing Key
the TPM
outsidethe TPM
The actual structure is malleable and can be very different.
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 46/88
Processor
Execution engine
TCG specifications assertion
Secured
I/O
RSA
engine
RSA key
generator
RandomNumber
Generator
Prog
CodeOpt-in
Endorsement Key (EK)
Storage Root Key (SRK)
persistent memory volatile memory
SHA1hash
engine
Attestation
IdentityKeys (AIK)
LoadedKeys
Opt-in
Platform Configuration
Registers (PRC)
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 47/88
endorsement certificate sign by the TPM manufacturer
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 48/88
uniquely identify the platform
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 49/88
privacy concerns
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 50/88
well yes… but no
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 51/88
EK is only used in conjunction with something else
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 52/88
Processor
Execution engine
Some kind of privacy protector
SecuredI/O
RSA
engine
RSA key
generator
RandomNumber
Generator
Prog
CodeOpt-in
Endorsement Key (EK)
Storage Root Key (SRK)
persistent memory volatile memory
SHA1hash
engine
LoadedKeys
Opt-in
Platform Configuration
Registers (PRC)
Attestation
IdentityKeys (AIK)
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 53/88
privacy CA
challengeryou
mutual trust of the CA – signed AIK satisfy challenger
Privacy
EK
AIK
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 54/88
What if collusion arise?
Privacy
privacy CA
challengeryou AIK
EK
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 55/88
Direct Anonymous Attestation (DAA)
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 56/88
Zero Knowledge Proof
S S
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 57/88
Processor
Execution engine
Store system measurements: SHA-1 hash
SecuredI/O
RSA
engine
RSA key
generator
RandomNumber
Generator
Prog
CodeOpt-in
Endorsement Key (EK)
Storage Root Key (SRK)
persistent memory volatile memory
SHA1hash
engine
Attestation
IdentityKeys (AIK)
Loaded
Keys
Opt-in
Platform Configuration
Registers (PRC)
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 58/88
Static Root of Trust for Measurements (SRTM)
L h ti t
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 59/88
TPM
CRTMBIOSROM
BIOSFLASH
BootLoader
OSKernel …
PCR 0
PCR 1
PCR 2
PCR 3
PCR 4
…
Boot process and PCRs attribution not accurate (highly simplified).
pass execution:
3
2
1
Launch time measurements
store measurement:
measurement:
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 60/88
one PCR can be used to measure multiple elements
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 61/88
TPM_Extend()
PCR = hash( old value, new value )
0xAAAA = hash( 0x0000, 0x1111 )0xBBBB = hash( 0xAAAA, 0x2222 )0xCCCC = hash( 0xBBBB, 0x3333 )
0x0000 = boot()
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 62/88
TPM doesn’t act upon PCRs
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 63/88
PCRs are stored whether they’re bad or good
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 64/88
Dynamic Root of Trust for Measurements (DRTM)
Late launch measurements
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 65/88
TPMICH
P C R 1
8
P C R 1
9
…
P C R 1
7
Late launch measurements
measurement:
MCH
CPU
SMX
store measurement:
Memory
OSKernel
…
pass execution:
Process not accurate (highly simplified).
Late launch measurements
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 66/88
Late launch measurements
MCH
CPUSMX
Process not accurate (highly simplified).
TPMICH
P C R 1
8
P C R 1
9
…
P C R 1
7
measurement:
store measurement:
Memory
OSKernel
…
pass execution:
Late launch measurements
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 67/88
Late launch measurements
MCH
CPUSMX
Process not accurate (highly simplified).
TPMICH
P C R 1
8
P C R 1
9
…
P C R 1
7
measurement:
store measurement:
Memory
OSKernel
…
pass execution:
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 68/88
Security Enhancements
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 69/88
RTM – Root of Trust for MeasurementCRTM + TPM (SRTM) || SMX + TPM (DRTM)
Measurements
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 70/88
Sealed storage
TPM Seal(): Encrypt data to a specific environment
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 71/88
TPM
data
_ () yp p
encrypteddata
PCR X: f56b7e4d5e065214afa5cc8b86897d7a4cbffb14
PCR Y: 7cb06027e87e7d848d8576d8fef5f76256f41cee
PCR Z: 38464bf083d958b53580c63c01e56707fd043588
TPM Unseal(): Decrypt if a specific environment is active
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 72/88
TPM
encrypteddata
PCR xPCR y
_ () yp p
PCR z
data
PCR X: f56b7e4d5e065214afa5cc8b86897d7a4cbffb14
PCR Y: 7cb06027e87e7d848d8576d8fef5f76256f41cee
PCR Z: 38464bf083d958b53580c63c01e56707fd043588
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 73/88
Detect malwareKeylogger / Meterpreter / KonBootRootkits (user/kernel, MBR, BIOS)
Protect dataKeys, BitLocker, etc
manipulate confidential db
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 74/88
Time
block I/O unblock I/O
DRTM
measurement
TPM_unseal db key erase db key
A t t a c k
S u r f a c e
manipulate confidential db
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 75/88
Time
block I/O unblock I/O
DRTM
measurement
TPM_unseal db key erase db key
A t t a c k
S u r f a c e
attack
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 76/88
Remote Attestation
TPM_Quote(): Sign PCRs with AIK
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 77/88
TPM
AIK
PCR x
PCR y
PCR zPCR x
PCR y
PCR z
AIK signature
AttestationRSA
engine
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 78/88
Strong Network Access Control (NAC)Trusted Network Connect
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 79/88
assess the security of a kiosk with your mobile device
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 80/88
Conclusion
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 81/88
a TPM is a passive device
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 82/88
it cannot take over your platform by itself
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 83/88
at this point, there’s no battle about
keeping our freedom / rights
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 84/88
Trusted Computing is a tool…
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 85/88
…nothing else
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 86/88
…and it’s about time we start using it
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 87/88
Thanks!
8/3/2019 TrustedComputing_SecurityFromGroundUp
http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 88/88