Secure Computing
7/31/2019 Secure Computing
Page 1 / 77 Guillaume Duc
May 2009
Usage rights licence
Trusted & Secure Computing: Introduction
Plan
Introduction
Trusted Computing Group (TCG)
  Introduction
  Trusted Platform Module (TPM)
  Other working groups
  Criticism
Intel Trusted eXecution Technology (TXT)
  Introduction
  Measured Launched Environment
  Conclusion
Secure computing
  Introduction
  Secure co-processors
  Bus encryption
Conclusion
Trusted Computing?
To guarantee that a computing system behaves in a well-defined way
Applications
  Online services (banking, commerce, voting, gaming, grid computing...)
  Disk encryption
  VPN
  DRM
Trusted Computing Group
The Trusted Computing Group (TCG) is a not-for-profit
organization formed to develop, define and promote open,
vendor-neutral, industry standards for trusted computing building
blocks and software interfaces across multiple platforms
(http://www.trustedcomputinggroup.org/)
Founded in 2003 with 14 companies, including AMD, HP, IBM,
Intel, Microsoft, Sony and Sun Microsystems (board members)
The specifications of the Trusted Platform Module (TPM) were previously developed by the Trusted Computing Platform Alliance (the infamous TCPA) and reused by the TCG
Goal: extend trust to all the components of a computing system
(network, servers, storage, mobiles, etc.)
Members 1/2
Three levels: Promoters, Contributors and Adopters.
Promoters (beginning of 2009): AMD, Fujitsu, Hewlett-Packard, IBM, Infineon, Intel, Lenovo, Microsoft, Sony, Sun Microsystems, Wave
Members 2/2
Large scope (non-exhaustive list)
  Semiconductors: Atmel, STMicroelectronics, Freescale, NXP
  Smartcards: Gemalto
  PC: Dell
  Mobiles: Nokia, Ericsson Mobile
  Network equipment: Juniper
  Storage: Seagate, Western Digital
  Network operators: Vodafone, Orange (until 2008)
  Security software: McAfee, Symantec
  Certification bodies: BSI
Working groups
Infrastructure
Mobile Phone
PC Client
Server
Software Stack
Storage
Trusted Network Connect
Trusted Platform Module
Virtualization
Hard Copy
Compliance
Some dates
2003: Foundation
2004: TPM version 1.2, creation of the Trusted Network Connect working group, 98 companies
2005: 120 companies, specifications for TPM in servers
2006: MTM (Mobile Trusted Module) specifications
2008: Support for TNC in FreeRADIUS
Fundamental Trusted Platform Features
TCG definition: Trust is the expectation that a device will behave in
a particular manner for a specific purpose
According to the TCG, a trusted platform should provide three basic features
  Protected capabilities: functions that have exclusive permission to access shielded locations (where sensitive data are stored and manipulated)
  Attestation: process of vouching for the accuracy of information
  Integrity measurement, logging and reporting: process of obtaining, storing and attesting metrics of the platform characteristics that affect its trustworthiness
Roots of Trust
Roots of trust are components that must be trusted
Three roots of trust are defined by the TCG
  Root of trust for measurement (RTM): performs integrity measurements
  Root of trust for storage (RTS): securely stores integrity measurements
  Root of trust for reporting (RTR): reports information stored in the RTS
Trusted Building Blocks
Trusted Building Blocks (TBB): parts of the Roots of Trust that are
not implemented as shielded locations or protected capabilities
Examples
  Core Root of Trust for Measurement (CRTM, part of the BIOS)
  Physical link between the CRTM storage and the motherboard
  Physical link between the TPM and the motherboard
TBB must be trusted (no way to detect if they are corrupted) but
are not protected
Inside the TPM: Components
I/O
Cryptographic co-processor (RSA and symmetric encryption)
RSA key generator
SHA-1 engine
HMAC engine
Random number generator (RNG)
Opt-In
Execution engine
Volatile and non-volatile memory
Integrity storage: PCR
Platform Configuration Register: 160-bit storage location inside the TPM
Used to store measurement values
At least 16 PCRs in a TPM (24 on TPM 1.2 PC Client platforms)
To allow the TPM to record more than one measurement per register, a PCR is only ever modified through the extension mechanism: PCR_i <- H(PCR_i || measure), where H is a collision-resistant hash function (SHA-1) and || denotes concatenation
A PCR can therefore never be written directly, only extended, and its final value depends on every measurement received and on their order
Integrity measurement: Principles
Measurement value: value and/or state of something that may impact the trustworthiness of the platform (e.g. the code of the BIOS, the bootloader, the kernel...)
The measurement agent computes a hash of the measurement value, sends the hash to the TPM, which stores it in a PCR (extension mechanism), and records the value in a log kept outside the TPM (Stored Measurement Log, SML)
With the SML, one can recompute the theoretical values of the PCRs and compare them with the real values held in the TPM
Infeasible to forge an SML that matches the PCR values (collision-resistant hash function): the SML lives in untrusted memory, but the PCR values themselves can only be extended, never rewritten
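The extension mechanism and the SML replay described above, as an added worked example in Python (not code from the original slides). The boot chain, the PCR indices used for the bootloader and kernel, the component contents and the reference kernel hash are constructed for the illustration; the CRTM -> PCR[0] and firmware -> PCR[1..7] assignment follows the slides.

```python
import hashlib

PCR_INIT = b"\x00" * 20  # a TPM 1.2 PCR is 160 bits and starts at zero after reset


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: PCR_i <- SHA-1(PCR_i || measurement).
    Software can never write a PCR directly; extending is the only operation."""
    return hashlib.sha1(pcr + measurement).digest()


def measure(component: bytes) -> bytes:
    """The measurement agent hashes the component before handing it to the TPM."""
    return hashlib.sha1(component).digest()


def measured_boot(chain):
    """Platform side. chain: ordered list of (pcr_index, name, code).
    Returns the PCR bank after boot and the Stored Measurement Log (SML),
    which lives in ordinary memory outside the TPM."""
    pcrs, sml = {}, []
    for idx, name, code in chain:
        m = measure(code)
        pcrs[idx] = extend(pcrs.get(idx, PCR_INIT), m)
        sml.append((idx, name, m))  # the log records the hash, not the code itself
    return pcrs, sml


def replay_sml(sml):
    """Challenger side: recompute the PCR values that this log implies."""
    expected = {}
    for idx, _name, m in sml:
        expected[idx] = extend(expected.get(idx, PCR_INIT), m)
    return expected


def verify_sml(sml, reported_pcrs) -> bool:
    """True iff the log is consistent with the PCR values the TPM reported
    (in a real attestation those values arrive signed by an AIK)."""
    return all(reported_pcrs.get(i) == v for i, v in replay_sml(sml).items())


def attest(sml, reported_pcrs, reference):
    """Full challenger decision: first check the log against the PCRs, then
    compare each logged component with its reference measurement."""
    if not verify_sml(sml, reported_pcrs):
        return "log inconsistent with PCRs"
    for _idx, name, m in sml:
        if name in reference and reference[name] != m:
            return f"untrusted {name}"
    return "trusted"


# Constructed boot chain. CRTM -> PCR[0] and option ROM -> PCR[1..7] follow the
# slides; the bootloader and kernel indices are assumptions for the example.
CHAIN = [
    (0, "CRTM", b"crtm-firmware-v1"),
    (2, "option ROM", b"nic-option-rom"),
    (4, "bootloader", b"grub-stage1"),
    (8, "kernel", b"vmlinuz-2.6.29"),
]
# Reference value a validation credential would carry (constructed).
REFERENCE = {"kernel": measure(b"vmlinuz-2.6.29")}
ROOTKIT_CHAIN = CHAIN[:-1] + [(8, "kernel", b"vmlinuz-rootkit")]


def demo():
    pcrs, sml = measured_boot(CHAIN)
    honest = attest(sml, pcrs, REFERENCE)

    # Attack 1: the platform booted a rootkit kernel but replays the old,
    # clean-looking log. The PCR the TPM reports no longer matches the log.
    evil_pcrs, evil_sml = measured_boot(ROOTKIT_CHAIN)
    stale_log = attest(sml, evil_pcrs, REFERENCE)

    # Attack 2: the platform reports its true log. It is consistent with the
    # PCRs, so the challenger now sees the rootkit hash and rejects the kernel.
    truthful_log = attest(evil_sml, evil_pcrs, REFERENCE)
    return honest, stale_log, truthful_log


if __name__ == "__main__":
    print(demo())
```

The two attacks show why both halves of the check matter: the PCR comparison catches a log that lies about what ran, and the reference comparison catches a truthful log of something that should not have run.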
Integrity measurement: PC
Transitive trust
BIOS = CRTM
  The CRTM measures itself and sends the measurement to PCR[0]
  The CRTM measures other low-level pieces of software (CPU microcode, PCI option ROM code, first part of the MBR (bootloader)...) and sends them to PCR[1-7]
  The bootloader may measure the first part of the OS kernel and send the measurement to the TPM
  The kernel may measure other OS parts...
Integrity reporting (attestation)
Principles
A challenger requests one or more PCR values from a platform
An agent on the platform collects the corresponding SML entries
The TPM signs the values of the PCRs with a key
The agent sends the signed PCR values, the SML entries and the credentials to the challenger
The challenger verifies the signature on the PCR values with the credentials of the TPM, then verifies the SML entries against the PCR values
Problem: privacy (if all signatures are performed with the same private key, every attestation performed by one TPM can be linked to the others)
TPM Credentials
Each TPM has a unique Endorsement Key (2048-bit RSA key)
Credentials (equivalent to certificates)
  Endorsement credential: issued by the entity which generates the EK; contains the TPM manufacturer name, the version and the model number of the TPM, and the EK public key
  Conformance credential: issued by the entity which has evaluated the TPM; contains the name of the evaluator, the platform manufacturer, model number and version, and the TPM manufacturer, model number and version
  Platform credential: issued by the platform manufacturer; contains the platform manufacturer, model number and version, the endorsement credential and the conformance credential
  Validation credentials: issued by the manufacturers of measurable components; contain reference measurements
Attestation Identity Keys
Attestation Identity Keys (RSA 2048) are used to sign PCR values
Attestation Identity Credential contains an AIK public key and is
issued by a service that is trusted to verify the various credentials
and preserve privacy policies of the client
Unlimited number of AIKs, so that different keys can be used for different attestations (privacy)
The TPM generates an AIK and sends its public part, together with the endorsement, platform and conformance credentials, to a Privacy Certification Authority (Privacy CA)
The Privacy CA checks the credentials, generates the Attestation Identity Credential and returns it encrypted for the EK, so that only the TPM holding that EK can recover it (in the TPM 1.1/1.2 specifications the EK is a decryption key, not a signing key)
Solution developed in TPM version 1.1
Direct Anonymous Attestation (DAA)
Problem with AIKs: need for a trusted Privacy CA (collusion with the verifier, saturation...)
Solution in TPM 1.2: Direct Anonymous Attestation (DAA)
E. Brickell, J. Camenisch, L. Chen, Direct Anonymous Attestation, Proceedings of the 11th ACM Conference on Computer and Communications Security, Oct. 2004, http://www.zurich.ibm.com/~jca/papers/brcach04.pdf
Complex cryptographic protocol based on group signatures and zero-knowledge proofs that allows the TPM to prove that it is a genuine one without disclosing its EK or relying on an online third party at attestation time (an issuer is still involved once, in the join phase)
Choice possible between full anonymity and traceability (a protocol parameter, in the original paper and in the TPM specifications)
Secure storage: Sealing
Sealing: encrypt a message so that it can only be decrypted if a selected set of PCRs hold the values that were fixed when the encryption was performed
Sealing
  The message is encrypted with a symmetric key
  The TPM encrypts the symmetric key, together with a structure storing the values of the selected PCRs, with an asymmetric storage key
Unsealing
  The TPM decrypts the data structure and checks whether the selected PCRs currently hold the expected values
  Only then does the TPM release the symmetric key to the application
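Sealing and unsealing, as an added worked example in Python (not code from the slides or from any TPM software stack). The TPM is simulated: a toy HMAC-based stream cipher stands in for the asymmetric storage key, the digest over the selected PCRs is a simplified stand-in for TPM_PCR_COMPOSITE, and the PCR indices and measurements are constructed for the illustration.

```python
import hashlib
import hmac
import os

PCR_INIT = b"\x00" * 20


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: PCR_i <- SHA-1(PCR_i || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()


def pcr_composite(pcrs, selection) -> bytes:
    """Digest over the selected PCRs (simplified stand-in for TPM_PCR_COMPOSITE)."""
    h = hashlib.sha1()
    for i in sorted(selection):
        h.update(bytes([i]) + pcrs[i])
    return h.digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode, XORed onto the data.
    It stands in for the TPM's asymmetric storage key so the example has no
    dependencies; the sealing logic does not depend on this choice."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[block * 32:(block + 1) * 32], ks))
    return bytes(out)


class ToyTPM:
    """PCR bank plus a storage root key that never leaves the chip."""

    def __init__(self):
        self.reset()
        self._srk = os.urandom(32)

    def reset(self):
        """Power-on reset: all PCRs return to their initial value."""
        self.pcrs = {i: PCR_INIT for i in range(24)}

    def extend(self, idx: int, measurement: bytes):
        self.pcrs[idx] = extend(self.pcrs[idx], measurement)

    def _tag(self, blob):
        msg = blob["nonce"] + bytes(blob["selection"]) + blob["policy"] + blob["ct"]
        return hmac.new(self._srk, msg, hashlib.sha256).digest()

    def seal(self, secret: bytes, selection) -> dict:
        """Encrypt `secret` and bind it to the current values of `selection`."""
        blob = {
            "nonce": os.urandom(16),
            "selection": sorted(selection),
            "policy": pcr_composite(self.pcrs, selection),  # expected PCR state
        }
        blob["ct"] = keystream_xor(self._srk, blob["nonce"], secret)
        blob["tag"] = self._tag(blob)  # binds ciphertext to policy; the blob itself is public
        return blob

    def unseal(self, blob: dict) -> bytes:
        """Release the secret only if the blob is intact and the PCRs match."""
        if not hmac.compare_digest(self._tag(blob), blob["tag"]):
            raise PermissionError("sealed blob corrupted")
        if pcr_composite(self.pcrs, blob["selection"]) != blob["policy"]:
            raise PermissionError("PCR values do not match sealing policy")
        return keystream_xor(self._srk, blob["nonce"], blob["ct"])


# Constructed measurements: firmware -> PCR 0, kernel -> PCR 4 (indices assumed).
FIRMWARE = hashlib.sha1(b"firmware-v1").digest()
GOOD_KERNEL = hashlib.sha1(b"vmlinuz-good").digest()
EVIL_KERNEL = hashlib.sha1(b"vmlinuz-evil").digest()


def demo():
    tpm = ToyTPM()
    tpm.extend(0, FIRMWARE)
    tpm.extend(4, GOOD_KERNEL)
    blob = tpm.seal(b"disk-encryption-key", {0, 4})
    same_boot = tpm.unseal(blob)

    # Reboot with a modified kernel: PCR 4 diverges, the key stays locked.
    tpm.reset()
    tpm.extend(0, FIRMWARE)
    tpm.extend(4, EVIL_KERNEL)
    try:
        tpm.unseal(blob)
        other_boot = "released"
    except PermissionError as e:
        other_boot = str(e)

    # The attacker rewrites the blob's policy to match the new PCRs: tag fails.
    forged = dict(blob, policy=pcr_composite(tpm.pcrs, blob["selection"]))
    try:
        tpm.unseal(forged)
        forged_blob = "released"
    except PermissionError as e:
        forged_blob = str(e)
    return same_boot, other_boot, forged_blob


if __name__ == "__main__":
    print(demo())
```

The sealed blob can sit on an ordinary disk: it carries the expected PCR state and an integrity tag, and the only secret needed to open it stays inside the TPM, so changing the policy in the blob or booting a different kernel both leave the key locked.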
Secure storage
Used to securely store small pieces of data (mainly
symmetric/asymmetric keys used by the TPM or applications)
Data organized in a tree structure
  The first level of the tree (nodes or leaves) is encrypted using the Storage Root Key (SRK) embedded inside the TPM
  Nodes: storage keys used to encrypt their children
  Leaves: data securely stored
The TPM does not need to store all the data itself, thanks to the encryption tree structure: only the SRK stays inside the chip, everything else can live encrypted on disk
Secure storage
(figure from TCG Specification Architecture Overview, revision 1.4)
Secure storage: Key types
Signing keys: asymmetric keys used to sign application data and
messages
Storage keys: asymmetric keys used to encrypt data or other keys
Identity keys (AIK): signing keys exclusively used to sign data
originated by the TPM
Endorsement keys (EK)
Bind key: used to encrypt small amounts of data on one platform
and decrypt it on another
Legacy keys: keys created outside of the TPM and imported into the TPM to be used for signing and encryption
Authentication keys: symmetric keys used to protect transport
sessions involving the TPM
Authentication
Each object in the TPM is associated with a 160-bit shared secret (AuthData)
A user who knows this shared secret is granted full usage of the object
TPM 1.2: Delegation mechanism
Misc
Monotonic counters
  Counters provided by the TPM that can only be incremented
  Limited number, but more can be provided by the OS using only one physical monotonic counter (virtual monotonic counters)
  Used in DRM for instance
Software stack (TSS)
(figure from TCG Specification Architecture Overview, revision 1.4)
Software stack: Interaction
(figure from TCG Specification Architecture Overview, revision 1.4)
Mobile Phone Working Group
Adapt the TPM specifications to mobile phones and PDAs
Constraints
  Multiple owners (radio = mobile network operator (MNO), main firmware = handset manufacturer, data = user)
  Some owners are remote (MNO, manufacturer) and some are local (user)
  Size and cost
Result: the MTM (Mobile Trusted Module)
Mobile Phone Working Group: MTM
Can be implemented as a separate chip (like the TPM), as a module inside the application processor, or in software
Multiple engines, one per owner (two mandatory: handset manufacturer and user; others optional: MNO, service provider, etc.)
Big feature: Secure boot
  During the boot, the MTM takes and stores measurements but also compares them to Reference Integrity Measurements (stored as RIM certificates) and halts the boot process if they do not match
  So if the OS is booted at all, it can be trusted
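The difference between the TPM's measured boot and the MTM's secure boot, as an added worked example in Python (not code from the slides or from the TCG specifications). The handset boot stages, the RIM issuer key and the RIM "certificate" format (an HMAC under a key the MTM holds, standing in for the issuer's public-key signature) are constructed for the illustration.

```python
import hashlib
import hmac

PCR_INIT = b"\x00" * 20


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM/MTM extend: PCR <- SHA-1(PCR || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()


class BootHalted(Exception):
    """Raised by the MTM secure boot when a stage fails its RIM check."""

    def __init__(self, stage: str, reason: str, ran: list):
        super().__init__(f"{stage}: {reason}")
        self.stage, self.ran = stage, ran


def make_rim_cert(issuer_key: bytes, stage: str, reference: bytes) -> dict:
    """RIM certificate. Simplified: an HMAC under a key the MTM holds stands in
    for the issuer's public-key signature over (stage, reference measurement)."""
    sig = hmac.new(issuer_key, stage.encode() + reference, hashlib.sha256).digest()
    return {"stage": stage, "hash": reference, "sig": sig}


def boot(chain, rim_certs=None, issuer_key=None):
    """chain: ordered list of (stage_name, code).
    rim_certs=None  -> TPM-style measured boot: every stage is measured, then run.
    rim_certs given -> MTM-style secure boot: a stage runs only if its measurement
                       equals the reference carried by a valid RIM certificate.
    Returns (final PCR value, list of stages that actually ran)."""
    pcr, ran = PCR_INIT, []
    for stage, code in chain:
        m = hashlib.sha1(code).digest()
        if rim_certs is not None:
            cert = rim_certs.get(stage)
            if cert is None:
                raise BootHalted(stage, "no RIM certificate", ran)
            sig = hmac.new(issuer_key, stage.encode() + cert["hash"], hashlib.sha256).digest()
            if not hmac.compare_digest(sig, cert["sig"]):
                raise BootHalted(stage, "RIM certificate signature invalid", ran)
            if cert["hash"] != m:
                raise BootHalted(stage, "measurement differs from RIM", ran)
        pcr = extend(pcr, m)  # both modes record what ran
        ran.append(stage)
    return pcr, ran


# Constructed handset boot chain and a constructed manufacturer RIM issuer key.
GOOD_CHAIN = [("boot ROM", b"rom-v3"), ("radio firmware", b"baseband-1.2"), ("OS kernel", b"kernel-good")]
TAMPERED_CHAIN = GOOD_CHAIN[:-1] + [("OS kernel", b"kernel-patched-by-attacker")]
ISSUER_KEY = b"handset-manufacturer-rim-signing-key"
RIMS = {name: make_rim_cert(ISSUER_KEY, name, hashlib.sha1(code).digest()) for name, code in GOOD_CHAIN}


def demo():
    good_pcr, _ = boot(GOOD_CHAIN)
    bad_pcr, measured_ran = boot(TAMPERED_CHAIN)  # TPM: boots anyway, PCR records it
    try:
        boot(TAMPERED_CHAIN, RIMS, ISSUER_KEY)
        secure = "booted"
    except BootHalted as e:  # MTM: refuses to launch the stage
        secure = f"halted at {e.stage} after {e.ran}"
    return {
        "measured_boot_runs_tampered_kernel": measured_ran == [s for s, _ in TAMPERED_CHAIN],
        "pcr_reveals_tampering": good_pcr != bad_pcr,
        "secure_boot": secure,
    }


if __name__ == "__main__":
    print(demo())
```

With measured boot the tampered kernel runs and only a later verifier can notice (the PCR differs); with secure boot the MTM stops before launching it, which is why a booted OS can be trusted but also why the owner of the RIM signing key decides what the device may run.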
Trusted Network Connect
The TNC WG is working to define and promote an open solution architecture that enables network operators to enforce policies regarding the security state of endpoints in order to determine whether to grant access to a requested network infrastructure
Compared to current network access control technologies
  Adds Platform Credential Authentication using certificates stored inside the TPM
  Adds an Integrity Verification Handshake using the values of the PCRs of the client's TPM
  E.g. defines an EAP method to transport integrity measurements and platform credentials
True/False 1
TPM will prevent me from running my OS/application (e.g. Linux): false
  The TPM, when enabled, just takes measurements but does not prevent an OS or an application from booting (contrary to the MTM)
  The TPM can be deactivated
True/False 2
Someone may oblige me to run a specific OS/application: true
  A service provider who wants to use the TPM to check the integrity of the platforms used by its clients will have to decide which measurements are considered trustworthy and which are not
  For instance, if the service provider decides to only accept measurements indicating that a specific OS is loaded, other OSes will not be able to access the service
  Big question: how will these lists of reference measurements be defined?
True/False 3
TPM may prevent interoperability between applications: true
  Using sealed storage, an application can store a document in a way that it can only be accessed using the same application and not a compatible one
  Potential threat
Compatibility with Free Software
Support for the TPM exists in several free software projects (e.g. the Linux kernel)
However, the concept of integrity measurement is not totally compatible with the free software model
  Free software is often distributed as source code (BSD ports, meta-distributions such as Gentoo, etc.)
  Two compilations of the same application are likely to give different binaries, even on the same machine (the date/time of compilation is often embedded into the binary)
  So the measurement (hash) of two instances of the same version of an application may differ
  Difficult (impossible?) to build reference integrity measurements of FOSS applications
Problems for the TCG
Infamous TCPA/Palladium: bad reputation among computer scientists and the free software community ("Treacherous computing"), so the main target of the TCG is, for the moment, companies and not individuals
TPMs are largely deployed in PCs, but most of the time they are not activated by their owners
Very few applications use the TPM (mainly BitLocker, some VPN and some disk encryption software; and only to store keys)
2009-2010 may be critical years for the success of the deployment of TCG technologies
Introduction
Intel Trusted Execution Technology (TXT)
Formerly known as LaGrande Technology
Versatile set of hardware extensions to Intel processors and
chipsets that enhance the digital office platform with security
capabilities such as measured launch and protected execution
(http://developer.intel.com/technology/security/index.htm)
Relies on the TPM for basic services
Already available on high-end motherboards (part of the vPro brand)
Measured Launched Environment
Main objective: Protected Execution, i.e. provide applications with
an execution environment where they can be executed without
being observed or compromised by untrusted applications
This environment is called Measured Launched Environment
TXT protects the launch and the execution of this MLE
The MLE can be launched at any time, including long after the boot
Launch of the MLE: DRTM
As the MLE can be launched at anytime, it is difficult to rely on the
measurements performed since the boot and stored in the TPM
Solution: Dynamic Root of Trust for Measurement (DRTM)
provided by TXT (also called late launch)
Launch of the MLE: Process
The launching environment loads the MLE and Authenticated
Code (AC) in memory
The launching environment calls the GETSEC[SENTER] instruction
The processor loads, authenticates (digital signature) and
executes the AC (the execution happens in internal SRAM inside
the processor)
The AC checks the configuration of the chipset and the processors
The AC measures the MLE, sends the measurements to the TPM and launches the MLE
Protection of the MLE: DMA
Need to protect the MLE against unauthorized modifications
DMA: protection using the Intel VT-d technology (requires chipset
modifications) to prevent unauthorized DMA transfers to/from a
memory area belonging to the MLE
Protection of the MLE: Misc.
Protected Input/Output: data encryption between the driver in the MLE and the I/O device (e.g. mouse, keyboard...)
Protected Graphics
  Data encryption between the driver in the MLE and the graphics card
  Proof to the user that what is displayed in a part of the screen really comes from the MLE
Not deployed yet
Already attacked!
Interesting technology
But already attacked, using a flaw in the System Management Mode (SMM, "ring -2") of the x86 architecture: SMM code runs with higher privilege than the MLE and is not covered by the measurements taken at launch
More details: R. Wojtczuk and J. Rutkowska, Attacking Intel
Trusted Execution Technology, Black Hat DC, Feb 2009,
http://invisiblethingslab.com/resources/bh09dc/Attacking%20Intel%20TXT%20-%20paper.pdf
Attack model: TCG
Resists some software attacks
Resists some physical attacks against the TPM itself (the TPM chip often uses a smartcard core)
But does not resist some hardware attacks against the other components
  Bus snooping
  Memory (reading or modifying RAM contents)
Some secure computing architectures have been developed to try to prevent these hardware attacks
Motivations
Hardware attacks
  Reading or modifying the content of the RAM
  Address and data bus snooping
  Direct attacks against the CPU
    Fault injection
    Power analysis (side-channel attacks)
Need sophisticated tools and knowledge, but not unrealistic (e.g. the Xbox break)
A security model
Guaranteed properties
  Confidentiality: an attacker shall obtain as little information as possible about the code or the data of a process
  Integrity: the correct execution of a process shall not be altered by an attacker
Attacker
  Total control over everything outside the CPU (buses, memory, storage, etc.)
  The CPU itself cannot be attacked (this excludes side-channel attacks)
Denial of service excluded
Problem: keep good performances
Secure computing
Two approaches
  Secure co-processor
  Bus encryption architecture
Secure co-processors
First solution: shielded execution environment (processor, memory, bus, etc.) to run secure processes
  Smartcards
  IBM 4758/4764 (processor, RAM, flash)
Problems
  Performance (smartcards)
  Difficult to upgrade
Secure architecture
Second solution: execute encrypted programs
(figure: the processor sits behind encryption and decryption units; the data bus and the address bus connect it to an external, untrusted memory)
Key dates
Confidentiality
  BEST, 1979
  DALLAS DS500x, 1995 (commercialized, broken by KUHN in 1998)
  KUHN (TrustNo 1), 1997: asymmetric encryption and OS support
  GILMONT, LEGAT and QUISQUATER, 1998: hybrid encryption
Confidentiality and integrity
  LIE, THEKKATH, MITCHELL, LINCOLN (XOM), 2000
  KERYELL (CRYPTOPAGE), 2000
  SUH, CLARKE, GASSEND, VAN DIJK and DEVADAS (AEGIS), 2003: protection against replay attacks
  KERYELL, LAURADOUX (CRYPTOPAGE 2), 2003
Confidentiality
Confidentiality is not very difficult (the main problem is to optimize
the decryption part)
During execution: everything outside of the processor is encrypted
Interrupts: the CPU cleans the registers before running the
interrupt handler
Memory integrity
Property to guarantee
  The value read at a given address from memory must be the latest value stored by the processor at this address
Attacks
  Injection (the attacker writes a value of its choice)
  Spatial permutation (the attacker moves a valid value to another address)
  Replay (the attacker restores an old value at the same address)
Much more expensive to guarantee than confidentiality...
Message Authentication Codes (MAC)
(figure: each memory line L is stored in external memory together with its tag h_K(L), a MAC computed by the processor with a key K that never leaves the chip; on a read, the processor recomputes the tag and compares it with the stored one)
Vulnerable to replay attacks
(figure: at t1 the processor writes (L1, h_K(L1)) at some address; at t2 it overwrites it with (L2, h_K(L2)); at t3 the attacker restores the old pair (L1, h_K(L1)), which is still a valid line/tag pair, so the processor accepts the stale value)
Solution: add counters (a per-line version number included in the MAC input)?
Problem: the counters have to be stored securely (if they sit in the same untrusted memory, the attacker replays them along with the line)
The MAC must be recomputed each time the counter changes, i.e. at every write
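The three attacks from these slides (injection, spatial permutation, replay) run against a MAC-protected memory, first with the address alone in the MAC input and then with a write counter added, as an added worked example in Python (not code from the slides or from any of the cited architectures). The processor and the external memory are simulated; the MAC construction (truncated HMAC-SHA256), the key, the addresses and the line contents are constructed for the example, and the counters are kept on chip for simplicity.

```python
import hashlib
import hmac

TAG_LEN = 8  # bytes of MAC stored next to each line (truncation is a design choice)


def tag(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:TAG_LEN]


class ExternalMemory:
    """Untrusted DRAM: the attacker can read, modify, move and restore entries."""

    def __init__(self):
        self.cells = {}

    def store(self, addr, entry):
        self.cells[addr] = entry

    def load(self, addr):
        return self.cells[addr]


class IntegrityError(Exception):
    pass


class AddrMacProcessor:
    """Stores (line, h_K(addr || line)). Detects injection and spatial
    permutation, but accepts a replayed (line, tag) pair."""

    def __init__(self, mem: ExternalMemory, key: bytes):
        self.mem, self.key = mem, key

    def write(self, addr: int, line: bytes):
        self.mem.store(addr, (line, tag(self.key, addr.to_bytes(4, "big"), line)))

    def read(self, addr: int) -> bytes:
        line, t = self.mem.load(addr)
        if not hmac.compare_digest(t, tag(self.key, addr.to_bytes(4, "big"), line)):
            raise IntegrityError(f"addr {addr:#x}: bad tag")
        return line


class CounterMacProcessor(AddrMacProcessor):
    """Adds a per-line write counter to the MAC input. Counters live on chip
    here; real designs (AEGIS, CryptoPage) keep them off chip under a hash tree."""

    def __init__(self, mem: ExternalMemory, key: bytes):
        super().__init__(mem, key)
        self.counters = {}

    def write(self, addr: int, line: bytes):
        self.counters[addr] = self.counters.get(addr, 0) + 1  # new MAC at every write
        c = self.counters[addr].to_bytes(8, "big")
        self.mem.store(addr, (line, tag(self.key, addr.to_bytes(4, "big"), c, line)))

    def read(self, addr: int) -> bytes:
        line, t = self.mem.load(addr)
        c = self.counters.get(addr, 0).to_bytes(8, "big")
        if not hmac.compare_digest(t, tag(self.key, addr.to_bytes(4, "big"), c, line)):
            raise IntegrityError(f"addr {addr:#x}: stale or forged line")
        return line


def attack_outcomes(proc_cls, key: bytes = b"k" * 32) -> dict:
    """Run the three attacks against a processor class. For each attack report
    'detected' or the line the processor wrongly accepted."""
    def attempt(fn):
        try:
            return fn()
        except IntegrityError:
            return "detected"

    mem = ExternalMemory()
    cpu = proc_cls(mem, key)
    A, B = 0x1000, 0x2000

    # Injection: the attacker changes the stored line but keeps the tag.
    cpu.write(A, b"L1")
    _line, t = mem.load(A)
    mem.store(A, (b"XX", t))
    injection = attempt(lambda: cpu.read(A))

    # Spatial permutation: copy the valid (line, tag) pair of B over A.
    cpu.write(A, b"L1")
    cpu.write(B, b"L2")
    mem.store(A, mem.load(B))
    permutation = attempt(lambda: cpu.read(A))

    # Replay: snapshot at t1, processor overwrites at t2, attacker restores at t3.
    cpu.write(A, b"L1")
    snapshot = mem.load(A)
    cpu.write(A, b"L2")
    mem.store(A, snapshot)
    replay = attempt(lambda: cpu.read(A))
    return {"injection": injection, "permutation": permutation, "replay": replay}


if __name__ == "__main__":
    print(attack_outcomes(AddrMacProcessor))
    print(attack_outcomes(CounterMacProcessor))
```

Binding the address into the MAC is what defeats permutation, and the counter is what defeats replay; the price is the one named on the slide: the tag changes at every write, and the counters only help as long as the attacker cannot roll them back along with the line, which is why they have to live in trusted storage or under a hash tree rooted on chip.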
Example: DS5002FP
8-bit microcontroller from Dallas Semiconductor
Data bus (8 bits) is encrypted: d' = E_{DK,a}(d), the encryption of a data byte depending on its address a
Address bus (16 bits) is encrypted: a' = E_{AK}(a)
K (64 bits) is stored in a small battery-backed SRAM inside the microcontroller
Program loaded using a special mode (the microcontroller generates a key, loads the program in clear from the serial port, encrypts it and stores it in memory)
Random dummy memory accesses to hide memory access patterns
Broken: M. Kuhn, Cipher Instruction Search Attack on the Bus-Encryption Security Microcontroller DS5002FP, IEEE Transactions on Computers, 47(10), pp. 1153-1157, October 1998
Example: CRYPTOPAGE
Memory encryption
Memory integrity protection (including against replay attacks)
Reduction of information leakage on the address bus
No need for a trusted operating system
Good performance (simulations: less than 10% overhead compared to a normal architecture)
Still on paper, no prototype yet...
Example: CRYPTOPAGE (architecture)
(figure: the CryptoPage processor chip. The data caches feed an AES counter-mode + CBC-MAC unit on the data bus; the MMU, TLB and ETLB drive a permutation unit and permutation buffer on the address bus; Merkle tree verifiers check memory integrity; an identification buffer, a SHA-1 unit, plaintext and encrypted hardware context buffers, an encrypted initial context buffer, an AES-CBC verifier, an RSA unit holding SK_proc, a random number generator and a secure storage tree verifier complete the chip. Keys: per-process K_pid,i, K_pid,d, K_pid,m; per-processor K_proc,e, K_proc,m and the root K_proc,s)
Conclusion
Trusted computing: existing industrial solutions (TCG, Intel TXT...)
Secure computing: more difficult (the attacker is much more powerful) and more expensive; some industrial solutions, but still largely an academic field
Before choosing a solution: check the security model and the
attacker model to see if they match your needs
As always, these technologies are double-edged...
Usage rights licence
Public context } without modifications
By downloading or consulting this document, the user accepts the licence of use attached to it, as detailed in the following provisions, and undertakes to respect it in full.
The licence grants the user a right of use over the document consulted or downloaded, in whole or in part, under the conditions defined below and to the express exclusion of any commercial use.
The right of use defined by the licence authorizes use intended for any audience, which includes: the right to reproduce all or part of the document on electronic or paper media; the right to distribute all or part of the document to the public on paper or electronic media, including by making it available to the public on a digital network.
No modification of the document in its content, form or presentation is authorized.
The mentions relating to the source of the document and/or its author must be preserved in their entirety.
The right of use defined by the licence is personal, non-exclusive and non-transferable.
Any use other than those provided for by the licence is subject to the prior and express authorization of the author: [email protected]