trustedcomputing_securityfromgroundup

8/3/2019 TrustedComputing_SecurityFromGroundUp

http://slidepdf.com/reader/full/trustedcomputingsecurityfromgroundup 1/88

Tr usted ComputingSecurity from the ground up

Danny Fullerton – 2011/11/04



Why I used to hate TC



Palladium ®



a chip soldered to our motherboard



all of your actions had to be approved by Microsoft ®



I was some kind of frustrated liberal punk...



… there’s no way I’ve could accept this



I’ve decided to fight this however I’ve could:



tell everyone how this would affect us



swore to never buy a motherboard with this chip



…and learn about it



How I came to love TC



Trusted Computing != Palladium



it has very interesting security properties



breaks the status quo

Hackfest 2010 – Broken by Design

No comments on the background



well, I’m still a liberal punk but *paranoiac* too



What went wrong?



My guess :

Trusted Computing is a disruptive innovation

I just didn't understood the technology



What is it?



Protection objectives



software based attack

open case

sophisticated local attack

High :

Medium :

Low :



The basic idea



We cannot trust the entire platform…



…but only a very small part of it



…and build a chain of trust



Root of Trust for Measurements

+Trusted Platform Module

Not entirely true since we have to trust the MLE, and the hardware.



Core Root Of Trust for Measurements

MCH

CPU

TPMICH

Memory

BIOS

Bios Boot

Block



Tr usted P latform Module



secure

I/O

Endorsement Key (EK)

Storage Root Key (SRK)

processor

persistent memory volatile memory

Execution engine

Typical TPM

RSA

engine

SHA1hash

engine

RSA key

generator

RandomNumber

Generator

Prog

CodeOpt-in

Attestation

Identity

Keys (AIK)

LoadedKeys

Opt-in

Platform Configuration

Registers (PRC)



secure

I/Oprocessor

Execution engine

Orchestrator: receive request and dispatch

RSA

engine

RSA key

generator

RandomNumber

Generator

Prog

CodeOpt-in




SHA1hash

engine

Attestation

Identity

Keys (AIK)

LoadedKeys

Opt-in


Registers (PRC)



processor

Execution engine

Implement the specs: validation, execute request, respond

secure

I/O

RSA

engine

RSA key

generator

RandomNumber

Generator

Opt-inProg

Code




SHA1hash

engine

Attestation

Identity

Keys (AIK)

LoadedKeys

Opt-in


Registers (PRC)



processor

Execution engine

Create good random data for symmetric, asymmetric, nonce

secure

I/O

RSA

engine

RSA key

generator

Prog

CodeOpt-in

RandomNumber

Generator




SHA1hash

engine

Attestation

Identity

Keys (AIK)

LoadedKeys

Opt-in


Registers (PRC)



processor

Execution engine

Securely create RSA key pairs: public, private

secure

I/O

RSA

engine

RandomNumber

Generator

Prog

CodeOpt-in

RSA key

generator




SHA1hash

engine

Attestation

Identity

Keys (AIK)

LoadedKeys

Opt-in


Registers (PRC)



processor

Execution engine

RSA encryption, decryption, signature, verification

secure

I/O

RSA key

generator

RandomNumber

Generator

Prog

CodeOpt-in




SHA1hash

engine

Attestation

Identity

Keys (AIK)

LoadedKeys

Opt-in


Registers (PRC)

RSA

engine



processor

Execution engine

Authorization values, HMAC, etc

secure

I/O

RSA

engine

RSA key

generator

RandomNumber

Generator

Prog

CodeOpt-in




SHA1hash

engine

Attestation

Identity

Keys (AIK)

LoadedKeys

Opt-in


Registers (PRC)



processor

Execution engine

Keep track of internal state: sessions, etc

secure

I/O

RSA

engine

RSA key

generator

RandomNumber

Generator

Prog

CodeOpt-in




SHA1hash

engine

Attestation

Identity

Keys (AIK)

LoadedKeys

Opt-in


Registers (PRC)



processor

Execution engine

Power cycle resistant memory

secure

I/O

RSA

engine

RSA key

generator

RandomNumber

Generator

Prog

CodeOpt-in




SHA1hash

engine

Attestation

Identity

Keys (AIK)

LoadedKeys

Opt-in


Registers (PRC)



RSA

engine

RSA key

generator

RandomNumber

Generator

processor

Execution engine

Prog

Code

Enforce user’s choice

secure

I/O

Opt-in




SHA1hash

engine

Attestation

Identity

Keys (AIK)

LoadedKeys

Opt-in


Registers (PRC)



at purchase time, TPMs are not operational



processor

Execution engine

Root of all storage keys

secure

I/O

RSA

engine

RSA key

generator

RandomNumber

Generator

Prog

CodeOpt-in




SHA1hash

engine

Attestation

Identity

Keys (AIK)

LoadedKeys

Opt-in


Registers (PRC)



created when owner activate the TPM



used to create secure key trees



provide, virtually, unlimited secure storage

Storage Root Keyinside



Storage Root Key

Storage KeyUser1

Binding Key

Signing Key

Storage KeyUser2

Binding Key

Signing Key

the TPM

outsidethe TPM

The actual structure is malleable and can be very different.



Processor

Execution engine

TCG specifications assertion

Secured

I/O

RSA

engine

RSA key

generator

RandomNumber

Generator

Prog

CodeOpt-in




SHA1hash

engine

Attestation

IdentityKeys (AIK)

LoadedKeys

Opt-in


Registers (PRC)



endorsement certificate sign by the TPM manufacturer



uniquely identify the platform



privacy concerns



well yes… but no



EK is only used in conjunction with something else



Processor

Execution engine

Some kind of privacy protector

SecuredI/O

RSA

engine

RSA key

generator

RandomNumber

Generator

Prog

CodeOpt-in




SHA1hash

engine

LoadedKeys

Opt-in


Registers (PRC)

Attestation

IdentityKeys (AIK)



privacy CA

challengeryou

mutual trust of the CA – signed AIK satisfy challenger

Privacy

EK

AIK



What if collusion arise?

Privacy

privacy CA

challengeryou AIK

EK



Direct Anonymous Attestation (DAA)



Zero Knowledge Proof

S S



Processor

Execution engine

Store system measurements: SHA-1 hash

SecuredI/O

RSA

engine

RSA key

generator

RandomNumber

Generator

Prog

CodeOpt-in




SHA1hash

engine

Attestation

IdentityKeys (AIK)

Loaded

Keys

Opt-in


Registers (PRC)



Static Root of Trust for Measurements (SRTM)

L h ti t



TPM

CRTMBIOSROM

BIOSFLASH

BootLoader

OSKernel …

PCR 0

PCR 1

PCR 2

PCR 3

PCR 4

…

Boot process and PCRs attribution not accurate (highly simplified).

pass execution:

3

2

1

Launch time measurements

store measurement:

measurement:



one PCR can be used to measure multiple elements



TPM_Extend()

PCR = hash( old value, new value )

0xAAAA = hash( 0x0000, 0x1111 )0xBBBB = hash( 0xAAAA, 0x2222 )0xCCCC = hash( 0xBBBB, 0x3333 )

0x0000 = boot()



TPM doesn’t act upon PCRs



PCRs are stored whether they’re bad or good



Dynamic Root of Trust for Measurements (DRTM)

Late launch measurements



TPMICH

P C R 1

8

P C R 1

9

…

P C R 1

7


measurement:

MCH

CPU

SMX

store measurement:

Memory

OSKernel

…

pass execution:

Process not accurate (highly simplified).





MCH

CPUSMX


TPMICH

P C R 1

8

P C R 1

9

…

P C R 1

7

measurement:

store measurement:

Memory

OSKernel

…

pass execution:




Security Enhancements



RTM – Root of Trust for MeasurementCRTM + TPM (SRTM) || SMX + TPM (DRTM)

Measurements



Sealed storage

TPM Seal(): Encrypt data to a specific environment



TPM

data

_ () yp p

encrypteddata

PCR X: f56b7e4d5e065214afa5cc8b86897d7a4cbffb14

PCR Y: 7cb06027e87e7d848d8576d8fef5f76256f41cee

PCR Z: 38464bf083d958b53580c63c01e56707fd043588

TPM Unseal(): Decrypt if a specific environment is active



TPM

encrypteddata

PCR xPCR y

_ () yp p

PCR z

data

PCR X: f56b7e4d5e065214afa5cc8b86897d7a4cbffb14

PCR Y: 7cb06027e87e7d848d8576d8fef5f76256f41cee

PCR Z: 38464bf083d958b53580c63c01e56707fd043588



Detect malwareKeylogger / Meterpreter / KonBootRootkits (user/kernel, MBR, BIOS)

Protect dataKeys, BitLocker, etc

manipulate confidential db



Time

block I/O unblock I/O

DRTM

measurement

TPM_unseal db key erase db key

A t t a c k

S u r f a c e

manipulate confidential db



Time

block I/O unblock I/O

DRTM

measurement

TPM_unseal db key erase db key

A t t a c k

S u r f a c e

attack



Remote Attestation

TPM_Quote(): Sign PCRs with AIK



TPM

AIK

PCR x

PCR y

PCR zPCR x

PCR y

PCR z

AIK signature

AttestationRSA

engine



Strong Network Access Control (NAC)Trusted Network Connect



assess the security of a kiosk with your mobile device



Conclusion



a TPM is a passive device



it cannot take over your platform by itself



at this point, there’s no battle about

keeping our freedom / rights



Trusted Computing is a tool…



…nothing else



…and it’s about time we start using it



Thanks!

trustedcomputing_securityfromgroundup

Documents