
Copyright© 2004 Trusted Computing Group - Other names and brands are properties of their respective owners.

Slide #1: Putting Trust into the Network: Securing Your Network through Trusted Access Control

Ned Smith
Intel NCAC
April 27th, 2005

Slide #2: Agenda

• TCG Model for Trusted Computing
• Establishing Endpoint Integrity / Identity
• Access Control Decisions Based on TPM
• Relating XACML with TCG Integrity Schema

Slide #3: Challenges of Trusted Computing

• Assurance of safe computing environments
  – Viruses, Worms, Rootkits, Spyware, Adware etc.
  – Identifying the endpoint is ambiguous
• The endpoint has a distinct boundary
  – Controllers, busses, networks and peripherals associated with a platform
  – Authentication protocols presume authorization tokens are bound to the endpoint
• Control of resources in foreign environments
  – Infosec policy associated with data as it moves through different computing environments
  – The environment must follow the policy

Slide #4: TCG Model of a Trusted Computing Platform

[Figure: a Trusted Engine inside a Protection Domain, made up of a Measurement Engine, Storage Engine, Verification Engine, Reporting Engine and Enforcement Engine. The engine consumes Layer Resources and Layer Services, is governed by Policies, produces Metrics, and exposes Provided Services to Dependent Services.]

Slide #5: Examples

• Secure Boot
  – A secure boot service implements Measurement and Reporting engines integrated with a Verification engine
  – The Verification engine evaluates measurements according to a policy to determine proper boot sequence
  – If the sequence is in error, an Enforcement engine is employed to terminate the boot process
• Trusted Boot
  – Trusted boot service implements Measurement and Storage engines following the boot sequence
  – A Verification engine on a remote node (network server) evaluates the boot sequence at a later time

Slide #6: Decomposition for Network Access Control

[Figure: the engines of Slide #4 split across three domains. The Access Requestor Domain holds the Measurement Engine, Storage Engine and Reporting Engine together with the platform Metrics; the PDP Domain holds the Verification Engine and its Policies; the PEP Domain holds the Enforcement Engine. Numbered arrows (1 to 7) run from Access Request through Measurement, Attestation, Access Control and Apply Access to Network Connect.]

Slide #7: How to Define the Endpoint?

• Authentication tokens
  – Keys, pass-phrases, certificates etc.
• Boot sequence
• Device enumeration
• Software install / load
• Running processes / threads
• Manufacturer intrinsic attributes
  – Model, version, quality metrics

Slide #8: Three Vectors of Endpoint Integrity / Identity

• Measurement
  – Hash of software/firmware captures platform state
    • Controllers and processors are enumerated and measured
    • Executing code may be scanned to determine its present state
• Cryptographic Identity
  – Authentication keys
    • Reporting Engines use cryptographic keys to authenticate the reporting engine, which by extension identifies the platform
• Origin Identity
  – MMV
    • Each component (device, platform, software package) can be identified by its Manufacturer, Model and Version (MMV)
    • Credentials issued by manufacturers contain MMV intrinsic assertions
  – Reference Measurements
    • Manufacturer provided signatures

Slide #9: Example: Pre-Boot Integrity Measurement Collection

[Figure: the Root of Trust for Measurement (RTM) measures the POST code and then executes it. The POST code measures and executes Option ROM(1), Option ROM(2), Option ROM(3) and the Option ROM(3) Extension, and measures data such as PCI Config, CMOS and BIS Certificates. It then measures and executes the Initial Program Loader (IPL), which measures and executes the Operating System. Every measurement is extended into the TPM, which holds the Hash of Extended Values, and recorded in the Log of Extended Values.]

Measure = Hash of code or data
Execute = Code is loaded into CPU

Slide #10: Platform Configuration Registers (PCRs)

• Stores cumulative configuration
• Update is an Extend operation:
  – [PCR] = SHA-1 {[PCR] + Extend value}
  – Value: it is infeasible to find a value A such that PCRdesiredValue = Extend(A)
• PCRs re-initialized at system reset
  – TPM_Init
• Measurement Log contains
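The following is an added example (not code from the slides or from TCG) that puts Slides #9 and #10 together: a constructed measurement log is replayed through the SHA-1 Extend operation to recompute PCR values, which a verifier can then compare both against the PCRs the platform reported and against reference values for a known-good boot. The event data, PCR assignments and reference values are invented for the example; a real TPM 1.2 log carries the same shape (PCR index, event, digest) but its contents come from firmware.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed boot measurement log: (PCR index, event description, measured bytes).
# The byte strings stand in for POST code, option ROMs, the IPL and the OS image and
# are invented for this example; the PCR assignments are illustrative, not a TCG mapping.
Event = Tuple[int, str, bytes]
BOOT_LOG: List[Event] = [
    (0, "POST code", b"post-code-build-0417"),
    (2, "Option ROM(1)", b"oprom-nic-1.3"),
    (2, "Option ROM(2)", b"oprom-raid-2.0"),
    (4, "Initial Program Loader (IPL)", b"ipl-stage1-0.97"),
    (8, "Operating System", b"kernel-2.6.11"),
]

PCR_LEN = 20                    # a TPM 1.2 PCR holds one SHA-1 digest
PCR_RESET = b"\x00" * PCR_LEN   # PCR value after TPM_Init


def measure(data: bytes) -> bytes:
    """Measure = hash of code or data."""
    return hashlib.sha1(data).digest()


def extend(pcr: bytes, value: bytes) -> bytes:
    """[PCR] = SHA-1([PCR] || value). The old PCR value is part of the input, so the
    result depends on every earlier extend and on their order, and a chosen PCR
    value cannot be produced by picking a single extend value."""
    if len(pcr) != PCR_LEN or len(value) != PCR_LEN:
        raise ValueError("PCR and extend value must be SHA-1 digests")
    return hashlib.sha1(pcr + value).digest()


def replay_log(log: List[Event]) -> Dict[int, bytes]:
    """Recompute each PCR from the measurement log, starting at the reset value."""
    pcrs: Dict[int, bytes] = {}
    for index, _description, data in log:
        pcrs[index] = extend(pcrs.get(index, PCR_RESET), measure(data))
    return pcrs


def check_log_against_pcrs(reported: Dict[int, bytes],
                           log: List[Event]) -> Dict[int, Tuple[bytes, bytes]]:
    """Verifier step 1: does the log explain the PCR values the platform reported
    (the values a TPM quote would sign)? Returns {index: (recomputed, reported)}
    for every PCR that disagrees; an empty dict means the log is consistent."""
    recomputed = replay_log(log)
    return {i: (recomputed.get(i), v) for i, v in reported.items()
            if recomputed.get(i) != v}


def check_against_reference(reported: Dict[int, bytes],
                            reference: Dict[int, bytes]) -> List[int]:
    """Verifier step 2: compare reported PCRs with reference values for a known-good
    boot of this platform (supplied by the manufacturer, an evaluation lab or the
    owner). Returns the PCR indexes whose value is not the expected one."""
    return sorted(i for i, expected in reference.items() if reported.get(i) != expected)


if __name__ == "__main__":
    pcrs = replay_log(BOOT_LOG)
    for index in sorted(pcrs):
        print(f"PCR[{index:2d}] = {pcrs[index].hex()}")
```

Two properties of Extend show up directly: swapping the two option ROM events changes PCR 2 while leaving the other registers alone, and a modified OS image is caught either because the log no longer reproduces the quoted PCR 8 or because PCR 8 no longer matches the reference value, whichever the attacker failed to adjust.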

Slide #11: Collecting Measurements After System Boot

• A Platform Trust Service (PTS) can be used to Measure Applications
  – Files
    • Read files from disk; compute a measurement
  – Processes
    • Ring 3 – DLL injection to read another process's memory
    • Ring 0 – Access pages in memory / DMA accesses

Slide #12: Example Platform Trust Service

• Integrity of the PTS is established
  – Pre-boot by measuring PTS drivers included in OS image
  – Post-boot by measuring PTS process memory pages
• PTS may measure processes and files
  – Determined by policy – e.g. protect integrity reporting infrastructure
  – Triggered by request – e.g. measure before connecting to the network

[Figure: pre-boot, the Initial Program Loader (IPL) measures and executes the Operating System, including the PTS Driver; the PTS Driver measures and executes the PTS Service; the PTS Service then measures Other Services and Other Processes or Files.]

Slide #13: TCG Model for Exchanging Integrity Data

• IF-IMC & IF-IMV exchange messages containing posture information
  – Messages are batched for delivery by TNCC / TNCS
  – Either side may start a batched exchange
  – IMCs and IMVs may subscribe to multiple message types
  – Follow-on exchanges may continue indefinitely
    • But may be gated by the underlying transport

[Figure: a TNC Client on the Access Requestor and a TNC Server on the Policy Decision Point exchange one Batch over a Tunnel. Client-side collectors (Anti-Virus Collector, Firewall Collector, Patch Mgmt Collector, TNC Integrity Collector) feed matching server-side verifiers (Anti-Virus Verifier, Firewall Verifier, Patch Mgmt Verifier, TNC Integrity Verifier), each of which reports a Status of OK or !OK.]

The TNC Server Makes the Final Decision
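As an added example (not from the slides or from any TNC implementation), the batched exchange described above, simulated in Python: each IMC contributes posture messages to one batch, the TNC server delivers every message to the IMVs subscribed to its type, an IMV may answer with a follow-on request instead of a recommendation, and the exchange stops when no requests are outstanding or when a transport-imposed batch limit is hit. The collector names, message types, thresholds and the hotfix identifier are constructed for the example, and the rule that an IMV without a recommendation counts as ISOLATE is an assumption of this example, not a TNC requirement.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

OK, ISOLATE, NOT_OK = "OK", "ISOLATE", "!OK"   # IMV recommendations
MAX_BATCHES = 4   # follow-on exchanges could go on indefinitely; the transport gates them


@dataclass
class Message:
    msg_type: str                      # IMCs and IMVs subscribe to message types
    imc: str                           # the IMC this message belongs to (its producer,
                                       # or the target of a follow-on request)
    body: dict = field(default_factory=dict)


# An IMC gets the batch number and the follow-on requests addressed to it, and returns
# the messages it wants in the next batch. An IMV gets one message and returns
# (recommendation or None, follow-on request or None).
IMC = Callable[[int, List[Message]], List[Message]]
IMV = Callable[[Message], Tuple[Optional[str], Optional[Message]]]


def tnc_exchange(imcs: Dict[str, IMC],
                 imvs: Dict[str, Tuple[set, IMV]]) -> Tuple[str, Dict[str, str]]:
    """Run batched IF-IMC / IF-IMV exchanges between a TNC client and a TNC server;
    return (final decision, last recommendation per IMV)."""
    verdicts: Dict[str, str] = {}
    requests: Dict[str, List[Message]] = {name: [] for name in imcs}
    for batch_no in range(MAX_BATCHES):
        # TNC client side: every IMC contributes to one batch
        batch = [m for name, imc in imcs.items() for m in imc(batch_no, requests[name])]
        requests = {name: [] for name in imcs}
        if not batch:
            break
        # TNC server side: deliver each message to every IMV subscribed to its type
        for msg in batch:
            for imv_name, (types, imv) in imvs.items():
                if msg.msg_type not in types:
                    continue
                recommendation, follow_on = imv(msg)
                if recommendation is not None:
                    verdicts[imv_name] = recommendation
                if follow_on is not None:
                    requests[msg.imc].append(follow_on)
        if not any(requests.values()):
            break
    return final_decision(verdicts, set(imvs)), verdicts


def final_decision(verdicts: Dict[str, str], expected_imvs: set) -> str:
    """The TNC server, not any single IMV, makes the final decision. An IMV that
    never reached a recommendation (exchange cut short) is treated as ISOLATE."""
    if NOT_OK in verdicts.values():
        return NOT_OK
    if ISOLATE in verdicts.values() or expected_imvs - set(verdicts):
        return ISOLATE
    return OK


def make_collectors(av_signatures: int, firewall_on: bool,
                    hotfixes: List[str]) -> Dict[str, IMC]:
    """Constructed endpoint: anti-virus, firewall and patch-management collectors."""
    def av_imc(batch_no, requests):
        if batch_no != 0:
            return []
        return [Message("av-status", "av", {"engine": "7.1", "signatures": av_signatures})]

    def fw_imc(batch_no, requests):
        return [Message("fw-status", "fw", {"enabled": firewall_on})] if batch_no == 0 else []

    def patch_imc(batch_no, requests):
        if batch_no == 0:
            return [Message("patch-summary", "patch", {"service_pack": 1})]
        # later batches only answer follow-on requests for the hotfix list
        return [Message("patch-detail", "patch", {"hotfixes": hotfixes})
                for r in requests if r.msg_type == "patch-detail-request"]

    return {"av": av_imc, "fw": fw_imc, "patch": patch_imc}


def make_verifiers() -> Dict[str, Tuple[set, IMV]]:
    """Constructed PDP-side verifiers; thresholds are example policy, not TCG values."""
    def av_imv(m):
        return (OK if m.body["signatures"] >= 20050401 else ISOLATE), None

    def fw_imv(m):
        return (OK if m.body["enabled"] else NOT_OK), None

    def patch_imv(m):
        if m.msg_type == "patch-summary":
            # the summary is not enough to decide: start a follow-on exchange
            return None, Message("patch-detail-request", "patch")
        return (OK if "KB-EXAMPLE-1" in m.body["hotfixes"] else ISOLATE), None

    return {"av": ({"av-status"}, av_imv),
            "fw": ({"fw-status"}, fw_imv),
            "patch": ({"patch-summary", "patch-detail"}, patch_imv)}
```

The patch verifier is the interesting path: it subscribes to two message types and only recommends after the second batch, which is why the server has to aggregate across batches rather than decide on the first one.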

Slide #14: Evaluation of Integrity Reports

• Integrity Reports ought to be shadowed by a Reference Value
  – Reference values
    • "Normal" boot sequence will have repeatable PCR values
    • Versioning "freezes" code changes so hash values don't change
  – Authentication keys have trust anchors
  – Watchdogs have a schedule of expected events
• Reference Values Should Come from an Authoritative Source
  – Manufacturer – to detect modification due to stolen source
  – Evaluation labs – who make assertions of quality and conformance
  – Platform Owner – the entity taking the risk!

Slide #15: Integrity Harvesting Model

• Harvesting gathers Assertions and Values from a trustworthy source
• TCG Integrity Schema defined structure

[Figure: Integrity Measurement Harvesters use a Harvesting Mechanism to collect Reference Integrity Measurements and TCG Certificates from a Value-Added Provider, and a Submission Mechanism to store them in an Integrity Signature Database structured by the TCG Integrity Schema. Policy Authors use a Policy Authoring Mechanism to produce Policies / Rules; the Verifier (PDP) applies an Evaluation Mechanism over the database and the policies. The legend marks which elements are anticipated TCG specifications.]

Slide #16: TCG Integrity Schema

• Consists of a tree of Assertions and hash Values
  – Reference measurements
  – Quality assertions
  – Development / Manufacturing processes
  – Trust related operations
    • E.g. creation of platform endorsement key
• Associated with a Target "Component"
  – Composite attributes form its "Identity"
    • Manufacturer name / vendor ID
    • Model number / name
    • Version information
      – Patch level
  – Component Identity is unique with respect to a release
    • Not necessarily a particular copy or instance

Slide #17: Integrity Schema and XACML

• Evaluation correlates reference and actual values with appropriate consequences
  – A policy structure such as XACML may be helpful
• An XACML Policy is a tree of
  – PolicySet
    • Contains multiple Policies and policy references
  – Policy
    • Contains multiple Rules
  – Rule
    • Contains decision logic expressed in terms of Conditions and Effect
• TCG Assertions may be mapped to XACML as Condition Attributes
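As an added example (not from the slides, and not an XACML engine), the PolicySet / Policy / Rule tree above is modelled in Python with TCG-style assertions as the condition attributes: a context handler looks up each reported component's reference measurement by its (Manufacturer, Model, Version) identity in a constructed Integrity Signature Database, and rules compare actual against reference. The component names, digests, the anti-virus threshold and the simplified deny-overrides combining (any Deny wins, then Indeterminate, then Permit) are assumptions of this example rather than the XACML specification's exact algorithm.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Union

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
Context = Dict[str, object]


@dataclass
class Rule:
    rule_id: str
    effect: str                              # Permit or Deny
    condition: Callable[[Context], bool]     # decision logic over condition attributes

    def evaluate(self, ctx: Context) -> str:
        try:
            return self.effect if self.condition(ctx) else NOT_APPLICABLE
        except LookupError:                  # an attribute the condition needs is absent
            return INDETERMINATE


@dataclass
class Policy:
    """A Policy holds Rules; a PolicySet holds Policies (same class here)."""
    policy_id: str
    children: List[Union["Policy", Rule]]

    def evaluate(self, ctx: Context) -> str:
        return deny_overrides(child.evaluate(ctx) for child in self.children)


def deny_overrides(decisions: Iterable[str]) -> str:
    """Simplified deny-overrides: any Deny wins, then Indeterminate, then Permit."""
    result = NOT_APPLICABLE
    for d in decisions:
        if d == DENY:
            return DENY
        if d == INDETERMINATE:
            result = INDETERMINATE
        elif d == PERMIT and result == NOT_APPLICABLE:
            result = PERMIT
    return result


# Constructed Integrity Signature Database: reference measurements keyed by the
# (Manufacturer, Model, Version) component identity of the TCG Integrity Schema.
# Names and digests are invented for this example.
REFERENCE_DB: Dict[tuple, str] = {
    ("ExampleBIOS Inc", "EB-1000", "2.3"): hashlib.sha1(b"bios-2.3").hexdigest(),
    ("ExampleOS", "Server", "5.1"): hashlib.sha1(b"os-5.1").hexdigest(),
}


def build_context(report: dict) -> Context:
    """Context handler: pair each reported component's actual value with the
    reference value found for its identity (None when none is known)."""
    components = {}
    for comp in report["components"]:
        identity = (comp["manufacturer"], comp["model"], comp["version"])
        components[comp["name"]] = {"identity": identity, "actual": comp["digest"],
                                    "reference": REFERENCE_DB.get(identity)}
    return {"components": components, "av_signatures": report.get("av_signatures")}


def component_modified(ctx: Context, name: str) -> bool:
    comp = ctx["components"][name]
    if comp["reference"] is None:
        raise LookupError(f"no reference value for {comp['identity']}")
    return comp["actual"] != comp["reference"]


def any_component_modified(ctx: Context) -> bool:
    return any(component_modified(ctx, name) for name in ctx["components"])


def av_signatures_stale(ctx: Context) -> bool:
    if ctx["av_signatures"] is None:
        raise LookupError("anti-virus signature date not reported")
    return ctx["av_signatures"] < 20050401      # example threshold, not a TCG value


NAC_POLICY_SET = Policy("network-access", [
    Policy("platform-integrity", [
        Rule("deny-modified-component", DENY, any_component_modified),
        Rule("permit-known-good-platform", PERMIT, lambda c: not any_component_modified(c)),
    ]),
    Policy("posture", [
        Rule("deny-stale-av-signatures", DENY, av_signatures_stale),
    ]),
])


def access_decision(report: dict) -> str:
    """PDP entry point. Only Permit grants access; a PEP should treat Deny,
    NotApplicable and Indeterminate alike (fail closed)."""
    return NAC_POLICY_SET.evaluate(build_context(report))


# Constructed integrity report for a platform whose components match the database.
GOOD_REPORT = {
    "components": [
        {"name": "bios", "manufacturer": "ExampleBIOS Inc", "model": "EB-1000",
         "version": "2.3", "digest": hashlib.sha1(b"bios-2.3").hexdigest()},
        {"name": "os", "manufacturer": "ExampleOS", "model": "Server",
         "version": "5.1", "digest": hashlib.sha1(b"os-5.1").hexdigest()},
    ],
    "av_signatures": 20050420,
}


def with_component(report: dict, name: str, **changes) -> dict:
    """Return a copy of the report with one component's fields changed."""
    comps = [dict(c, **changes) if c["name"] == name else dict(c)
             for c in report["components"]]
    return dict(report, components=comps)
```

The Indeterminate path matters in practice: a component whose identity has no entry in the signature database (a BIOS version the harvesters have not yet covered, say) must not evaluate to Permit by accident, so the reference lookup raises and the rule reports Indeterminate rather than silently comparing against None.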

Slide #18: A Conceptual Model

[Figure: Attribute Sources (Reference Integrity Measurements, TCG Certificates, Integrity Signature Database) and Policy Sources (Policy Authors, Policy Authoring Mechanism, Policy Database) feed the PDP through an XACML Context. The AR's request reaches the PEP, which sends an XACML Request to the PDP and receives an XACML Response; policies and the context carry XACML Policy or Attribute References.]

Slide #19: XACML Condition Attribute

<xs:element name="AttributeValue" type="xacml:AttributeValueType" substitutionGroup="xacml:Expression"/>
<xs:complexType name="AttributeValueType" mixed="true">
  <xs:complexContent mixed="true">
    <xs:extension base="xacml:ExpressionType">
      <xs:sequence>
        <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
      <xs:anyAttribute namespace="##any" processContents="lax"/>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>

[Figure: the AttributeValue is populated from Attribute Sources such as the Integrity Signature Database.]

Slide #20: Summary

• TCG model for Trusted Computing is centered around collection and verification of trust attributes
• Trust attributes can be applied to network access control
• The TCG is developing infrastructure for collecting reference trust attributes
• XACML may be a viable framework for making access decisions involving TCG trust attributes

Slide #21: Questions?

• Contact Information
  – The Trusted Computing Group
    • www.trustedcomputinggroup.org
    • [email protected]
  – Infrastructure Working Group Co-Chairs
    • Ned Smith / Intel – [email protected]
    • Thomas Hardjono / Verisign – [email protected]

Slide #22: Backup

Slide #23: Steps of a Trusted Network Connection

• Find out the condition of the platform (Collection)
• Communicate platform state when connecting (Reporting)
• Decide what level of access is acceptable (Decision Making)
• Restrict the environment in accordance with access rights (Enforcement)
• Remediation may be required to reconcile denied access (Remediation)

Slide #24: TCG Trusted Network Connect Architecture

[Figure: the architecture as a grid of layers (rows) across the three parties (columns): Access Requestor (AR), Policy Enforcement Point (PEP) and Policy Decision Point (PDP).]

Layer                        | AR                                                      | PEP                                             | PDP                               | Purpose
Remediation Layer            | Remediation Applications                                |                                                 | Remediation Resources             | Automated response and provisioning
Integrity Measurement Layer  | Integrity Measurement Collectors                        |                                                 | Integrity Measurement Verifiers   | Collection of integrity information; authoring of rules
Integrity Evaluation Layer   | TNC Client                                              |                                                 | TNC Server                        | Reporting and transfer of integrity information; access decision making
Network Access Layer         | Network Access Requestor (Supplicant / VPN Client, etc.) | Policy Enforcement Point (Switch / Firewall / VPN Gateway) | Network Access Authority | Enforcement mechanisms; control of network boundary
Trust Layer                  | RTM / TPM, Platform Trust Service, Integrity Log        |                                                 |                                   | PTS protects the integrity of TNC components; RTM protects PTS; TPM protects measurements and keys

Interfaces shown: IF-IMC (Collectors to TNC Client), IF-IMV (Verifiers to TNC Server), IF-V (drawn between Collectors and Verifiers), IF-TNCCS (TNC Client to TNC Server), IF-Transport (Network Access Requestor to Network Access Authority, through the PEP), IF-PEP (PDP to PEP), IF-PTS (Platform Trust Service to the TNC components).

• PTS protects the integrity of TNC components
• RTM protects PTS
• TPM protects measurements and keys
• Enforcement mechanisms
• Control of network boundary
• Reporting and transfer of integrity information
• Access decision making
• Collection of integrity information
• Authoring of rules
• Automated response and provisioning

Slide #25: TNC with 802.1X at Link Layer

[Figure: TNC layered over 802.1X. The Requestor (AR) runs an EAP Peer, an 802.1X Access Agent and the Collector; the Switch / Access Point (PEP) runs the 802.1X PAE and a RADIUS Client and marks the Network Boundary; the RADIUS Server (PDP) runs the EAP Peer and the Verifier. 802.1X carries EAP between AR and PEP; RADIUS* carries it between PEP and PDP. The Collector and Verifier are the NAC Extensions on either end.]

Verifier & Collector exchange posture information over EAP tunnel using EAP inner methods, AVPs or TLVs

AR – Access Requester
AVP – Attribute Value Pair
EAP – Extensible Authentication Protocol
PAE – Port Access Entity
PDP – Policy Decision Point
PEP – Policy Enforcement Point
NAC – Network Access Control
TLV – Tag Length Value