hardware security · tpm capabilities [3] • provides three root of trusts: • root of trust for...
TRANSCRIPT
![Page 1: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/1.jpg)
Hardware SecurityAsst. Prof. Mihai Chiroiu
![Page 2: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/2.jpg)
This lecture
• Is not about:• Hardware Trojan• Side-channel attacks on hardware• Physically Unclonable Function• Other: e.g., Cold boot attack
• Is about:• Root-of-trust• Hardware- assisted computer security: TPM, ArmTrustZone, IntelSGX
© Mihai Chiroiu 2
![Page 3: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/3.jpg)
Trustworthy Computing
• Goal: Protect data from misuse
• Approach: Turn a portion of a platform into a trustworthy environment
• TCB is not sufficient
© Mihai Chiroiu 3
![Page 4: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/4.jpg)
Security Properties [1]
• Isolated Execution• Inside a Trusted Execution Environment (TEE)
• Secure Storage• Integrity, confidentiality
• Attestation (remote and local)• Data given only to the trusted machine
• Secure Provisioning• Channel for sending data
• Trusted Path• Communication channel for peripherals (Secure I/O)
© Mihai Chiroiu 4
![Page 5: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/5.jpg)
Trusted Platform Module (TPM)
© Mihai Chiroiu 5
![Page 6: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/6.jpg)
Why?
• “For years Bill Gates has dreamed of finding a way to make the Chinese pay for software, TC looks like being the answer to his prayer.” by Ross Anderson
© Mihai Chiroiu 6
![Page 7: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/7.jpg)
TPM history [2]
• The Trusted Computing Platform Alliance (TCPA) The Trusted Computing Platform Alliance (TCPA)
• Established by the 5 founders in 1999: Intel, AMD, IBM, HP and MSFT• TPM v1
• The Trusted Computing Group (TCG) • Established in March 2003 as continuation of TCPA• TPM v2
© Mihai Chiroiu 7
![Page 8: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/8.jpg)
TPM Capabilities [3]
• Provides three root of trusts:• Root of trust for measurement (RTM) a trusted implementation of a hash
algorithm
• Root of trust for storage (RTS) a trusted implementation for one or more secret keys —the storage root key (SRK)
• Root of trust for reporting (RTR) a trusted implementation for a secret key representing a unique platform identity, the endorsement key, (EK).
• Signed by the platform vendor.
© Mihai Chiroiu 8
![Page 9: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/9.jpg)
TPM Capabilities
• ‘Platform Configuration Registers’ (PCR)• Can be read• Can only be extended, not writable
• Migratable vs non-migratable keys• EK and SRK never leave TPM
© Mihai Chiroiu 9
![Page 10: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/10.jpg)
Trusted/Secure Boot
• After boot, PCRs contain hash chain of booted software
© Mihai Chiroiu 10
BIOS boot block
BIOSOS
loader OS Application
TPM
Hardware
Root of trust in integrity measurement
Root of trust in integrity reporting
measuring
Extend PCR
![Page 11: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/11.jpg)
Secure Storage
• Step 1: TPM_TakeOwnership( OwnerPassword, … )• The SRK is created and can be deleted
• Binding/Unbind vs Sealing/Unsealing• Sealing is an extension to binding. • Contrary to binding, only non-migratable storage keys can be used to seal
data. • Consequently, the encrypted data is always bound to a specific platform.
© Mihai Chiroiu 11
![Page 12: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/12.jpg)
Attestation (remote and local)
• Why is remote attestation different from local attestation?• Answer: Because one’s computation capabilities (i.e., local one has do to the
cryptographic part on paper)
© Mihai Chiroiu 12
![Page 13: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/13.jpg)
Attestation (remote and local)
• Step 1: Create Attestation Identity Key (AIK)• Step 2: Sign PCR values (after boot)• Step 3: Validate signed PCRs
• How to do that for local attestation?
• Problems?• It only validates the loaded code, not the running one• Private attestation (cannot tell what machine it came from)
• Privacy CA
© Mihai Chiroiu 13
![Page 14: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/14.jpg)
Secure Provisioning
• Can be done using sealing
• Similar to local attestation
© Mihai Chiroiu 14
![Page 15: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/15.jpg)
Trusted Path
• No real support from TPM
• Using Dynamic Root of Trust
© Mihai Chiroiu 15
![Page 16: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/16.jpg)
TPM Controversy
• Could be used quite coercively• E.g., web pages only readable by browser X• Documents only usable with word processor Y
• Vendor lock-in
© Mihai Chiroiu 16
![Page 17: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/17.jpg)
ARM TrustZone
© Mihai Chiroiu 17
![Page 18: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/18.jpg)
TrustZone Capabilities
• The entry to monitor execute the Secure Monitor Call (SMC)
© Mihai Chiroiu 18
Normal World (NW) Secure World (SW)
User mode User mode
Priviledged modePriviledged mode
Monitor mode
Boot sequence
![Page 19: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/19.jpg)
Isolated Execution
• By design
• Two virtual Memory Management Units (one for each state)• The secure world can access the normal world data
• Can also implement secure boot
© Mihai Chiroiu 19
![Page 20: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/20.jpg)
Attestation – Case Study KNOX
• Samsung’s TrustZone-based Integrity Measurement Architecture (TIMA)
• TIMA Periodic Kernel Measurement (PKM)
• TIMA Real-time Kernel Protection (RKP)• intercepts critical kernel events, which are then inspected in TrustZone
© Mihai Chiroiu 20
![Page 21: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/21.jpg)
Attestation – Case Study KNOX
• Attestation Blobs are signed by TIMA• Unique device public/private key pair (starting with the Note 3)• Certificate for device key is signed with Samsung root key• TIMA generates an attestation public/private key pair, and signs a
certificate for the attestation key using the device private key• Attestation private key is used to sign data inside attestation blob
© Mihai Chiroiu 21
![Page 22: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/22.jpg)
Attestation – Case Study KNOX
© Mihai Chiroiu 22
TrustZone AttestationAgent
MDM Agent
MDM Server
Start attestation (Nonce)
Start attestation (Nonce)
Attest (nonce)
Blob
Attestation complete
Attestation complete
![Page 23: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/23.jpg)
Other capabilities
• Secure Storage and Provisioning can be implemented using TIMA
© Mihai Chiroiu 23
![Page 24: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/24.jpg)
Trusted Path
• The ability to trap IRQ and FIQ directly to the monitor
© Mihai Chiroiu 24
NW SW
Monitor
SystemSystem
IRQ IRQ
IRQIRQ
![Page 25: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/25.jpg)
TrustZone Discussion
• Vulnerabilities in the TEEOS (CVE-2015-4421)
• Closed system for third application development
• Only one compartment for TCB
• No Virtualization support
© Mihai Chiroiu 25
![Page 26: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/26.jpg)
Intel Software Guard Extensions (SGX)
© Mihai Chiroiu 26
![Page 27: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/27.jpg)
SGX Capabilities
• Security critical code isolated in enclave• Only CPU is trusted
• Transparent memory encryption• Enclaves cannot harm the system
• Only unprivileged code (CPU ring3)• Memory protection
• Designed for Multi-Core systems• Multi-threaded execution of enclaves• Parallel execution of enclaves and untrusted code• Enclaves are interruptible
© Mihai Chiroiu 27
![Page 28: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/28.jpg)
Isolated Execution
© Mihai Chiroiu 28
Trusted Untrusted
APP2
Hardware
APP1 EnclaveSecurityService
Operating System
CPUSGX
![Page 29: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/29.jpg)
© Mihai Chiroiu 29
Hardware
1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader
SGX
User space
Operating system
SGXdriver
5EnclaveLoader
5. Allocate enclave pages 6. Load & Measure App 7. Validate certificate and enclave integrity
1
2
3
4
4. Create enclave
6
5
8. Generate enclave K key
7
9. Protect enclave
8K
Trusted Untrusted
Client
SK/PK
![Page 30: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/30.jpg)
Attestation (remote and local)
• Yes, built-in with SGX
• An enclave can request a HW-signed REPORT
• In local attestation, one enclave can attest its TCB to another one
© Mihai Chiroiu 30
![Page 31: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/31.jpg)
Secure Provisioning – Use Case VMM
© Mihai Chiroiu 31
Hypervisor
Hardware
DomU
Cloud Storage
DomU LoaderPublic Cloud API
SGX
2. Generate PKE/SKE
3a. SignSGX(PKE+HASH)
3b. Get PKE
5. Upload DomU
1. Start Loader
4. Encrypt DomU
6. Start DomU
Loader
Enclave
Client
Trusted Untrusted
![Page 32: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/32.jpg)
Secure Storage
• Based on the Secure Provisioning of Key
© Mihai Chiroiu 32
![Page 33: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/33.jpg)
Trusted Path
• Open research question
© Mihai Chiroiu 33
![Page 34: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/34.jpg)
Open Challenges for SGX
• Malware in enclave• Check against blacklist before loading• White listed code can be exploited
• Runtime attacks possible
• Detect malicious behavior → block enclave• Enclave by itself cannot do much harm (memory protection)
© Mihai Chiroiu 34
![Page 35: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/35.jpg)
Open Challenges for SGX
• VM Migration in the cloud• How can it be done transparent to the VM (the VMs OS)
• Side Channel attacks• Enclaves are interruptible• Caches are not flushed on switching between SGX and non-SGX
mode• Data oblivious algorithms required [Kreuter et al., USENIX’13]
© Mihai Chiroiu 35
![Page 36: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/36.jpg)
Comparation
IsolatedExecution
Secure Storage
Remote Attestation
Secure provisioning
Trusted Path
TPM No Yes (limited) Yes Yes NoTrustZone Yes Yes Yes Yes YesSGX Yes Yes Yes Yes Probably
© Mihai Chiroiu 36
![Page 37: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/37.jpg)
Hardware Security Modules (HSM)
© Mihai Chiroiu 37
![Page 38: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/38.jpg)
HSM functionalities
• A piece of hardware and associated software/firmware that usually attaches to the inside of a PC or server and provides at least the minimum of cryptographic functions.
• Strong random number generation• A secure time source• Tamper-resistance
© Mihai Chiroiu 38
![Page 39: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/39.jpg)
Security Keys [6]
• HSM are exposed to direct access attacks
• Already available in Chrome
© Mihai Chiroiu 39
![Page 40: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/40.jpg)
References
1. http://repository.cmu.edu/cgi/viewcontent.cgi?article=1096&context=cylab
2. IBM.Press.A.Practical.Guide.to.Trusted.Computing.Jan.20083. https://www.cs.ox.ac.uk/files/1873/RR-08-11.PDF4. http://asokan.org/asokan/Padova2014/tutorial-mobileplatsec.pdf5. http://resources.infosecinstitute.com/uefi-and-tpm/6. http://fc16.ifca.ai/preproceedings/25_Lang.pdf
© Mihai Chiroiu 40
![Page 41: Hardware Security · TPM Capabilities [3] • Provides three root of trusts: • Root of trust for measurement (RTM) a trusted implementation of a hash algorithm • Root of trust](https://reader033.vdocuments.mx/reader033/viewer/2022041918/5e6a903714661d58753a312a/html5/thumbnails/41.jpg)
References
7. http://www.cse.unsw.edu.au/~cs9242/15/exam/paper2.pdf8. http://www.samsung.com/ro/business-
images/insights/2015/An_Overview_of_the_Samsung_KNOX_Platform_V1.11-0-0.pdf
© Mihai Chiroiu 41