Bootstrapping trust in commodity computers
This presentation is the property of its rightful owner.
Sponsored Links
1 / 28

Bootstrapping Trust in Commodity Computers PowerPoint PPT Presentation


  • 110 Views
  • Uploaded on
  • Presentation posted in: General

Bootstrapping Trust in Commodity Computers. Carnegie Mellon University. Bryan Parno , Jonathan McCune, Adrian Perrig. A Travel Story. Trust is Critical. Will I regret having done this?. Software Engineering &. Programming Languages :. Bootstrapping Trust :.

Download Presentation

Bootstrapping Trust in Commodity Computers

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Bootstrapping trust in commodity computers

Bootstrapping Trust in Commodity Computers

Carnegie Mellon University

Bryan Parno, Jonathan McCune, Adrian Perrig


A travel story

A Travel Story


Trust is critical

Trust is Critical

Will I regret

having done this?


Bootstrapping trust in commodity computers

Software Engineering &

Programming Languages:

Bootstrapping Trust:

What F will this machine compute?

Does program P compute F?

Is F what the programmer intended?

Bootstrapping Trust

What F will this machine compute?

XOther

YOther

F

XAlice

YAlice


Bootstrapping trust is hard

Bootstrapping Trust is Hard!

Challenges:

App

1

App

4

App

5

App

N

App

2

App

3

  • Hardware assurance

  • Ephemeral software

  • User Interaction

S2( )

S14( )

S1( )

S15( )

S3( )

S11( )

S5( )

S6( )

S13( )

S12( )

S7( )

S8( )

S9( )

S10( )

S4( )

OS

Module 1

Module 3

Module 4

Module 2

^

Safe?

H( )

H( )

Yes!


Bootstrapping trust is hard1

Bootstrapping Trust is Hard!

Challenges:

Evil

App

  • Hardware assurance

  • Ephemeral software

  • User Interaction

Evil

OS

Safe?

Yes!


In the paper

  • What do we need to know?

  • How can we use it locally?

  • How can we use it remotely?

  • How do we interpret it?

  • What serves as a foundation of trust?

  • How can we validate the bootstrapping?

  • Applications

  • Human factors

  • Limitations

  • Future directions

In the paper…

  • Bootstrapping foundations

  • Transmitting bootstrap data

  • Interpretation

  • Validation

  • Applications

  • Human factors

  • Limitations

  • Future directions

  • … and much more!


1 establish trust in hardware

1) Establish Trust in Hardware

  • Hardware is durable

  • Establish trust via:

    • Trust in the manufacturer

    • Physical security

Open Question: Can we do better?


2 establish trust in software

2) Establish Trust in Software

App

1

App

N

  • Software is ephemeral

  • We care about the software currently in control

  • Many properties matter:

    • Proper control flow

    • Type safety

    • Correct information flow…

Which property matters most?

OS


A simple thought experiment

A Simple Thought Experiment

  • Imagine a perfect algorithm for analyzing control flow

    • Guarantees a program always follows intended control flow

  • Does this suffice to bootstrap trust?

No!

P

We want code identity

Respects control flow

Type Safe


What is code identity

What is Code Identity?

  • An attempt to capture the behavior of a program

  • Current state of the art is the collection of:

    • Program binary

    • Program libraries

    • Program configuration files

    • Initial inputs

  • Often condensed into a hash of the above

Function f

Inputs to f

  • Attempt to capture the f computed by a program

  • Current state of the art is the collection of:

    • Program binary

    • Program libraries

    • Program configuration files

    • Program inputs

  • Often condensed into a hash of the above


Code identity as trust foundation

Code Identity as Trust Foundation

  • From code identity, you may be able to infer:

    • Proper control flow

    • Type safety

    • Correct information flow…

  • Reverse is not true!


What can code identity do for you

What Can Code Identity Do For You?

  • Research applications

  • Commercial applications

  • Secure the boot process

  • Count-limit objects

  • Improve security of network protocols

  • Thwart insider attacks

  • Protect passwords

  • Create a Trusted Third Party

  • Secure disk encryption (e.g., Bitlocker)

  • Improve network access control

  • Secure boot on mobile phones

  • Validate cloud computing platforms


Establishing code identity

Establishing Code Identity

  • [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04],…

YOther

XOther

F

YAlice

XAlice


Establishing code identity1

Establishing Code Identity

  • [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04],…

YOther

XOther

f1

f2

fN

XAlice

YAlice


Establishing code identity2

Establishing Code Identity

  • [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04],…

Chain of Trust

Root of

Trust

?

Software

N

Software

N-1

Software

1

. . .


Trusted boot recording code identity

Trusted Boot: Recording Code Identity

Root of

Trust

  • [Gasser et al. ’89], [England et al. ‘03], [Sailer et al. ‘04],…

Software

N

Software

N-1

Software

1

. . .

SW

2

SW

1

SW

N-1

SW

N


Attestation conveying records to an external entity

Attestation: Conveying Records to an External Entity

  • [Gasser et al. ‘89], [Arbaugh et al. ‘97], [England et al. ‘03], [Sailer et al. ’04]…

Software

N

Software

N-1

Software

1

. . .

random #

(

)

Sign

Kpriv

random #

SW

2

SW

1

SW

N-1

SW

N

SW

1

SW

2

SW

N-1

SW

N

Controls Kpriv


Interpreting code identity

Interpreting Code Identity

Traditional

App 1…N

  • [Gasser et al. ‘89], [Sailer et al. ‘04]

Drivers 1…N

Policy Enforcement

  • [Marchesini et al. ‘04], [Jaeger et al. ’06]

OS

Bootloader

Option ROMs

BIOS


Interpreting code identity1

Interpreting Code Identity

Traditional

  • [Gasser et al. ‘89], [Sailer et al. ‘04]

Virtual

Machine

Policy Enforcement

  • [Marchesini et al. ‘04], [Jaeger et al. ’06]

Virtualization

  • [England et al. ‘03], [Garfinkel et al. ‘03]

Virtual Machine Monitor

Bootloader

Option ROMs

BIOS


Interpreting code identity2

Interpreting Code Identity

Late

Traditional

Launch

Virtual

Machine

  • [Gasser et al. ‘89], [Sailer et al. ‘04]

VMM

Policy Enforcement

  • [Marchesini et al. ‘04], [Jaeger et al. ’06]

OS

Virtualization

  • [England et al. ‘03], [Garfinkel et al. ‘03]

Late Launch

Virtual Machine Monitor

  • [Kauer et al. ‘07], [Grawrock ‘08]

Bootloader

Option ROMs

BIOS


Interpreting code identity3

Interpreting Code Identity

Late

Traditional

Launch

  • [Gasser et al. ‘89], [Sailer et al. ‘04]

Flicker

Policy Enforcement

  • [Marchesini et al. ‘04], [Jaeger et al. ’06]

OS

Virtualization

  • [England et al. ‘03], [Garfinkel et al. ‘03]

S

Late Launch

  • [Kauer et al. ‘07], [Grawrock ‘08]

Flicker

Targeted Late Launch

  • [McCune et al. ‘07]

Attested


Interpreting code identity4

Interpreting Code Identity

App 1…N

Drivers 1…N

OS

S

Flicker

Bootloader

Option ROMs

BIOS


Load time vs run time properties

Load-Time vs. Run-Time Properties

  • Code identity provides load-time guarantees

  • What about run time?

  • Approach #1: Static transformation

  • [Erlingsson et al. ‘06]

Run-Time Policy

Attested

Compiler

Code

Code’


Load time vs run time properties1

Load-Time vs Run-Time Properties

  • Code identity provides load-time guarantees

  • What about run time?

  • Approach #1: Static transformation

  • Approach #2: Run-Time Enforcement layer

Open Question:

How can we get complete run-time properties?

  • [Erlingsson et al. ‘06]

  • [Haldar et al. ‘04], [Kil et al. ‘09]

Code

Run Time

Attested

Load Time

Enforcer


Roots of trust

Roots of Trust

  • General purpose

  • Tamper responding

  • General purpose

  • No physical defenses

  • Specialpurpose

  • Timing-based attestation

  • Require detailed HW knowledge

Open Question:

What functionality do we need in hardware?

0

0

4

2

  • [Weingart ‘87]

  • [White et al. ‘91]

  • [Yee ‘94]

  • [Smith et al. ‘99]

  • [ARM TrustZone ‘04]

  • [TCG ‘04]

  • [Zhuang et al. ‘04]

  • [Chun et al. ‘07]

  • [Levin et al. ‘09]

  • [Spinellis et al. ‘00]

  • [Seshadri et al. ‘05]

Cheaper


Human factors

Open Question:

What does Alice do with a failed attestation?

Open Question:

How can Alice trust her device?

Human Factors

SW

1

SW

2

SW

N-1

SW

N

Open Questions:

How should be communicated to Alice?

What does Alice do with a failed attestation?

How can Alice trust her device?

SW

1

SW

2

SW

N-1

SW

N


Conclusions

Conclusions

  • Code identity is critical to bootstrapping trust

  • Assorted hardware roots of trust available

  • Many open questions remain!

Thank you!

[email protected]


  • Login