bootstrapping trust in commodity computers
Download
Skip this Video
Download Presentation
Bootstrapping Trust in Commodity Computers

Loading in 2 Seconds...

play fullscreen
1 / 28

Bootstrapping Trust in Commodity Computers - PowerPoint PPT Presentation


  • 257 Views
  • Uploaded on

Bootstrapping Trust in Commodity Computers. Carnegie Mellon University. Bryan Parno , Jonathan McCune, Adrian Perrig. A Travel Story. Trust is Critical. Will I regret having done this?. Software Engineering &. Programming Languages :. Bootstrapping Trust :.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Bootstrapping Trust in Commodity Computers' - dagmar


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
bootstrapping trust in commodity computers

Bootstrapping Trust in Commodity Computers

Carnegie Mellon University

Bryan Parno, Jonathan McCune, Adrian Perrig

trust is critical
Trust is Critical

Will I regret

having done this?

slide4

Software Engineering &

Programming Languages:

Bootstrapping Trust:

What F will this machine compute?

Does program P compute F?

Is F what the programmer intended?

Bootstrapping Trust

What F will this machine compute?

XOther

YOther

F

XAlice

YAlice

bootstrapping trust is hard
Bootstrapping Trust is Hard!

Challenges:

App

1

App

4

App

5

App

N

App

2

App

3

  • Hardware assurance
  • Ephemeral software
  • User Interaction

S2( )

S14( )

S1( )

S15( )

S3( )

S11( )

S5( )

S6( )

S13( )

S12( )

S7( )

S8( )

S9( )

S10( )

S4( )

OS

Module 1

Module 3

Module 4

Module 2

^

Safe?

H( )

H( )

Yes!

bootstrapping trust is hard1
Bootstrapping Trust is Hard!

Challenges:

Evil

App

  • Hardware assurance
  • Ephemeral software
  • User Interaction

Evil

OS

Safe?

Yes!

in the paper

What do we need to know?

  • How can we use it locally?
  • How can we use it remotely?
  • How do we interpret it?
  • What serves as a foundation of trust?
  • How can we validate the bootstrapping?
  • Applications
  • Human factors
  • Limitations
  • Future directions
In the paper…
  • Bootstrapping foundations
  • Transmitting bootstrap data
  • Interpretation
  • Validation
  • Applications
  • Human factors
  • Limitations
  • Future directions
  • … and much more!
1 establish trust in hardware
1) Establish Trust in Hardware
  • Hardware is durable
  • Establish trust via:
    • Trust in the manufacturer
    • Physical security

Open Question: Can we do better?

2 establish trust in software
2) Establish Trust in Software

App

1

App

N

  • Software is ephemeral
  • We care about the software currently in control
  • Many properties matter:
    • Proper control flow
    • Type safety
    • Correct information flow…

Which property matters most?

OS

a simple thought experiment
A Simple Thought Experiment
  • Imagine a perfect algorithm for analyzing control flow
    • Guarantees a program always follows intended control flow
  • Does this suffice to bootstrap trust?

No!

P

We want code identity

Respects control flow

Type Safe

what is code identity
What is Code Identity?
  • An attempt to capture the behavior of a program
  • Current state of the art is the collection of:
    • Program binary
    • Program libraries
    • Program configuration files
    • Initial inputs
  • Often condensed into a hash of the above

Function f

Inputs to f

  • Attempt to capture the f computed by a program
  • Current state of the art is the collection of:
    • Program binary
    • Program libraries
    • Program configuration files
    • Program inputs
  • Often condensed into a hash of the above
code identity as trust foundation
Code Identity as Trust Foundation
  • From code identity, you may be able to infer:
    • Proper control flow
    • Type safety
    • Correct information flow…
  • Reverse is not true!
what can code identity do for you
What Can Code Identity Do For You?
  • Research applications
  • Commercial applications
  • Secure the boot process
  • Count-limit objects
  • Improve security of network protocols
  • Thwart insider attacks
  • Protect passwords
  • Create a Trusted Third Party
  • Secure disk encryption (e.g., Bitlocker)
  • Improve network access control
  • Secure boot on mobile phones
  • Validate cloud computing platforms
establishing code identity
Establishing Code Identity
  • [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04],…

YOther

XOther

F

YAlice

XAlice

establishing code identity1
Establishing Code Identity
  • [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04],…

YOther

XOther

f1

f2

fN

XAlice

YAlice

establishing code identity2
Establishing Code Identity
  • [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04],…

Chain of Trust

Root of

Trust

?

Software

N

Software

N-1

Software

1

. . .

trusted boot recording code identity
Trusted Boot: Recording Code Identity

Root of

Trust

  • [Gasser et al. ’89], [England et al. ‘03], [Sailer et al. ‘04],…

Software

N

Software

N-1

Software

1

. . .

SW

2

SW

1

SW

N-1

SW

N

attestation conveying records to an external entity
Attestation: Conveying Records to an External Entity
  • [Gasser et al. ‘89], [Arbaugh et al. ‘97], [England et al. ‘03], [Sailer et al. ’04]…

Software

N

Software

N-1

Software

1

. . .

random #

(

)

Sign

Kpriv

random #

SW

2

SW

1

SW

N-1

SW

N

SW

1

SW

2

SW

N-1

SW

N

Controls Kpriv

interpreting code identity
Interpreting Code Identity

Traditional

App 1…N

  • [Gasser et al. ‘89], [Sailer et al. ‘04]

Drivers 1…N

Policy Enforcement

  • [Marchesini et al. ‘04], [Jaeger et al. ’06]

OS

Bootloader

Option ROMs

BIOS

interpreting code identity1
Interpreting Code Identity

Traditional

  • [Gasser et al. ‘89], [Sailer et al. ‘04]

Virtual

Machine

Policy Enforcement

  • [Marchesini et al. ‘04], [Jaeger et al. ’06]

Virtualization

  • [England et al. ‘03], [Garfinkel et al. ‘03]

Virtual Machine Monitor

Bootloader

Option ROMs

BIOS

interpreting code identity2
Interpreting Code Identity

Late

Traditional

Launch

Virtual

Machine

  • [Gasser et al. ‘89], [Sailer et al. ‘04]

VMM

Policy Enforcement

  • [Marchesini et al. ‘04], [Jaeger et al. ’06]

OS

Virtualization

  • [England et al. ‘03], [Garfinkel et al. ‘03]

Late Launch

Virtual Machine Monitor

  • [Kauer et al. ‘07], [Grawrock ‘08]

Bootloader

Option ROMs

BIOS

interpreting code identity3
Interpreting Code Identity

Late

Traditional

Launch

  • [Gasser et al. ‘89], [Sailer et al. ‘04]

Flicker

Policy Enforcement

  • [Marchesini et al. ‘04], [Jaeger et al. ’06]

OS

Virtualization

  • [England et al. ‘03], [Garfinkel et al. ‘03]

S

Late Launch

  • [Kauer et al. ‘07], [Grawrock ‘08]

Flicker

Targeted Late Launch

  • [McCune et al. ‘07]

Attested

interpreting code identity4
Interpreting Code Identity

App 1…N

Drivers 1…N

OS

S

Flicker

Bootloader

Option ROMs

BIOS

load time vs run time properties
Load-Time vs. Run-Time Properties
  • Code identity provides load-time guarantees
  • What about run time?
  • Approach #1: Static transformation
  • [Erlingsson et al. ‘06]

Run-Time Policy

Attested

Compiler

Code

Code’

load time vs run time properties1
Load-Time vs Run-Time Properties
  • Code identity provides load-time guarantees
  • What about run time?
  • Approach #1: Static transformation
  • Approach #2: Run-Time Enforcement layer

Open Question:

How can we get complete run-time properties?

  • [Erlingsson et al. ‘06]
  • [Haldar et al. ‘04], [Kil et al. ‘09]

Code

Run Time

Attested

Load Time

Enforcer

roots of trust
Roots of Trust
  • General purpose
  • Tamper responding
  • General purpose
  • No physical defenses
  • Specialpurpose
  • Timing-based attestation
  • Require detailed HW knowledge

Open Question:

What functionality do we need in hardware?

0

0

4

2

  • [Weingart ‘87]
  • [White et al. ‘91]
  • [Yee ‘94]
  • [Smith et al. ‘99]
  • [ARM TrustZone ‘04]
  • [TCG ‘04]
  • [Zhuang et al. ‘04]
  • [Chun et al. ‘07]
  • [Levin et al. ‘09]
  • [Spinellis et al. ‘00]
  • [Seshadri et al. ‘05]

Cheaper

human factors

Open Question:

What does Alice do with a failed attestation?

Open Question:

How can Alice trust her device?

Human Factors

SW

1

SW

2

SW

N-1

SW

N

Open Questions:

How should be communicated to Alice?

What does Alice do with a failed attestation?

How can Alice trust her device?

SW

1

SW

2

SW

N-1

SW

N

conclusions
Conclusions
  • Code identity is critical to bootstrapping trust
  • Assorted hardware roots of trust available
  • Many open questions remain!

Thank you!

parno@cmu.edu

ad