measured boot model n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Measured Boot Model PowerPoint Presentation
Download Presentation
Measured Boot Model

Loading in 2 Seconds...

  share
play fullscreen
1 / 7
madison

Measured Boot Model - PowerPoint PPT Presentation

91 Views
Download Presentation
Measured Boot Model
An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Measured Boot Model Jon Millen, Joshua Guttman, John Ramsdell, Justin Sheehy, Brian Sniffen, Lindsay Spriggs MITRE November, 2007

  2. Boot Analysis • Context • Design study for trust research platform • Use of Trusted Platform Module, domain separation VMM • Objective • Verify evidence of proper system initialization

  3. Chain of Trust • The TPM (standard v. 1.2) has Platform Configuration Registers • Each component may measure the next (SHA-1 hash) • Signed "TPM quote" reports PCR contents launch sequence VMM TPM: Trusted Platform Module PCR: Platform Configuration Register SINIT CRTM BIOS TPM PCR 0 PCR 17 PCR 18

  4. Modeling Idea 1 good • Each component has a binary "good" state variable • iff it has an expected (symbolic) measurement hash • A "good" component behaves as expected for • measurement of target component into PCR • transfer of control to next component ("program counter" update) • A "not-good" component is unpredictable (non-deterministic) • It could be malicious and falsify measurements! • TPM properties limit consequences of misbehavior • Extend and Reset operations have access control 0

  5. system = execs || goodness || main || pcr execs goodness main pcr cur_pcr cur_cmd cur_locality target_meas exec[CRTM] good[ ] CRTM xgood pc pcr0_val BIOS protect_control exec[BIOS] xgood pcr17_val pcr18_val

  6. Specifications • The main objective is to show that enough good measurements imply that the measured components are good. • Example spec, for VMM: spec: CLAIM system |- G(pcr17_val = SINITm AND pcr18_val = VMMm AND pc = VMM => G(good[VMM]));

  7. Model Checking Experience • Started with SMV • Tried SAL for language benefits (types, arrays) • As models got bigger, SAL model ran much faster than SMV • Specs take from a few seconds to a few minutes to verify • Some style adjustments were needed