the trusted computing could it be satan l.
Skip this Video
Loading SlideShow in 5 Seconds..
The Trusted Computing - Could it be…. SATAN? PowerPoint Presentation
Download Presentation
The Trusted Computing - Could it be…. SATAN?

Loading in 2 Seconds...

play fullscreen
1 / 33

The Trusted Computing - Could it be…. SATAN? - PowerPoint PPT Presentation

  • Uploaded on

The Trusted Computing - Could it be…. SATAN? Y’all remember the Church Lady, right? Bruce Potter Don’t Believe Anything I Say

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'The Trusted Computing - Could it be…. SATAN?' - oshin

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
the trusted computing could it be satan

The Trusted Computing - Could it be…. SATAN?

Y’all remember the Church Lady, right?

Bruce Potter

don t believe anything i say
Don’t Believe Anything I Say
  • "Do not believe in anything simply because you have heard it. Do not believe in anything simply because it is spoken and rumored by many. Do not believe in anything simply because it is found written in your religious books. Do not believe in anything merely on the authority of your teachers and elders. Do not believe in traditions because they have been handed down for many generations. But after observation and analysis, when you find that anything agrees with reason and is conducive to the good and benefit of one and all, then accept it and live up to it.” - Buddha
  • By Day, Senior Associate for Booz Allen Hamilton
  • By Night, Founder of The Shmoo Group and restorer of hopeless Swedish cars
overview two things to accomplish
Overview -Two things to accomplish
  • Make the case for trusted computing
    • While dodging the beer bottles being thrown at me
  • Demonstrate the TPM on a MacBook
    • Release some code
  • Sprinkle in some good arguments, and we’ve got ourselves a party
a brief history of infosec
A Brief History of InfoSec
  • For at least 50 years, we’ve been trying to solve the information security problem
    • However, at the same time, the problem keeps getting more complex
    • In the meantime, it’s made security a profitable and sustainable industry (funny what happens when you chase an impossible dream)
current infosec trends
Current InfoSec Trends
  • Defense in Depth
    • The core problem is currently unsolvable… So why not throw a giant pile of bandaids at it
    • With a slick phrase like “defense in depth” it even sounds responsible
  • Access to systems == Access to data
    • Boot disks are amazing things
    • David Hulton et al have even taken malicious slave devices to a new level
  • Transactions are trusted at a network level
    • End to end security only exists in controlled environments
so how did we get here
So, How Did We Get Here?
  • The roadmap for secure systems is described in Butler Lampson’s “Protection” paper
    • “The original motivation for putting protection mechanisms into computer systems was to keep one user’s malice or error from harming other users. Harm can be inflicted in several ways:1.By destroying or modifying another user’s data.2.By reading or copying another user’s data without permission.3.By degrading the service another user gets” (sounds pretty good, even though this was 1971)
    • The paper goes on to describe (basically) multilevel security, the need for hardware security to enforce data separation, and object-based access control (again, pretty good for 1971)
guesses on when this was written
Guesses on when this was written?
  • “Another major problem is the fact that there are growing pressures to interlink separate but related computer systems into increasingly complex networks”
  • “Underlying most current users’ problems is the fact that contemporary commercially available hardware and operating systems do no provide adequate support for computer security”
  • “In addition to the experience of accidental disclosure, there has also been a number of successful penetrations of systems where the security was ‘added on’ or claimed from fixing all known bugs in the operating system. The success of the penetrations, for the most part, has resulted from the inability of the system to adequately isolate a malicious user, and from inadequate access control mechanisms built into the operating system”
  • Computer Security Technology Planning Study -
  • October 1972, Electronic Systems Division, Air Force
the search for the holy grail mls
The Search for the Holy Grail (MLS)
  • The road is littered with corpses
    • has some examples
  • Some not so surprising results:
    • Operating systems are complicated
    • Software developers don’t know how to write secure code
    • Without a piece of trusted hardware onto which you can layer security assertions, the best you can do it a layered defense… aka: “defense in depth”
fast forward 2000ish
Fast Forward… 2000ish
  • Digital Rights Management emerges on the scene
    • Content is King.. Or so the saying goes
    • DRM is a mechanism for cryptographically protecting the rights of the content creator
    • Microsoft is including DRM-like capability into Office to prevent unauthorized sharing of data
  • DRM is not perfect
    • Can be subverted easily when it is software only
    • Even hardware-based systems can be subverted, especially when they’re badly designed (Thanks DVD Jon)

DRM Uses

guess what drm is cool
Guess what? DRM is Cool
  • According to a recent survey, iPods are cooler than beer
  • Apple made DRM sexy and cool
    • The iPod begat ITMS
    • ITMS was made possible because Apple came up with a rights management scheme that the content providers could deal with at a $1 a pop
    • In Feb 2006, the 1 billionth song was downloaded from ITMS
    • 1 billion songs means people things ITMS is cool
    • Through transitivity, Apple made DRM cool
  • What does Apple have to do with Trusted Hardware?


funny you should ask
Funny You Should Ask
  • Apple just made trusted hardware sexy and cool (And you didn’t even realize)
  • Enter the MacBook Pro
    • When Apple switched to Intel, the developed Rosetta… an emulator that dynamically translates PPC opcodes to x86
    • Apple is using the TPM to protect Rosetta from starting unless the TPM is there
    • Ensures Apple proprietary SW only runs on Apple HW
    • Maxxuss repeatedly bypassed this protection



Legacy PPC



App Translated to x86


backing up a step
Backing up a Step
  • The Trusted Computing Group
    • Used to be the Trusted Computing Platform Alliance
    • An industry group (read: you have to buy your way in) that sets standards for trusted computing systems and architectures
  • Used to be focused soley on the development of a trusted piece of hardware (TPM)
    • Now has broader scope, including networks, servers, storage, mobility applications, and software API’s
  • 135 Members, including most of the Big Boys ™

TCG Focus Areas

tcg on privacy
TCG on Privacy…


What has the TCG done to preserve privacy?

  • TCG believes that privacy is a necessary element of a trusted system. The system owner has ultimate control and permissions over private information and must "opt-in" to utilize the TCG subsystem. Integrity metrics can be reported by the TCG subsystem but the specification will not restrict the choice and options of the owner preserving openness and the ability of the owner to choose.
  • The TCG specification will support privacy principles in a number of ways:
    • The owner controls personalization.
    • The owner controls the trust relationship.
    • The system provides private object storage and digital signature capability.
    • Private personalization information is never exposed.
    • Owner keys areencrypted prior to transmission.
  • It is also important to know what the solutions are not:
    • They are not global identifiers.
    • They are not personalized before user interaction.
    • They are not fixed functions—they can be disabled permanently.
    • They are not controlled by others (only the owner controls them). controls them).
trusted platform module
Trusted Platform Module
  • Chips manufactured by a variety of manufactures
    • Assured cryptographic operations
    • Trusted keystore
    • Integrity attestation
  • The TPM, on it’s own, does not do anything
    • Higher level systems (boot managers, operating systems, applications) must use the TPM to do something
  • The TPM spec says that the user _must have_ the ability to turn of the TPM chip
    • That means the user always has control of their device
    • However, that doesn’t mean that all software will still work
inside a tpm chip
Inside a TPM Chip




Register (PCR)



Key (AIK)



  • PCR - Sets of information that is unique to the host (manufactures, serial #’s, peripherals, etc)
  • AIK - Internal keys used to identify and authenticate the TPM to off-chip entities

I/O and Comms Bus













interacting with the tpm
Interacting with the TPM


  • Request-response model, very similar to smartcards

Library call

or socket

Return value

Trusted Software Stack

TPM Driver

Datagram sent





Datagram sent





examining the apple tpm
Examining the Apple TPM
  • All Intel-based Mac’s make use of an Infineon TPM
  • No real interface from Apple to examine/use TPM chip
  • But never fear, we’ve got code to examine the TPM
macbook tpm access architecture
MacBook TPM Access Architecture

Ubuntu (modified to boot on a mac by and customized by

The Shmoo Group)

Custom Apps


Libtpm (from IBM)


Infineon TPM v1.1 (IFX0101)

demo of tpm software
Demo of TPM software
  • A live CD for accessing the TPM on a MacBook is available at
    • It is a bit rough around the edges, but it works (pretty much) right out of the gate
trusted network connect
Trusted Network Connect
  • Rather than solving the entire problem from the beginning, TCG is taking baby steps
  • Network access is a problem in nearly every enterprise
    • Accessing the network should involve three parties authenticating themselves; the user, the user’s device, and the infrastructure
    • Oftentimes, the device does not strongly authenticate itself
    • With a TPM, a device can have a unique cryptographic key to authenticate itself to the infrastructure
  • TNC is basically 802.1x
    • Juniper and others already have solutions
    • Couple TNC with patching policies, and you can really put a dent in internal network security issues
other capabilities enabled by trusted computing
Other Capabilities Enabledby Trusted Computing
  • Data at Rest security
    • Vista has the ability to use a TPM for key storage and implements a ecure container (ie: an encrypted file that is protected by the TPM) called BitLocker
    • Can be done on any platform (why doesn’t DiskUtility in OS X use the TPM on the Intel-based boxes?)
  • Crypto API
    • No more confusion if an algorithm is implemented properly
  • Remote Attestation
    • The ability to tell a remote system about the local system with some assurance
    • Basically, you can attest to the integrity or configuration of a machine and cryptographically sign the whole thing
  • Trusted Boot
    • TPM->Secure Boot Loader->Signed kernel->Signed Drivers ->Signed Applications (NOTE: Signed != secure)
types of attestation
Types of Attestation
  • Attestation by the TPM
    • Proves that the TPM is active and knows some secret
  • Attestation to the platform
    • Proves the endpoint can be trusted to report its integrity
  • Attestation of the platform
    • Reporting of the integrity of the endpoint
  • Authentication of the platform
    • Basically, this is device authentication (using a secret to authenticate to a network, etc)
so first the bad
So.. First, the Bad
  • Opportunities abound for loss of control content stored on your computer
  • Failed hardware, systems upgrades have the potential to cause havoc with protected software
    • Sealed data may become unusable
  • Users suddenly need to deal with key material backup issues
    • Because we all back up our hard drives already, right?
  • Operating system vendors may get territorial
    • For instance, Windows Genuine Advantage could be configured to not upgrade if non-MS approve software is installed (unlikely, but possible)
the good
The Good
  • Trusted boot can make a big dent in controlling malicious code in the enterprise
    • Host integrity monitoring can become host integrity enforcement (like the migration from IDS to IPS… only it will actually work)
  • Trusted network access will tie the security and integrity of an endpoint to the authority to access the network
  • The ability to really protect mobile media and other data at rest situations
the ugly
The Ugly
  • The distrust of many in the security community is interfering with making productive use of the TPM
    • Hard to see the forest for the trees
    • Also, the trusted computing represents a massive shift in risks, threats, and operations… no small pill for the security community to swallow
  • While Vista has TPM “support” the developer interface is not documented enough to be useful
  • OS X does not provide ANY public interfaces to the TPM
  • Most chips in deployment are v1.1… Vista wants 1.2
    • Ubiquitous deployment of 1.2 is “only” 3 or so years away
where trusted computing is going
Where Trusted Computing is Going
  • Trusted computing is going to happen
    • Many systems shipping with TPM’s already… just not much software that supports it
    • HUGE capability for InfoSec… Even if we don’t reach the holy grail of MLS, there are still many positive features
    • However, if all we do is focus on the privacy concerns and don’t figure out a way to use trusted computing to build more secure software, we’ll fail before we even get out of the gate
    • /rant
shmoocon iii
ShmooCon III
  • Note, it may seem like we had three cons already, but there were seriously only 2
    • We had really, really good beer
  • ShmooCon III - March 23-25, 2007
    • Same place - Wardman Park Marriott, DC
    • Slight changes in structure
      • 20 min sessions all afternoon Friday
      • SC Labs
    • Still going to have contests, hacker arcade, etc
    • CFP out next week
    • Tix on sale end of the month
      • Ticket # breakdown on price, not dates
before we finish up summer of code tsg style
Before We Finish Up.. Summer of Code, TSG Style
  • The Shmoo Group was given the opportunity to mentor 4 projects under the Google Summer of Code
  • Firekeeper (Student: Jan Wrobel, Mentor: Len Sassman)
    • Browser-level Intrusion Detection via rulesets designed to detect and block malicous websites (neat, given Jeremiah Grossman’s talk)
    • Prototype available on
  • GPGGreasemonkey (Student: Kerry McKay, Mentor: Bruce Potter)
    • Client side mail encryption for webmail via FFX ext.
    • Currently have implementation for Gmail and Yahoo
    • svn checkout svn://
  • Online Rainbow Tables Lookup (Student: Keith Larimore, Mentor: Freshman)
    • Focused on increasing speed
    • Completed: Basic search capabilities with Web interface, queuing, completion emails
    • In progress: DNS query Interface
  • Open Security Framework (Student: Soren Bleikertz,Mentor:Pravir Chandra)
    • A framework to simplify network security analysis
    • “Master, client, slave”
  • Bruce Potter
  • Go To ShmooCon - March 23-25, 2007