Distributed OS - Operating Systems Group
Distributed OS - Operating Systems Group Distributed OS - Operating Systems Group
30/05/11 Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka „Trusted Computing“
- Page 2 and 3: Goals Understand principles of: ●
- Page 4 and 5: Trusted Computing (Base) Trusted Co
- Page 6 and 7: Trusted Computing Terminology Measu
- Page 8 and 9: An example application: DRM ● „
- Page 10 and 11: Notation ● SK priv SKpub Asymmetr
- Page 12 and 13: Identification of Software ● Prog
- Page 14 and 15: Ways to “burn in” the OS or sec
- Page 16 and 17: Authenticated Booting (AB) CPU Memo
- Page 18 and 19: Booting & Attestation Booting: ●
- Page 20 and 21: AB (Variant 2, allow OS versions) C
- Page 22 and 23: Booting & Attestation (Variant 2) B
- Page 24 and 25: Booting (Variant 3) Booting: ● TR
- Page 26 and 27: Establish Secure Channel to OSRunni
- Page 28 and 29: Software stacks and trees Applicati
- Page 30 and 31: Remote Attestation and Privacy ●
- Page 32 and 33: Remote Attestation and Privacy ●
- Page 34 and 35: Sealed Memory ● Bind sensitive in
- Page 36 and 37: Sealed Memory Tamperresistant black
- Page 38 and 39: Sealed Memory ● Seal(SW config, m
- Page 40 and 41: Migration ? ● How to transfer inf
- Page 42 and 43: TCG PC Platforms CPU Memory BIOS TP
- Page 44 and 45: Usage Scenarios and Technical Risks
- Page 46: References ● Specifications: http
30/05/11<br />
<strong>Distributed</strong> <strong>OS</strong><br />
Hermann Härtig<br />
Authenticated Booting,<br />
Remote Attestation, Sealed Memory<br />
aka „Trusted Computing“
Goals<br />
Understand principles of:<br />
● Authenticated booting<br />
● The difference to (closed) secure booting<br />
● Remote attestation<br />
● Sealed memory<br />
Non-Goal:<br />
● Lots of TPM, TCG-Spec details<br />
→ read the documents once needed<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 2
Some terms<br />
● Secure Booting<br />
● Authenticated Booting<br />
● (Remote) Attestation<br />
● Sealed Memory<br />
● Late Launch / dynamic root of trust<br />
● Trusted Computing / Trusted Computing Base<br />
● Attention: terminology has changed<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 3
Trusted Computing (Base)<br />
Trusted Computing Base (TCB)<br />
● The set off all components, hardware, software, procedures,<br />
that must be relied upon to enforce a securit policy.<br />
Trusted Computing (TC)<br />
● A particular technology compromised of authenticated booting,<br />
remote attestation and sealed memory.<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 4
TC key problems<br />
● Can running certain Software be prevented?<br />
● Which computer system do I communicate with ?<br />
● Which stack of Software is running?<br />
○ In front of me?<br />
○ On my server somewhere?<br />
● Can I restrict access to certain secrets (keys) to certain<br />
programs?<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 5
Trusted Computing Terminology<br />
Measuring<br />
● “process of obtaining metrics of platform characteristics”<br />
● Example for metric: Hash- Codes of SW<br />
Attestation<br />
● “vouching for accuracy of information”<br />
Sealed Memory<br />
● binding information to a configuration<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 6
DRM: Trust ./. No Trust in end user<br />
Internet<br />
{Digital Content}<br />
K Decoder TV<br />
K<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 7
An example application: DRM<br />
● „Digital Content“ is encrypted using symmetric key<br />
● Smart-Card<br />
○ contains key<br />
○ authenticates device<br />
○ delivers key only after successful authentication<br />
● Assumptions<br />
○ Smart Card can protect the key<br />
○ „allowed“ <strong>OS</strong> can protect the key<br />
○ <strong>OS</strong> cannot be exchanged<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 8
Secure Booting / Authenticated Booting<br />
App.<br />
X11<br />
Linux<br />
Mini <strong>OS</strong><br />
Hardware<br />
GUI<br />
DRM<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 9
Notation<br />
● SK priv SKpub Asymmetric key pair of some entity S<br />
○ { M }XK priv Digital Signature for message M<br />
using the private key of signer X<br />
○ { M }YK pub Message encrypted using public concellation key of Y<br />
● H(M) Collision-Resistant Hash Function<br />
● Certificate by authority Ca:<br />
{ ID, SK pub , other properties } CaK priv<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 10
Notation<br />
Note:<br />
● “{ M }Sk priv Digital Signature”<br />
is short for: encrypt(H(M),Sk priv )<br />
● “{ M }Sk pub Message concealed ...”<br />
does not necessarily imply public key encryption for all of<br />
M (rather a combination of symmetric and asymmetric<br />
methods )<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 11
Identification of Software<br />
● Program vendor: Foosoft FS<br />
● Two ways to identify Software:<br />
○ H(Program)<br />
○ {Program, ID- Program}FSK priv<br />
use FSK pub to check the signature must be made available, e.g.<br />
shipped with the Program<br />
● The „ID” of SW must be made available somehow.<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 12
Tamperresistant black box (TRB)<br />
CPU<br />
Memory<br />
Non-Volatile Memory:<br />
Platform Configuration Registers:<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 13
Ways to “burn in” the <strong>OS</strong> or secure booting<br />
● Read- Only Memory<br />
● Allowed H(<strong>OS</strong>) in NV memory preset by manufacturer<br />
○ load <strong>OS</strong>- Code<br />
○ compare H(loaded <strong>OS</strong> code) to preset H(<strong>OS</strong>)<br />
○ abort if different<br />
● Preset FSK pub in NV memory preset by manufacturer<br />
○ load <strong>OS</strong>- Code<br />
○ check signature of loaded <strong>OS</strong>-Code using FSK pub<br />
○ abort if check fails<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 14
Authenticated Booting (AB)<br />
Phases:<br />
● Preparation by Manufacturers (TRB and <strong>OS</strong>)<br />
● Booting & “Measuring”<br />
● Remote attestation<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 15
Authenticated Booting (AB)<br />
CPU<br />
Memory<br />
Non-Volatile Memory:<br />
“Endorsement Key” EK<br />
preset by Manufacturer<br />
Platform Configuration Registers:<br />
Hash-Code obtained during boot<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 16
Vendors of TRB and <strong>OS</strong><br />
● TRB generates key pair: „Endorsement Key“ (EK)<br />
○ stores in TRB NV Memory: EK priv<br />
○ emits: EK pub<br />
● TRB vendor certifies: {“a valid EK”, EK pub }TVK priv<br />
● <strong>OS</strong>-Vendor certifies: {„a valid <strong>OS</strong>“, H(<strong>OS</strong>)}<strong>OS</strong>VK priv<br />
● serve as identifiers: EK pub and H(<strong>OS</strong>)<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 17
Booting & Attestation<br />
Booting:<br />
● TRB “measures” <strong>OS</strong>- Code (computes H(<strong>OS</strong>-Code))<br />
● stores in PCR<br />
● no other way to write PCR<br />
Attestation:<br />
● Challenge: nonce<br />
● TRB generates Response: {PCR, nonce' }EK priv<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 18
Remaining problems<br />
● Now we know identities: H(loaded-<strong>OS</strong>) and EK pub<br />
● Problems to solve:<br />
○ <strong>OS</strong> versioning<br />
○ Remote attestation on each message (what about reboot ?)<br />
○ not only “<strong>OS</strong>” on platform (SW stacks or trees)<br />
○ Privacy: remote attestation always reveals EK pub<br />
○ Black box to big<br />
○ Sealed memory<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 19
AB (Variant 2, allow <strong>OS</strong> versions)<br />
CPU<br />
Memory<br />
Non-Volatile Memory:<br />
“Endorsement Key” EK<br />
preset by Manufacturer<br />
Platform Configuration Registers:<br />
<strong>OS</strong>K pub used to check <strong>OS</strong><br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 20
Vendors of TRB and <strong>OS</strong><br />
● TRB generates key pair:<br />
○ stores in TRB NV Memory: EK priv<br />
○ emits: EK pub<br />
● TRB vendor certifies: {“a valid EK”, EK pub }TVK priv<br />
● <strong>OS</strong>-Vendor certifies: {„a valid <strong>OS</strong>“, <strong>OS</strong>K pub }<strong>OS</strong>VK priv<br />
● and signs <strong>OS</strong>-Code: {<strong>OS</strong>-Code}<strong>OS</strong>K priv<br />
● serve as identifiers: EK pub and <strong>OS</strong>K pub<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 21
Booting & Attestation (Variant 2)<br />
Booting:<br />
● TRB checks <strong>OS</strong>- Code using some <strong>OS</strong>K pub<br />
● pub stores <strong>OS</strong>K in PCR<br />
● no other way to write PCR<br />
Attestation:<br />
● Challenge: nonce<br />
● TRB generates Response: {PCR, nonce' }EK priv<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 22
AB (Variant 3, check for reboot)<br />
● attestation required at each request:<br />
○ {PCR, nonce' }EK priv<br />
○ PCR: H(<strong>OS</strong>) bzw. <strong>OS</strong>K pub<br />
● always requires access to and usage of EK<br />
● race condition!<br />
Instead:<br />
● create new keypair on every reboot:<br />
○ <strong>OS</strong>runningAuthK priv <strong>OS</strong>runningAuthK pub<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 23
Booting (Variant 3)<br />
Booting:<br />
● TRB checks <strong>OS</strong>- Code using some <strong>OS</strong>K pub<br />
● pub stores <strong>OS</strong>K in PCR<br />
● creates <strong>OS</strong>runningAuthK keypair<br />
● certifies: { <strong>OS</strong>runningAuthK pub , <strong>OS</strong>K pub }EK priv<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 24
Attestation (Variant 3)<br />
Attestation:<br />
● Challenge: nonce<br />
● <strong>OS</strong> generates response:<br />
○ { <strong>OS</strong>runningAuthK pub , <strong>OS</strong>K pub }EK priv<br />
○ {nonce'} OsrunningAuthK priv<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 25
Establish Secure Channel to <strong>OS</strong>Running<br />
Booting:<br />
● TRB checks <strong>OS</strong>- Code using some <strong>OS</strong>K pub<br />
● pub stores <strong>OS</strong>K in PCR<br />
● creates <strong>OS</strong>runningAuthK keypair<br />
● creates <strong>OS</strong>runningConsK keypair<br />
● certifies: { <strong>OS</strong>runningAuthK pub , <strong>OS</strong>runningConsKpub,<br />
Secure Channel:<br />
● { message } <strong>OS</strong>runningConsK pub<br />
<strong>OS</strong>K pub }EK priv<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 26
Assumptions<br />
● TRB can protect: EK, PCR<br />
● <strong>OS</strong> can protect: <strong>OS</strong>runningK priv<br />
● Rebooting destroys content of<br />
○ PCR and Memory Holding <strong>OS</strong>runningK priv<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 27
Software stacks and trees<br />
Application<br />
GUI<br />
<strong>OS</strong> Code<br />
<strong>OS</strong> Loader<br />
ROOT<br />
Application<br />
GUI<br />
<strong>OS</strong> Code<br />
<strong>OS</strong> Loader<br />
ROOT<br />
Application<br />
GUI<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 28
Software stacks and trees<br />
● “Extend” Operation<br />
○ stack: PCR n = H(PCR n-1 || next-component )<br />
○ tree: difficult (unpublished ?)<br />
● Key pairs:<br />
○ <strong>OS</strong> controls applications → generate key pair per application<br />
○ <strong>OS</strong> certifies<br />
pub<br />
‒ { Application 1, App1K } OsrunningKpriv<br />
pub<br />
‒ { Application 2, App2K } <strong>OS</strong>runningKpriv<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 29
Remote Attestation and Privacy<br />
● Remote attestation reveals platform identity: EK pub<br />
● add intermediate step:<br />
○ Attestation Identity Key (AIK)<br />
○ Trusted third party as anonymizer (TTP)<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 30
Remote Attestation and Privacy<br />
CPU<br />
Memory<br />
Non-Volatile Memory:<br />
EK preset by Manufacturer<br />
AIK signed by third party<br />
Platform Configuration Registers:<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 31
Remote Attestation and Privacy<br />
● Generate AIK in TRB<br />
● send { AIK } EK priv to trusted third party<br />
● third party certifies: {AIK, “good ID” } TTPK priv<br />
● AIK used instead of EK during remote attestation, response:<br />
○ {AIK, “good ID” } TTPK priv<br />
○ { <strong>OS</strong>runningK pub , H(<strong>OS</strong>)}AIK priv<br />
○ {nonce} <strong>OS</strong>runningK priv<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 32
Late Launch<br />
● Use arbitrary SW to start system and load all SW<br />
● provide specific instruction to enter “secure mode”<br />
○ set HW in specific state (stop all processors, IO, …)<br />
○ Measure “root of trust” SW<br />
○ store measurement in PCR<br />
● AMD: “skinit” (Hash) arbitrary root of trust<br />
● Intel: “senter” (must be signed by chip set manufacturer)<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 33
Sealed Memory<br />
● Bind sensitive information to specific configuration<br />
(for example: keys to specific machine, specific <strong>OS</strong>)<br />
● Provide information using secure channels<br />
● How to store information in the absence of communication<br />
channels?<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 34
Tamperresistant black box (TRB)<br />
CPU<br />
Memory<br />
Non-Volatile Memory:<br />
Storage key<br />
Platform Configuration Registers:<br />
„SW-config“<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 35
Sealed Memory<br />
Tamperresistant black box<br />
PCR:<br />
H(<strong>OS</strong>)<br />
Microsoft<br />
SUSE<br />
MyOwn<br />
Add / delete entry<br />
Read / write<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 36
Sealed Memory<br />
● Seal(PCR, message):<br />
○ encrypt(“PCR, message”, Storage-Key)<br />
→ “sealed message”<br />
● Unseal(sealed message):<br />
○ decrypt( “sealed message”, Storage-Key)<br />
→ “SW config, message”<br />
○ If SW config == PCR then emit message else abort<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 37
Sealed Memory<br />
● Seal(SW config, message):<br />
○ encrypt(“future SW config, message”, Storage-Key)<br />
→ “sealed message”<br />
● “Storage Key” built into TPMs by manufacturer, known to<br />
nobody<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 38
Example<br />
● Win7: Seal („Sony<strong>OS</strong>, Sony-Secret“)<br />
→ SealedMessage (store it on disk)<br />
L4: Unseal (SealedMessage)<br />
→ Sony<strong>OS</strong>, Sony-Secret → PCR#Sony<strong>OS</strong> → abort<br />
Sony<strong>OS</strong>: Unseal(SealedMessage<br />
→ Sony<strong>OS</strong>, Sony-Secret → PCR==Sony<strong>OS</strong> → ok<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 39
Migration ?<br />
● How to transfer information form one TRB to another<br />
for example: key for decryption of videos<br />
● Send information to third party<br />
Destroy information locally and prove to third party<br />
Third party provides information to another entity<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 40
Tamper Resistant Box ?<br />
● Ideally, includes CPU, Memory, …<br />
● In practise<br />
○ very rarely, for example IBM 4758 ...<br />
○ separate “Trusted Platform Modules” replacing BI<strong>OS</strong> breaks TRB<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 41
TCG PC Platforms<br />
CPU Memory<br />
BI<strong>OS</strong> TPM<br />
FSB<br />
PCI<br />
LPC<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 42
TPM<br />
IO<br />
NV Store PCK EK / AIK<br />
SHA-1 RSA Key gen<br />
Internal<br />
Program<br />
Random<br />
number gen<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 43
Usage Scenarios and Technical Risks<br />
* DRM Bank Game<br />
<strong>Operating</strong> System<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 44
Technical Risks<br />
Hardware:<br />
● Authenticity, Integrity, Tamper-Resistance<br />
● Protection of CPU-priv<br />
Integrity of RKey-<strong>OS</strong>-pub<br />
<strong>Operating</strong> System<br />
● Protection of keys (<strong>OS</strong>Running, ...), Content, ...<br />
● Isolation Applications<br />
● Assurance<br />
Side Channels !<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 45
References<br />
● Specifications:<br />
https://www.trustedcomputinggroup.org/<br />
groups/TCG_1_3_Architecture_Overview.pdf<br />
● Important Foundational Paper:<br />
Authentication in distributed systems: theory and practice<br />
Butler Lampson, Martin Abadi, Michael Burrows, Edward<br />
Wobber<br />
ACM Transactions on Computer <strong>Systems</strong> (TOCS)<br />
SS 2011 <strong>Distributed</strong> <strong>OS</strong> / Trusted Computing - Hermann Härtig 46