Title: The Trusted Computing - Could it be... SATAN?
1. The Trusted Computing - Could it be... SATAN?
- Y'all remember the Church Lady, right?
- Bruce Potter
- gdead_at_shmoo.com
2. Don't Believe Anything I Say
- "Do not believe in anything simply because you
have heard it. Do not believe in anything simply
because it is spoken and rumored by many. Do not
believe in anything simply because it is found
written in your religious books. Do not believe
in anything merely on the authority of your
teachers and elders. Do not believe in traditions
because they have been handed down for many
generations. But after observation and analysis,
when you find that anything agrees with reason
and is conducive to the good and benefit of one
and all, then accept it and live up to it." - Buddha
- By Day, Senior Associate for Booz Allen Hamilton
- By Night, Founder of The Shmoo Group and restorer
of hopeless Swedish cars
3. Overview - Two things to accomplish
- Make the case for trusted computing
- While dodging the beer bottles being thrown at me
- Demonstrate the TPM on a MacBook
- Release some code
- Sprinkle in some good arguments, and we've got
ourselves a party
4. A Brief History of InfoSec
- For at least 50 years, we've been trying to solve
the information security problem
- However, at the same time, the problem keeps
getting more complex
- In the meantime, it's made security a profitable
and sustainable industry (funny what happens when
you chase an impossible dream)
5. Current InfoSec Trends
- Defense in Depth
- The core problem is currently unsolvable. So why
not throw a giant pile of bandaids at it?
- With a slick phrase like "defense in depth" it
even sounds responsible
- Access to systems = Access to data
- Boot disks are amazing things
- David Hulton et al have even taken malicious
slave devices to a new level
- Transactions are trusted at a network level
- End to end security only exists in controlled
environments
6. So, How Did We Get Here?
- The roadmap for secure systems is described in
Butler Lampson's "Protection" paper
- http://research.microsoft.com/lampson/09-Protection/WebPage.html
- "The original motivation for putting protection
mechanisms into computer systems was to keep one
user's malice or error from harming other users.
Harm can be inflicted in several ways: 1. By
destroying or modifying another user's data. 2. By
reading or copying another user's data without
permission. 3. By degrading the service another
user gets" (sounds pretty good, even though this
was 1971)
- The paper goes on to describe (basically)
multilevel security, the need for hardware
security to enforce data separation, and
object-based access control (again, pretty good
for 1971)
7. Guesses on when this was written?
- "Another major problem is the fact that there are
growing pressures to interlink separate but
related computer systems into increasingly
complex networks"
- "Underlying most current users' problems is the
fact that contemporary commercially available
hardware and operating systems do not provide
adequate support for computer security"
- "In addition to the experience of accidental
disclosure, there has also been a number of
successful penetrations of systems where the
security was added on or claimed from fixing
all known bugs in the operating system. The
success of the penetrations, for the most part,
has resulted from the inability of the system to
adequately isolate a malicious user, and from
inadequate access control mechanisms built into
the operating system"
- Computer Security Technology Planning Study -
- October 1972, Electronic Systems Division, Air
Force
8. The Search for the Holy Grail (MLS)
- The road is littered with corpses
- http://www.cs.stthomas.edu/faculty/resmith/r/mls/m2assurance.html has some examples
- Some not so surprising results
- Operating systems are complicated
- Software developers don't know how to write
secure code
- Without a piece of trusted hardware onto which
you can layer security assertions, the best you
can do is a layered defense, aka defense in
depth
9. Fast Forward 2000ish
- Digital Rights Management emerges on the scene
- Content is King... Or so the saying goes
- DRM is a mechanism for cryptographically
protecting the rights of the content creator
- Microsoft is including DRM-like capability into
Office to prevent unauthorized sharing of data
- DRM is not perfect
- Can be subverted easily when it is software only
- Even hardware-based systems can be subverted,
especially when they're badly designed (Thanks
DVD Jon)
[Figure: DRM Uses]
10. Guess what? DRM is Cool
- According to a recent survey, iPods are cooler
than beer
- Apple made DRM sexy and cool
- The iPod begat ITMS
- ITMS was made possible because Apple came up with
a rights management scheme that the content
providers could deal with at a $1 a pop
- In Feb 2006, the 1 billionth song was downloaded
from ITMS
- 1 billion songs means people think ITMS is cool
- Through transitivity, Apple made DRM cool
- What does Apple have to do with Trusted Hardware?
11. Funny You Should Ask
- Apple just made trusted hardware sexy and cool
(And you didn't even realize)
- Enter the MacBook Pro
- When Apple switched to Intel, they developed
Rosetta, an emulator that dynamically translates
PPC opcodes to x86
- Apple is using the TPM to prevent Rosetta from
starting unless the TPM is there
- Ensures Apple proprietary SW only runs on Apple
HW
- Maxxuss repeatedly bypassed this protection
[Diagram labels: Intel Processor; Legacy PPC App; App Translated to x86; Rosetta; TPM]
12. Backing up a Step
- The Trusted Computing Group
- Used to be the Trusted Computing Platform
Alliance
- An industry group (read: you have to buy your way
in) that sets standards for trusted computing
systems and architectures
- Used to be focused solely on the development of a
trusted piece of hardware (TPM)
- Now has broader scope, including networks,
servers, storage, mobility applications, and
software APIs
- 135 Members, including most of the Big Boys
[Figure: TCG Focus Areas]
13. TCG on Privacy
- From https://www.trustedcomputinggroup.org/faq/
- What has the TCG done to preserve privacy?
- TCG believes that privacy is a necessary element
of a trusted system. The system owner has
ultimate control and permissions over private
information and must "opt-in" to utilize the TCG
subsystem. Integrity metrics can be reported by
the TCG subsystem but the specification will not
restrict the choice and options of the owner
preserving openness and the ability of the owner
to choose.
- The TCG specification will support privacy
principles in a number of ways:
- The owner controls personalization.
- The owner controls the trust relationship.
- The system provides private object storage and
digital signature capability.
- Private personalization information is never
exposed.
- Owner keys are encrypted prior to transmission.
- It is also important to know what the solutions
are not:
- They are not global identifiers.
- They are not personalized before user
interaction.
- They are not fixed functions - they can be disabled
permanently.
- They are not controlled by others (only the owner
controls them).
14. Trusted Platform Module
- Chips manufactured by a variety of manufacturers
- Assured cryptographic operations
- Trusted keystore
- Integrity attestation
- The TPM, on its own, does not do anything
- Higher level systems (boot managers, operating
systems, applications) must use the TPM to do
something
- The TPM spec says that the user _must have_ the
ability to turn off the TPM chip
- That means the user always has control of their
device
- However, that doesn't mean that all software will
still work
15. Inside a TPM Chip
NVRAM
Platform Configuration Register (PCR)
Attestation Identity Key (AIK)
Program Code
I/O and Comms Bus
RNG
SHA-1 Engine
Key Gen
RSA Engine
Opt-in (State Mgt)
Exec Engine
- PCR - Sets of information that are unique to the
host (manufacturers, serial #s, peripherals, etc)
- AIK - Internal keys used to identify and
authenticate the TPM to off-chip entities
16. Interacting with the TPM
- Request-response model, very similar to smartcards
Application
Library call or socket
Return value
Trusted Software Stack
TPM Driver
Datagram sent 0x00c1 0x0000000c 0x00000099 0x01
Datagram sent 0x00c4 0x0000000a 0x00000000
TPM
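The two datagrams on this slide decode under the TPM 1.1/1.2 framing (big-endian 2-byte tag, 4-byte total length, 4-byte ordinal or return code) as a TPM_Startup request and a success response. The parser below is an added example, not code from the talk or from libtpm; it assumes the final `0x01` on the slide is the 2-byte startup type and handles only the two unauthenticated tags shown.

```python
import struct

# Values from the TPM 1.1/1.2 main specification; only the tags on the slide.
TAGS = {0x00C1: "TPM_TAG_RQU_COMMAND", 0x00C4: "TPM_TAG_RSP_COMMAND"}
ORDINALS = {0x00000099: "TPM_ORD_Startup"}
STARTUP_TYPES = {1: "TPM_ST_CLEAR", 2: "TPM_ST_STATE", 3: "TPM_ST_DEACTIVATED"}
HEADER = struct.Struct(">HII")  # tag, paramSize, ordinal (request) or return code


def parse_datagram(buf: bytes) -> dict:
    """Decode one TPM 1.x datagram, rejecting inconsistent framing."""
    if len(buf) < HEADER.size:
        raise ValueError("shorter than the 10-byte header")
    tag, size, code = HEADER.unpack_from(buf)
    if tag not in TAGS:
        raise ValueError(f"unhandled tag 0x{tag:04x}")
    if size != len(buf):  # paramSize counts the whole datagram, header included
        raise ValueError(f"paramSize {size} != actual length {len(buf)}")
    body = buf[HEADER.size:]
    out = {"tag": TAGS[tag], "size": size}
    if tag == 0x00C1:
        out["ordinal"] = ORDINALS.get(code, f"0x{code:08x}")
        if code == 0x99:
            if len(body) != 2:
                raise ValueError("TPM_Startup takes a 2-byte startup type")
            (st,) = struct.unpack(">H", body)
            out["startup_type"] = STARTUP_TYPES.get(st, f"0x{st:04x}")
    else:
        out["return_code"] = code
        out["ok"] = code == 0  # 0 is TPM_SUCCESS
    return out


# The slide's datagrams, rebuilt as bytes (0x01 assumed to be 0x0001).
REQUEST = struct.pack(">HIIH", 0x00C1, 0x0000000C, 0x00000099, 0x0001)
RESPONSE = struct.pack(">HII", 0x00C4, 0x0000000A, 0x00000000)

if __name__ == "__main__":
    print(parse_datagram(REQUEST))
    print(parse_datagram(RESPONSE))
```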
17. High-level Breakdown of TPM Commands
18. Examining the Apple TPM
- All Intel-based Macs make use of an Infineon TPM
- No real interface from Apple to examine/use TPM
chip
- But never fear, we've got code to examine the TPM
- http://tpm.shmoo.com/
19. MacBook TPM Access Architecture
Ubuntu (modified to boot on a Mac
by Mactel-linux.org and customized by The Shmoo
Group)
Custom Apps
tpm-utils
Libtpm (from IBM)
tcsd
Infineon TPM v1.1 (IFX0101)
20. Demo of TPM software
- A live CD for accessing the TPM on a MacBook is
available at http://tpm.shmoo.com/
- It is a bit rough around the edges, but it works
(pretty much) right out of the gate
21. Trusted Network Connect
- Rather than solving the entire problem from the
beginning, TCG is taking baby steps
- Network access is a problem in nearly every
enterprise
- Accessing the network should involve three
parties authenticating themselves: the user, the
user's device, and the infrastructure
- Oftentimes, the device does not strongly
authenticate itself
- With a TPM, a device can have a unique
cryptographic key to authenticate itself to the
infrastructure
- TNC is basically 802.1x
- Juniper and others already have solutions
- Couple TNC with patching policies, and you can
really put a dent in internal network security
issues
23. Other Capabilities Enabled by Trusted Computing
- Data at Rest security
- Vista has the ability to use a TPM for key
storage and implements a secure container (i.e. an
encrypted file that is protected by the TPM)
called BitLocker
- Can be done on any platform (why doesn't
DiskUtility in OS X use the TPM on the
Intel-based boxes?)
- Crypto API
- No more confusion if an algorithm is implemented
properly
- Remote Attestation
- The ability to tell a remote system about the
local system with some assurance
- Basically, you can attest to the integrity or
configuration of a machine and cryptographically
sign the whole thing
- Trusted Boot
- TPM -> Secure Boot Loader -> Signed kernel -> Signed
Drivers -> Signed Applications (NOTE: Signed !=
secure)
24. Types of Attestation
- Attestation by the TPM
- Proves that the TPM is active and knows some
secret
- Attestation to the platform
- Proves the endpoint can be trusted to report its
integrity
- Attestation of the platform
- Reporting of the integrity of the endpoint
- Authentication of the platform
- Basically, this is device authentication (using a
secret to authenticate to a network, etc)
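Attestation of the platform rests on the TPM 1.x PCR extend rule: each boot stage is hashed into a PCR as new = SHA-1(old || SHA-1(component)), so the final value depends on every component and on their order. The following is an added example, not code from the talk: a verifier that replays a measurement log against a reported PCR and a known-good list. The component names and images are constructed, the log carries the component bytes for brevity where a real log carries their digests, and checking the AIK signature over the reported PCR is assumed to happen separately.

```python
import hashlib
import hmac

PCR_SIZE = 20  # a TPM 1.x PCR holds one SHA-1 digest


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.x extend rule: new PCR = SHA-1(old PCR || SHA-1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def replay(log) -> bytes:
    """Recompute the PCR a boot would produce from an ordered measurement log."""
    pcr = bytes(PCR_SIZE)  # static PCRs start as all zeroes at power-on
    for _name, component in log:
        pcr = extend(pcr, component)
    return pcr


def verify(log, reported_pcr: bytes, known_good: dict):
    """Verifier side: the log must explain the PCR and every entry must be approved."""
    if not hmac.compare_digest(replay(log), reported_pcr):
        return False, "log does not reproduce reported PCR"
    for name, component in log:
        if known_good.get(name) != hashlib.sha1(component).hexdigest():
            return False, f"unapproved measurement: {name}"
    return True, "ok"


# Constructed sample data: stand-ins for the images measured during trusted boot.
BOOT_LOG = [
    ("bootloader", b"constructed bootloader image"),
    ("kernel", b"constructed kernel image"),
    ("driver", b"constructed driver image"),
]
KNOWN_GOOD = {name: hashlib.sha1(blob).hexdigest() for name, blob in BOOT_LOG}

if __name__ == "__main__":
    print(verify(BOOT_LOG, replay(BOOT_LOG), KNOWN_GOOD))
```

A host that boots a modified kernel cannot pass either check: a clean log no longer reproduces its PCR, and an accurate log lists a measurement that is not on the approved list.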
25. So... First, the Bad
- Opportunities abound for loss of control of content
stored on your computer
- Failed hardware, systems upgrades have the
potential to cause havoc with protected software
- Sealed data may become unusable
- Users suddenly need to deal with key material
backup issues
- Because we all back up our hard drives already,
right?
- Operating system vendors may get territorial
- For instance, Windows Genuine Advantage could be
configured to not upgrade if non-MS approved
software is installed (unlikely, but possible)
26. The Good
- Trusted boot can make a big dent in controlling
malicious code in the enterprise
- Host integrity monitoring can become host
integrity enforcement (like the migration from
IDS to IPS, only it will actually work)
- Trusted network access will tie the security and
integrity of an endpoint to the authority to
access the network
- The ability to really protect mobile media and
other data at rest situations
27. The Ugly
- The distrust of many in the security community is
interfering with making productive use of the TPM
- Hard to see the forest for the trees
- Also, trusted computing represents a massive
shift in risks, threats, and operations: no small
pill for the security community to swallow
- While Vista has TPM support, the developer
interface is not documented enough to be useful
- OS X does not provide ANY public interfaces to
the TPM
- Most chips in deployment are v1.1; Vista wants
1.2
- Ubiquitous deployment of 1.2 is only 3 or so
years away
28. Where Trusted Computing is Going
- Trusted computing is going to happen
- Many systems shipping with TPMs already, just
not much software that supports it
- HUGE capability for InfoSec. Even if we don't
reach the holy grail of MLS, there are still many
positive features
- However, if all we do is focus on the privacy
concerns and don't figure out a way to use
trusted computing to build more secure software,
we'll fail before we even get out of the gate
- /rant
29. ShmooCon III
- Note, it may seem like we had three cons already,
but there were seriously only 2
- We had really, really good beer
- ShmooCon III - March 23-25, 2007
- Same place - Wardman Park Marriott, DC
- Slight changes in structure
- 20 min sessions all afternoon Friday
- SC Labs
- Still going to have contests, hacker arcade, etc
- CFP out next week
- Tix on sale end of the month
- Ticket breakdown on price, not dates
30. Before We Finish Up... Summer of Code, TSG Style
- The Shmoo Group was given the opportunity to
mentor 4 projects under the Google Summer of Code
- http://code.google.com/soc/
- Firekeeper (Student: Jan Wrobel, Mentor: Len
Sassaman)
- Browser-level Intrusion Detection via rulesets
designed to detect and block malicious websites
(neat, given Jeremiah Grossman's talk)
- Prototype available on firekeeper.mozdev.org
- GPGGreasemonkey (Student: Kerry McKay, Mentor:
Bruce Potter)
- Client side mail encryption for webmail via FFX
ext.
- Currently have implementation for Gmail and Yahoo
- svn checkout svn://e.shmoo.com/var/repos/gpgwebmail
32. SOC
- Online Rainbow Tables Lookup (Student: Keith
Larimore, Mentor: Freshman)
- Focused on increasing speed
- Completed: Basic search capabilities with Web
interface, queuing, completion emails
- In progress: DNS query Interface
- Open Security Framework (Student: Soren
Bleikertz, Mentor: Pravir Chandra)
- A framework to simplify network security analysis
- Master, client, slave
33. Questions?
- Bruce Potter
- gdead_at_shmoo.com
- http://tpm.shmoo.com/
- Go To ShmooCon - March 23-25, 2007