563.8 Remote Attestation

1
563.8 Remote Attestation

• Presented by Michael LeMay
• University of Illinois
• Spring 2006

2
Problem

• Software is controlled by machine operator
• Machine operator, software distributor, or
  attacker can maliciously subvert software
• Modify binary
• Run on untrusted hardware
• Attach debugger to monitor operation
• Software publisher has no assurance that software
  is being used in unmodified state, as intended
• Problem worsens when network communication is
  involved

3
Remote Attestation

• Allows changes to computer to be detected by user
  and remote entities
• Hardware generates certificate chain specifying
  current system configuration
• Actually, hardware certifies 2nd-lowest layer,
  which certifies next layer up, etc.

4
Trusted Computing

• Remote attestation just one piece of TC
• Secure I/O
• Memory curtaining/protected execution/process
  isolation even OS cant read everything in
  memory
• Sealed storage
• Basic concepts
• Machine-specific public key and cert. chain
• Hardware crypto implementations
• Common applications
• Digital rights management
• System integrity verification
• Similar to IBM 4758 coprocessor, but more capable

Marchesini, Smith, Wild, MacDonald
5
Secure I/O

• Many ways to compromise user I/O
• Screen-scrapers
• Keyloggers
• TC hardware verifies checksums of software
  performing I/O, detecting malicious components
• Doesnt address hardware keyloggers, TEMPEST
  devices, etc.

6
Sealed Storage

• Data can be encrypted using key derived from
  current software/hardware configuration
• Key must be re-derived to decrypt data
• Prevents modified configuration from reading data

7
TC Applications

• Online banking protect PINs, passwords, account
  numbers using sealed storage
• Anonymous networks process isolation prevents
  operators from inspecting mix
• Mobile agents protect a software agent from its
  host using process isolation
• Digital rights management Lock media files to
  one computer using sealed storage

8
Remote Attestation Applications

• Protection of P2P only cooperate with remote
  clients if they are valid
• Distributed computing (Folding_at_Home) ensure
  participants run valid software
• Selling CPU cycles run an attested process with
  your idle cycles, get paid
• Online shopping make sure the merchant is really
  running TRUSTe, etc.
• VPNs, online games more later

Interesting Uses of Trusted Computing
9
TCG Layers
10
TCG Components
TCG 1.0 Architecture Overview
11
Credential Types

• TPM contains 5 types of credentials
• Endorsement or EK credential uniquely identifies
  TPM, privacy concern
• Conformance credential Certifies that TPM meets
  specifications
• Platform credential Identifies TPM manufacturer
  and capabilities
• Validation credential Associated with peripheral
  or software to guarantee integrity
• Identity or AIK credential Issued by privacy CA
  to preserve privacy of EK credential

12
Opposition

• Trusted Computing has many opponents, because it
  considers the computer operator to be a potential
  attacker
• EFF Trust Computing Promise and Risk
• Against-TCPA
• LAFKON - A movie about Trusted Computing
• And, a rebuttal
• TCPA Misinformation Rebuttal and Linux drivers

13
Microsoft NGSCB

• Microsoft, AMD, HP, IBM, Infineon, Intel, Sun,
  all members of TCG
• Uses TPM to partitionsystem into two
  partsNexus and L.H.S.
• NCAs Nexus Comput-ing Agents
• Only two compartments

14
NGSCB Architecture WinHEC 2004

• Little device diversity
• Only a few drivers
• KLOC

• Great device diversity
• Thousands of drivers
• MLOC

• Compartments are Windows-based
• Significantly reduced footprint
• Strongly Isolated, hardened and armored
• Secure device ownership
• Nexus or service compartments

• Windows
• Owns most HW
• Only real-time OS
• Security benefits via scenarios

Biddle, 2004
15
Terra A Virtual Machine-Based Platform for
Trusted Computing

• Similar to 2004 NGSCB architecture, supports
  multiple, isolated compartments
• Terra supports an arbitrary number of
  user-defined VMs, more flexible than NGSCB
• Provides both open- and closed-box
  environments
• Implemented on VMware but didnt actually use TPM

Garfinkel, Pfaff, Chow, Rosenblum, Boneh, 2003
16
Closed-box Platforms

• Developer has complete control over environment
• Cell phone
• Game console
• ATM
• May contain cryptographic keys
• Allows remote attestation to server using
  pre-shared key
• Not every application can run on closed-box
  platform, expensive!

17
Virtualization

• Hypervisors, or virtual-machine monitors (VMMs),
  run entire guest operating system on top of host
  operating system
• Xen (open-source)
• Requires guest operating system to be modified,
  but runs with very little slowdown
• VMware (now available for free download)
• Supports unmodified operating systems, and is
  reasonably fast
• Terra (well be discussing this one)
• Not publicly available

18
Terra Architecture
19
Solution

• TVMM Trusted Virtual Machine Monitor
• Open-box VMs
• Just like current GP systems, no protection
• Closed-box VMs
• VM protected from modification, inspection
• Can attest to remote peer that VM is protected
• Behaves like true closed-box, but with cost and
  availability benefits of open-box
• Cant assure availability
• Operator can always pull the plug!

20
TVMM Attestation

• Each layer of software has a keypair
• Lower layers certify higher layers
• Enables attestation ofentire stack

VM
Application
Operating System
Hash of Attestable Data
TVMM (Terra)
Higher Public Key
Bootloader
Firmware
Other Application Data
Signed by Lower Level
Hardware (TPM)
Certificate
Layers
21
Additional Benefits

• Software stack can be tailored on per-application
  basis
• Game can run on thin, high-performance OS
• Email client can run on highly-secure,
  locked-down OS
• Regular applications can use standard,
  full-featured and permissively-configured OS
• Applications are isolated and protected from each
  other
• Reduces effectiveness of email viruses and
  spyware against system as a whole
• Low-assurance applications can automatically be
  transformed into medium-assurance applications,
  since they are protected from external influences

22
Example 1

• Online gaming Quake
• Players often modify Quake to provide additional
  capabilities to their characters, or otherwise
  cheat
• Quake can be transformed into a closed-box VM and
  distributed to players
• Remote attestation shows that it is unmodified
• Very little performance degradation
• Covert channels remain, such as frame rate
  statistics

23
Trusted Quake Assurances

• Secure Communication VM cant be inspected, so
  shared key can be embedded in VM image to protect
  network communication
• Any software can be reverse engineered, so is
  this a good idea?
• Client Integrity maps and media files are
  protected from modification on client
• Server Integrity Bad clients cant connect

24
Trusted Quake Weaknesses

• Bugs and Undesirable Features Rendered polygon
  OSD permits prediction of impending character
  appearances
• Network DoS Attacks Terra does nothing in this
  regard
• Out-of-Band Collusion Players can still
  communicate if theyre sitting together in a
  basement or using IM

25
My Research Question

• How can remote attestation of virtual machines be
  used to protect consumer privacy in advanced
  distribution automation (ADA) systems?

26
Advanced Distribution Automation

• Distributed Energy Resource management
• Demand Reducation/Load Management
• Automated Meter Reading/Real Time Pricing

27
Problem

• For real-time pricing to work, power company has
  to know exactly how much power was used by each
  customer at each point in time
• Could be privacy problem
• Different rates may apply to devices, but meters
  dont have that granularity
• Demand reduction should be extended to more
  devices, but requires individual switching agents

28
Advanced Distribution Automation
29
Appendix Trusted Access Points

• VPN client can be implemented as closed-box VM
  and distributed to visitors when they first
  connect to a regulated network
• VM can attest to VPN gateway that it is operating
  properly, and will enforce intended traffic
  regulations

30
TAP Benefits

• Prevents source forgery TAP can reliably check
  all outgoing packets
• Prevents DoS attacks TAP can block DoS attacks
  at their source, before they even reach the
  network
• Scalability Clients enforce regulations on their
  own traffic
• Network Scalability TAP can perform local
  vulnerability scan on host before permitting it
  to connect