Minimal TCB Code Execution - PowerPoint PPT Presentation

Minimal TCB Code Execution. Jonathan McCune, Bryan Parno, Adrian Perrig, ... Containing malicious or malfunctioning security-sensitive code ...

1
Minimal TCB Code Execution
  • Jonathan McCune, Bryan Parno, Adrian Perrig,
  • Michael Reiter, and Arvind Seshadri
  • Carnegie Mellon University

May 22, 2007
2
Trusted Computing Base (TCB)


[Figure: two system stacks. Labels: App, App 1, S, OS, Shim; DMA Devices (Network, Disk, USB, etc.); CPU, RAM, TPM, Chipset.]
3
Contributions
  • Isolate security-sensitive code execution from
    all other code and devices
  • Attest to security-sensitive code and its
    arguments and nothing else
  • Convince a remote party that security-sensitive
    code was protected
  • Add < 250 LoC to the software TCB

[Figure: software TCB (< 250 LoC). Labels: S, Shim.]
4
TPM Background
  • The Trusted Platform Module (TPM) is a dedicated
    security chip
  • It can provide an attestation to remote parties
  • Platform Configuration Registers (PCRs) summarize
    the computer's software state
  • TPM provides a signature over PCR values
  • TPM spec v1.2 includes dynamic PCRs
      • Values can be reset without a reboot

5
Late Launch Background
  • Supported by new commodity CPUs
      • SVM for AMD
      • TXT (formerly LaGrande) for Intel
  • Designed to launch a VMM without a reboot
  • Hardware-based protections ensure launch
    integrity
  • New CPU instruction (SKINIT/SENTER) accepts a
    memory region as input and atomically:
      • Resets dynamic PCRs
      • Disables interrupts
      • Extends a measurement of the region into PCR 17
      • Begins executing at the start of the memory region
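
Added example (not part of the original slides): how a remote verifier can recompute PCR 17 after a late launch and why the hardware reset matters. It uses the TPM v1.2 extend rule, PCR_new = SHA1(PCR_old || SHA1(data)); the order in which inputs and outputs are extended, the function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac

PCR_LEN = 20                               # TPM v1.2 PCRs hold one SHA-1 digest
PCR_AFTER_REBOOT = b"\xff" * PCR_LEN       # dynamic PCRs read -1 after a reboot
PCR_AFTER_LATE_LAUNCH = b"\x00" * PCR_LEN  # SKINIT/SENTER resets them to 0


def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM v1.2 extend: PCR_new = SHA1(PCR_old || SHA1(data))."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()


def replay(start: bytes, measurements: list[bytes]) -> bytes:
    """Fold a list of measured blobs into a PCR value, in order."""
    pcr = start
    for blob in measurements:
        pcr = extend(pcr, blob)
    return pcr


def verify_pcr17(quoted: bytes, region: bytes, inputs: bytes, outputs: bytes) -> bool:
    """Verifier side: recompute PCR 17 from known-good values and compare.

    Assumption: after the CPU measures the region, the measured code extends
    its inputs and then its outputs into the same PCR. The TPM signature over
    the quoted value is assumed to have been checked already.
    """
    expected = replay(PCR_AFTER_LATE_LAUNCH, [region, inputs, outputs])
    return hmac.compare_digest(quoted, expected)


# Constructed sample data, not taken from the presentation.
REGION = b"\x90" * 64 + b"constructed security-sensitive code"
INPUTS = b"constructed-input"
OUTPUTS = b"constructed-output"

if __name__ == "__main__":
    genuine = replay(PCR_AFTER_LATE_LAUNCH, [REGION, INPUTS, OUTPUTS])
    # Same measurements extended by software without the hardware reset.
    no_reset = replay(PCR_AFTER_REBOOT, [REGION, INPUTS, OUTPUTS])
    for name, value in (("late launch", genuine), ("no reset", no_reset)):
        ok = verify_pcr17(value, REGION, INPUTS, OUTPUTS)
        print(f"{name:12} {value.hex()} accepted={ok}")
```

Because the reset to 0 is only reachable through the late-launch instruction, a chain that starts from the reboot value cannot reproduce the expected PCR 17 even when it extends identical measurements.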

6
Adversary Capabilities
  • Run arbitrary code with maximum privileges
  • Subvert any DMA-enabled device
      • E.g., network cards, USB devices, hard drives
  • Perform limited hardware attacks
      • E.g., power cycle the machine
      • Excludes physically monitoring/modifying
        CPU-to-RAM communication

[Figure: system stack. Labels: App, App 1, OS, S, Shim; DMA Devices (Network, Disk, USB, etc.); CPU, RAM, TPM, Chipset.]
7
Architecture Overview
  • Core technique
      • Pause current execution environment
      • Execute security-sensitive code with
        hardware-enforced isolation
      • Resume previous execution
  • Extensions
      • Preserve state securely across invocations
      • Attest only to code execution and protection
      • Establish secure communication with remote
        parties

8
Execution Flow
[Figure: execution flow diagram. Labels: App, OS, Module, S, Shim, Inputs, Outputs, CPU, TPM, PCRs (0 0 0), K-1.]
9
Attestation
[Figure: attestation diagram. Labels: TPM, PCRs, Inputs, Outputs, K-1.]
10
Attestation
Versus
11
Potential Applications
  • Server applications
      • Password authentication, SSL keys, Certificate
        Authority (CA), etc.
  • Verifiable distributed computing
      • SETI@Home, Folding@Home, distcc, etc.
  • Client-side applications
      • Secure password entry

12
Ongoing Work
  • Extracting security-sensitive code from existing
    applications
  • Containing malicious or malfunctioning
    security-sensitive code
  • Coping with slow security-sensitive code
  • Creating a trusted path to the user

13
Related Work
  • Secure coprocessors
      • Dyad [Yee 1994], IBM 4758 [JiSmiMi 2001]
  • System-wide attestation
      • Secure Boot [ArFaSm 1997], IMA [SaZhJaDo 2004],
        Enforcer [MaSmWiStBa 2004]
  • VMM-based isolation
      • BIND [ShPeDo 2005], AppCores [SiPuHaHe 2006],
        Trustworthy Kiosks [GaCáBeSaDoZh 2006], Proxos
        [TaLiLi 2006]

14
Conclusions
  • Explore how far an application's TCB can be
    minimized
  • Isolate security-sensitive code execution
  • Provide fine-grained attestations
  • Allow application writers to focus on the
    security of their own code

15
Thank you!
parno@cmu.edu