DOCSLIB.ORG

An Overview of Trusted Computing [Pdf]

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

An Overview of Trusted Computing A Project Report submitted by Saran Neti Maruti Ramanarayana (100841098) as Project 2 for COMP 5407F, Fall 2010 Carleton University Abstract This project report gives a brief overview of the challenges in establishing trust among a network of computers potentially running malicious software. We look at some key features in Trusted Computing including the hardware modications, novel protocols and key management ideas while highlighting various privacy con- cerns and open techincal challenges responsible for its slow adoption. We conclude with a few remarks about the social aspects of it. 1 Introduction 1 1 Introduction The widespread use of desktop applications processing sensitive data (e.g banking or health records) has resulted in an ecosystem based on malware exploiting vulnerabilities in software and compromising millions of comput- ers. Commercial security software, like anti-virus, exist to detect and remove infected les but new vulnerabilities are constantly discovered and exploited. While the cycle of discovering, exploitation and xing of security bugs is a never ending process, billions of dollars are lost every year by companies (e.g nancial institutions), providing services through the Internet, due to malicious activity. A major concern among such service providers is their in- ability to determine if a client machine using their service can be trusted with critical information. In other words, even if the end user and the network can be trusted, there is no easy way to tell if a computer contains malicious software, and hence no way to refuse to serve a request originating from such a computer. Trusted Computing is an umbrella term used to describe security related enhancements to a modern computer to assist in establishing a trust rela- tionship under the assumption that it is potentially running compromised software. This process can be broadly described by Attestation - securely measuring the state of a computer, and Verication - remotely determining if a computer can be trusted using its state information. It is important to observe that Trusted Computing does not aim to re- duce vulnerabilities in software or prevent attacks against individual software components. Instead it aims to make the entire software ecosystem more se- cure by regulating interaction between networked computers and facilitating a universally secure computation of a trust metric. Naturally many privacy and ownership concerns arise when access to services are granted or denied based on judgment calls of whether a particular piece of software is trusted. Moreover, since the root of trust is located in hardware, running an alternate piece of software can be made impossible if desired as noted vociferously by Richard Stallman [7]. Some of these issues have been cleverly addressed [12] but a lot remains to be done for widespread adoption by the community at large. We now look in detail at some of the fundamental problems, existing solutions and possible improvements to establish trust under the Trusted Computing model. 2 Assumptions about Hardware and Software 2 2 Assumptions about Hardware and Software Algorithms to process data can either be implemented in hardware or soft- ware or a combination of both. Functionally, primitives or the building blocks of algorithms are designed on hardware, and are invariant for the lifetime of a physical computer as opposed to the higher layer logic which can be modied, loaded into memory and executed. For example, in a PC the x86 instruc- tion set serves as a layer of abstraction between hardware and software. A modern computer consists of many peripheral devices connected to the CPU, where each device itself has evolved into a complex computational unit. The software running on these devices, e.g. network cards, graphic cards, storage drives, is called rmware and its update cycle can be more frequent than the lifetime of the hardware. In order to make clear assumptions about what is trusted and what isn't, it is important to understand the functionality and security that each layer oers. Hardware Microprocessor, memory, display, keyboard, mice etc. are all types of hard- ware devices which are assumed to be trusted for the following reasons 1. The chips controlling them are manufactured in gigantic quantities; duplicate copies of them are found on millions of machines and modi- cation of their functionality is not typically possible without damaging the device. 2. The chips serve the sole purpose of managing the device, making it almost impossible for malware to make use of them for general purpose computation. 3. The code complexity in the chips is not too high, and hence the chips are not reprogrammable, although they may internally have a clear distinction between rmware and hardware. Software All code executed by the Microprocessor starting from bootloader, kernel to userspace applications is untrusted. This layer implements most of the 2 Assumptions about Hardware and Software 3 functionality of modern computers and its contents are very dynamic and constantly changing. Firmware Network and Graphics cards are examples of devices which contain repro- grammable rmware. Trust in this region is a Grey area, because rmware updates are usually delivered through software which is untrusted. Neverthe- less, rmware is often specialized and has access only to its device, making writing malware for it dicult. BIOS is an example of rmware that is untrusted - as it contains a lot of code [2] to initialize devices before hand- ing over control to the bootloader. Attacks have been devised that install backdoors resilient even to disk wipes [6]. In the Trusted Computing model, a specialized hardware called the TPM chip is introduced in the Hardware layer, and provides a way to measure every software ( and some rmware like BIOS ), that loads into the computer. Trusted Platform Module (TPM) Cryptographic Persistent memory processor Endorsement Key (EK) random number generator t Storage Root Key (SRK) RSA key generator Versatile memory Platform Configuration Registers (PCR) SHA-1 hash generator secured input - outpu Attestation Identity Keys (AIK) encryption-decryption- storage keys signature engine Fig. 2.1: TPM chip The TPM chip includes 3 Measuring the state of a computer 4 1. Endorsement Key - A public/private keypair embedded into the TPM that uniquely identies it. The private key never leaves the chip. 2. Storage Rootkey - Used to protect other keys. This can be erased by wiping the TPM clean to its factory state. 3. Platform Conguration Registers (PCR) - Used to store the platform state. 4. Attestation Identity Key (AIK) - Used to validate the TPM chip during remote attestation. It also includes hardware implementations of common cryptographic func- tions. The key idea is that in any operation output = CryptoF unction(data; key), the key, function and data reside in the same chip. If we can somehow gen- erate data to meaningfully reect the state of software output can be used to convey this information to remote parties securely. 3 Measuring the state of a computer In order to be able to convey state information about a computer, we need to know the hardware conguration of a computer and also all the security relevant software that boots up in that computer, in a way that takes into account our trust model - all software is untrusted and can potentially contain malware. Hardware conguration can be vouched for by the vendor in the form of an Endorsement key in the TPM. TPM chips have been hacked into using electron microscopes [5], but our threat model assumes that the adversary does not have physical access to a computer. Measuring software for signs of infestation of malware is tricky. Design of software is also layered, but the abstractions are not necessarily made with strong security mind. When the process isolation guaranteed by an OS kernel doesn't hold up against attacks, lightweight Virtual Machines (VM) equipped with better isolation provided by hypervisors are employed [11]. And when an application is unable to operate on a collective bunch of VMs, software APIs are provided in the Hypervisor layer as an ecient means of communication. [9, 8]. This constant partitioning up of software into isolated containments, and then creating channels between them for communication in order to nd the optimum balance between security and eciency is a never ending process. But this is of interest to us - we want to determine 3 Measuring the state of a computer 5 that critical layer of software which can guarantee isolation of layers above it enabling in a reduction of the total amount of code needed to be trusted. i.e the Trusted Computing Base (TCB). The objective is to split our software stack into layers L0;L1; :::; Ln, and nd a k such that we 1. Minimize the amount of Trusted Code - Pk is minimized, where 0 jLij jLij is the sum of all lines of code running at layer Li. 2. Isolate higher layer applications - For all i > k, all applications A 2 Li must be able to run in secure isolated execution environments. 3. Maximize Eciency - The performance penalty of applications running in a higher layer due to security must be minimized. Finding this layer Lk is the big challenge. The older Flicker project uses only 250 lines of code in the TCB and makes heavy use of the inecient late launch instructions ( AMD SVM or Intel TXT ) on newer commodity processors [17]. The Trustvisor project attempts to minimize the TCB while maintaining reasonable eciency, by using an easily veriable special-purpose hypervisor with about than 6k lines of code [16]. 3.1 What software to measure? We now look at a simple mechanism using the TPM that will ensure that identity of all software loaded on a computer gets recorded. Let S1;S2;S3:::; Sn be a list of software binaries that gets loaded into a computer in that order.
Recommended publications
  • Trusted Platform Module (TPM) TCG 1.2 / 2.0

    Trusted Platform Module (TPM) TCG 1.2 / 2.0

    Trusted Platform Module (TPM) TCG 1.2 / 2.0 USER GUIDE Revision 1.20 The information in this user's guide has been carefully reviewed and is believed to be accurate. The vendor assumes no responsibility for any inaccuracies that may be contained in this document, and makes no commitment to update or to keep current the information in this manual, or to notify any person or organization of the updates. Please Note: For the most up-to-date version of this manual, please see our website at www.supermicro.com. Super Micro Computer, Inc. ("Supermicro") reserves the right to make changes to the product described in this manual at any time and without notice. This product, including software and documentation, is the property of Supermicro and/ or its licensors, and is supplied only under a license. Any use or reproduction of this product is not allowed, except as expressly permitted by the terms of said license. IN NO EVENT WILL SUPER MICRO COMPUTER, INC. BE LIABLE FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, SPECULATIVE OR CONSEQUENTIAL DAMAGES ARISING FROM THE USE OR INABILITY TO USE THIS PRODUCT OR DOCUMENTATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN PARTICULAR, SUPER MICRO COMPUTER, INC. SHALL NOT HAVE LIABILITY FOR ANY HARDWARE, SOFTWARE, OR DATA STORED OR USED WITH THE PRODUCT, INCLUDING THE COSTS OF REPAIRING, REPLACING, INTEGRATING, INSTALLING OR RECOVERING SUCH HARDWARE, SOFTWARE, OR DATA. Any disputes arising between manufacturer and customer shall be governed by the laws of Santa Clara County in the State of California, USA. The State of California, County of Santa Clara shall be the exclusive venue for the resolution of any such disputes.
  • Introduction to Trusted Computing: TPM 101

    Introduction to Trusted Computing: TPM 101

    Introduction to Trusted Computing: TPM 101 Ariel Segall [email protected] Day 1 Approved for Public Release: 12-2749. Distribution unlimited Day 1 Approved for Public Release: 12-2749. Distribution unlimited 1 Ariel Segall [email protected] () TPM 101 / 1 License All materials are licensed under a Creative Commons \Share Alike" license. http://creativecommons.org/licenses/by-sa/3.0 Day 1 Approved for Public Release: 12-2749. Distribution unlimited 2 Ariel Segall [email protected] () TPM 101 / 1 What We'll Be Covering In this section: What is a TPM? What does it do? What's it good for? Some TPM myths (and the truths behind them) Why enterprises should care about TPMs All at a high level{ deep dive this afternoon. Day 1 Approved for Public Release: 12-2749. Distribution unlimited 3 Ariel Segall [email protected] () TPM 101 / 1 What is a TPM? Trusted Platform Module Inexpensive (<$1, usually) chip on almost all motherboards today Not in Macs Only some servers have them{ ask. Hardware basis for platform trust In secrets In platform state Combined with a Root of Trust for Measurement1 In platform identity Current version is 1.2 Unless otherwise specified, we'll always refer to 1.2 TPMs Previous version 1.1; next, 2.0. 1We'll get to these in a little while Day 1 Approved for Public Release: 12-2749. Distribution unlimited 4 Ariel Segall [email protected] () TPM 101 / 1 What's In a TPM? TPM Non−Volatile Memory Cryptographic Co−Processor Volatile Memory Execution Engine (Processor) Random Number Generator Day 1 Approved for Public Release: 12-2749.
  • Trusted Platforms UEFI, PI and TCG-Based Firmware

    Trusted Platforms UEFI, PI and TCG-Based Firmware

    White Paper by Intel Corporation and IBM Corporation Trusted Platforms UEFI, PI and TCG-based firmware Vincent J. Zimmer Intel Corporation Shiva R. Dasari Sean P. Brogan IBM September 2009 Executive Summary This document provides an overview of the interactions of the Trusted Computing Group (TCG) [TCG Overview], the firmware standards work within the Unified Extensible Firmware Interface (UEFI) Forum, and implementation practices of UEFI PI-based [UEFI Book][UEFI Shell Book][UEFI Overview] implementations. In addition, this paper will provide some use-cases and implementation examples of this technology in addition to the industry threats that motivate the design of this class of technology. This paper is mainly intended for Hardware, firmware, software, and BIOS engineers. But beyond this audience, some of the information in this paper will be valuable for IT decision makers, marketing, and other parties. The goal of the paper is to take away an understanding of the motivations behind trusted platform design, the terminology of trust, how to navigate the Trusted Computing Group set of specifications and technology that relate to platform, impact on platform firmware and UEFI, instances of deployment in the market, and some future possible directions for hardware and firmware. ii Table of Contents Overview ............................................................................................................2 Problems to solve ...........................................................................................3 Security architecture
  • "Putting Trust Into Computing: Where Does It Fit?"

    "Putting Trust Into Computing: Where Does It Fit?"

    "Putting Trust Into Computing: Where Does it Fit?" Monday, February 14, 2005 9:00 a.m. – 12:00 p.m. Copyright© 2005 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Agenda 09:00am Introduction Jim Ward, IBM, TCG Board President / Chair 09:05am Trusted Network Connect Overview Thomas Hardjono, VeriSign 9:45am Open Source Solutions Dr. Dave Safford, IBM 10:25am Writing and Using Trusted Applications Ralph Engers, Utimaco Safeware AG; George Kastrinakis, Wave Systems; William Whyte, NTRU Cryptosystems, Inc. 11:15am Customer Case Studies Stacy Cannady, IBM; Manny Novoa, HP 11:50am Q&A Mark Schiller, HP; Jim Ward, IBM; Brian Berger, Wave Systems Copyright© 2005 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #2 Agenda 09:00am Introduction Jim Ward, IBM, TCG Board President / Chair Jim Ward is a Senior Technical Staff Member and security architect within the IBM software group division. Ward has been a core contributor in the security standards space and currently serves as the President and Board Chair of the Trusted Computing Group. Copyright© 2005 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #3 TCG Mission Develop and promote open, vendor-neutral, industry standard specifications for trusted computing building blocks and software interfaces across multiple platforms Copyright© 2005 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #4 TCG Board of Directors Copyright© 2005 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #5 TCG Organization Board of Directors Jim Ward, IBM, President and Chairman, Geoffrey Strongin, AMD, Mark Schiller, HP, David Riss, Intel, Steve Heil, Microsoft, Tom Tahan, Sun, Nicholas Szeto, Sony, Bob Thibadeau, Seagate, Thomas Hardjono, VeriSign Marketing Workgroup Technical Committee Advisory Council Administration Brian Berger, Wave Systems Graeme Proudler, HP Invited Participants VTM, Inc.
  • Open Source TPM Support

    Open Source TPM Support

    Open Source TPM support Open source application and support software for TPM is available for several operating systems like Linux, Android and in different programming languages supporting the following scenarios: - embedded Systems - servers - mobile communication and portable devices (e.g. tablet computer or smartphone) Open source implementations can also be ported to other platforms and processors and may be act as a starting point for the development of new applications. Some open source projects from the following list are supported by Infineon while other packages are separately developed by independent parties. The following list of Open Source software utilizing Trusted Computing and/or TPM software makes no claim to be complete and represents a limited number of projects: 1. Linux TPM Driver ( http://www.kernel.org ) Linux device driver for Trusted Platform Modules (TPM) in standard kernel (Vanilla). 2. I2C driver for TPM The driver is available on Linux kernel.org ( https://lkml.org/lkml/2011/7/22/137 ) 3. Trusted GRUB ( http://sourceforge.net/projects/trustedgrub ) Trusted GRUB extends the GRUB bootloader for Linux platforms with TPM support. This makes it possible to provide a secure Bootstrap architecture; Code is in general useful for initializing a Trusted Platform Module and execute integrity measurement based on Trusted Computing. 4. UBoot based on TPM with I2C ( http://git.chromium.org/gitweb/?p=chromiumos/third_party/u- boot.git;a=tree;f=drivers/tpm/slb9635_i2c;hb=chromeos-v2011.03 ) UBoot involving TPM using I2C interface. 5. The TROUSERS project ( http://sourceforge.net/projects/trousers ): An open-source TCG Software Stack implementation created and released by IBM.
  • Inspecting Data from the Safety of Your Trusted Execution Environment

    Inspecting Data from the Safety of Your Trusted Execution Environment

    Inspecting data from the safety of your trusted execution environment John Williams johnwwil [at] u.washington.edu June, 2015 Abstract: This paper presents a proof of concept that uses ARM TrustZone to perform introspection of a Linux kernel running in the normal world from within a secure-world system. Techniques from existing volatile-memory analysis applications are repurposed for application in real-time through asynchronous introspection of the normal world. The solution presented here leverages open-source software that is actively being developed to support additional architectures. 1 INTRODUCTION As technology becomes more prevalent in our day-to-day lives, we increasingly rely on mobile devices for both business and personal purposes. Emerging security threats, such as rootkits that can scan memory for protected PCI information, have been responsible for large-scale breaches. It has been predicted that targeted exploit kits and attack services will soon exist for mobile platforms, which could enable the exploitation of mobile devices on an unprecedented scale [1]. Techniques for mitigating such threats to mobile devices have largely evolved in parallel with industry demand for them. While some companies have indeed made progress through continued addition of product features that increase the security of devices, other companies have simply pivoted their marketing efforts to emphasize or recast certain aspects of their existing capabilities. In order to select the right products and features for protecting sensitive data and activities, effective segmentation is key. While segmentation within devices has traditionally been implemented at the operating system level, in recent years architectural modification at the chip level has emerged as a way to provide hard segmentation between execution environments.
  • Leveraging ARM Trustzone and Verifiable Computing to Provide Auditable Mobile Functions Nuno O

    Leveraging ARM Trustzone and Verifiable Computing to Provide Auditable Mobile Functions Nuno O

    Leveraging ARM TrustZone and Verifiable Computing to Provide Auditable Mobile Functions Nuno O. Duarte Sileshi Demesie Yalew INESC-ID / IST, University of Lisbon KTH Royal Institute of Technology [email protected] [email protected] Nuno Santos Miguel Correia INESC-ID / IST, University of Lisbon INESC-ID / IST, University of Lisbon [email protected] [email protected] ABSTRACT 1 INTRODUCTION The increase of personal data on mobile devices has been fol- For over 30 years [5], an important problem that has fasci- lowed by legislation that forces service providers to process nated the research community is about trusting the result of and maintain users’ data under strict data protection policies. computations performed on untrusted platforms. Since the In this paper, we propose a new primitive for mobile applica- advent of cloud computing, this interest has further grown tions called auditable mobile function (AMF) to help service in obtaining proofs of code execution on untrusted clouds. providers enforcing such policies by enabling them to process An approach to address this problem that has garnered sensitive data within users’ devices and collecting proofs of particular attention is verifiable computing. At a high-level, function execution integrity. We present SafeChecker, a com- verifiable computing consists of studying how a prover can putation verification system that provides mobile application convince a verifier of a mathematical assertion. The main support for AMFs, and evaluate the practicality of different obstacle faced by this field has been practicality, as the costs usage scenario AMFs on TrustZone-enabled hardware. of computing and verifying proofs over general computa- tions tend to be very high [21].
  • Multiple Stakeholder Model Revision 3.40

    Multiple Stakeholder Model Revision 3.40

    R E Multiple Stakeholder Model F Published E Family “2.0” R Level 00 Revision 3.40 2 May 2016 E N C Contact: [email protected] E TCG PUBLISHED Copyright © TCG 2012-2016 TCG Published - Multiple Stakeholder Model Copyright TCG Copyright ©2012-2016 Trusted Computing Group, Incorporated. Disclaimer THIS REFERENCE DOCUMENT IS PROVIDED "AS IS" WITH NO WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OUT OF ANY PROPOSAL, WHITE PAPER, OR SAMPLE. Without limitation, TCG disclaims all liability, including liability for infringement of any proprietary rights, relating to use of information in this reference document, and TCG disclaims all liability for cost of procurement of substitute goods or services, lost profits, loss of use, loss of data or any incidental, consequential, direct, indirect, or special damages, whether under contract, tort, warranty or otherwise, arising in any way out of use or reliance upon this document or any information herein. No license, express or implied, by estoppel or otherwise, to any TCG or TCG member intellectual property rights is granted herein. Contact the Trusted Computing Group at www.trustedcomputinggroup.org for information on TCG licensing through membership agreements. Any marks and brands contained herein are the property of their respective owners. Page ii TCG PUBLISHED Family “2.0” 2 May 2016 Copyright © TCG 2012-2016 Level 00 Revision 3.40 Published- Multiple Stakeholder Model Copyright TCG Acknowledgments The TCG wishes to thank all those who contributed to this reference document. Ronald Aigner Microsoft Bo Bjerrum Intel Corporation Alec Brusilovsky InterDigital Communications, LLC David Challener Johns Hopkins University, Applied Physics Lab Michael Chan Samsun Semiconductor Inc.
  • Recipe for Mobile Data Security: TPM, Bitlocker, Windows Vista and Active Directory

    Recipe for Mobile Data Security: TPM, Bitlocker, Windows Vista and Active Directory

    Recipe for Mobile Data Security: TPM, Bitlocker, Windows Vista and Active Directory Tom Olzak October 2007 If your business is like mine, laptops regularly disappear. Until recently, centrally managed mobile storage encryption solutions for Windows environments were either too costly, required users to carry a key-resident device, or relied on keys residing on local disk. Sometimes the best solution under these circumstances was the presence of administrative controls (i.e. policies) prohibiting users from storing sensitive information on local laptop drives. With the proliferation of TPM 1.2 across most laptop platforms and the release of Microsoft Windows Vista, most roadblocks to laptop data encryption have been removed. In this paper, I explore the challenges facing security managers responsible for laptop data security, TPM technology, and how the features of a TPM can integrate with Microsoft’s Bitlocker and Active Directory technologies to provide for more secure data on the road. The Challenges Vulnerable Laptop Data When a mobile user’s laptop is stolen, a variety of data might be potentially exposed. The following is a short list of some of the most common types of sensitive information that might be found on a laptop drive: ¾ ePHI – Electronic Protected Health Information, protected under the HIPAA, is any information that can be used to uniquely identify a health care recipient. ¾ PII – Essentially, Personally Identifiable Information is any data that can be used to steal a person’s identity. Most states have passed laws requiring businesses to take steps to protect this information as well as to notify and assist victims if this information is compromised.
  • Trusted Computing

    Trusted Computing

    Grazer Linux Tag 2006 Linux Powered Trusted Computing DI Martin Pirker <[email protected]> DI Thomas Winkler <[email protected]> GLT 2006 - Trusted Live Linux - Martin Pirker + Thomas Winkler, IAIK TU Graz 1 Übersicht ● Einführung und Motivation ● Trusted Computing - Geschichte ● TPM Chips: Hardware, Funktion und Anwendungen ● Chain of Trust ● Kryptografische Schlüssel und Schlüsselverwaltung ● Identitäten ● Attestierung ● Virtualisierung ● Stand der Dinge unter Linux: Treiber, Middleware, Anwendungen GLT 2006 - Trusted Live Linux - Martin Pirker + Thomas Winkler, IAIK TU Graz 2 Einführung ● einschlägige Medien voll mit Meldungen über Sicherheitsprobleme ● ständig neue Initiativen um diese Probleme zu lösen ● ein Ansatz: Trusted Computing von der Trusted Computing Group (TCG) ● bietet Möglichkeit festzustellen welche Software auf einem Computer ausgeführt wird ● soll Vertrauen in Computer erhöhen GLT 2006 - Trusted Live Linux - Martin Pirker + Thomas Winkler, IAIK TU Graz 3 Motivation (1/2) ● bis heute mehrere Millionen Rechner mit TPMs ausgeliefert – wer im Publikum hat schon ein TPM in seinem Rechner? – wer weiß was es kann und verwendet ihn? GLT 2006 - Trusted Live Linux - Martin Pirker + Thomas Winkler, IAIK TU Graz 4 Motivation (2/2) ● viele unklare und teilweise einseitige Medienberichte ● nächstes Microsoft Betriebssystem soll Trusted Computing unterstützen ● welche Perspektiven gibt es im Open Source Bereich? ● Ziele des Vortrags: – welche Technologien stecken hinter Trusted Computing? – verstehen der Wechselwirkungen und Konsequenzen – Anwendung(en) und Nutzen im Open Source Bereich GLT 2006 - Trusted Live Linux - Martin Pirker + Thomas Winkler, IAIK TU Graz 5 Trusted Computing - Organisation ● ursprünglich: TCPA – Trusted Computing Platform Alliance ● jetzt: TCG – Trusted Computing Group ● Führungspositionen (Promotors): – AMD, HP, IBM, Infineon, Intel, Lenovo, Microsoft, Sun ● Abstufungen der Mitgliedschaft bis hin zu akademischen Beobachtern (z.B.
  • Trusted Computing Serving an Anonymity Service

    Trusted Computing Serving an Anonymity Service

    Trusted Computing Serving an Anonymity Service Alexander Böttcher Bernhard Kauer Hermann Härtig Technische Universität Dresden Department of Computer Science Operating Systems Group {boettcher, kauer, haertig}@os.inf.tu-dresden.de Abstract [15] in the authors’ group, will show. An unknown crim- inal to be investigated was supposed to use an anonymity We leveraged trusted computing technology to service. The police and later on the German Federal Bu- counteract certain insider attacks. Furthermore, we reau of Criminal Investigation (FBCI) required to investi- show with one of the rare server based scenarios that gate a criminal that uses a known URL. In order to enable an anonymity service can profit from trusted comput- criminal prosecution by a given warrant the software was ing. We based our design on the Nizza Architecture extended to log connection data [6, 5]. This function of [14] with its small kernel and minimal multi-server the anonymity software [3] was used only with a warrant OS. We even avoided Nizza’s legacy container and but without directly notifying the users. After the warrant got a much smaller, robust and hopefully more secure was reversed the FBCI showed up with a delivery warrant system, since we believe that minimizing the trusted for a log record (which were later on reversed illegal [4]), computing base is an essential requirement for trust first at the institute and later on at the institute’s directors into software. private home. This incident shows a whole class of attacks on the 1 Introduction anonymity and more general every computing service. Vendor and providers under constraint can reveal the ser- Anonymity while using the Internet is widely considered vice because of insider knowledge and physical access a legitimate and - for many use cases - essential require- to those services.
  • The Nizza Secure-System Architecture

    The Nizza Secure-System Architecture

    Appears in the proceedings of CollaborateCom 2005, San Jose, CA, USA The Nizza Secure-System Architecture Hermann Härtig Michael Hohmuth Norman Feske Christian Helmuth Adam Lackorzynski Frank Mehnert Michael Peter Technische Universität Dresden Institute for System Architecture D-01062 Dresden, Germany [email protected] Abstract rely on a standard OS (including the kernel) to assure their security properties. The trusted computing bases (TCBs) of applications run- To address the conflicting requirements of complete ning on today’s commodity operating systems have become functionality and the protection of security-sensitive data, extremely large. This paper presents an architecture that researchers have devised system architectures that reduce allows to build applications with a much smaller TCB. It the system’s TCB by running kernels in untrusted mode is based on a kernelized architecture and on the reuse of in a secure compartment on top of a small security kernel; legacy software using trusted wrappers. We discuss the de- security-sensitive services run alongside the OS in isolated sign principles, the architecture and some components, and compartments of their own. This architecture is widely re- a number of usage examples. ferred to as kernelized standard OS or kernelized system. In this paper, we describe Nizza, a new kernelized- system architecture. In the design of Nizza, we set out to answer the question of how small the TCB can be made. 1 Introduction We have argued in previous work that the (hardware and software) technologies needed to build small secure-system Desktop and hand-held computers are used for many platforms have become much more mature since earlier at- functions, often in parallel, some of which are security tempts [8].