Challenges for Trusted Computing

PDF, 16 pages, 1020 KB

Challenges for Trusted Computing
Ahmad-Reza Sadeghi
Horst Görtz Institute for IT Security, Ruhr-University Bochum
[email protected]
CHES, Yokohama 2006
1 / Ahmad-Reza Sadeghi, ©HGI 2006

Slide 2: Content
- Motivation
  - Trust Issues and Vocabulary
  - Complications in Distributed Applications
- Towards Trustworthy Computing Platforms
  - Objectives and Primary Goals
  - Desired Primitives and the Need for Secure Hardware and Software
- Trusted Computing Group (TCG) Approach
- Security Architectures Based on Virtualization
- Selected Research and Development Projects
- Reactions to the Trusted Computing Group
  - Concerns, open source, law and politics
- Some Technical Challenges
- Summary and Outlook

Slide 3: Motivation
- How do we define "trustworthiness" in a distributed, open IT environment?
- How can we determine/verify/measure it?
- How could common computing platforms support such functionality, and what are the consequences?
(Figure: adversary)

Slide 4: Cartoon
(Figure: a memo about a Federation ship that "has a more advanced configuration: new warp drive, updated control …", captioned "Trustworthy Future …")

Slide 5: "Trustworthy Computing" (quotes from Bill Gates' email to full-time employees of Microsoft, January 2002)
- "Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new level of trustworthiness in computing."
- "…. Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony."
- "Our software should be so fundamentally secure that customers never even worry about it."
- "No Trustworthy Computing platform exists today. It is only in the context of the basic redesign we have done around"
- "Keep our customers' trust at every level -- from the way we develop software, to our support efforts, to our operational and business practices. As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable."
- "Key aspects are availability, security, and privacy"
- Trustworthiness is a much broader concept than security, and winning our customers' trust involves more than just fixing bugs

Slide 6: Trust Issues and Vocabulary (1)
- Trust is a complicated notion, studied and debated in different areas (social sciences, philosophy, psychology, computer science, …)
- In the social sciences, trust is
  - a psychological state comprising the intention to accept vulnerability based upon positive expectations of the intentions or behavior of another [RoSiBuCa98]
  - a mechanism to reduce social complexity (how we think about the world) [Luhm1979]
  - an action that involves the voluntary placement of resources (physical, financial, intellectual, or temporal) at the disposal of the trustee with no real commitment from the trustee [Cole1990]
- Trust has temporal and risk aspects

Slide 7: Trust Issues and Vocabulary (2)
- In the IT security literature
  - Trustworthiness is assurance that a system or a component will perform as expected [AvLaLaRa2004]
  - A Trusted System or component is one whose failure can break the security policy [Ande2001]
  - The number of trusted components should be minimized
- "Trusted" as defined by the Trusted Computing Group (TCG) corresponds to this notion of a trusted system

Slide 8: Complications in Distributed Applications
- Multiple parties involved
- Parties provide (require) services (resources)
- Parties have different (possibly conflicting) interests (policies)
- Parties typically distrust each other (minimal TCB)
- TCB (Trusted Computing Base)
(Figure: each party i contributes Input_i := (P_i, D_i), where P_i is its (security) policy and D_i its (secret) data, and receives a (secret) output; user and adversary are shown as parties)

Slide 9: Application Scenarios
- Sectors: E-Services; Enterprise; Commerce ((non-)enforceability of digital signature); Health (confidentiality of sensitive medical records); Government (e.g., e-voting integrity)
- Scenarios: Document and Rights Management; Outsourcing of services; Next generation mobile devices; Transfer of digital content; First sale; Fair use; Private copies; Copies among different platform types allowed; Controlled usage and distribution in Supply Chains

Slide 10: Example: Grid Computing

Slide 11: Model
- Main parties (simplified): resource providers (RP) and users (U)
- In practice more parties: middleware provider, application provider
- Currently used measures
  - Contracts, standard authentication and authorization mechanisms
  - Security measures often assume the Grid user as the potential adversary
- Problem: user-provider trust asymmetry
  - Grid users are forced to place (often unjustifiable) trust in providers
(Figure: resource providers, broker, MyProxy (credentials), user)
[LoRaSaScSt2006, MaJiMa2006]

Slide 12: Requirements
- Functional
  - Availability and correctness
  - Fail-safe, short and long term
  - Sharing resources among different Grid jobs on one platform
  - Interoperability
- Security
  - Authentication
  - Authorization
  - Privacy (regarding the underlying platform)
  - Confidentiality and integrity of data
  - Preservation of users' data
  - Accounting and billing
  - Delegation and single sign-on
  - Auditing

Slide 13: Towards Trustworthy Platforms

Slide 14: Objectives
- Main role of Trusted Computing
  - Enable reasoning about one's own and the other party's IT "trustworthiness" (systems reporting their state) … in a contractual sense
- Multilateral security [Rann1994]
  - Considers different and possibly conflicting security requirements of different parties and strives to balance these requirements
  - Refers to the (classical) security goals (confidentiality, integrity and availability)
  - A typical conflict occurs between the wish for privacy and the interest in cooperation
- Problems, main reasons [Kuhl2003, KuGe2003]
  - Insufficient protection in SW and HW of existing computing platforms
    - High complexity and poor fault isolation of operating systems
    - No secure storage
    - DMA (Direct Memory Access)
    - Malicious code (viruses, Trojan horses, …)
  - Lack of functional and protection mechanisms in hardware
  - Security unawareness of users, or security measures still not usable enough

Slide 15: Primary Goals
- Improve security of computing platforms
  - Providing the multilateral security needed for the underlying applications
  - Avoiding potential misuse of trusted computing functionalities
  - Based on different sets of assumptions and trust relations
- Allow realization of new applications/business models
- Open architecture
  - Use open standards and open source components
  - No monopoly, space for innovation (small and mid-sized companies)
  - Applicable for different OS
  - Reuse existing modules (e.g., GUI, common OS)
  - Efficient portability
- Trustworthiness/costs/reliability/compatibility

Slide 16: Desired Primitives
- Strong process isolation
- Sealed/Secure Storage
- Integrity verification (Attestation)
- Secure I/O
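The following is an added worked example, not code from the slides or from any TPM software stack. It models the chain-of-trust measurement behind two of the primitives on slide 16, integrity verification (attestation) and sealed storage, and shows what "reporting their state" on slide 14 buys a relying party such as the Grid user on slide 11, who otherwise has to trust the provider blindly. The hash chain mirrors the TPM extend operation, PCR := H(PCR || H(measurement)); everything else is an assumption for illustration: SHA-256 stands in for the SHA-1 of TPM 1.2, the quote "signature" is an HMAC under an assumed pre-shared attestation key because the Python standard library has no asymmetric signatures, the storage root key is a constant, and the boot components, nonces and the sealed secret are constructed inputs.

```python
"""
Toy model of integrity measurement, attestation and sealed storage.
Added example for this page; not the slides' code and not a real TPM stack.
Assumptions: SHA-256 instead of TPM 1.2's SHA-1, HMAC under a pre-shared key
in place of an AIK signature, constant root key, constructed boot chains.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256
PCR_INIT = b"\x00" * 32
ATTESTATION_KEY = b"assumed-shared-attestation-secret"  # stands in for the AIK private key
PLATFORM_ROOT_KEY = b"assumed-storage-root-key"          # stands in for the TPM storage root key

# constructed boot chains: identical firmware and loader, one kernel replaced
GOOD_BOOT = [b"bios-v1", b"bootloader-v3", b"kernel-4.4"]
EVIL_BOOT = [b"bios-v1", b"bootloader-v3", b"kernel-4.4-with-rootkit"]


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend. The register can only be extended, never set, so the final
    value commits to every measurement and to the order they were made in."""
    return HASH(pcr + HASH(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Chain of trust: each stage measures the next one before running it."""
    pcr = PCR_INIT
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


def quote(pcr: bytes, nonce: bytes, key: bytes = ATTESTATION_KEY) -> dict:
    """Platform side of attestation: report the PCR value bound to the verifier's nonce."""
    sig = hmac.new(key, pcr + nonce, HASH).digest()
    return {"pcr": pcr, "nonce": nonce, "sig": sig}


def verify_quote(q: dict, nonce: bytes, known_good: set, key: bytes = ATTESTATION_KEY) -> bool:
    """Verifier side (for instance a Grid user checking a resource provider).
    All three checks are required: our nonce (freshness, so an old quote of a
    good state cannot be replayed), a valid signature, and a reported state
    that is on our list of acceptable configurations."""
    if q["nonce"] != nonce:
        return False
    expected = hmac.new(key, q["pcr"] + q["nonce"], HASH).digest()
    if not hmac.compare_digest(expected, q["sig"]):
        return False
    return q["pcr"] in known_good


def _wrap_key(pcr: bytes, root_key: bytes) -> bytes:
    """Wrapping key derived from the platform root key and the PCR value."""
    return hmac.new(root_key, b"seal" + pcr, HASH).digest()


def _keystream(k: bytes, n: int) -> bytes:
    """Counter-mode keystream from a hash; toy construction, not a real AEAD."""
    return b"".join(HASH(k + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]


def seal(secret: bytes, pcr: bytes, root_key: bytes = PLATFORM_ROOT_KEY) -> bytes:
    """Sealed storage: encrypt-then-MAC under a key that only a platform in the
    same measured state can derive."""
    k = _wrap_key(pcr, root_key)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(k, len(secret))))
    return ct + hmac.new(k, ct, HASH).digest()


def unseal(blob: bytes, pcr: bytes, root_key: bytes = PLATFORM_ROOT_KEY):
    """Returns the secret, or None when the platform state (hence the key) differs."""
    k = _wrap_key(pcr, root_key)
    ct, mac = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(k, ct, HASH).digest(), mac):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k, len(ct))))


def demo() -> dict:
    """Run the whole flow once and return what a verifier would observe."""
    good, evil = measure_boot(GOOD_BOOT), measure_boot(EVIL_BOOT)
    nonce = os.urandom(16)
    accepted = verify_quote(quote(good, nonce), nonce, {good})
    rejected_rootkit = not verify_quote(quote(evil, nonce), nonce, {good})
    rejected_replay = not verify_quote(quote(good, nonce), os.urandom(16), {good})
    blob = seal(b"grid job signing key", good)
    return {
        "states_differ": good != evil,
        "accepted": accepted,
        "rejected_rootkit": rejected_rootkit,
        "rejected_replay": rejected_replay,
        "unseal_good": unseal(blob, good),
        "unseal_evil": unseal(blob, evil),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two things the slides state but the code makes concrete: the verifier never learns what ran, only a digest, so attestation by itself needs a list of known-good configurations (the privacy-versus-cooperation conflict of slide 14 shows up as the question of how much of the boot chain a provider is willing to expose); and sealing ties data to a measured state rather than to a user, so a kernel with a rootkit in it gets a different PCR value and cannot unseal, which is the property a Grid user wants for a job key handed to a remote provider.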
Recommended publications
  • "Putting Trust Into Computing: Where Does It Fit?"
    "Putting Trust Into Computing: Where Does it Fit?" Monday, February 14, 2005, 9:00 a.m. – 12:00 p.m. Copyright© 2005 Trusted Computing Group - Other names and brands are properties of their respective owners. Agenda: 09:00am Introduction, Jim Ward, IBM, TCG Board President / Chair; 09:05am Trusted Network Connect Overview, Thomas Hardjono, VeriSign; 9:45am Open Source Solutions, Dr. Dave Safford, IBM; 10:25am Writing and Using Trusted Applications, Ralph Engers, Utimaco Safeware AG; George Kastrinakis, Wave Systems; William Whyte, NTRU Cryptosystems, Inc.; 11:15am Customer Case Studies, Stacy Cannady, IBM; Manny Novoa, HP; 11:50am Q&A, Mark Schiller, HP; Jim Ward, IBM; Brian Berger, Wave Systems. Jim Ward is a Senior Technical Staff Member and security architect within the IBM software group division. Ward has been a core contributor in the security standards space and currently serves as the President and Board Chair of the Trusted Computing Group. TCG Mission: Develop and promote open, vendor-neutral, industry standard specifications for trusted computing building blocks and software interfaces across multiple platforms. TCG Organization: Board of Directors: Jim Ward, IBM, President and Chairman; Geoffrey Strongin, AMD; Mark Schiller, HP; David Riss, Intel; Steve Heil, Microsoft; Tom Tahan, Sun; Nicholas Szeto, Sony; Bob Thibadeau, Seagate; Thomas Hardjono, VeriSign. Marketing Workgroup: Brian Berger, Wave Systems. Technical Committee: Graeme Proudler, HP. Advisory Council: Invited Participants. Administration: VTM, Inc.
  • Open Source TPM Support
    Open Source TPM support. Open source application and support software for TPMs is available for several operating systems such as Linux and Android and in different programming languages, supporting the following scenarios: embedded systems; servers; mobile communication and portable devices (e.g. tablet computers or smartphones). Open source implementations can also be ported to other platforms and processors and may act as a starting point for the development of new applications. Some open source projects in the following list are supported by Infineon, while other packages are developed separately by independent parties. The following list of open source software utilizing Trusted Computing and/or TPM software makes no claim to be complete and represents a limited number of projects: 1. Linux TPM Driver ( http://www.kernel.org ): Linux device driver for Trusted Platform Modules (TPM) in the standard (vanilla) kernel. 2. I2C driver for TPM: the driver is available on Linux kernel.org ( https://lkml.org/lkml/2011/7/22/137 ). 3. Trusted GRUB ( http://sourceforge.net/projects/trustedgrub ): Trusted GRUB extends the GRUB bootloader for Linux platforms with TPM support. This makes it possible to provide a secure bootstrap architecture; the code is in general useful for initializing a Trusted Platform Module and executing integrity measurement based on Trusted Computing. 4. U-Boot based on TPM with I2C ( http://git.chromium.org/gitweb/?p=chromiumos/third_party/u-boot.git;a=tree;f=drivers/tpm/slb9635_i2c;hb=chromeos-v2011.03 ): U-Boot involving a TPM over the I2C interface. 5. The TrouSerS project ( http://sourceforge.net/projects/trousers ): an open-source TCG Software Stack implementation created and released by IBM.
  • Trusted System Concepts
    Trusted System Concepts. Marshall D. Abrams, Ph.D., Michael V. Joyce, The MITRE Corporation, 7525 Colshire Drive, McLean, VA 22102, 703-883-6938, [email protected]. This is the first of three related papers exploring how contemporary computer architecture affects security. Key issues in this changing environment, such as distributed systems and the need to support multiple access control policies, necessitate a generalization of the Trusted Computing Base paradigm. This paper develops a conceptual framework with which to address the implications of the growing reliance on Policy-Enforcing Applications in distributed environments. 1 INTRODUCTION. A significant evolution in computer software architecture has taken place over the last quarter century. The centralized time-sharing systems of the 1970s and early 1980s are rapidly being superseded by the distributed architectures of the 1990s. As an integral part of the architecture evolution, the composition of the system access control policy has changed. Instead of a single policy, the system access control policy is more likely to be a composite of several constituent policies implemented in applications that create objects and enforce their own unique access control policies. This paper first provides a survey that explains how the security community developed the accepted concepts and criteria that addressed the time-shared architectures. Second, the paper focuses on the changes currently ongoing, providing insight into the driving forces and probable directions. This paper presents contemporary thinking; it summarizes and generalizes vertical and horizontal extensions to the Trusted Computing Base (TCB) concept. While attempting to be logical and rigorous, formalism is avoided. This paper was first published in Computers & Security, Vol.
  • Inspecting Data from the Safety of Your Trusted Execution Environment
    Inspecting data from the safety of your trusted execution environment John Williams johnwwil [at] u.washington.edu June, 2015 Abstract: This paper presents a proof of concept that uses ARM TrustZone to perform introspection of a Linux kernel running in the normal world from within a secure-world system. Techniques from existing volatile-memory analysis applications are repurposed for application in real-time through asynchronous introspection of the normal world. The solution presented here leverages open-source software that is actively being developed to support additional architectures. 1 INTRODUCTION As technology becomes more prevalent in our day-to-day lives, we increasingly rely on mobile devices for both business and personal purposes. Emerging security threats, such as rootkits that can scan memory for protected PCI information, have been responsible for large-scale breaches. It has been predicted that targeted exploit kits and attack services will soon exist for mobile platforms, which could enable the exploitation of mobile devices on an unprecedented scale [1]. Techniques for mitigating such threats to mobile devices have largely evolved in parallel with industry demand for them. While some companies have indeed made progress through continued addition of product features that increase the security of devices, other companies have simply pivoted their marketing efforts to emphasize or recast certain aspects of their existing capabilities. In order to select the right products and features for protecting sensitive data and activities, effective segmentation is key. While segmentation within devices has traditionally been implemented at the operating system level, in recent years architectural modification at the chip level has emerged as a way to provide hard segmentation between execution environments.
  • Leveraging ARM Trustzone and Verifiable Computing to Provide Auditable Mobile Functions Nuno O
    Leveraging ARM TrustZone and Verifiable Computing to Provide Auditable Mobile Functions. Nuno O. Duarte, INESC-ID / IST, University of Lisbon, [email protected]; Sileshi Demesie Yalew, KTH Royal Institute of Technology, [email protected]; Nuno Santos, INESC-ID / IST, University of Lisbon, [email protected]; Miguel Correia, INESC-ID / IST, University of Lisbon, [email protected]. ABSTRACT. The increase of personal data on mobile devices has been followed by legislation that forces service providers to process and maintain users' data under strict data protection policies. In this paper, we propose a new primitive for mobile applications called auditable mobile function (AMF) to help service providers enforcing such policies by enabling them to process sensitive data within users' devices and collecting proofs of function execution integrity. We present SafeChecker, a computation verification system that provides mobile application support for AMFs, and evaluate the practicality of different usage scenario AMFs on TrustZone-enabled hardware. 1 INTRODUCTION. For over 30 years [5], an important problem that has fascinated the research community is about trusting the result of computations performed on untrusted platforms. Since the advent of cloud computing, this interest has further grown in obtaining proofs of code execution on untrusted clouds. An approach to address this problem that has garnered particular attention is verifiable computing. At a high level, verifiable computing consists of studying how a prover can convince a verifier of a mathematical assertion. The main obstacle faced by this field has been practicality, as the costs of computing and verifying proofs over general computations tend to be very high [21].
  • Multiple Stakeholder Model Revision 3.40
    Multiple Stakeholder Model. TCG Reference document, Family "2.0", Level 00, Revision 3.40, 2 May 2016. Contact: [email protected]. TCG PUBLISHED. Copyright © 2012-2016 Trusted Computing Group, Incorporated. Disclaimer: THIS REFERENCE DOCUMENT IS PROVIDED "AS IS" WITH NO WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OUT OF ANY PROPOSAL, WHITE PAPER, OR SAMPLE. Without limitation, TCG disclaims all liability, including liability for infringement of any proprietary rights, relating to use of information in this reference document, and TCG disclaims all liability for cost of procurement of substitute goods or services, lost profits, loss of use, loss of data or any incidental, consequential, direct, indirect, or special damages, whether under contract, tort, warranty or otherwise, arising in any way out of use or reliance upon this document or any information herein. No license, express or implied, by estoppel or otherwise, to any TCG or TCG member intellectual property rights is granted herein. Contact the Trusted Computing Group at www.trustedcomputinggroup.org for information on TCG licensing through membership agreements. Any marks and brands contained herein are the property of their respective owners. Acknowledgments: The TCG wishes to thank all those who contributed to this reference document. Ronald Aigner, Microsoft; Bo Bjerrum, Intel Corporation; Alec Brusilovsky, InterDigital Communications, LLC; David Challener, Johns Hopkins University, Applied Physics Lab; Michael Chan, Samsung Semiconductor Inc.
  • Trusted Computing
    Grazer Linux Tag 2006, Linux Powered Trusted Computing. DI Martin Pirker <[email protected]>, DI Thomas Winkler <[email protected]>. GLT 2006 - Trusted Live Linux - Martin Pirker + Thomas Winkler, IAIK TU Graz. Overview: Introduction and motivation; Trusted Computing: history; TPM chips: hardware, function and applications; Chain of Trust; Cryptographic keys and key management; Identities; Attestation; Virtualization; State of affairs under Linux: drivers, middleware, applications. Introduction: the relevant media are full of reports about security problems; there are constantly new initiatives to solve these problems; one approach: Trusted Computing from the Trusted Computing Group (TCG); it offers the possibility to determine which software is running on a computer; it is meant to increase trust in computers. Motivation (1/2): several million computers with TPMs have been shipped to date; who in the audience already has a TPM in their computer? who knows what it can do and uses it? Motivation (2/2): many unclear and partly one-sided media reports; the next Microsoft operating system is supposed to support Trusted Computing; what are the prospects in the open source area? Goals of the talk: which technologies are behind Trusted Computing? understanding the interactions and consequences; application(s) and benefits in the open source area. Trusted Computing - Organisation: originally TCPA, Trusted Computing Platform Alliance; now TCG, Trusted Computing Group; leading positions (Promoters): AMD, HP, IBM, Infineon, Intel, Lenovo, Microsoft, Sun; graded levels of membership down to academic observers (e.g.
  • Trusted Computing Serving an Anonymity Service
    Trusted Computing Serving an Anonymity Service. Alexander Böttcher, Bernhard Kauer, Hermann Härtig, Technische Universität Dresden, Department of Computer Science, Operating Systems Group, {boettcher, kauer, haertig}@os.inf.tu-dresden.de. Abstract: We leveraged trusted computing technology to counteract certain insider attacks. Furthermore, we show with one of the rare server based scenarios that an anonymity service can profit from trusted computing. We based our design on the Nizza Architecture [14] with its small kernel and minimal multi-server OS. We even avoided Nizza's legacy container and got a much smaller, robust and hopefully more secure system, since we believe that minimizing the trusted computing base is an essential requirement for trust into software. 1 Introduction: Anonymity while using the Internet is widely considered a legitimate and - for many use cases - essential requirement […] [15] in the authors' group, will show. An unknown criminal to be investigated was supposed to use an anonymity service. The police and later on the German Federal Bureau of Criminal Investigation (FBCI) required to investigate a criminal that uses a known URL. In order to enable criminal prosecution by a given warrant the software was extended to log connection data [6, 5]. This function of the anonymity software [3] was used only with a warrant but without directly notifying the users. After the warrant was reversed the FBCI showed up with a delivery warrant for a log record (which were later on reversed illegal [4]), first at the institute and later on at the institute's director's private home. This incident shows a whole class of attacks on the anonymity and more general every computing service. Vendors and providers under constraint can reveal the service because of insider knowledge and physical access to those services.
  • The Nizza Secure-System Architecture
    Appears in the proceedings of CollaborateCom 2005, San Jose, CA, USA. The Nizza Secure-System Architecture. Hermann Härtig, Michael Hohmuth, Norman Feske, Christian Helmuth, Adam Lackorzynski, Frank Mehnert, Michael Peter, Technische Universität Dresden, Institute for System Architecture, D-01062 Dresden, Germany, [email protected]. Abstract: The trusted computing bases (TCBs) of applications running on today's commodity operating systems have become extremely large. This paper presents an architecture that allows to build applications with a much smaller TCB. It is based on a kernelized architecture and on the reuse of legacy software using trusted wrappers. We discuss the design principles, the architecture and some components, and a number of usage examples. 1 Introduction: Desktop and hand-held computers are used for many functions, often in parallel, some of which are security […] rely on a standard OS (including the kernel) to assure their security properties. To address the conflicting requirements of complete functionality and the protection of security-sensitive data, researchers have devised system architectures that reduce the system's TCB by running kernels in untrusted mode in a secure compartment on top of a small security kernel; security-sensitive services run alongside the OS in isolated compartments of their own. This architecture is widely referred to as kernelized standard OS or kernelized system. In this paper, we describe Nizza, a new kernelized-system architecture. In the design of Nizza, we set out to answer the question of how small the TCB can be made. We have argued in previous work that the (hardware and software) technologies needed to build small secure-system platforms have become much more mature since earlier attempts [8].
  • TRUSTED COMPUTING GROUP (TCG) TIMELINE February 2011
    TRUSTED COMPUTING GROUP (TCG) TIMELINE February 2011 2003 Trusted Computing Group is announced with membership of 14 companies, including Promoters and board members AMD, Hewlett-Packard, IBM, Intel Corporation, Microsoft, Sony Corporation and Sun Microsystems, Inc. TCG structure and vision are created to enable extension of trusted computing beyond the PC into the enterprise. TCG adopts existing specifications for the Trusted Platform Module (TPM) security chip for clients and publishes as an open industry specification. 2004 TCG announces the Trusted Platform Module (TPM) specification 1.2. Manufacturers begin shipping a variety of enterprise desktop and notebook PCs equipped with TPMs and software to enable applications including data and file encryption, secure email, single sign-on, storage of certificates and passwords and other applications. Members begin participating in work groups to address security in mobile devices, storage, servers, peripherals and infrastructure requirements. TCG also announces the Trusted Network Connect (TNC) subgroup to work on an open specification for network access control and endpoint integrity and the addition of almost 30 new members to focus on the effort. Group starts to define requirements and use cases for an open specification. Membership expands to 98 companies by end of the year, with participation broadening beyond semiconductor and client companies to software developers, networking and storage companies. The group initiates an advisory council of leading IT, privacy, finance and security industry experts. The group also begins a liaison program with other industry standards groups and begins a mentoring program for those researchers and academic institutions doing research on trusted computing and related topics. 2005 The group expands its board of directors.
  • Reducing TCB Size by Using Untrusted Components — Small Kernels Versus Virtual-Machine Monitors
    To be published in Proceedings of the 11th ACM SIGOPS European Workshop, Leuven, Belgium, 2004. Reducing TCB size by using untrusted components — small kernels versus virtual-machine monitors. Michael Hohmuth, Michael Peter, Hermann Härtig, Technische Universität Dresden, Department of Computer Science, Operating Systems Group, {hohmuth,peter,haertig}@os.inf.tu-dresden.de; Jonathan S. Shapiro, Johns Hopkins University, Department of Computer Science, Systems Research Laboratory, [email protected]. Abstract: Secure systems are best built on top of a small trusted operating system: The smaller the operating system, the easier it can be assured or verified for correctness. In this paper, we oppose the view that virtual-machine monitors (VMMs) are the smallest systems that provide secure isolation because they have been specifically designed to provide little more than this property. The problem with this assertion is that VMMs typically do not support inter-process communication, complicating the use of untrusted components inside a secure system. We propose extending traditional VMMs with features for […] such as message passing and memory sharing, the overall size of the TCB (which includes all components an application relies on) can actually be reduced for a large class of applications. Another assumption we address in this paper is that all components on which an application has operational dependencies must be in this application's TCB. This presumption leads to the unnecessary inclusion of many (protocol and device) drivers into the TCB. The basic idea for reducing TCB size is to extract system components from the TCB and consider them as untrusted without violating the security requirements of user applications.
  • Trusted Computer System Evaluation Criteria
    DoD 5200.28-STD. Supersedes CSC-STD-001-83, dtd 15 Aug 83. Library No. S225,711. DEPARTMENT OF DEFENSE STANDARD. DEPARTMENT OF DEFENSE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA. DECEMBER 1985. December 26, 1985. FOREWORD. This publication, DoD 5200.28-STD, "Department of Defense Trusted Computer System Evaluation Criteria," is issued under the authority of and in accordance with DoD Directive 5200.28, "Security Requirements for Automatic Data Processing (ADP) Systems," and in furtherance of responsibilities assigned by DoD Directive 5215.1, "Computer Security Evaluation Center." Its purpose is to provide technical hardware/firmware/software security criteria and associated technical evaluation methodologies in support of the overall ADP system security policy, evaluation and approval/accreditation responsibilities promulgated by DoD Directive 5200.28. The provisions of this document apply to the Office of the Secretary of Defense (OSD), the Military Departments, the Organization of the Joint Chiefs of Staff, the Unified and Specified Commands, the Defense Agencies and activities administratively supported by OSD (hereafter called "DoD Components"). This publication is effective immediately and is mandatory for use by all DoD Components in carrying out ADP system technical security evaluation activities applicable to the processing and storage of classified and other sensitive DoD information and applications as set forth herein. Recommendations for revisions to this publication are encouraged and will be reviewed biannually by the National Computer Security Center through a formal review process. Address all proposals for revision through appropriate channels to: National Computer Security Center, Attention: Chief, Computer Security Standards. DoD Components may obtain copies of this publication through their own publications channels.