
Enhancing Security in Distributed Systems with Trusted Computing Hardware

by Jason Reid
Bachelor of Commerce, UQ Australia 1994
Master of Information Technology, QUT Australia 1999

Thesis submitted in accordance with the regulations for the Degree of Doctor of Philosophy
Information Security Institute
Queensland University of Technology
2007

Keywords

Trusted computing, trusted computing hardware, trusted systems, operating system security, distributed systems security, smart card, security evaluation, tamper resistance, distance bounding protocol, side channel leakage, electronic cash, electronic health records, role-based access control.

Abstract

The need to increase the hostile attack resilience of distributed and internetworked computer systems is critical and pressing. This thesis contributes to concrete improvements in distributed systems trustworthiness through an enhanced understanding of a technical approach known as trusted computing hardware. Because of its physical and logical protection features, trusted computing hardware can reliably enforce a security policy in a threat model where the authorised user is untrusted or when the device is placed in a hostile environment.

We present a critical analysis of vulnerabilities in current systems, and argue that current industry-driven trusted computing initiatives will fail in efforts to retrofit security into inherently flawed operating system designs, since there is no substitute for a sound protection architecture grounded in hardware-enforced domain isolation. In doing so we identify the limitations of hardware-based approaches. We argue that the current emphasis of these programs does not give sufficient weight to the role that operating system security plays in overall system security.

New processor features that provide hardware support for virtualisation will contribute more to practical security improvement because they will allow multiple operating systems to concurrently share the same processor. New operating systems that implement a sound protection architecture can thus be introduced to support applications with stringent security requirements. These can coexist alongside inherently less secure mainstream operating systems, allowing a gradual migration to less vulnerable alternatives.

We examine the effectiveness of the ITSEC and Common Criteria evaluation and certification schemes as a basis for establishing assurance in trusted computing hardware. Based on a survey of smart card certifications, we contend that the practice of artificially limiting the scope of an evaluation in order to gain a higher assurance rating is quite common. Due to a general lack of understanding in the marketplace as to how the schemes work, high evaluation assurance levels are confused with a general notion of ‘high security strength’. Vendors invest little effort in correcting the misconception since they benefit from it, and this has arguably undermined the value of the whole certification process.

We contribute practical techniques for securing personal trusted hardware devices against a type of attack known as a relay attack. Our method is based on a novel application of a phenomenon known as side channel leakage, heretofore considered exclusively as a security vulnerability. We exploit the low latency of side channel information transfer to deliver a communication channel with timing resolution that is fine enough to detect sophisticated relay attacks. We avoid the cost and complexity associated with alternative communication techniques suggested in previous proposals. We also propose the first terrorist attack resistant distance bounding protocol that is efficient enough to be implemented on resource constrained devices.
We propose a design for a privacy sensitive electronic cash scheme that leverages the confidentiality and integrity protection features of trusted computing hardware. We specify the command set and message structures and implement these in a prototype that uses Dallas Semiconductor iButtons.

We consider the access control requirements for a national scale electronic health records system of the type that Australia is currently developing. We argue that an access control model capable of supporting explicit denial of privileges is required to ensure that consumers maintain their right to grant or withhold consent to disclosure of their sensitive health information in an electronic system. Finding this feature absent in standard role-based access control models, we propose a modification to role-based access control that supports policy constructs of this type. Explicit denial is difficult to enforce in a large scale system without an active central authority, but centralisation impacts negatively on system scalability. We show how the unique properties of trusted computing hardware can address this problem. We outline a conceptual architecture for an electronic health records access control system that leverages hardware level CPU virtualisation, trusted platform modules, personal cryptographic tokens and secure coprocessors to implement role based cryptographic access control. We argue that the design delivers important scalability benefits because it enables access control decisions to be made and enforced locally on a user’s computing platform in a reliable way.

Contents

Keywords
Abstract
List of Abbreviations
Declaration
Previously Published Material
Acknowledgements

1 Introduction & overview
  1.1 Aims and objectives
  1.2 Outline of the thesis
  1.3 Contributions and achievements
2 Background
  2.1 Introduction
  2.2 Assets: threats and vulnerabilities
  2.3 What is trusted computing hardware?
    2.3.1 Tamper resistance
    2.3.2 Tamper detection and response
    2.3.3 Hardware types
  2.4 Attack methods
  2.5 Security services provided by trusted computing hardware
    2.5.1 Data confidentiality
    2.5.2 Code confidentiality
    2.5.3 Data integrity
    2.5.4 Code integrity
    2.5.5 Confidentiality and integrity - authentication
    2.5.6 Availability
  2.6 Applications
  2.7 Conclusion
3 Trusted computing and trusted systems
  3.1 Introduction
  3.2 Vulnerabilities in distributed computing infrastructure
  3.3 Trusted systems
    3.3.1 Historical background and context
    3.3.2 Properties of trusted systems
  3.4 Protection architecture flaws in mainstream operating systems
    3.4.1 No least privilege or MAC
    3.4.2 Lack of assurance
    3.4.3 Memory architecture - no reference monitor
    3.4.4 Trustworthiness of mainstream operating systems
    3.4.5 Trusted Operating Systems
    3.4.6 Trusted systems - barriers to adoption
  3.5 TCG Scheme - description
    3.5.1 Key features
    3.5.2 The trusted computing controversy
    3.5.3 Background and relationship to prior work
    3.5.4 TCG trusted platform module
    3.5.5 Integrity measurement and reporting
    3.5.6 Protected storage
    3.5.7 Sealed storage
  3.6 Analysis of TCG remote attestation and privacy model
    3.6.1 Identity credentials
    3.6.2 Credential revocation requirements
    3.6.3 Minimising the trust on the privacy CA
  3.7 Integrating TCG with mainstream operating systems
    3.7.1 DRM case study introduction
    3.7.2 Relevance of trusted systems to DRM
    3.7.3 Policy enforcement on a DRM client platform
    3.7.4 Maintaining integrity assurance
    3.7.5 Privacy impacts
  3.8 Next Generation Secure Computing Base (NGSCB)
    3.8.1 NGSCB and virtual machine monitors
    3.8.2 Trusted systems properties of NGSCB
    3.8.3 Microsoft delays NGSCB
    3.8.4 The significance of virtual machine technology
  3.9 Conclusion
4 Certification - Trusted and Trustworthy?
  4.1 Introduction
  4.2 How certification works
    4.2.1 ITSEC
    4.2.2 The Common Criteria
    4.2.3 FIPS 140
  4.3 A survey of smart card certifications
    4.3.1 Mondex - E6 High or EAL 1 Low
    4.3.2 Justification for a MULTOS High SoM
    4.3.3 Motivations to exclude hardware from the TOE
  4.4 Evaluation by composition
  4.5 Conclusion
5 Side channel leakage
  5.1 Introduction
  5.2 Attacking trusted hardware with side channel analysis
    5.2.1 CMOS power consumption and side channel leakage
    5.2.2 A correlation power analysis attack on DES
    5.2.3 Current practical significance of power analysis attacks
  5.3 Applying side channel leakage to distance bounding protocols
    5.3.1 Introduction to relay attacks and distance bounding
    5.3.2 Distance-bounding protocols
    5.3.3 Hancke and Kuhn’s distance-bounding protocol
    5.3.4 New distance-bounding protocol
  5.4 Security of new protocol
    5.4.1 Comparison with existing schemes
    5.4.2 Communications requirements for distance bounding
    5.4.3 Timing resolution for relay attack detection
    5.4.4 Timing resolution for contactless card communication
    5.4.5 A new approach to low latency communication
    5.4.6 Experimental results
    5.4.7 Investigations into modulation latency
  5.5 Conclusion
6 An electronic cash scheme based on trusted computing hardware
  6.1 Introduction
  6.2 Background and design issues
    6.2.1 Desirable scheme properties
    6.2.2 Common approaches to representing electronic value
  6.3 Outline of the proposed scheme
    6.3.1 Left cash
    6.3.2 Right cash
  6.4 Scheme design and implementation
    6.4.1 Overview and design principles
    6.4.2 Payment protocol
    6.4.3 Fraud and counterfeit detection
    6.4.4 Non-repudiation
    6.4.5 Public key authentication framework
    6.4.6 Timing of left for right exchange
    6.4.7 Divisible instruments allow linking
    6.4.8 Summary
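The abstract argues that grant-only role-based access control cannot express a consumer's decision to withhold consent for one particular record, which is why the thesis proposes a modification supporting explicit denial. The following Python is an added illustration of that argument, not the thesis's own model or code: it contrasts plain RBAC with a hypothetical deny-overrides extension, and every user, role and record name in it is constructed.

```python
# Added example (not code from the thesis): a toy policy evaluator that
# contrasts standard, grant-only RBAC with a hypothetical deny-overrides
# extension, illustrating why withholding consent to disclosure of a single
# health record cannot be expressed with roles alone. All names are constructed.
from dataclasses import dataclass, field

@dataclass
class Record:
    record_id: int
    record_type: str  # e.g. "ehr"

@dataclass
class Policy:
    # Standard RBAC state: users hold roles, roles carry (action, type) grants.
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    role_perms: dict[str, set[tuple[str, str]]] = field(default_factory=dict)
    # Hypothetical extension: consumer-set denials of (user, action, record_id).
    denials: set[tuple[str, str, int]] = field(default_factory=set)

def rbac_allows(policy: Policy, user: str, action: str, rec: Record) -> bool:
    """Standard RBAC: permission is the union of the user's role grants.
    Grants are keyed by record *type*, so there is no way to say
    'every clinician may read EHRs, except Dr Jones for record 42'."""
    return any((action, rec.record_type) in policy.role_perms.get(role, set())
               for role in policy.user_roles.get(user, set()))

def rbac_with_denial(policy: Policy, user: str, action: str, rec: Record) -> bool:
    """Deny-overrides evaluation: an explicit denial recorded by the record's
    owner wins over every role grant, however many roles the user holds."""
    if (user, action, rec.record_id) in policy.denials:
        return False
    return rbac_allows(policy, user, action, rec)

def build_demo_policy() -> Policy:
    """Constructed scenario: two clinicians, one record, one withheld consent."""
    p = Policy()
    p.role_perms["clinician"] = {("read", "ehr")}
    p.user_roles["dr_smith"] = {"clinician"}
    p.user_roles["dr_jones"] = {"clinician", "ward_admin"}  # extra role cannot help
    p.denials.add(("dr_jones", "read", 42))  # consumer withholds consent
    return p

RECORD_42 = Record(42, "ehr")

if __name__ == "__main__":
    p = build_demo_policy()
    for user in ("dr_smith", "dr_jones"):
        print(user, "plain RBAC:", rbac_allows(p, user, "read", RECORD_42),
              "with denial:", rbac_with_denial(p, user, "read", RECORD_42))
```

Plain RBAC grants dr_jones access to record 42 despite the withheld consent, because a role can only add permissions; the deny-overrides evaluator refuses that one access while leaving dr_jones's access to other records and dr_smith's access untouched.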