1 / Ahmad-Reza Sadeghi, ©HGI 2006 Challenges for Trusted Computing Trusted for Challenges Horst Görtz Horst security It for Institute Ruhr-University Bochum Ruhr-University [email protected] CHES, Yokohama 2006 Yokohama CHES, Ahmad-Reza Sadeghi Ahmad-Reza 2 / Ahmad-Reza Sadeghi, ©HGI 2006 o o o o o o o o Summary and Outlook and Summary Some Technical Challenges Technical Some Reactions to the Trusted Computing Group Computing Trusted the to Reactions Selected Research and Development Projects Projects Development and Research Selected Security Architectures Based on Virtualization on Based Architectures Security Trusted Computing Group (TCG) Approach (TCG) Group Computing Trusted Towards Trustworthy Computing Platforms Computing Trustworthy Towards Motivation Motivation o o o o o Concerns, open source, law and politics and law source, open Concerns, Software Desired Primitives and the Need for Secure Hardware and and Hardware Secure for Need the and Primitives Desired Objectives and Primary Goals Primary and Objectives Complications in Distributed Application Distributed in Complications Trust Issues and Vocabulary and Issues Trust Content Content Content Content 3 / Ahmad-Reza Sadeghi, ©HGI 2006 o How could common computing platforms support such support oplatforms computing common could How o How can we determine/verify/measure it? odetermine/verify/measure we can How o open IT environment? environment? IT open functionality and what are the consequences? the are what and functionality How do we define „trustwo define we do How Motivation Motivation Adversary Adversary rthiness“distributed a in 4 / Ahmad-Reza Sadeghi, ©HGI 2006 -control…. updated drive, warp New -configuration advanced more a Has -ship Federation Object: Object: → Trustworthy Trustworthy Future Future … … . 6 0 0 2 I AA MemoMemo …….... G H © , i h g e d o”Trustworthy Computing is the highest priority for all the work we are doing. We a S must lead the industry to a whole new level of trustworthiness in computing” a z e R - d a o “…. Trustworthy Computing is computing that is as available, reliable and m h secure as electricity, water services and telephony.” A / 5 o“Our software should be so fundamentally secure that customers never even worry about it.” o “No Trustworthy Computing platform exists today. It is only in the context of the basic redesign we have done around” o ”Keep our customers' trust at every level -- from the way we develop software, to our support efforts, to our operational and business practices. As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable.” o“Key aspects are availability, security, and privacy“ o Trustworthiness is a much broader concept than security, and winning our customers' trust involves more than just fixing bugs Bill Gates’ email on full-time employees of MS, January 2002 6 / Ahmad-Reza Sadeghi, ©HGI 2006 oIn oIn o psychology, computer science,…) science,…) computer psychology, in different areas (social-sciences, philosophy, philosophy, (social-sciences, areas different in Trust: Trust: oaspects risk has and temporal oan oan oa oa oa Trust Issues and Vocabulary (1) Vocabulary and Issues Trust Trust Issues and Vocabulary (1) Vocabulary and Issues Trust commitment from the trustee [Cole1990] trustee the from commitment temporal) at the disposal of the trustee with no real real no with trustee the of disposal the at temporal) resources (physical, financial, intellectual, or or intellectual, financial, (physical, resources think about the world) [Luhm1979] world) the about think of the intentions or behavior of another [RoSiBuCa98] another of behavior or intentions the of accept vulnerability based upon positive expectations expectations positive upon based vulnerability accept Social Sciences Social mechanism psychological state psychological action Complicated notion studied and debated debated and studied notion Complicated that involves the voluntary placement of of placement voluntary the involves that to reduce social complexity (how we we (how complexity social reduce to , trust is trust , comprising the intention to to intention the comprising 7 / Ahmad-Reza Sadeghi, ©HGI 2006 oIn oIn o oa Trust Issues and Vocabulary (2) Vocabulary and Issues Trust Trust Issues and Vocabulary (2) Vocabulary and Issues Trust [AvLaLaRa2004] or a component will perform as expected expected as perform will component a or Trustworthiness Trustworthiness [Ande2001] whose failure can break the security policy policy security the break can failure whose IT security literature security IT o“Trusted” to Trusted Corresponds by defined as o Number of trusted components should be be should ocomponents trusted of Number Trusted System Trusted Computing Group (TCG) Group Computing minimized minimized is assurance that a system system a that assurance is or component is one one is component or 6 0 0 2 Complications in Distributed Applications I Complications in Distributed Applications G H © , i h g e d a S Input :=(P , D ) a i i i z e R - d a o Multiple parties involved P : (Security) policy m i h A / D : (Secret) data O i 8 o Provide (require) services i (resources) (Secret) o Have different (possibly output conflicting) interests (policies) o Typically distrust each other (minimal TCB) o TCB (Trusted Computing Base) User Adversary 9 / Ahmad-Reza Sadeghi, ©HGI 2006 odevices mobile generation Next oservices of Outsourcing oManagement Document and Rights o E-Services oFirst sale sale oFirst oFair use oFair o Enterprise osignature) digital of ((Non)-enforceability Commerce orecords) medical sensitive of (confidentiality Health o integrity) e-Voting (e.g., Government ocontent digital of Transfer oallowed types platform different among Copies ocopies Private o Chains Supply in distribution and usage Controlled Application Scenarios Application Application Scenarios Application 10 / Ahmad-Reza Sadeghi, ©HGI 2006 Example: Grid Computing Grid Example: Example: Grid Computing Grid Example: 11 / Ahmad-Reza Sadeghi, ©HGI 2006 o o o o Currently used measures used Currently Problem: User-provider trust asymmetry asymmetry trust User-provider Problem: In practice more parties: Middleware provider, application provider application provider, Middleware parties: more practice In Main parties (simplified): resour (simplified): parties Main oauthenticati standard Contracts, o assume often measures Security o(often place to forced users Grid Provider Resource Resource Provider Resource Resource (credentials) MyProxy (credentials) MyProxy Model Model Model Model on and authorization mechanisms authorization and on , unjustifiable) trust on providers on trust unjustifiable) , ce providers (RP) and users (U) users and (RP) providers ce Grid user as potential adversary potential as user Grid Broker Broker [LoRaSaScSt2006, MaJiMa2006] [LoRaSaScSt2006, User User 12 / Ahmad-Reza Sadeghi, ©HGI 2006 o o o Availability and correctness correctness and Availability Security Security Functional Functional oterm long and short Fail-safe o Authorization o Authentication oplatform) underlying (regarding Privacy odata of integrity and Confidentiality obilling and Accounting oon sign single and Delegation o Auditing o Interoperability oplatform one on jobs Grid different among resources Sharing Requirements Requirements preservation of users data users of preservation 13 / Ahmad-Reza Sadeghi, ©HGI 2006 Towards Trustworthy Platforms Trustworthy Towards Towards Trustworthy Platforms Trustworthy Towards 14 / Ahmad-Reza Sadeghi, ©HGI 2006 o o o Main Role of Trusted Computing Computing Trusted of Role Main Problems Multilateral Security Multilateral o …sense contractual in o “trustworthiness”IT the other’s about and own of reasoning the Enable oreasons Main oplatforms computing existing of HW and SW in protection Insufficient o in interest the and privacy for wish the between occurs conflict Typical ointegrity (confidentiality, goals availability) and security (classical) to Refers o of requirements security conflicting possibly and different Considers system (reporting their state) their (reporting system cooperation different parties and strives to balance these requirements these balance to strives and parties different osecu or users of unawareness Security oprotec and functional of Lack osystems operating of isolation fault poor and complexity High ostorage secure No oAccess) Memory (Direct DMA o…) horses, Trojan (viruses, code Malicious [Rann1994] Objectives Objectives tion mechanisms in hardware in mechanisms tion [Kuhl2003, KuGe2003] [Kuhl2003, rity measures still not useable enough useable not still measures rity 15 / Ahmad-Reza Sadeghi, ©HGI 2006 omodels applications/business new of realization Allow oportability Efficient o architecture Open oOS different for Applicable o modules existing Reuse oplatforms computing of security Improve orelations trust and assumptions of sets different on Based otr of misuse potential Avoiding oapplications underlying for needed security multilateral Providing o Trustworthiness/costs/reliability/compatibility o components source open and standards open Use o mid-sized and (small innovation for space monopoly, No oOS common GUI, e.g., companies) Primary Goals Primary Primary Goals Primary usted computing functionalities computing usted 16 / Ahmad-Reza Sadeghi, ©HGI 2006 o o o o Secure I/O Secure Strong process isolation process Strong Sealed/Secure Storage Storage Sealed/Secure Integrity verification (Attestation) (Attestation) verification Integrity