CS155, Spring 2013

Trusted Computing
Dan Boneh

Background
TCG consortium. Founded in 1999. Lots of companies.
Goals: Hardware protected (encrypted) storage: Only authorized software can decrypt data e.g.: protecting key for decrypting file system only authorized software can boot Attestation: Prove to remote server what software started on my machine.
Dan Boneh

TCG: changes to the PC

Extra hardware: Trusted Platform Module (TPM) chip
(33Mhz)

TPM Chip vendors: (~.3$) Atmel, Infineon, Broadcom, STMicro, Intel INTC0102 Software changes: Hardware layer: BIOS, EFI (UEFI) Software: OS and apps

Dan Boneh

TPMs in the real world

TPMs widely available on laptops, desktops and some servers

Software using TPMs:

File/disk encryption: BitLocker, IBM, HP, Sophos Attestation for enterprise login: Cognizance, Wave Client-side single sign on: IBM, Wave

Dan Boneh

This lecture
What is the TPM?

How it is being used for disk encryption

How Windows 8 plans to use it for securing the boot environment

Dan Boneh

Trusted Computing

What is the TPM?

Dan Boneh

Components on TPM chip

Non Volatile Storage
(> 1280 bytes)
I/O

PCR Registers
(16 registers)

Other Junk

Crypto Engine: RSA, SHA1, HMAC, RNG

RSA: 1024, 2048 bit modulus
Dan Boneh

SHA1: Outputs 20 byte digest

Non-volatile storage
1. Endorsement Key (EK) (2048-bit RSA) Created at manufacturing time. Cannot be changed. Used for attestation (described later) 2. Storage Root Key (SRK) (2048-bit RSA) Used for encrypted storage. Created after running TPM_TakeOwnership( OwnerPassword, ) Can be cleared later with TPM_ForceClear from BIOS
3. OwnerPassword (160 bits) and persistent flags

Private: EK, SRK, and OwnerPwd never leave the TPM

Dan Boneh

PCR: the heart of the matter

PCR: Platform Configuration Registers Many PCR registers on chip (at least 16) Contents: 20-byte SHA1 digest (+junk)
Updating PCR #n : TPM_Extend(n,D): PCR[n] SHA1 ( PCR[n] TPM_PcrRead(n): returns value(PCR(n))

ll

D )

PCRs initialized to default value (e.g. 0) at boot time

Dan Boneh

Using PCRs: the TCG boot process

On power-up: TPM receives a TPM_Init signal from LPC bus.
BIOS boot block executes: Calls TPM_Startup (ST_CLEAR) to initialize PCRs to 0 [can only be called once after TPM_Init] Calls PCR_Extend( n, <BIOS code> ) Then loads and runs BIOS post boot code

(SRTM)

BIOS executes: Calls PCR_Extend( n, <MBR code> ) Then runs MBR (master boot record), e.g. GRUB.
MBR executes: Calls PCR_Extend( n, <OS loader code, config> ) Then runs OS loader and so on

Dan Boneh

In a diagram
Hardware

BIOS boot block

Root of trust in integrity measurement

BIOS

OS loader

OS

Application

TPM
Root of trust in integrity reporting

measuring Extend PCR

After boot, PCRs contain hash chains of booted software

Collision resistance of SHA1 (?) ensures commitment
Dan Boneh

Example: Trusted GRUB

Credit: IBM 2005

PCR # to use and what to measure is specified in GRUB config file

Dan Boneh

The main point

After boot completes, PCR registers measure the entire software stack that booted on the machine: BIOS and hardware configuration Boot loader and its configuration

Operating system
Running apps

Dan Boneh

What would go wrong if TPM_Startup (ST_CLEAR)

could be called at any time after boot?

Malicious OS could reset PCRs post-boot and then set them to a valid OS hash. PCRs would then look as if valid OS loaded.

Dan Boneh

TPM Counters
TPM must support at least four hardware counters Increment rate: every 5 seconds for 7 years. Applications: Provide time stamps on blobs. Supports music will pay for 30 days policy.

Dan Boneh

Trusted Computing Using PCRs after boot

Dan Boneh

Using PCRs after boot

Application: encrypted (a.k.a sealed) storage.
Setup step 1: TPM_TakeOwnership( OwnerPassword, ) Creates 2048-bit RSA Storage Root Key (SRK) on TPM Cannot run TPM_TakeOwnership again without OwnerPwd: Ownership Enabled Flag False Done once by IT department or laptop owner. (optional) Step 2: TPM_CreateWrapKey / TPM_LoadKey Create more RSA keys on TPM protected by SRK Each key identified by 32-bit keyhandle
Dan Boneh

Implementing Protected Storage

TPM_Seal: Encrypt data using RSA key on TPM.
keyhandle: which TPM key to encrypt with KeyAuth: Password for using key `keyhandle PcrValues: PCRs to embed in encrypted blob (named by PCR num.) data block: at most 256 bytes [e.g. an AES key] Returns encrypted blob. Main point: blob can only be decrypted with TPM_Unseal when PCR-reg-vals = PCR-vals in blob. TPM_Unseal fails othrwise
Dan Boneh

(some) Arguments:

Protected Storage
Embedding PCR values in blob ensures that only specific apps can decrypt data. Changing MBR or OS kernel will change PCR values data cannot be decrypted

Dan Boneh

Sealed storage: applications

Lock software on machine: Suppose OS and apps are sealed with MBRs PCR value Any changes to MBR will prevent sealed OS from loading Prevents modifying or inspecting OS (or loading other OS) Web server: seal servers SSL private key Goal: only unmodified Apache can access SSL key Problem: updates to Apache or Apache config
Dan Boneh

Example: BitLocker drive encryption

tpm.msc: utility to manage TPM (e.g TakeOwnership) Auto generates 160-bit OwnerPassword Stored on TPM and in file computer_name.tpm Volume Master Key (VMK) encrypts disk volume key VMK is sealed (encrypted) under TPM SRK using BIOS, extensions, and optional ROM (PCR 0 and 2) Master boot record (MBR) (PCR 4)

NTFS Boot Sector and block (PCR 8 and 9)

NTFS Boot Manager (PCR 10), and BitLocker Access Control (PCR 11)
Dan Boneh

BitLocker
Many options for VMK recovery: disk, USB, paper (enc. with pwd) Recovery needed after legitimate system change: Moving disk to a new computer Replacing system board containing TPM Clearing TPM (with TPM_ForceClear) At system boot (before OS boot) Optional: OS loader requests PIN or USB key from user TPM unseals VMK, only if PCR and PIN are correct
Dan Boneh

Suppose BIOS code is updated by a firmware update. How would the system enable access to blobs previously sealed to current BIOS version?

Patch process must re-seal all blobs with new PCR values

Dan Boneh

Trusted Computing

Security?

Dan Boneh

Security?
then extend PCRs arbitrarily Harder in TPM 1.2 due to locality

[Kauer 2007]

Attack 1: reset TPM after boot with a wire Connect LRESET pin to ground -- mimics TPM_Init on LPC bus

Attack 2: block TPM until after boot, then extend PCRs arbitrarily Root of trust: BIOS boot block resets PCRs (calls TPM_Startup) Defeated with one byte change to BIOS boot block !!
Dan Boneh

Better root of trust

DRTM Dynamic Root of Trust Measurement AMD: skinit Intel: senter Atomically does: Reset CPU. Reset PCR 17 to 0. Load the given Secure Loader (SL) code into I-cache (locked) Extend PCR 17 with SL Jump to SL BIOS boot loader is no longer root of trust. Processor microcode is. Avoids TPM_Init attack: TPM_Init sets PCR 17 to -1
Dan Boneh

Other problems
Roll-back attack on encrypted blobs Example: undo security patches without being noticed.

Can be mitigated using Data Integrity Regs. (DIR) Need OwnerPassword to write DIR, anyone can read Stored in NV-RAM

Dan Boneh

Trusted Computing

Attestation

Dan Boneh

Attestation: what it does

Goal: prove to remote party what software loaded on my machine
Good applications: Bank allows money transfer only if customers machine runs up-to-date OS patches Enterprise allows laptop to connect to its network only if laptop runs authorized software Gamers can join network only if their game client is unmodified

DRM:

MusicStore sells content for authorized players only.

Dan Boneh

Attestation: how it works

Recall: EK private key on TPM. Cert for EK public-key issued by TPM vendor. Step 1: Create Attestation Identity Key (AIK) Details not important here AIK Private key known only to TPM AIK public cert issued only if EK cert is valid

Dan Boneh

Attestation: how it works

Step 2: sign PCR values (after boot) with TPM_Quote. Arguments:
keyhandle: which AIK key to sign with KeyAuth: Password for using key `keyhandle PCR List: Which PCRs to sign. Challenge: 20-byte challenge from remote server
Prevents replay of old signatures.

Userdata: additional data to include in sig.

Returns signed data and signature.

Dan Boneh

Attestation: how it works

Attestation Request (20-byte challenge)
App Generate pub/priv key pair TPM_Quote(AIK, PcrList, chal, pub-key) Obtain cert (SSL) Key Exchange using Cert Communicate with app using SSL tunnel

Validate:
1.
2.

Cert issuer,
PCR vals in cert Remote Server

OS
TPM

PC

Attestation typically includes key-exchange App must be isolated from rest of system

Dan Boneh

What would go wrong if communication between app. and server were done in the clear?

User can reboot machine after attestation and run arbitrary software pretending to be app.

Dan Boneh

Trusted Computing

Using Attestation

Dan Boneh

Attesting to VMs: Terra

[GPCRB03]

TVMM Provides isolation between attested applications sample app: secure login into a corporate network
Dan Boneh

Nexus OS

(Sirer et al. 06)

Problem: attesting to hashed application/kernel code Too many possible software configurations
Better approach: attesting to properties Example: application never writes to disk Nexus OS: General attestation statements: TPM says that it booted Nexus, Nexus says that it ran checker with hash X, checker says that isolation domain A has property P
Dan Boneh

EFF: Owner Override

TCG attestation: The good: enables user to prove to remote bank that machine is up-to-date The bad: content owners can release decryption key only to machines running authorized software. Stifles innovation in player design
EFF: allow users to inject chosen values into PCRs. Enables users to conceal changes to their computing environment Defeats malicious software changes to computing platform
Dan Boneh

TCG Alternatives
IBM 4758: Supports all TCG functionality and more. Tamper resistant 486 100MhZ PCI co-processor but expensive ~ $2000. TPM ~ $7.
AEGIS System: Arbaugh, Farber, Smith 97: Secure boot with BIOS changes only. Cannot support sealed storage. SWATT: Seshadri et al., 2004 Attestation w/o extra hardware Server must know precise HW configuration
Dan Boneh

Trusted Computing

Attestation: challenges
Dan Boneh

1. Attesting to Current State

Attestation only attests to what code was loaded.

Does not say whether running code has been compromised. Problem: what if Quake vulnerability exploited after attestation took place?
Can we attest to the current state of a running system? or is there a better way?
Dan Boneh

2. Encrypted viruses
Suppose malicious music file exploits bug in video player. Video file is encrypted. TCG prevents anyone from getting video file in the clear. Can anti-virus companies study virus without seeing its code in the clear? How would you solve this?
Dan Boneh

3. TPM Compromise
Suppose one TPM Endorsement Private Key is exposed

Destroys all attestation infrastructure: Embed private EK in TPM emulator. Now, can attest to anything without running it.
Certificate Revocation is critical for TCG Attestation.

Dan Boneh

Trusted Computing

Window 8 / UEFI trusted boot

Dan Boneh

Pre-boot attacks: attacking firmware

BIOS: test and init hardware. Then launch OS bootloader. BIOS code stored (compressed) on EEPROM or Flash updateable User settings persisted to CMOS
UEFI: modern version of BIOS more modular and extensible Includes new secure boot provisions (Apr. 2011, ch. 27) Why attack BIOS/UEFI: Attacks are OS independent, can be persistent and hard to clean BIOS/UEFI runs before any defenses (e.g. antivirus)
Dan Boneh

Pre-boot attacks: attacking firmware

History of BIOS/EFI malware:
CIH (1998): CIH virus corrupts system BIOS Heasman (2007): abuse System Management Mode (SMM) via EFI Sacco, Ortega (2009): infect BIOS LZH decompressor CoreBOOT: generic BIOS flashing tool
(see CanSecWest09 presentation)

Dan Boneh

Pre-boot attacks: attacking the bootloader

Traditional BIOS boot process:
BIOS OS bootloader (e.g. GRUB) OS start

BIOS will start any bootloader: no authentication Example: Stoned Bootkit. Can be used to steal volume dec. pwd. UEFI 2.3.1 verifies bootloader digital signature:
UEFI

verified bootloader

OS start
Dan Boneh

In more detail
UEFI
(1) only load modules signed by a properly certified key (2) consult revocation list, ignore sigs by revoked keys
vendor sig
vendor sig vendor sig optional ROM #1

optional ROM #2
Windows OS loader

Computer manufacturer places signed firmware modules in Flash prior to shipping machine, including OS loader Vendors update modules by signing them with certified keys
Dan Boneh

Verified boot can be disabled by user

Samsung tablet with Windows 8 Developer Preview.

credit: Steven Sinofsky

Why is this needed?

(answer on next slide)

Dan Boneh

Complaints
How do users install Linux? method 1: user disables verified boot and then install Linux method 2: Linux distro. asks every PC manufacturer to include its signing key in the UEFI KEK database method 3: (Fedora) get Microsoft to sign Fedoras KEK Manufacturer can control what HW devices are allowed: User cannot install signed optional ROMs from other vendors
2013: AMIs UEFI signing key leaked (Ivy Bridge)
Dan Boneh

The next arena: early kernel boot

Rootkit registers as a boot-start driver Win kernel will run rootkit after kernel boots Problem: race condition with anti-malware software Rootkit might start early and evade anti-malware Example (Win7/64): TDL4 rootkit (July 2010) Infects MBR to disable Win/64 driver code signature check
(will be prevented by UEFI verified boot)

Then Win kernel loads infected kdcom.dll before anti-malware

Dan Boneh

Defense 1: Windows 8 ELAM

UEFI boot Win 8 loader Win 8 kernel

ELAM: early launch anti malware

ensures anti-malware starts early Win 8: signed policy file instructs kernel to load ELAM early

Dan Boneh

Defense 2: Win 8 measured boot

UEFI OS loader kernel init post OS boot ELAM boot drivers

ELAM: checks pre-ELAM PCRs Checks subsequent boot drivers Disallow network access if remote attestation fails.

pre-OS measurement

login
post-login

TPM

ELAM

Validate boot PCRs

remote attestation server

Dan Boneh

ELAM and measured boot

If ELAM finds rootkits: calls Tbsi_Revoke_Attestation(); Messes up PCR[12]: extends it by an unspecified value disables blob decryption and attestation Note: w/o remote attestation server, if rootkit can evade ELAM it can still take control of machine.

Dan Boneh

THE END

Dan Boneh