TheTrustedComputing-Coulditbe…SATAN_

1、The Trusted Computing - Could it be. SATAN?Yall remember the Church Lady, right?Bruce PottergdeadDont Believe Anything I SayDo not believe in anything simply because you have heard it. Do not believe in anything simply because it is spoken and rumored by many. Do not believe in anything simply becau

2、se it is found written in your religious books. Do not believe in anything merely on the authority of your teachers and elders. Do not believe in traditions because they have been handed down for many generations. But after observation and analysis, when you find that anything agrees with reason and

3、 is conducive to the good and benefit of one and all, then accept it and live up to it.” - BuddhaBy Day, Senior Associate for Booz Allen HamiltonBy Night, Founder of The Shmoo Group and restorer of hopeless Swedish carsOverview -Two things to accomplish Make the case for trusted computingWhile dodgi

4、ng the beer bottles being thrown at meDemonstrate the TPM on a MacBookRelease some codeSprinkle in some good arguments, and weve got ourselves a partyA Brief History of InfoSecFor at least 50 years, weve been trying to solve the information security problemHowever, at the same time, the problem keep

5、s getting more complexIn the meantime, its made security a profitable and sustainable industry (funny what happens when you chase an impossible dream)Current InfoSec TrendsDefense in Depth The core problem is currently unsolvable So why not throw a giant pile of bandaids at itWith a slick phrase lik

6、e “defense in depth” it even sounds responsibleAccess to systems = Access to dataBoot disks are amazing thingsDavid Hulton et al have even taken malicious slave devices to a new levelTransactions are trusted at a network levelEnd to end security only exists in controlled environmentsSo, How Did We G

7、et Here?The roadmap for secure systems is described in Butler Lampsons “Protection” paper/lampson/09-Protection/WebPage.html“The original motivation for putting protection mechanisms into computer systems was to keep one users malice or error from harming other users. Harm can be inflicted in severa

8、l ways:1.By destroying or modifying another users data.2.By reading or copying another users data without permission.3.By degrading the service another user gets” (sounds pretty good, even though this was 1971)The paper goes on to describe (basically) multilevel security, the need for hardware secur

9、ity to enforce data separation, and object-based access control (again, pretty good for 1971)Guesses on when this was written?“Another major problem is the fact that there are growing pressures to interlink separate but related computer systems into increasingly complex networks”“Underlying most cur

10、rent users problems is the fact that contemporary commercially available hardware and operating systems do no provide adequate support for computer security”“In addition to the experience of accidental disclosure, there has also been a number of successful penetrations of systems where the security

11、was added on or claimed from fixing all known bugs in the operating system. The success of the penetrations, for the most part, has resulted from the inability of the system to adequately isolate a malicious user, and from inadequate access control mechanisms built into the operating system”Computer

12、 Security Technology Planning Study - October 1972, Electronic Systems Division, Air ForceThe Search for the Holy Grail (MLS)The road is littered with corpses/faculty/resmith/r/mls/m2assurance.html has some examplesSome not so surprising results:Operating systems are complicatedSoftware developers d

13、ont know how to write secure codeWithout a piece of trusted hardware onto which you can layer security assertions, the best you can do it a layered defense aka: “defense in depth”DRM UsesFast Forward 2000ishDigital Rights Management emerges on the sceneContent is King. Or so the saying goesDRM is a

14、mechanism for cryptographically protecting the rights of the content creatorMicrosoft is including DRM-like capability into Office to prevent unauthorized sharing of dataDRM is not perfectCan be subverted easily when it is software onlyEven hardware-based systems can be subverted, especially when th

15、eyre badly designed (Thanks DVD Jon)Controlling Music and Video DistributionRestricting email from being forwardedLimiting software use to registered usersLimiting software use to specific hardwarePre-release media distributionGuess what? DRM is CoolAccording to a recent survey, iPods are cooler tha

16、n beerApple made DRM sexy and coolThe iPod begat ITMSITMS was made possible because Apple came up with a rights management scheme that the content providers could deal with at a $1 a popIn Feb 2006, the 1 billionth song was downloaded from ITMS1 billion songs means people things ITMS is coolThrough

17、transitivity, Apple made DRM coolWhat does Apple have to do with Trusted Hardware?orFunny You Should AskApple just made trusted hardware sexy and cool (And you didnt even realize)Enter the MacBook ProWhen Apple switched to Intel, the developed Rosetta an emulator that dynamically translates PPC opco

18、des to x86Apple is using the TPM to protect Rosetta from starting unless the TPM is thereEnsures Apple proprietary SW only runs on Apple HWMaxxuss repeatedly bypassed this protectionLegacy PPCAppApp Translated to x86RosettaIntelProcessorTPMTCG Focus AreasBacking up a StepThe Trusted Computing GroupU

19、sed to be the Trusted Computing Platform AllianceAn industry group (read: you have to buy your way in) that sets standards for trusted computing systems and architecturesUsed to be focused soley on the development of a trusted piece of hardware (TPM)Now has broader scope, including networks, servers

20、, storage, mobility applications, and software APIs135 Members, including most of the Big Boys InfrastructureMobile DevicesPC ClientServerSoftware StackStorageTrusted Network ConnectTrusted Platform ModuleTCG on PrivacyFrom /faq/What has the TCG done to preserve p

21、rivacy?TCG believes that privacy is a necessary element of a trusted system. The system owner has ultimate control and permissions over private information and must opt-in to utilize the TCG subsystem. Integrity metrics can be reported by the TCG subsystem but the specification will not restrict the

22、 choice and options of the owner preserving openness and the ability of the owner to choose. The TCG specification will support privacy principles in a number of ways:The owner controls personalization.The owner controls the trust relationship.The system provides private object storage and digital s

23、ignature capability.Private personalization information is never exposed.Owner keys are encrypted prior to transmission.It is also important to know what the solutions are not:They are not global identifiers.They are not personalized before user interaction.They are not fixed functionsthey can be di

24、sabled permanently.They are not controlled by others (only the owner controls them). controls them).Trusted Platform ModuleChips manufactured by a variety of manufacturesAssured cryptographic operationsTrusted keystoreIntegrity attestationThe TPM, on its own, does not do anythingHigher level systems

25、 (boot managers, operating systems, applications) must use the TPM to do somethingThe TPM spec says that the user _must have_ the ability to turn of the TPM chipThat means the user always has control of their deviceHowever, that doesnt mean that all software will still workInside a TPM ChipNVRAMPlat

26、form Configuration Register (PCR)AttestationIdentityKey (AIK)ProgramCodeRNGSHA-1EngineKeyGenRSAEngineOpt-in(StateMgt)ExecEngineI/O and Comms BusPCR - Sets of information that is unique to the host (manufactures, serial #s, peripherals, etc)AIK - Internal keys used to identify and authenticate the TP

27、M to off-chip entitiesInteracting with the TPMRequest-response model, very similar to smartcardsApplicationTrusted Software StackTPMLibrary callor socketReturn valueTPM DriverDatagram sent0 x00c10 x0000000c0 x000000990 x01Datagram sent0 x00c40 x0000000a0 x00000000High-level Breakdown of TPM Commands

28、AdminInitializing, startup, state saving, self testOpt-in / OwnershipDisable/enable, taking ownership, clearing the chipKey MgtCreate, export, and import keysCryptoBind (encrypt using non-exportable key), sign, seal (Bind + PCR data), sealed sign, hash, and RNGSession ManagementCreating, saving, and

29、 loading contexts, transport managementOthersUpgrades, delegation, NVRAM managementExamining the Apple TPMAll Intel-based Macs make use of an Infineon TPMNo real interface from Apple to examine/use TPM chipBut never fear, weve got code to examine the TPM/MacBook TPM Access ArchitectureUbuntu (modifi

30、ed to boot on a mac byM and customized by The Shmoo Group)Infineon TPM v1.1 (IFX0101)Custom AppsLibtpm (from IBM)tpm-utilstcsdDemo of TPM softwareA live CD for accessing the TPM on a MacBook is available at /It is a bit rough around the edges, but it works (pretty much) right out of t

31、he gateTrusted Network ConnectRather than solving the entire problem from the beginning, TCG is taking baby stepsNetwork access is a problem in nearly every enterpriseAccessing the network should involve three parties authenticating themselves; the user, the users device, and the infrastructureOften

32、times, the device does not strongly authenticate itselfWith a TPM, a device can have a unique cryptographic key to authenticate itself to the infrastructureTNC is basically 802.1xJuniper and others already have solutionsCouple TNC with patching policies, and you can really put a dent in internal net

33、work security issuesOther Capabilities Enabledby Trusted ComputingData at Rest securityVista has the ability to use a TPM for key storage and implements a ecure container (ie: an encrypted file that is protected by the TPM) called BitLockerCan be done on any platform (why doesnt DiskUtility in OS X

34、use the TPM on the Intel-based boxes?)Crypto APINo more confusion if an algorithm is implemented properlyRemote AttestationThe ability to tell a remote system about the local system with some assuranceBasically, you can attest to the integrity or configuration of a machine and cryptographically sign

35、 the whole thingTrusted BootTPM-Secure Boot Loader-Signed kernel-Signed Drivers -Signed Applications (NOTE: Signed != secure) Types of AttestationAttestation by the TPMProves that the TPM is active and knows some secretAttestation to the platformProves the endpoint can be trusted to report its integ

36、rityAttestation of the platformReporting of the integrity of the endpointAuthentication of the platformBasically, this is device authentication (using a secret to authenticate to a network, etc)So. First, the BadOpportunities abound for loss of control content stored on your computerFailed hardware,

37、 systems upgrades have the potential to cause havoc with protected softwareSealed data may become unusableUsers suddenly need to deal with key material backup issuesBecause we all back up our hard drives already, right?Operating system vendors may get territorialFor instance, Windows Genuine Advanta

38、ge could be configured to not upgrade if non-MS approve software is installed (unlikely, but possible)The GoodTrusted boot can make a big dent in controlling malicious code in the enterpriseHost integrity monitoring can become host integrity enforcement (like the migration from IDS to IPS only it wi

39、ll actually work)Trusted network access will tie the security and integrity of an endpoint to the authority to access the networkThe ability to really protect mobile media and other data at rest situationsThe UglyThe distrust of many in the security community is interfering with making productive us

40、e of the TPMHard to see the forest for the treesAlso, the trusted computing represents a massive shift in risks, threats, and operations no small pill for the security community to swallowWhile Vista has TPM “support” the developer interface is not documented enough to be usefulOS X does not provide

41、 ANY public interfaces to the TPMMost chips in deployment are v1.1 Vista wants 1.2Ubiquitous deployment of 1.2 is “only” 3 or so years awayWhere Trusted Computing is GoingTrusted computing is going to happenMany systems shipping with TPMs already just not much software that supports itHUGE capability for InfoSec Even if we dont reach the holy grail of MLS, there are still many positive featuresHowever, if all we do is focus on the privacy concerns and dont figure out a way to use trusted computing to build more secure software, well fail