CS598STK Terra

Views:
 
Category: Entertainment
     
 

Presentation Description

No description available.

Comments

Presentation Transcript

Slashdot Treat: 

Slashdot Treat

Terra: A Virtual Machine-Based Platform for Trusted Computing: 

Terra: A Virtual Machine-Based Platform for Trusted Computing Tal Garfinkel, Ben Pfaff, Jim Chow, Mendel Rosenblum, Dan Boneh (Stanford) SOSP’03 Presented by: Michael LeMay

Introduction: 

Introduction

Outline: 

Outline

Standard Operating Systems: 

Standard Operating Systems

Closed-Box Platforms: 

Closed-Box Platforms

Example Closed Boxes: 

Example Closed Boxes

What is a closed-box, really?: 

What is a closed-box, really?

Terra Objectives: 

Terra Objectives

Realization: 

Realization

Terra Architecture: 

Terra Architecture

Trusted Platform Module: 

Trusted Platform Module

TPM Interconnection: 

TPM Interconnection

TPM 1.0 Components: 

14 TPM 1.0 Components TCG 1.0 Architecture Overview

Credential Types: 

15 Credential Types TPM contains 5 types of credentials: Important: Endorsement or EK credential: uniquely identifies TPM, privacy concern Identity or AIK credential: Issued by privacy CA to preserve privacy of EK credential Not-so-important: Conformance credential: Certifies that TPM meets specifications Platform credential: Identifies TPM manufacturer and capabilities Validation credential: Associated with peripheral or software to guarantee integrity

Threat Model: 

Threat Model

Remote Attestation: 

Remote Attestation

Linux Integrity Measurement: 

Linux Integrity Measurement

Linux Attestation: 

Linux Attestation

Linux Verification: 

Linux Verification

Terra Attestation Process: 

Terra Attestation Process

TVMM Attestation (cont.): 

TVMM Attestation (cont.)

Attestation Verification: 

Attestation Verification

Attestation Binding: 

Attestation Binding

Attestation Limitations: 

Attestation Limitations

Policy-Reduced Integrity Measurement Architecture: 

Policy-Reduced Integrity Measurement Architecture JaegerSS 2006

Attestation Limitations (cont.): 

Attestation Limitations (cont.)

Attestation Limitations (cont.): 

Attestation Limitations (cont.)

Attestation Limitations (cont.): 

Attestation Limitations (cont.)

Attestation Limitations (cont.): 

Attestation Limitations (cont.)

Attestation Limitations (cont.): 

Attestation Limitations (cont.)

Management VM: 

Management VM

Driver Security: 

Driver Security

Security-Enhanced Xen: 

Security-Enhanced Xen

Security-Enhanced Xen (cont.): 

Security-Enhanced Xen (cont.) http://www.xensource.com/files/xs0106_intel_xen_security.pdf, http://www.xensource.com/files/XenSecurity_SHand.pdf

TPM Virtualization: 

TPM Virtualization http://www.xensource.com/files/XenSecurity_Intel_CRozas.pdf

Intel LaGrande: 

Intel LaGrande

Intel Trusted Execution Technology (TET): 

Intel Trusted Execution Technology (TET) http://www.intel.com/technology/security/downloads/arch-overview.pdf

TET System Architecture: 

TET System Architecture

TET System Implementation: 

TET System Implementation http://download.intel.com/technology/security/downloads/31516803.pdf

ARM TrustZone: 

ARM TrustZone http://www.arm.com/products/esd/trustzone_home.html

Microsoft NGSCB: 

42 Microsoft NGSCB Microsoft, AMD, HP, IBM, Infineon, Intel, Sun, … all members of TCG Uses TPM to partition system into two parts: Nexus and L.H.S. NCAs: Nexus Comput- ing Agents Only two compartments

NGSCB Architecture – WinHEC 2004: 

43 NGSCB Architecture – WinHEC 2004 Windows Owns most HW Only real-time OS Security benefits via scenarios Compartments are Windows-based Significantly reduced footprint Strongly Isolated, hardened and armored Secure device ownership Nexus or service compartments Great device diversity Thousands of drivers MLOC Little device diversity Only a few drivers KLOC Biddle, 2004

Additional Questions: 

Additional Questions

Additional Questions (cont.): 

Additional Questions (cont.)

Conclusion: 

Conclusion

APPENDICES: 

APPENDICES

Attested Meter: 

48 Attested Meter Distributed Energy Resource management Demand Reducation/Load Management Automated Meter Reading/Real Time Pricing

Problem: 

49 Problem For real-time pricing to work, power company has to know exactly how much power was used by each customer at each point in time Could be privacy problem User should be able to access consumer portal software on meter from local network We’re taking a closed-box platform, a meter, and adding an isolated open-box application Same thing suggested by Ravinder for Xbox

Attested Meter Architecture: 

Attested Meter Architecture

Motivating Applications: 

Motivating Applications

Trusted Access Point: 

Trusted Access Point

High-Assurance Terminals: 

High-Assurance Terminals

Isolated Monitors: 

Isolated Monitors

Virtual Secure Coprocessors: 

Virtual Secure Coprocessors

Trusted Quake: 

Trusted Quake

SECURITY REQUIREMENTS: 

SECURITY REQUIREMENTS

Root Security: 

Root Security

Remote Attestation: 

Remote Attestation

Trusted Path: 

Trusted Path

PROPERTIES OF COMMODITY SYSTEMS: 

PROPERTIES OF COMMODITY SYSTEMS

Implications of Characteristics: 

Implications of Characteristics

TERRA DESIGN: 

TERRA DESIGN

TVMM Attestation: 

64 VM TVMM Attestation Each layer of software has a keypair Lower layers certify higher layers Enables attestation of entire stack Hardware (TPM) Firmware Operating System Application Bootloader TVMM (Terra) Hash of Attestable Data Higher Public Key Other Application Data Signed by Lower Level Certificate Layers

HARDWARE SUPPORT: 

HARDWARE SUPPORT

Required Hardware: 

Required Hardware TPM

Required Hardware (cont.): 

Required Hardware (cont.)

Required Hardware (cont.): 

Required Hardware (cont.)

TCG Layers: 

69 TCG Layers http://trousers.sourceforge.net

TPM 1.2: 

TPM 1.2 Next Try TCG 1.2: Trustworthy or Treacherous? (warning: conspiratorial)

Opposition: 

71 Opposition Trusted Computing has many opponents, because it considers the computer operator to be a potential attacker: EFF: Trust Computing: Promise and Risk Against-TCPA LAFKON - A movie about Trusted Computing And, a rebuttal: TCPA Misinformation Rebuttal and Linux drivers

Credential Relationships: 

Credential Relationships DevID Relationship to TPM

Credential Relationships (cont.): 

Credential Relationships (cont.)

TERRA IMPLEMENTATION: 

TERRA IMPLEMENTATION

Basic Implementation: 

Basic Implementation

Implementation Performance: 

Implementation Performance

SAMPLE APPLICATIONS - REVISITED: 

SAMPLE APPLICATIONS - REVISITED

Trusted Access Points: 

78 Trusted Access Points VPN client can be implemented as closed-box VM and distributed to visitors when they first connect to a regulated network VM can attest to VPN gateway that it is operating properly, and will enforce intended traffic regulations

TAP Benefits: 

79 TAP Benefits Prevents source forgery: TAP can reliably check all outgoing packets Prevents DoS attacks: TAP can block DoS attacks at their source, before they even reach the network Scalability: Clients enforce regulations on their own traffic Network Scalability: TAP can perform local vulnerability scan on host before permitting it to connect

Example #1: 

80 Example #1 Online gaming: Quake Players often modify Quake to provide additional capabilities to their characters, or otherwise cheat Quake can be transformed into a closed-box VM and distributed to players Remote attestation shows that it is unmodified Very little performance degradation Covert channels remain, such as frame rate statistics

Trusted Quake Assurances: 

81 Trusted Quake Assurances Secure Communication: VM can’t be inspected, so shared key can be embedded in VM image to protect network communication Any software can be reverse engineered, so is this a good idea? Client Integrity: maps and media files are protected from modification on client Server Integrity: Bad clients can’t connect

Trusted Quake Weaknesses: 

82 Trusted Quake Weaknesses Bugs and Undesirable Features: Rendered polygon OSD permits prediction of impending character appearances Network DoS Attacks: Terra does nothing in this regard Out-of-Band Collusion: Players can still communicate if they’re sitting together in a basement or using IM

ANALYSIS: 

ANALYSIS

Advantages of Terra: 

Advantages of Terra

Limitations of Terra: 

Limitations of Terra

RELATED WORK: 

RELATED WORK

authorStream Live Help