Bootstrapping Trust in a “Trusted” Platform
Bryan Parno, Carnegie Mellon University, November 11, 2008


Page 1: Bootstrapping Trust in a “Trusted” Platform

Bootstrapping Trust in a “Trusted” Platform

Carnegie Mellon University

November 11, 2008

Bryan Parno

Page 2: Bootstrapping Trust in a “Trusted” Platform


A Travel Story

Page 3: Bootstrapping Trust in a “Trusted” Platform


Do you trust…

• A kiosk computer?

• A friend’s computer?

• A relative’s computer?

• Your own computer?

Without trust, you cannot…

• Check your email

• Pay bills

• Privately surf the web

• …

How do we bootstrap trust in a computer?

Page 4: Bootstrapping Trust in a “Trusted” Platform

Assumptions

• User has a trusted, mobile device

• User trusts someone to vouch for the physical security of the computer

Page 5: Bootstrapping Trust in a “Trusted” Platform

Bootstrapping Trust

(Diagram: Physical Security, Trusted Hardware, Trusted Software)

Page 6: Bootstrapping Trust in a “Trusted” Platform

Trusted Software Using Flicker

(Diagram: CPU, RAM, TPM, Chipset; DMA Devices (Network, Disk, USB, etc.); OS; App, App1 …; SS; Shim)

Page 7: Bootstrapping Trust in a “Trusted” Platform

Flicker’s Properties

• Isolate security-sensitive code execution from all other code and devices

• Attest to security-sensitive code and its arguments and nothing else

• Convince a remote party that security-sensitive code was protected

• Add < 250 LoC to the software TCB

(Diagram: Shim, SS, Software TCB < 250 LoC)

All relies on bootstrapping trust!

(Diagram: Physical Security, Trusted Hardware, Trusted Software)

Page 8: Bootstrapping Trust in a “Trusted” Platform


Outline

• Introduction

• Background

• The Cuckoo Attack

• Potential Solutions

• Conclusions

Page 9: Bootstrapping Trust in a “Trusted” Platform


TPM Background

• The Trusted Platform Module (TPM) is a dedicated security chip

• Contains a public/private keypair {KPub, KPriv}

• Contains a certificate indicating that KPub belongs to a legitimate TPM

• Not tamper-resistant!

Page 10: Bootstrapping Trust in a “Trusted” Platform

Bootstrapping Trust with a TPM

(Diagram: Hardware: TPM with PCRs and KPriv; Software: BIOS, Boot Loader, OS Kernel (conf, Module 1, Module 2), Apps (App 1, App 2))

Page 11: Bootstrapping Trust in a “Trusted” Platform

Bootstrapping Trust with a TPM

(Diagram: the software stack from the previous slide, the TPM with PCRs and KPriv, and the exchange below)

• Verifier sends: Nonce (guarantees freshness)

• TPM replies: Sign( ), KPriv with the Nonce inside, together with KPub (guarantees the key originated from a real TPM)

• TPM attests to the software

• Trustworthy!

Page 12: Bootstrapping Trust in a “Trusted” Platform


Outline

• Introduction

• Background

• The Cuckoo Attack

• Potential Solutions

• Conclusions

Page 13: Bootstrapping Trust in a “Trusted” Platform

The Cuckoo Attack

(Diagram: the same exchange, but two TPMs, each holding its own KPriv, can answer the Nonce with Sign( ), KPriv and KPub; every check still passes: guarantees freshness, guarantees key originated from a real TPM, TPM attests to the software, Trustworthy!)

Page 14: Bootstrapping Trust in a “Trusted” Platform

What went wrong?

• An attestation says that a TPM vouches for a software state, but not which TPM

(Diagram: two indistinguishable attestations, each Sign( ), KPriv with Nonce and KPub)

Page 15: Bootstrapping Trust in a “Trusted” Platform

Analyzing the Attack

• Paper develops a logical framework for bootstrapping trust

– Allows precise characterization of the attack

• Framework identifies which solutions work, and which do not

Page 16: Bootstrapping Trust in a “Trusted” Platform

Potential Solutions

• Remove the network

• Trust the computer

• Detect timing deviations

• Make late-launch data available

• Add a special-purpose button

• Employ SiB

• Employ camera-less SiB

• Trust the BIOS

• Trust a third party

• Use an existing interface

• Use a special-purpose interface

Analyze which work, and which don’t

Identify pros and cons of each

Page 17: Bootstrapping Trust in a “Trusted” Platform

An Invalid Solution

(Diagram: KPriv; Sign( ), KPriv with Nonce and KPub; marked “HW Violation!”)

Page 18: Bootstrapping Trust in a “Trusted” Platform

High-Level Goal

• Establish a secure channel to the local TPM

– Channel must provide authenticity & integrity

• We can instantiate the channel via:

– Cryptography

– Hardware

Page 19: Bootstrapping Trust in a “Trusted” Platform

Cryptographic Secure Channels

(Diagram: KPriv; SHA-1(KPub); camera…; vision…)

• Requires authentic public key (or shared secret)

• Use Seeing-is-Believing (SiB) [McCune et al., ‘05]

– Place a barcode on the PC encoding the TPM’s public key

• Trust the BIOS

– Reboot and trust BIOS to output public key via existing interface
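As an added illustration (not code from the talk or the paper), a toy Python model of the attestation exchange on slides 11 to 14 and of the Seeing-is-Believing check on this slide: a verifier that only checks the nonce and the manufacturer certificate accepts a quote relayed from any genuine TPM, while one that also compares SHA-1(KPub) against the barcode read off the local machine rejects it. The TPMs, the PCR strings, the certified-key set and the barcode value are constructed placeholders, and textbook RSA with small constructed primes stands in for a real TPM key.

```python
import hashlib
from math import isqrt

def next_prime(n):
    """Trial division; fine for the constructed toy-sized moduli used here."""
    while any(n % d == 0 for d in range(2, isqrt(n) + 1)):
        n += 1
    return n

def sha1_int(nonce, pcrs, n):
    # SHA-1(nonce || PCRs) as an integer below the modulus
    return int.from_bytes(hashlib.sha1(nonce + pcrs.encode()).digest(), "big") % n

class ToyTPM:
    """Stand-in for a TPM: textbook-RSA keypair (constructed) and PCR contents."""
    def __init__(self, seed, pcrs):
        p, q = next_prime(seed), next_prime(seed + 1000)
        self.n, self.e, self.pcrs = p * q, 65537, pcrs
        self.d = pow(self.e, -1, (p - 1) * (q - 1))   # KPriv
        self.kpub = (self.n, self.e)
    def quote(self, nonce):
        """Attestation: Sign(nonce, PCRs) under KPriv, returned with KPub."""
        return self.kpub, self.pcrs, pow(sha1_int(nonce, self.pcrs, self.n), self.d, self.n)

def sib_barcode(kpub):
    """What the barcode on the PC encodes: SHA-1(KPub)."""
    return hashlib.sha1(f"{kpub[0]}:{kpub[1]}".encode()).hexdigest()

def bootstrap_trust(nonce, quote, certified_keys, good_pcrs, local_barcode=None):
    """Verifier on the user's mobile device; returns its decision as a string."""
    kpub, pcrs, sig = quote
    n, e = kpub
    if kpub not in certified_keys:                  # key must come from a real TPM
        return "reject: uncertified key"
    if pow(sig, e, n) != sha1_int(nonce, pcrs, n):  # freshness + attested software
        return "reject: bad signature"
    if local_barcode is not None and sib_barcode(kpub) != local_barcode:
        return "reject: genuine TPM, but not the one in this machine"
    return "trust" if pcrs == good_pcrs else "untrusted software"

# Constructed scenario: the PC in front of the user is compromised but relays the
# nonce to a second, healthy machine that has its own genuine TPM (the cuckoo).
GOOD, BAD = "pcr:clean-kernel", "pcr:rootkit"
local_tpm, remote_tpm = ToyTPM(1_000_000, BAD), ToyTPM(2_000_000, GOOD)
CERTIFIED = {local_tpm.kpub, remote_tpm.kpub}

def cuckoo_unbound(nonce=b"nonce-1"):      # slide-11 checks alone: fooled
    return bootstrap_trust(nonce, remote_tpm.quote(nonce), CERTIFIED, GOOD)

def cuckoo_with_sib(nonce=b"nonce-1"):     # plus the barcode check: caught
    return bootstrap_trust(nonce, remote_tpm.quote(nonce), CERTIFIED, GOOD,
                           local_barcode=sib_barcode(local_tpm.kpub))
```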

Page 20: Bootstrapping Trust in a “Trusted” Platform

Hardware Secure Channels

• Reuse an existing interface

– Existing interfaces do not support direct communication with the TPM

• Add a special-purpose interface

– Reduces opportunities for user error

– Makes manufacturers unhappy

Page 21: Bootstrapping Trust in a “Trusted” Platform

Choosing a Solution

• After analyzing 10 potential solutions, none is entirely satisfactory

• Preferred solutions:

– Short-term: Seeing-is-Believing

– Long-term: Special-purpose Interface

Page 22: Bootstrapping Trust in a “Trusted” Platform

Related Work

• Device Pairing

– Typically assumes both devices are trusted

• Kiosk Computing [Garriss et al., ‘08]

– Even more difficult, since hardware integrity may not be guaranteed

• Secure Object Identification [Alkassar et al., ‘03], [Brands & Chaum ‘94]

– Solutions inappropriate to TPM setting

Page 23: Bootstrapping Trust in a “Trusted” Platform


Conclusions

• Trust in your local computer is critical

• Due to the cuckoo attack, current techniques cannot bootstrap trust

• Changes are needed to make useful security guarantees