Page 1: Establishing the Genuinity of Remote Computer Systems

Establishing the Genuinity of Remote Computer Systems

Rick Kennell & Leah H. Jamieson (Purdue University)

Presented by Sai R. Ganti and Sujan B. Pakala

Page 2

Layout
• Introduction and problem definition
• Tests of genuinity (of the remote system)
  - Software genuinity
  - Hardware genuinity (µP genuinity)
  - Combined genuinity
• Establishing genuinity via an insecure network
• Potential attacks (simulators and hardware attacks)
• Implementation
• Related work
• Conclusion

Page 3

Introduction
• For most real-world objects, non-destructive measures can be used to establish their genuinity.
• Not so for a programmable computer system, because of its dynamic nature.
• A computer system could be modified or reprogrammed when the location of the system changes.
• The genuinity of such a system needs to be established before it is allowed to access any resources.

Page 4

Problem Description
• Alice is the NFS server administrator.
• Bob and Clint are clients who want to use the system and manipulate the data on the server.
• Clint wants to access Bob's data.
• Clint wants to add computers that can access his resources on the server.
• Alice's problem: determining the genuinity of each computer before granting it access.

Page 5

Tests of Genuinity
Alice needs to determine that:
a) the computer is a genuine computer and not a simulator or an emulator: the Hardware Genuinity Test;
b) the computer is running the software Alice expects (knowing the software lets her predict the behaviour of the system): the Software Genuinity Test.

Page 6

Software Genuinity
• Verifying the genuinity of system software means establishing to an Authority that the instructions of an Entity running a program have not been tampered with.
• A subroutine included in the program calculates a checksum of the program's memory space and sends it to the Authority, which compares it with a known-good result. A forgery (modified code) shows up as a mismatch.
• The Authority can challenge the Entity by specifying one or more regions of the program's instruction address space. Since the Entity cannot know in advance which regions will be asked for, a recorded answer from an earlier challenge will not match, so replay attacks are detected.
• Caveat: on its own, a checksum computed by the Entity's software proves little, since modified software could checksum a stored pristine copy of the code instead of itself. This is why the software test is combined with the hardware test (execution time and memory-hierarchy side effects) later in the talk.

Page 7

Tampering with Software
• Example: Bob receives a digital container from Alice, consisting of some digital media and code that transfers electronic money to Alice's account whenever the media is played.
• Bob can:
  - modify the amount he has to pay Alice;
  - extract the media content itself, i.e. resort to piracy.

Page 8

Tampering with Software (continued)

Page 9

Software Tamperproofing
• Defense against tampering, so that unauthorized modifications result in non-functional code.
• Goal: prevent unauthorized use of a program.
• Mechanism: put in code that checks authorization and prevents the program from operating properly if ANY changes are observed.
• Result: might prevent piracy of the software.

Page 10

Methods for Tamperproofing
• Insert authorization checks: passwords, machine/system fingerprints. Take appropriate action if the check fails.
• Insert guards: compute checksums over the code of the program.
• Insert multiple guards: guards check each other as well as the program, forming a network of guards that protect one another, so that all of them have to be removed before the guarding fails.
• PROBLEM: a determined attacker might be able to find and remove all the guards.

Page 11

Methods for Tamperproofing (continued)
• Obfuscate the authorization and guard code so it is hard to identify; e.g. hide the constants 1789 and 4969 in their product 8889541 (recovering them requires factoring the product).
• Benefit: the checking code is hard to find among the program code.
• PROBLEM: obfuscated code may be hard to understand, but it looks "strange", so an attacker can eventually identify and remove it.
• Insert repairing guards: they correct errors deliberately introduced into the program; if they are deleted, the program does not work properly.

Page 12

Methods for Tamperproofing (continued)
• Mix (tangle) the checking code with pieces of the program's own code and obfuscate it all together.
• Benefit: the obfuscated checks cannot be removed without corrupting the program code.
• PROBLEM: obfuscated code is tough to untangle, but the toughness depends on its length, and these code fragments tend to be fairly short.

Page 13

Methods for Tamperproofing (continued)
• Introduce dummy code that does not affect the program's operation.
• Method: tangle it in with the authorization, guard and program code, then obfuscate.
• Obfuscation and dummy code generation can be automated.

Page 14

Hardware Genuinity Test
• Alice's prime concern is the genuinity of the µP: exercise a representative subset of its functions and check that they conform to the specification.
• It is easy to discriminate µPs with different ISAs.
• It is harder to discriminate µPs with different implementations of the same ISA, but there are observable differences: implementations differing in cache geometry show different execution times for an instruction sequence with a particular memory reference pattern.

Page 15

Hardware Genuinity Test (continued)
• Alice also needs to differentiate between a computer and a simulator. This cannot be done from the computed result alone, since a simulator computes the same function as the machine it simulates (Turing equivalence); the discriminant has to be execution time.
• Most modern simulators are an order of magnitude slower than real computers.
• Establishing a response-time bound for the Entity can therefore help determine whether the Entity ran on a real computer or on a simulator.
• Complicating the procedure that calculates the checksum increases the disparity between simulator and real-computer execution times.

Page 16

Hardware Genuinity Test (continued)
• Characteristics of a CPU function suitable for a genuinity test:
  - the function occurs automatically as a side effect of instruction execution;
  - the function is deterministic and predictable;
  - the effects of the function can be measured easily;
  - the function has a good deal of parallelism (minimizing the chance that a simulator can mimic it at speed).
• The memory hierarchy satisfies all of these characteristics and makes an excellent device for the test.

Page 17

S/W and H/W Genuinity Test
• How? A mechanism that checks the integrity of its own instructions and also ensures that those instructions are running on a real computer.
• Source of CPU meta-information: the memory hierarchy.
• TLB: higher associativity than the caches; measurable, deterministic replacement policies.
• Make the genuinity tests difficult to simulate.
• The result of one genuinity test should give no clue about how future tests will be computed.

Page 18

S/W and H/W Genuinity Test (continued)
• A DTLB replacement pattern that could be predicted (figure).
• Pseudorandom traversal of the pages introduces uncertainty about whether a loaded page is currently mapped by the DTLB.

Page 19

S/W and H/W Genuinity Test (continued)
• Further complicating the checksum procedure: alias the physical memory region multiple times in the virtual memory region.
• Result: increases the checksum calculation duration.
• Note: any important source of meta-information about the procedure's execution should be incorporated into the checksum result.

Page 20

H/W and S/W Genuinity Tests (continued)
• Result: a memory checksum that has been modified with meta-information about the execution of the procedure. It is
  - difficult to simulate in a timely manner;
  - incorrect if the memory contents or the execution procedure are wrong: the S/W genuinity test;
  - too slow to arrive if evaluated by a simulator: the H/W genuinity test.

Page 21

Establishing Genuinity via an Insecure Network
• Assumption: distance does not permit a secure communication channel prior to the genuinity test, so a public-key exchange must be negotiated with the Authority.
• Procedure:
  - The public key of the Authority is embedded in the verified memory space of the Entity's genuinity test (so substituting another key changes the checksum).
  - The Entity sends the Authority E_K1[computed checksum, random ID], where K1 is the public key of the Authority.

Page 22

Establishing Genuinity (message sequence)

Remote Entity                                  Authority
  Request for challenge                   -->
                                          <--  Offer to challenge (initial memory map)
  Accept the challenge                    -->
                                          <--  Challenge, signed (key + checksum code)
  Response, encrypted (result + random ID) -->
                                          <--  Qualification or rejection

Page 23

Establishing Genuinity via an Insecure Network (continued)
• It is important to check the validity of the challenge, which is runnable code to be inserted into the Entity's kernel memory.
• Why? To avoid running code sent by an attacker.
• How? Generate a second key pair and embed its public key in the Entity's kernel.
• The Authority signs the messages it sends, so the Entity can discriminate bogus messages.
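The exchange of pages 21 to 23, together with the checksum challenge of page 6 and the pseudorandom page traversal of page 18, as one runnable model. This is an added example, not code from Kennell and Jamieson's implementation: their in-kernel checksum code, TLB and cache side effects and real RSA are replaced by a pure-Python checksum over a constructed 1 KB "kernel image" and a textbook, unpadded RSA built from fixed Mersenne primes. The 64-byte page size, the image layout with the Authority's signing key at a fixed offset, the 10-second deadline and the single-seed "challenge" are all assumptions for illustration; the Offer/Accept steps of page 22 are omitted, and elapsed time is passed in rather than measured.

```python
"""Toy model of the genuinity challenge/response. Added example, not code
from Kennell and Jamieson's implementation: in-kernel checksum code, TLB and
cache side effects and real RSA are replaced by a pure-Python checksum over a
constructed 'kernel image' and a textbook (unpadded) RSA with fixed Mersenne
primes. Page size, image layout and the deadline are assumptions."""
import hashlib
import secrets

PAGE = 64                 # assumed toy page size (x86 uses 4096)
NPAGES = 16               # constructed image: 16 pages, a power of two
KEY_OFFSET = 6 * PAGE     # assumed offset of the Authority's signing key
MASK32 = 0xFFFFFFFF
E = 65537


def toy_keypair(p, q):
    """Textbook RSA from two fixed primes. Unpadded and deterministic:
    illustration only, never use this as real cryptography."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


# K1: Entity encrypts its result to the Authority (page 21).
# K2: Authority signs challenges; the Entity holds K2's public part (page 23).
K1_PUB, K1_PRIV = toy_keypair((1 << 61) - 1, (1 << 89) - 1)
K2_PUB, K2_PRIV = toy_keypair((1 << 107) - 1, (1 << 127) - 1)


def _hash_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_encrypt(pub, m):
    return pow(m, pub[1], pub[0])


def rsa_decrypt(priv, c):
    return pow(c, priv[1], priv[0])


def rsa_sign(priv, data):
    return pow(_hash_int(data, priv[0]), priv[1], priv[0])


def rsa_verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _hash_int(data, pub[0])


def build_image(signing_pub):
    """Constructed known-good image: code bytes, then the Authority's signing
    key inside the checksummed region (page 21), then zero padding."""
    code = bytes((i * 7 + 3) & 0xFF for i in range(KEY_OFFSET))
    key = signing_pub[0].to_bytes(32, "big")     # modulus < 2**234 fits 32 bytes
    image = code + key
    return image + bytes(NPAGES * PAGE - len(image))


def embedded_signing_key(image):
    """The Entity reads the Authority's signing key from its own verified memory."""
    return (int.from_bytes(image[KEY_OFFSET:KEY_OFFSET + 32], "big"), E)


def page_walk(npages, seed):
    """Full-period LCG permutation of page indices (multiplier 1 mod 4, odd
    increment, power-of-two modulus): every page once, in a challenge-dependent
    order, modelling the pseudorandom traversal of page 18."""
    x, c = seed % npages, (seed >> 8) | 1
    for _ in range(npages):
        yield x
        x = (5 * x + c) % npages


def checksum(image, seed):
    """32-bit checksum in walk order. Rotate-then-add is a bijection per step,
    so any single-byte change and any change of order gives a different value."""
    cs = seed & MASK32
    for vp in page_walk(len(image) // PAGE, seed):
        for b in image[vp * PAGE:(vp + 1) * PAGE]:
            cs = (((cs << 5) | (cs >> 27)) + b + vp) & MASK32
    return cs


class Authority:
    def __init__(self, good_image, deadline_s=10.0):
        self.good_image = good_image   # used to (pre)compute expected results
        self.deadline_s = deadline_s   # assumed bound separating genuine from simulated
        self.seen_ids = set()

    def challenge(self):
        """A fresh test (here just a seed for the checksum walk), signed with K2."""
        msg = secrets.randbits(32).to_bytes(4, "big")
        return msg, rsa_sign(K2_PRIV, msg)

    def verify(self, msg, ciphertext, elapsed_s):
        """Qualification or rejection (page 22), each reason kept distinct."""
        result, rid = divmod(rsa_decrypt(K1_PRIV, ciphertext), 1 << 32)
        if elapsed_s > self.deadline_s:
            return "reject: too slow"
        if rid in self.seen_ids:
            return "reject: replayed identifier"
        self.seen_ids.add(rid)
        if result != checksum(self.good_image, int.from_bytes(msg, "big")):
            return "reject: bad checksum"
        return "qualified"


def entity_respond(image, msg, sig):
    """Entity side: refuse challenges not signed by the embedded key (page 23),
    else return E_K1[checksum, random ID] (page 21). None means refused."""
    if not rsa_verify(embedded_signing_key(image), msg, sig):
        return None
    rid = secrets.randbits(32)
    return rsa_encrypt(K1_PUB, (checksum(image, int.from_bytes(msg, "big")) << 32) | rid)
```

Two properties of the paper's design are visible here. The signing key sits inside the region being checksummed, so an attacker who swaps in his own key to get his challenge accepted also changes the checksum the Authority expects. And the random identifier travels inside the encrypted result, so a recorded response cannot be replayed and an interposer cannot substitute a result without the Authority noticing the duplicate. What the toy cannot show is the hardware half: here a tampered image fails only because its bytes differ, whereas in the real test a simulator that reproduces the bytes perfectly still fails the deadline.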

Page 24

Potential Attacks and Guards
• Primary discriminant: execution time.
• The proposed genuinity test has a lower bound on the performance of the target CPU that can be verified.
• As the performance of the systems on which simulators can run increases, that lower bound on the target CPU increases with it.
• Kinds of simulators:
  a) Algorithmic simulators. Guard: the Authority must send executable code instructions, so that the result cannot be obtained by simple interpretation of a known algorithm.
  b) Virtualizing simulators. Guard: a virtualizing simulator executes too slowly to succeed within the response-time bound.

Page 25

Hardware Attacks
• Ultimate attack: modify the remote computer so that it computes the checksum correctly but allows a third party to inspect and alter the system after the test.
• How? By attaching analyzers to the µP's probe ports, or by attaching hardware to the coherent memory bus of the system.
• Considered an acceptable risk, since skill and equipment are required to achieve the above.
• Attack against the microprocessor (pausing it to extract information). Guard: require the remote machine to remain in active contact with the Authority, with a period no longer than the time necessary to pause the machine and obtain the information.

Page 26

Implementation
Components of the Authority:
• Generator: builds RSA-128 key pairs.
• Test case generator: randomly combines pre-defined code sets into a unified image.
• Network server: handles negotiation of genuinity challenges and selection of tests based on the type of microprocessor.

Page 27

Implementation (continued)
• The host application: Linux 2.5 kernel, a convenient and portable environment for manipulating virtual memory and network interfaces.
• Modifications:
  - inserted a few pages of empty space;
  - added a set of functions to perform the network test negotiation;
  - implemented an in-kernel 128-bit RSA algorithm to perform public-key encryption of the returned result.

Page 28

Implementation (continued)
• Some specifications chosen for flexibility: 128-bit RSA key, unoptimized RSA implementation, Entity assumed to operate without non-volatile storage. (Note: a 128-bit RSA modulus can be factored in seconds on commodity hardware and offers no real protection; the key size is a prototype choice, not one to deploy.)
• Kernel loaded via the network using GRUB or Etherboot.
• At the conclusion of the genuinity test, a key exchange negotiates keys for the IPsec session.
• Finally, a trusted system has been identified and the Authority can allow NFS exports to the Entity.

Page 29

Pre-computation of Checksum Results
• The Authority must precompute the checksum results for each genuinity test in order to handle an initial surge of requests.
• This is done using an offline simulator.
• PROBLEM: genuinity tests can exploit deterministic instruction execution side-effects; for example, a µP with an undocumented TLB replacement policy might make it infeasible to use a simulator to compute the result.
• SOLUTION: use an existing genuine system to compute the results for new tests.

Page 30

Pre-computation (continued)
• But having an already-qualified host compute results invites an interposition attack.
• To counter this, a flag is added to the challenge delivered by the Authority. The flag indicates whether the Entity should deliver the results over the network and reinitialize itself to become a known host.
• The checksum result and random identifier are encrypted by the exit path of the checksum algorithm.
• A secure channel is used to initiate a new test and then procure the result.
• Side effect: the remote host will experience a momentary pause of other activity while its interrupts are disabled.

Page 31

Pre-computation (continued)
• Most of the checksum results were computed using a real CPU rather than a constructed simulator.

Page 32

Benchmarks
• The benchmark test: establish the time limit for the response delay.
• Target CPU: 133 MHz Intel Pentium. Simulator run on: 2.4 GHz Intel Pentium.
• The Authority software generated the random genuinity test as follows: pseudo-random mapping of the static region of the kernel's physical memory into a 16 MB region, using alternate page tables placed at the beginning of the kernel text segment.

Page 33

Memory map for the benchmark test case

Page 34

Benchmarks (continued)
• The kernel page tables and the alternate page tables are mapped in the virtual pages.
• Note: the 16 MB region is the only memory accessible for the duration of the test.
• Advantage: the self-contained nature of the region makes it difficult to subvert the genuinity test by patching in malicious code.
• The checksum code is constructed as nodes spread over 22 of the code-page mappings in virtual memory.

Page 35

Benchmarks (continued)
• Selection of checksum code nodes. Individual nodes:
  - accessed the ITLB CAM cells;
  - accessed the DTLB CAM cells;
  - accessed the tag and replacement information of the data cache and instruction cache cells;
  - read a performance counter;
  - sampled the time stamp counter probabilistically.
• The other 16 nodes each read a byte of memory, added it to the 32-bit checksum value and advanced the memory pointer.

Page 36

Benchmarks (continued)
• Test with a genuine CPU:
  - the appropriate kernel is booted on the test Entity (133 MHz Pentium CPU);
  - the Entity was on the same Ethernet segment as the Authority (to discount the effects of network latency).
• Result: the Entity was able to receive the test, compute the checksum value and random identifier, encrypt the result and return it via the network in 7.93 s.
• Note: the encryption step does not contribute significantly to the response delay (about 0.007 s).

Page 37

Benchmarks (continued)
• With the ideal simulator. Features:
  - assumed to have a priori knowledge of how the test code would work;
  - equivalent to a virtualizing simulator;
  - does not have to generate the random value.
• The simulator was built by manually encoding the precise effects of executing all 22 test case nodes on the ITLB, DTLB, caches and two instruction counts.
• Performance: 10.72 s on the 2.4 GHz host, slower than the genuine 133 MHz target's 7.93 s, so a response-time limit set between the two values separates them.

Page 38

Effectiveness of Random Number Generation
• To be effective, the random identifiers must be unguessable (to prevent replay and interposition attacks). Uniformity, which is what the following statistics check, is necessary but not sufficient for that.
• In a captive test case on a single machine, 99778 random values were observed.
• Only two 32-bit values were duplicated.
• Observed rate of duplicates versus the rate expected of a uniform distribution:
    2/99778 = 0.000020   (observed)
    99778/2^32 = 0.000023   (expected)
  Equivalently, the expected number of colliding pairs among n = 99778 uniform 32-bit values is about n^2/2^33 ≈ 1.16, so two duplicates is consistent with a uniform distribution.
• A 2-D visual analysis of the generated values did not reveal any apparent clustering.

Page 39

Related Work
• Execution verification.
• Secure coprocessors:
  - the remote system demonstrates genuinity by proving its identity;
  - the identity must be known in advance to the other systems.

Page 40

Related Work (continued)
• Secure bootloaders:
  - allow a system to authenticate the software it loads, using cryptographic secrets;
  - require integration of a secure BIOS or a special loader.
• TCPA, Palladium and LaGrande:
  - aid in the generation and manipulation of cryptographic secrets for identity management and access control;
  - require some form of hardware to be added to the participating computer to handle the cryptographic secrets.

Page 41

Conclusion
• A method to establish the genuinity of the hardware and software of a remote computer system to a certifying authority.
• Advantage: enables the aggregation of arbitrary anonymous systems into distributed computational clusters without the need for a human intermediary.
• Direct attacks are possible, but the complexity of mounting them makes the implementation practical.
• Potential targets: lower-performance embedded CPUs.
