for tpm api
play

for TPM API Aybek Mukhamedov, Andy Gordon and Mark Ryan Trusted - PowerPoint PPT Presentation

Nov 07, 2022 •205 likes •374 views

Towards Verified C specification for TPM API Aybek Mukhamedov, Andy Gordon and Mark Ryan Trusted Platform Module Trusted Computing, an initiative by major IT vendors Functions: integrity measurement, reporting & protected storage

  1. Towards Verified C specification for TPM API Aybek Mukhamedov, Andy Gordon and Mark Ryan

  2. Trusted Platform Module • Trusted Computing, an initiative by major IT vendors • Functions: integrity measurement, reporting & protected storage • Relies on a security chip TPM : Root of Trust for Storage and Reporting • Manual inspection is not feasible (>90 commands), recalls are expensive: need for formal analysis • Utilize protocol verification tools

  3. Protocol Verification • A number of successful frameworks: specialized (AVISPA, ProVerif) and general-purpose (FDR, PRISM, Isabelle, mocha, nusmv) • Abstract models hard to distill, implementations may deviate and revisions may get out of sync • hence, hot topic: implementation analysis • FS2PV: a framework by Gordon et al. (MSRC)

  5. TPM API Analysis Authorization Protocols: • Important for TPM functionality • Weak secret off-line attacks by Chen,Ryan (‘08) Our work: • Concrete implementation of authorization, encrypted transport session protocols in F# • Formal verification with FS2PV: attacks, verified our fixes • F2C: automatic translation into executable C code

  6. Authorization Data • Most TPM commands & objects require authorization • Realised via a shared secret authdata • authdata (20B) is chosen by client app: – ideally, it’s a secret + high -entropy data – on-line dictionary attack mitigation by TPM • Ad- hoc analysis by Chen and Ryan (‘08): off -line attack revealing low-entropy authdata

  7. Authorization Protocols • Object Independent Authorization Protocol (OIAP): – can authorize several entities within a session – authorization via hmac digest keyed on authdata • Object Specific Authorization Protocol (OSAP): – tied to a single entity – authorization via hmac digest keyed on a secret derived from authdata • Most commands allow either protocol

  8. Object-Independent Pattern (OIAP) TPM_OIAP _IN : tag || paramSize || ordinal Client TPM_OIAP _OUT : tag || paramSize || returnCode || authHandle || nonceEven TPM_OwnerClear _IN : tag || paramSize || ordinal || authHandle || nonceOdd || continueAuthSession || inAuth inAuth= hmacsha1 authData (concat1 || concat2) with concat1= sha1(ordinal) concat2= nonceEven || nonceOdd || continueAuthSession TPM_OwnerClear _OUT: tag || paramSize || returnCode|| nonceEven ‘ || continueAuthSession|| resAuth) resAuth=hmacsha1 authData (concat1 || concat2) with concat1=sha1(returnCode || ordinal) concat2= nonceEven' || nonceOdd || continueAuthSession authData is the weak secret

  9. Object-Specific Pattern (OSAP) TPM_OSAP _IN : tag || paramSize || ordinal || entityType || entityValue || nonceOddOSAP ) Client TPM_OSAP _OUT : tag || paramSize || returnCode || authHandle|| nonceEven || nonceEvenOSAP TPM_OwnerClear _IN : tag || paramSize || ordinal || authHandle || nonceOdd ||continueAuthSession || inAuth inAuth= hmacsha1 sharedSecret (concat1 || concat2) with sharedSecret = hmacsha1 authData ( nonceOddOSAP || nonceEvenOSAP ) concat1= sha1(ordinal) concat2= nonceEven || nonceOdd || continueAuthSession TPM_OwnerClear _OUT : tag || paramSize || returnCode|| nonceEven ‘ || continueAuthSession|| resAuth resAuth=hmacsha1 sharedSecret (concat1 || concat2) with sharedSecret = hmacsha1 authData ( nonceOddOSAP || nonceEvenOSAP ) concat1=sha1(returnCode || ordinal) concat2= nonceEven' || nonceOdd|| continueAuthSession authData is the weak secret

  10. Encrypted Transport Protection Start auth session, load secret encryption key TPM_EstablishTransport _IN : encHandle || encr. secret || authHandle || keyAuth Client TPM_EstablishTransport _OUT : transHandle|| transonceEven || resAuth wrappedCmd = TAGw || LENw || ORDw || HANDLESw || DATAw || AUTH1w TPM_ExecuteTransport _IN : wrappedCmd , transHandle || transNonceOdd ||transAuth Auth wrappedRsp= TAGw || LENw || RCw || HANDLESw || DATAw || AUTH1w tranEncKey = transNonceEven || transNonceOdd || “in” || secret session setup TPM_ExecuteTransport _OUT : wrappedRsp , transHandle || transNonceEven ’ || transAuth tranEncKey = transNonceEven’ || transNonceOdd || “out” || secret TPM_ExecuteTransport _IN : wrappedCmd , transHandle || transNonceOdd ||transAuth Command TPM_ExecuteTransport _OUT : wrappedRsp , transHandle || transNonceEven ’ || transAuth

  11. Concrete specification in F# • We implemented authorization and transport protection protocols Data defs Snippet of fTPM.fs (TPM code) type TPM_NONCE = { let TPM_OSAP (input:TPM_OSAP_IN) : TPM_OSAP_OUT = nonce: BYTE20 } if (input.tag_osapIn = TPM_TAG_RQU_COMMAND) then if (input.ordinal_osapIn = TPM_ORD_OSAP) then let TPM_ORD_OSAP = (UINT32 0x0000000B) let TPM_ORD_OIAP = (UINT32 0x0000000A) let nonceEven : TPM_NONCE = mkNonceEven() in let nonceEvenOSAP : TPM_NONCE = mkNonce() in type TPM_OSAP_IN = { let xNonceOddOSAP : TPM_NONCE = tag_osapIn : TPM_TAG; input.nonceOddOSAP_osapIn in paramSize_osapIn : UINT32; let hmac_data : BYTES = dconcat nonceEvenOSAP ordinal_osapIn : TPM_COMMAND_CODE; xNonceOddOSAP in entityType_osapIn : TPM_ENTITY_TYPE; let handle : TPM_AUTHHANDLE = allocHandle() in entityValue_osapIn : UINT32; nonceOddOSAP_osapIn : TPM_NONCE let entityType : TPM_ENTITY_TYPE = input.entityType_osapIn in } if (entityType=TPM_ET_OWNER) then begin [...]

  12. Verification with FS2PV • Symbolic libraries: Crypto, Data, Net, Db type bytes = let sym_encrypt key text = SymEncrypt(key,text)) | SymEncrypt of bytes*bytes let sym_decrypt key msg = match msg with | Hmacsha1 of bytes*bytes | SymEncrypt(key',text) when key = key' -> text | Num32 of unit32 | _ ->failwith "sym_decrypt failed" | Concat of bytes*bytes • Symbolic execution: sanity check, debugger • Active attacker: – crypto, data manipulation, network control defined via F # interface files • FS2PV generates ProVerif model, which is verified against any number of TPM, Client runs & arbitrary attacker

  13. Verification Results Found reported attacks, issues with transport protection and proved correctness of our fixes LoC in F# LoC in C (incl. data, (incl. data, FS2PV analysis type defs) type defs) OSAP session 265 275 found attack OIAP session 250 260 found attack Encrypted Transport Session 780 660 found attack & OIAP ed proved fix when all commands in OIAP session encrypt nonceEven Encrypted Transport Session 800 680 found attack & OSAP proved fix when TPM_OSAP response is encrypted

  14. F2C: executable C from F# code • F# is not widely adopted and relies on .NET • F2C : translates verified F# code of the TPM into executable C implementation: - TPM commands, data structures • Built on top of FS2PV library • Implemented sample client and crypto functions in C++ for authorization sessions

  16. Conclusions • Verified concrete implementation of TPM API fragment • Captured attacks and verified fixes • F2C: C code generator from a stylized F# Future work: • Many more commands to cover, interoperability • Improve verification engine: mutable states • Generate F# code from C spec Verified reference implementation of the whole TPM seems plausible

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Modest Proposal A Modest Proposal For preventing the Testing of User Interfaces From being a

A Modest Proposal A Modest Proposal For preventing the Testing of User Interfaces From being a

A Modest Proposal A Modest Proposal For preventing the Testing of User Interfaces From being a Burden to Their Developers or Maintainers, and For making them Beneficial to the Application Jonathan Swift Mocha Jest Tape Jasmine QUnit Selenium

579 views • 30 slides
t rt t ss s s

t rt t ss s s

ts rst t t tr st r s ts ssr

699 views • 69 slides
Photons Be Free! The State of Fauxton 2015 Photons Be Free! The State of Fauxton 2015

Photons Be Free! The State of Fauxton 2015 Photons Be Free! The State of Fauxton 2015

Photons Be Free! The State of Fauxton 2015 Photons Be Free! The State of Fauxton 2015 ApacheCon: Core Corinthia Hotel Budapest, Hungary October 2015 Michelle Phung Apache Software Foundation Committer michellep@apache.org CouchDB Fauxton

540 views • 31 slides
Math for Liberal Arts MAT 110: Chapter 4 Notes Taking Control of Your Finances Managing Money

Math for Liberal Arts MAT 110: Chapter 4 Notes Taking Control of Your Finances Managing Money

MAT 110, Chapter 4 Math for Liberal Arts MAT 110: Chapter 4 Notes Taking Control of Your Finances Managing Money David J. Gisch Controlling Y our Finances A Four-S tep budget 1. List all monthly income, including a prorated Know your

323 views • 14 slides
Coalitional Games Stphane Airiau and Wojtek Jamroga Stphane: ILLC @ University of Amsterdam

Coalitional Games Stphane Airiau and Wojtek Jamroga Stphane: ILLC @ University of Amsterdam

Coalitional Games Stphane Airiau and Wojtek Jamroga Stphane: ILLC @ University of Amsterdam Wojtek: ICR @ University of Luxembourg European Agent Systems Summer School Torino, Italy, September 2009 Stphane Airiau and Wojtek Jamroga

2.04k views • 182 slides
Ranking patterns of unfolding models of codimension one Hidehiko Kamiya (Nagoya University)

Ranking patterns of unfolding models of codimension one Hidehiko Kamiya (Nagoya University)

Recent developments on geometric and algebraic methods in Economics August 24, 2014 Hokkaido University Ranking patterns of unfolding models of codimension one Hidehiko Kamiya (Nagoya University) Joint work with H. Terao and A. Takemura This

1.42k views • 108 slides
Composition vs. Inheritance, Cloud Computing, and REST-based Architectures Reid Holmes Store

Composition vs. Inheritance, Cloud Computing, and REST-based Architectures Reid Holmes Store

Material and some slide content from: - Atif Kahn SERVICES COMPONENTS OBJECTS MODULES Composition vs. Inheritance, Cloud Computing, and REST-based Architectures Reid Holmes Store Example Starbucks example Beverages: house, dark

288 views • 26 slides
A Lap Around NativeScript TJ VanToll | @tjvantoll Server-Side Code Desktop applications Mobile

A Lap Around NativeScript TJ VanToll | @tjvantoll Server-Side Code Desktop applications Mobile

A Lap Around NativeScript TJ VanToll | @tjvantoll Server-Side Code Desktop applications Mobile apps What is NativeScript? A runtime for building and running native iOS and Android apps with a single, JavaScript code base != != No DOM

522 views • 18 slides
The 02/27/2010 Mw8.8 Chile Earthquake Educational Slides Created & Complied by David J. Wald,

The 02/27/2010 Mw8.8 Chile Earthquake Educational Slides Created & Complied by David J. Wald,

The 02/27/2010 Mw8.8 Chile Earthquake Educational Slides Created & Complied by David J. Wald, Gavin P. Hayes, Kristin D. Marano U.S. Geological Survey, National Earthquake Information Center Contributions from: Susan Rhea, USGS NEIC Stephen

491 views • 21 slides
Developing Java Applications for Mobile Devices A glimpse of the future Jakob Magun Senior

Developing Java Applications for Mobile Devices A glimpse of the future Jakob Magun Senior

Developing Java Applications for Mobile Devices A glimpse of the future Jakob Magun Senior Software Engineer ERGON Informatik AG 1 Introduction The Connected PDA & Java CLDC & Java Virtual Machine An

1.01k views • 12 slides
LibreOffjce Online client side development by Mihai Varga Consultant Software Engineer

LibreOffjce Online client side development by Mihai Varga Consultant Software Engineer

LibreOffjce Online client side development by Mihai Varga Consultant Software Engineer Intern +MihaiVarga13 mihai.varga@collabora.com @CollaboraOffjce www.CollaboraOffjce.com A brief introduction 2/37 LibreOffjce Conference 2015 |

542 views • 37 slides
Source Code Manipulation Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 30 November 2015

Source Code Manipulation Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 30 November 2015

Source Code Manipulation Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 30 November 2015 Roadmap W44 Introduction V.Zaytsev W45 Metaprogramming J.Vinju W46 Reverse Engineering V.Zaytsev W47 Software Analytics M.Bruntink W48 Clone

1.29k views • 57 slides
Outline Introduction 1 Identifier renaming 2 Complicating control flow 3 Inserting bogus

Outline Introduction 1 Identifier renaming 2 Complicating control flow 3 Inserting bogus

Outline Introduction 1 Identifier renaming 2 Complicating control flow 3 Inserting bogus control-flow Control-flow flattening Opaque values from array aliasing Jumps through branch functions Opaque Predicates 4 Opaque predicates from

2.19k views • 187 slides
CS 126 Lecture S1: Introduction to Java Systems Part of the Class What is the

CS 126 Lecture S1: Introduction to Java Systems Part of the Class What is the

CS 126 Lecture S1: Introduction to Java Systems Part of the Class What is the system? - Loosely defined as anything thats not your application Why should you care? - Learn more about the pieces that constitute a large part

637 views • 28 slides
JavaScript for #NewDevs Programming Once you become a programmer, you will not only use the

JavaScript for #NewDevs Programming Once you become a programmer, you will not only use the

JavaScript for #NewDevs Programming Once you become a programmer, you will not only use the computer, but control it. JavaScript is awesome (for beginners) no fancy setup needed is quite forgiving can be coded directly in the

564 views • 34 slides
Marshall/Weidner Garden Fall 2008, Clayton Native Plant List Latin Name Common Name Notes Acer

Marshall/Weidner Garden Fall 2008, Clayton Native Plant List Latin Name Common Name Notes Acer

Marshall/Weidner Garden Fall 2008, Clayton Native Plant List Latin Name Common Name Notes Acer circinatum Vine Maple front shade garden Achillea millefolim 'Calistoga' Calistoga White Yarrow front Achillea millefolim 'Island Pink' Island

182 views • 4 slides
Slides for Lecture 29 ENEL 353: Digital Circuits Fall 2013 Term Steve Norman, PhD, PEng

Slides for Lecture 29 ENEL 353: Digital Circuits Fall 2013 Term Steve Norman, PhD, PEng

Slides for Lecture 29 ENEL 353: Digital Circuits Fall 2013 Term Steve Norman, PhD, PEng Electrical & Computer Engineering Schulich School of Engineering University of Calgary 18 November, 2013 slide 2/17 ENEL 353 F13 Section 02

307 views • 17 slides
N F V l a V D E wa y R e n z o D a v o l i F O S D E M 2 0 1 8

N F V l a V D E wa y R e n z o D a v o l i F O S D E M 2 0 1 8

N F V l a V D E wa y R e n z o D a v o l i F O S D E M 2 0 1 8 This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.(unless otherwise specified) V i r t u a l D i

564 views • 31 slides
TF-Mobility: Qos for wireless environments Enrique de la Hoz de la Hoz enrique@aut.uah.es

TF-Mobility: Qos for wireless environments Enrique de la Hoz de la Hoz enrique@aut.uah.es

Introduction Network under study Quality of Service Proposal Conclusions TF-Mobility: Qos for wireless environments Enrique de la Hoz de la Hoz enrique@aut.uah.es Universidad de Alcal a de Henares 28 de septiembre de 2007 logo Enrique de

626 views • 61 slides
A step towards the characterization of SAR Mode Altimetry Data over Inland Waters SHAPE

A step towards the characterization of SAR Mode Altimetry Data over Inland Waters SHAPE

A step towards the characterization of SAR Mode Altimetry Data over Inland Waters SHAPE Project Pierre Fabry, Nicolas Bercher A -T , France Mnica Roca, Albert Garcia Mondejar isardSAT, UK Amrico

1.21k views • 65 slides
CSEE 3827: Fundamentals of Computer Systems, Spring 2011 5. Finite State Machine Design Prof.

CSEE 3827: Fundamentals of Computer Systems, Spring 2011 5. Finite State Machine Design Prof.

CSEE 3827: Fundamentals of Computer Systems, Spring 2011 5. Finite State Machine Design Prof. Martha Kim (martha@cs.columbia.edu) Web: http://www.cs.columbia.edu/~martha/courses/3827/sp11/ Outline (H&H 3.5) Finite State Machines

448 views • 24 slides
Patent Law Prof. Roger Ford September 18, 2017 Class 6 Disclosure: Definiteness; Best Mode

Patent Law Prof. Roger Ford September 18, 2017 Class 6 Disclosure: Definiteness; Best Mode

Patent Law Prof. Roger Ford September 18, 2017 Class 6 Disclosure: Definiteness; Best Mode Recap Recap Written description versus enablement Written description: Timing and limitations on amendments Written description: Scope

1.07k views • 40 slides
+ Hawaiians in Los Angeles Lessa Kananiopua Pelayo -Lozada Childrens Librarian Glendale

+ Hawaiians in Los Angeles Lessa Kananiopua Pelayo -Lozada Childrens Librarian Glendale

+ Hawaiians in Los Angeles Lessa Kananiopua Pelayo -Lozada Childrens Librarian Glendale Public Library + History of Native Hawaiians Members of the Kuhia family are pictured celebrating Jubilee, a celebration of the Hukilau in Laie on

1.58k views • 8 slides
Characterizing quotation Chung-chieh Shan Rutgers University April 3, 2009 Thanks to Chris

Characterizing quotation Chung-chieh Shan Rutgers University April 3, 2009 Thanks to Chris

Characterizing quotation Chung-chieh Shan Rutgers University April 3, 2009 Thanks to Chris Barker, Sam Cumming, Gabriel Greenberg, Michael Johnson, Ernie Lepore, Emar Maier, Matthew Stone, Rutgers Linguistics, and the University of Arhus.

640 views • 40 slides

More recommend