Introduction to Trusted Computing Pieter Maene , Johannes G - - PowerPoint PPT Presentation

introduction to trusted computing
SMART_READER_LITE
LIVE PREVIEW

Introduction to Trusted Computing Pieter Maene , Johannes G - - PowerPoint PPT Presentation

Dec 07, 2022 354 likes •724 views

Introduction to Trusted Computing Pieter Maene , Johannes G otzfried, Ruan de Clercq, Tilo M uller, Felix Freiling, and Ingrid Verbauwhede 1 KU Leuven/COSIC, Belgium 2 FAU Erlangen-N urnberg, Germany January 31, 2017 Trusted Computing 2

slide-1
SLIDE 1

Introduction to Trusted Computing

Pieter Maene, Johannes G¨

  • tzfried, Ruan de Clercq,

Tilo M¨ uller, Felix Freiling, and Ingrid Verbauwhede

1KU Leuven/COSIC, Belgium 2FAU Erlangen-N¨

urnberg, Germany January 31, 2017

slide-2
SLIDE 2

Trusted Computing

2

slide-3
SLIDE 3

Trusted Computing

“An entity can be trusted if it always behaves in the expected manner for the intended purpose.”—Trusted Computing Group 2004

3

slide-4
SLIDE 4

Hardware-Based Architectures

  • Limitations of software-based solutions
  • Protect against system-level attacker
  • Hardware considered immutable

4

slide-5
SLIDE 5

Architecture Security Properties Architectural Features Other I s

  • l

a t i

  • n

A t t e s t a t i

  • n

S e a l i n g D y n a m i c R

  • T

C

  • d

e C

  • n

fi d e n t i a l i t y S i d e

  • C

h a n n e l R e s i s t a n c e

1

M e m

  • r

y P r

  • t

e c t i

  • n

2

L i g h t w e i g h t C

  • p

r

  • c

e s s

  • r

H W

  • O

n l y T C B P r e e m p t i

  • n

D y n a m i c L a y

  • u

t U p g r a d e a b l e T C B B a c k w a r d s C

  • m

p a t i b i l i t y O p e n

  • S
  • u

r c e A c a d e m i c T a r g e t I S A AEGIS

TPM

TXT

  • x86 64

TrustZone

  • ARM

Bastion

  • UltraSPARC

SMART

  • AVR/MSP430

Sancus

  • MSP430

Soteria

  • MSP430

SecureBlue++

  • POWER

SGX

  • x86 64

Iso-X

  • OpenRISC

TrustLite

  • Siskiyou Peak

TyTAN

  • Siskiyou Peak

Sanctum

  • RISC-V

= Yes; = Partial; = No; – = Not Applicable

1Resistance against software side-channel attacks targeting memory access patterns only. 2Protection from physical attacks, both passive (e.g., probing) and active (e.g., fault injection).

5

slide-6
SLIDE 6

Outline

1 Introduction 2 Background 3 Attacker Model 4 Properties 5 Architectures 6 Comparison 7 Conclusion

6

slide-7
SLIDE 7

Memory Hierarchy

Instructions Data Caches Registers Processor Main Memory

7

slide-8
SLIDE 8

Protection Rings

Ring 0 Ring 1 Ring 2 Ring 3 Supervisor Mode User Mode Kernel Device Drivers Applications

8

slide-9
SLIDE 9

Protected Module Architectures (PMAs)

  • Protect smaller, verifiable code base
  • Trusted Computing Base (TCB)

SM1 SM2 TCB App1 App2 Processor HW HW/SW SW

9

slide-10
SLIDE 10

Attacker Model

1 Controls all software outside the TCB 2 Access to communication channel 3 Dolev-Yao 4 No Denial-of-Service protection 5 Physical attacks out of scope

  • Some allow off-chip memory attacks
  • Hardware side-channels not considered

6 Software side-channels generally excluded 10

slide-11
SLIDE 11

Isolation

  • Access control mechanism
  • Entry point

SM1 SM2 TCB App1 App2 Processor

11

slide-12
SLIDE 12

Attestation

  • Measurements anchored in Root of Trust (RoT)

Verifier Prover n M = Measure(n, code) M Check M

12

slide-13
SLIDE 13

Sealing

SM1 SM2 RoT RoT TCB App1 App2 Remote Storage Attestation Sealing Measuring Processor

13

slide-14
SLIDE 14

Dynamic Roots of Trust (DRoTs)

SM1 SM2 DRoT DRoT TCB App1 App2 Remote Storage Attestation Sealing Measuring Processor

14

slide-15
SLIDE 15

Code Confidentiality

15

slide-16
SLIDE 16

Side-Channel Resistance

  • Software side-channels
  • Untrusted software only learns I/O behaviour

16

slide-17
SLIDE 17

Memory Protection

  • Integrity and authenticity of main memory
  • Active and passive attacks

17

slide-18
SLIDE 18

Architectural Features

Lightweight

  • Architectures without MMU
  • Limited number of applications

Preemption

  • Suspension of running tasks at any time
  • Mainly impacts context switching

Upgradeable TCB

  • Hardware-only TCB is not upgradeable
  • Some designs include trusted software
  • Design flexibility and later upgrades

18

slide-19
SLIDE 19

Architectures

SMART ([El Defrawy et al., 2012]) Lightweight remote attestation mechanism Sancus ([Noorman et al., 2013]) Protected module architecture for embedded systems TrustZone (ARM, 2009) Isolation mechanism in ARM’s processors

19

slide-20
SLIDE 20

SMART

  • Lightweight remote attestation mechanism
  • Minimal (proven by [Francillon et al., 2014])

Architecture Security Properties Architectural Features Other Isolation Attestation Sealing Dynamic RoT Code Confidentiality Side-Channel Resistance1 Memory Protection2 Lightweight Coprocessor HW-Only TCB Preemption Dynamic Layout Upgradeable TCB Backwards Compatibility Open-Source Academic Target ISA SMART

  • AVR/MSP430

20

slide-21
SLIDE 21

SMART

Verifier Prover n, x M = HMACK(n, code) M Check M Execute x

21

slide-22
SLIDE 22

SMART

User’s Application Attested Code SMART Code Instructions Data Registers/IO Application Data Key Memory HMAC Reset Memory Erasure

22

slide-23
SLIDE 23

Sancus

  • Hardware-only protected module architecture for embedded devices
  • Program counter-based access control
  • Extended with code confidentiality ([G¨
  • tzfried et al., 2015])

Architecture Security Properties Architectural Features Other I s

  • l

a t i

  • n

A t t e s t a t i

  • n

S e a l i n g D y n a m i c R

  • T

C

  • d

e C

  • n

fi d e n t i a l i t y S i d e

  • C

h a n n e l R e s i s t a n c e1 M e m

  • r

y P r

  • t

e c t i

  • n2

L i g h t w e i g h t C

  • p

r

  • c

e s s

  • r

H W

  • O

n l y T C B P r e e m p t i

  • n

D y n a m i c L a y

  • u

t U p g r a d e a b l e T C B B a c k w a r d s C

  • m

p a t i b i l i t y O p e n

  • S
  • u

r c e A c a d e m i c T a r g e t I S A Sancus

  • MSP430

Soteria

  • MSP430

23

slide-24
SLIDE 24

Sancus

N1 N2 IP SP1 SP2

. . .

SM1,1 SM2,1

· · ·

SM2,2 SMj,k

· · ·

. . .

24

slide-25
SLIDE 25

Sancus

Unprotected Entry Point Code & Constants Unprotected SM1 Text Section Protected Data SM1 Data Section Unprotected Memory KN,SP,SM1 IDSM1 Next ID Caller ID KN SM1 Metadata Layout Key ID Protected Storage Area

25

slide-26
SLIDE 26

TrustZone

  • Global Platform’s Trusted Execution Environment (TEE)
  • Normal World (REE) and Secure World (TEE)

Architecture Security Properties Architectural Features Other I s

  • l

a t i

  • n

A t t e s t a t i

  • n

S e a l i n g D y n a m i c R

  • T

C

  • d

e C

  • n

fi d e n t i a l i t y S i d e

  • C

h a n n e l R e s i s t a n c e1 M e m

  • r

y P r

  • t

e c t i

  • n2

L i g h t w e i g h t C

  • p

r

  • c

e s s

  • r

H W

  • O

n l y T C B P r e e m p t i

  • n

D y n a m i c L a y

  • u

t U p g r a d e a b l e T C B B a c k w a r d s C

  • m

p a t i b i l i t y O p e n

  • S
  • u

r c e A c a d e m i c T a r g e t I S A TrustZone

  • ARM

26

slide-27
SLIDE 27

TrustZone

Rich OS TEE Client API App1 App2 App3 Monitor Trusted OS TEE Internal API Trusted App1 Trusted App2 Trusted App3 Normal World Secure World Processor

27

slide-28
SLIDE 28

Comparison

Isolation

  • Provided by all except TPM and SMART
  • Lightweight: program counter-based memory access control
  • Complex architectures extend MMU, coarser granularity

Attestation

  • Wide variety of approaches
  • Simple symmetric protocols in hardware
  • Trusted software for advanced algorithms

28

slide-29
SLIDE 29

Comparison

TCBs

  • Hardware-only TCB cannot be upgradeable
  • Stronger guarantees, as no part is vulnerable to software attackers
  • Carefully designed software components increase flexibility

Trust Boundaries

  • Typically extend to the CPU package
  • Protection against physical bus and memory attacks

Attacker Model

  • Very similar for all isolation architectures
  • Internal vulnerabilities remain exploitable

29

slide-30
SLIDE 30

Comparison

Code Injection Attacks

  • Protected against by isolation mechanism
  • Attestation enables detection of changes

Code Reuse Attacks

  • Prevented by enforcing the entry point

Software Side-Channel Attacks

  • No general protection mechanism
  • Sanctum addresses cache timing attacks

30

slide-31
SLIDE 31

Comparison

Backwards Compatibility

  • Mechanisms integrated by programmers or enabled transparently
  • Legacy applications typically remain vulnerable

Inter-Process Communication

  • Register-based for smaller messages
  • Larger messages sent through shared memory

31

slide-32
SLIDE 32

Architecture Security Properties Architectural Features I s

  • l

a t i

  • n

A t t e s t a t i

  • n

S e a l i n g D y n a m i c R

  • T

C

  • d

e C

  • n

fi d e n t i a l i t y S i d e

  • C

h a n n e l R e s i s t a n c e M e m

  • r

y P r

  • t

e c t i

  • n

L i g h t w e i g h t C

  • p

r

  • c

e s s

  • r

H W

  • O

n l y T C B P r e e m p t i

  • n

D y n a m i c L a y

  • u

t U p g r a d e a b l e T C B B a c k w a r d s C

  • m

p a t i b i l i t y AEGIS

  • TPM

  • TXT
  • TrustZone
  • Bastion
  • SMART

  • Sancus
  • Soteria
  • SecureBlue++
  • SGX
  • Iso-X
  • TrustLite
  • TyTAN
  • Sanctum
  • 32
slide-33
SLIDE 33

Architecture Other O p e n

  • S
  • u

r c e A c a d e m i c T a r g e t I S A AEGIS

TPM

TXT

  • x86 64

TrustZone

  • ARM

Bastion

  • UltraSPARC

SMART

  • AVR/MSP430

Sancus

  • MSP430

Soteria

  • MSP430

SecureBlue++

  • POWER

SGX

  • x86 64

Iso-X

  • OpenRISC

TrustLite

  • Siskiyou Peak

TyTAN

  • Siskiyou Peak

Sanctum

  • RISC-V

33

slide-34
SLIDE 34

Conclusion

  • Protect applications and users from malicious software
  • All architectures offer strong guarantees
  • Very few support all possible trusted computing mechanisms
  • Many researchers do not open-source their designs

34

slide-35
SLIDE 35

Conclusion

  • Protect applications and users from malicious software
  • All architectures offer strong guarantees
  • Very few support all possible trusted computing mechanisms
  • Many researchers do not open-source their designs

Questions?

pieter.maene@esat.kuleuven.be

34