Trusted Component Deployment (Trusted Components, Bernd Schoeller)



SLIDE 1

Trusted Component Deployment

Trusted Components Bernd Schoeller January 30th, 2006

SLIDE 2

Code from the Web

➢ Can I trust the software on my machine, knowing that there are “very bad people” out there?

  • risk of malicious code
  • risk of insecure code
  • risk of misbehaving code
SLIDE 3

Overview

➢ Cryptographic crash course
➢ Component deployment technologies

  • signed binaries
  • public key infrastructure
  • trusted computing
  • processes and virtual machines

➢ Next week: proof-carrying code

SLIDE 4

Cryptographic Crash Course

➢ Encryption / Decryption

[Diagram: “Hello World” → encryption → “xrundctba asjfijas43” → decryption → “Hello World”]

SLIDE 5

Cryptographic Crash Course

➢ Symmetric Encryption

[Diagram: “Hello World” → “xrundctba asjfijas43” → “Hello World”; key symbol = “shared secret”]

SLIDE 6

Cryptographic Crash Course

➢ Asymmetric Encryption

[Diagram: “Hello World” → “xrundctba asjfijas43” → “Hello World”; key symbols: “private key” + “public key” = “key pair”]

SLIDE 7

Hash Function

[Diagram: “Hello World” → hash function → 4711; “Hallo World” → hash function → 0815. Legend: 4711 = “hash value”]

SLIDE 8

Digital Signatures (very short)

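[Diagram: on the sender side “Hello World” yields the hash value 4711 and the signature 4654; “Hello World” is sent together with 4654; on the receiver side 4711 is obtained twice and compared: equal?]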

SLIDE 9

Using Hash Values for Trust

SLIDE 10

Using Hash Values for Trust

SLIDE 11

Using Hash Values for Trust

Bad guy™

SLIDE 12

“Man in the Middle” Attack

Request hash value for X
The hash value for X is H
Bad guy™
Request hash value for X
The hash value for X is H'

SLIDE 13

Signed Binaries

➢ A signed binary can be authenticated to come from a certain source

  • trust developer, but not deployment channel
  • safe against “man in the middle” attacks
  • automatic check
  • liability and damages
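
The difference between the hash lookup of the “man in the middle” slide and a signed binary, as an added example (not part of the original slides). It uses textbook RSA over two fixed Mersenne primes purely as a stand-in for a real signature scheme; the key, the function names and the sample binaries are assumptions of this example.

```python
import hashlib

# Toy textbook-RSA key built from two known Mersenne primes (assumption of
# this example only: far too small and unpadded for real use).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key, already held by the user
D = pow(E, -1, (P - 1) * (Q - 1))        # private key, stays with the developer


def digest(data: bytes) -> int:
    """Hash the binary and map the hash value into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(binary: bytes) -> int:
    """Developer side: transform the hash value with the private key."""
    return pow(digest(binary), D, N)


def verify_signed(binary: bytes, signature: int) -> bool:
    """User side: recover the signed hash with the public key and compare."""
    return pow(signature, E, N) == digest(binary)


def verify_by_fetched_hash(binary: bytes, fetched_hash: int) -> bool:
    """User side without signatures: trust whatever hash the channel returns."""
    return fetched_hash == digest(binary)


def demo() -> dict:
    original = b"\x7fELF...component X 1.0"              # constructed sample
    tampered = b"\x7fELF...component X 1.0 (modified)"   # constructed sample
    signature = sign(original)
    return {
        # The channel replaces X and answers the hash request with H'.
        "hash_only_accepts_tampered":
            verify_by_fetched_hash(tampered, digest(tampered)),
        "signature_accepts_original": verify_signed(original, signature),
        "signature_accepts_tampered": verify_signed(tampered, signature),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The hash-only check succeeds on the replaced binary because the same channel supplies both X and H'; the signature check fails because H' was never signed with the developer's private key.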
SLIDE 14

The Next Problem

➢ How do we get the public keys to the users?

SLIDE 15

PKI

➢ “Public Key Infrastructure”: a global or local arrangement that provides the vetting of, and the vouching for, user identities and the connected distribution of public keys.

➢ Types of PKI

  • Hierarchical
  • Distributed
SLIDE 16

Hierarchical PKIs

[Diagram: a Central Authority above three Key Issuers; arrows labelled “signs the public keys of”]

CAs: VeriSign, BSI

SLIDE 17

Distributed PKIs

➢ “Chain of Trust”

  • all participants of a security network start to sign each other's keys
  • a key is officially seen as valid if
      • signed by myself
      • signed by “enough” other key holders, which are trusted by myself

SLIDE 18

PGP “Web of Trust”

➢ Levels of trust

  • untrusted: signatures with this key are ignored
  • marginal: 2 signatures make a key valid
  • complete/unlimited: signatures with this key make a key valid
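
The validity rule from the two slides above, as an added example (not part of the original slides, and not PGP's own code). The keyring, the names and the rule that a signature only counts when the signing key is itself valid are assumptions of this example.

```python
MARGINALS_NEEDED = 2   # from the slide: 2 marginal signatures make a key valid


def valid_keys(me, signatures, owner_trust):
    """Return the set of keys considered valid from `me`'s point of view.

    signatures:  dict key -> set of keys that signed it
    owner_trust: dict key -> "untrusted" | "marginal" | "complete"
                 (keys that are not listed count as untrusted)
    A signature only counts if the signing key is itself already valid
    (assumption of this example), so the set is grown until nothing changes.
    """
    valid = {me}
    changed = True
    while changed:
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            counted = [s for s in signers if s in valid]
            complete = sum(1 for s in counted
                           if s == me or owner_trust.get(s) == "complete")
            marginal = sum(1 for s in counted
                           if s != me and owner_trust.get(s) == "marginal")
            if complete >= 1 or marginal >= MARGINALS_NEEDED:
                valid.add(key)
                changed = True
    return valid


# Constructed sample keyring (all names are hypothetical).
SIGNATURES = {
    "alice": {"me"},
    "bob": {"me"},
    "carol": {"me"},
    "dave": {"alice"},            # one complete signer: valid
    "erin": {"bob"},              # one marginal signer: not enough
    "frank": {"bob", "carol"},    # two marginal signers: valid
    "grace": {"mallory"},         # signer is unknown, signature is ignored
    "heidi": {"erin", "grace"},   # signers are not valid themselves
}
OWNER_TRUST = {"alice": "complete", "bob": "marginal", "carol": "marginal",
               "dave": "untrusted"}

if __name__ == "__main__":
    print(sorted(valid_keys("me", SIGNATURES, OWNER_TRUST)))
```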

SLIDE 19

APT Secure

➢ APT is the standard package distribution tool of the Debian Linux distribution
➢ Packages can be distributed world-wide
➢ Users are encouraged to use a local package server with good connectivity
➢ Authenticity of packages automatically validated with digital signatures

SLIDE 20

APT Secure (cont.)

[Diagram: the path from Maintainer via Debian Developer to User; elements shown: Software (3476), Packages, Release]

SLIDE 21

Trusted Computing

➢ Definition I:

System that lets the user verify/control the software that he is running on his machine

➢ Definition II:

System that lets the manufacturer verify/control the software that the user is running on his machine

Not part of this lecture

SLIDE 22

Trusted Computing (cont.)

➢ Integrate a chip into computers that can

  • supervise the boot process
  • safely store (write only) keys
  • verify signatures of code before execution

➢ Integrated into many IBM Thinkpad notebooks
➢ Driver available for Linux (tpm)

  • Part of Linux Kernel 2.6.12-rc2 or later
SLIDE 23

Untrusted Execution

➢ Can we execute code that we do not trust?

  • separate the code execution from the rest of the system

  • control access to resources (CPU, memory, IO)
  • support the user in assessing computational results
SLIDE 24

Assessing Computational Results

Am I trustworthy?

SLIDE 25

UNIX Processes

➢ Traditional system separation

  • code execution is associated with a user account
  • control hardware resources (ulimit)
  • IO access controlled by “user mode”
  • CPU resource controlled by scheduler
  • memory access controlled by MMU
SLIDE 26

Virtual Machines

➢ Hardware support not needed

  • Code JIT compiled or interpreted

➢ Byte-code allows static analysis
➢ Code verification at load time

  • verified code can disable monitoring

➢ JIT compiler can integrate run-time checks
➢ Fine-grained verification

SLIDE 27

Examples of Virtual Machines

➢ JVM, .NET
➢ JavaScript
➢ Postscript
➢ Online Games: Quake, UT, Doom, Half-Life

SLIDE 28

Summary

➢ We have to be careful about the code that is executed on our machines

  • There are many reasons not to trust code that others give you
  • Dynamic systems require complex deployment and verification mechanisms