Introduction to Trusted Computing Pieter Maene, Johannes Götzfried, Ruan de Clercq, Tilo Müller, Felix Freiling, and Ingrid Verbauwhede 1 KU Leuven/COSIC, Belgium 2 FAU Erlangen-Nürnberg, Germany January 31, 2017
Trusted Computing 2
Trusted Computing “An entity can be trusted if it always behaves in the expected manner for the intended purpose.”—Trusted Computing Group 2004 3
Hardware-Based Architectures • Limitations of software-based solutions • Protect against system-level attacker • Hardware considered immutable 4
[Table: comparison of architectures (AEGIS; TPM; TXT, x86_64; TrustZone, ARM; Bastion, UltraSPARC; SMART, AVR/MSP430; Sancus, MSP430; Soteria, MSP430; SecureBlue++, POWER; SGX, x86_64; Iso-X, OpenRISC; TrustLite, Siskiyou Peak; TyTAN, Siskiyou Peak; Sanctum, RISC-V) against security properties (Isolation, Attestation, Sealing, Dynamic RoT, Code Confidentiality, Side-Channel Resistance 1, Memory Protection 2), architectural features (Lightweight, Coprocessor, HW-Only TCB, Preemption, Dynamic Layout, Upgradeable TCB, Backwards Compatibility) and other (Academic, Open-Source); legend: Yes / Partial / No, – = Not Applicable; the per-cell markings did not survive extraction] 1 Resistance against software side-channel attacks targeting memory access patterns only. 2 Protection from physical attacks, both passive (e.g., probing) and active (e.g., fault injection). 5
Outline 1 Introduction 2 Background 3 Attacker Model 4 Properties 5 Architectures 6 Comparison 7 Conclusion 6
Memory Hierarchy [Figure: processor with registers and caches (instructions, data), backed by main memory] 7
Protection Rings [Figure: Ring 0 kernel; Rings 1 and 2 device drivers (supervisor mode); Ring 3 applications (user mode)] 8
Protected Module Architectures (PMAs) • Protect smaller, verifiable code base • Trusted Computing Base (TCB) [Figure: SM 1, SM 2, App 1, App 2 running on top of the TCB and processor; the TCB is either hardware only or hardware plus software] 9
Attacker Model 1 Controls all software outside the TCB 2 Access to communication channel 3 Dolev-Yao 4 No Denial-of-Service protection 5 Physical attacks out of scope • Some allow off-chip memory attacks • Hardware side-channels not considered 6 Software side-channels generally excluded 10
Isolation • Access control mechanism • Entry point [Figure: SM 1, SM 2, App 1, App 2 on top of the TCB and processor] 11
Attestation • Measurements anchored in Root of Trust (RoT) [Figure: Verifier sends nonce n to Prover; Prover computes M = Measure(n, code) and returns M; Verifier checks M] 12
Sealing [Figure: RoT inside the TCB on the processor measures SM 1, SM 2, App 1, App 2; the measurements support remote attestation and sealing to storage] 13
Dynamic Roots of Trust (DRoTs) [Figure: as for sealing, with a DRoT in place of the static RoT for measuring, remote attestation and sealing to storage] 14
Code Confidentiality 15
Side-Channel Resistance • Software side-channels • Untrusted software only learns I/O behaviour 16
Memory Protection • Integrity and authenticity of main memory • Active and passive attacks 17
Architectural Features Lightweight • Architectures without MMU • Limited number of applications Preemption • Suspension of running tasks at any time • Mainly impacts context switching Upgradeable TCB • Hardware-only TCB is not upgradeable • Some designs include trusted software • Design flexibility and later upgrades 18
Architectures SMART ([El Defrawy et al., 2012]) Lightweight remote attestation mechanism Sancus ([Noorman et al., 2013]) Protected module architecture for embedded systems TrustZone (ARM, 2009) Isolation mechanism in ARM’s processors 19
SMART • Lightweight remote attestation mechanism • Minimal (proven by [Francillon et al., 2014]) [Table row for SMART (AVR/MSP430) from the comparison table; cell markings not recoverable] 20
SMART [Figure: Verifier sends nonce n and x to Prover; Prover computes M = HMAC_K(n, code) and returns M; Verifier checks M; Prover executes x] 21
SMART [Figure: memory holds the user's application (attested code, application data), the SMART code and the key; the SMART code computes the HMAC over instructions and data, uses registers/IO, and memory erasure is triggered on reset] 22
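The challenge-response exchange from the attestation slide and its SMART form (M = HMAC_K(n, code)), as an added Python example that is not the authors' or SMART's code; the key bytes, the code bytes, SHA-256 as the HMAC hash, and the verifier holding a reference copy of the attested code are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample: the attested code region exactly as the verifier expects it.
REFERENCE_CODE = bytes.fromhex("0212001220a1c1b22210ffd2") * 4
# Constructed shared key K (in SMART it lives in ROM readable only by the SMART code).
SHARED_KEY = bytes(range(32))


def measure(key: bytes, nonce: bytes, code: bytes) -> bytes:
    """M = HMAC_K(n, code): the nonce binds the measurement to this challenge."""
    return hmac.new(key, nonce + code, hashlib.sha256).digest()


class Prover:
    """Device side: holds K and the code region that gets measured."""

    def __init__(self, key: bytes, code: bytes):
        self.key = key
        self.code = code

    def attest(self, nonce: bytes) -> bytes:
        return measure(self.key, nonce, self.code)


class Verifier:
    """Verifier side: holds K and a reference copy of the expected code."""

    def __init__(self, key: bytes, reference_code: bytes):
        self.key = key
        self.reference_code = reference_code

    def challenge(self) -> bytes:
        return os.urandom(16)  # fresh nonce per run, so an old M cannot be replayed

    def check(self, nonce: bytes, received: bytes) -> bool:
        expected = measure(self.key, nonce, self.reference_code)
        return hmac.compare_digest(expected, received)  # constant-time comparison


def run_attestation(prover: Prover, verifier: Verifier) -> bool:
    """One protocol run: n -> prover; M = HMAC_K(n, code) -> verifier; verifier checks M."""
    nonce = verifier.challenge()
    return verifier.check(nonce, prover.attest(nonce))
```

A prover whose code differs by one byte, one holding the wrong key, or one replaying the M of an earlier run all fail the check.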
Sancus • Hardware-only protected module architecture for embedded devices • Program counter-based access control • Extended with code confidentiality ([Götzfried et al., 2015]) [Table rows for Sancus (MSP430) and Soteria (MSP430) from the comparison table; cell markings not recoverable] 23
Sancus [Figure, deployment hierarchy: an infrastructure provider IP owns nodes N_1, N_2, ...; software providers SP_1, SP_2, ... deploy software modules SM_{1,1}, SM_{2,1}, SM_{2,2}, ..., SM_{j,k} on those nodes] 24
Sancus [Figure, memory layout: SM 1 text section (entry point, code and constants) and SM 1 data section (protected data), with unprotected memory around them; a protected storage area holds per-module metadata (layout, ID, caller ID, module key K_{N,SP,SM_1}) together with the node key K_N and the next ID] 25
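Sancus's program counter-based access control and entry-point enforcement from the two slides above, as an added simulation that is not Sancus's own code; the module layouts and addresses are constructed, and the two rules modelled (a module's data is reachable only while the program counter is in that module's own text section; from outside, a module's text may be entered only at its entry point) are the ones the slides name.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProtectedModule:
    """One Sancus SM: a text section with a single entry point plus a data section.
    Ranges are [start, end). Addresses below are constructed, not real layouts."""
    name: str
    text_start: int
    text_end: int
    data_start: int
    data_end: int
    entry: int

    def in_text(self, addr: int) -> bool:
        return self.text_start <= addr < self.text_end

    def in_data(self, addr: int) -> bool:
        return self.data_start <= addr < self.data_end

def data_access_allowed(modules, pc: int, addr: int) -> bool:
    """PC-based rule: a module's protected data may be read or written only while
    pc lies in that module's own text section; memory owned by no module is free."""
    for sm in modules:
        if sm.in_data(addr):
            return sm.in_text(pc)
    return True

def control_transfer_allowed(modules, pc: int, target: int) -> bool:
    """Entry-point rule: from outside a module the only way into its text section is
    the entry point; jumps within the module, and jumps that leave it, are free."""
    for sm in modules:
        if sm.in_text(target):
            return sm.in_text(pc) or target == sm.entry
    return True

def first_violation(modules, trace):
    """trace: (pc, 'load'|'store'|'jump', addr) tuples; index of the first refused step, or None."""
    for i, (pc, kind, addr) in enumerate(trace):
        check = control_transfer_allowed if kind == "jump" else data_access_allowed
        ok = check(modules, pc, addr)
        if not ok:
            return i
    return None

# Constructed layout: two modules; unprotected application code lives around 0x5000.
SM1 = ProtectedModule("SM1", 0x1000, 0x1100, 0x2000, 0x2100, entry=0x1000)
SM2 = ProtectedModule("SM2", 0x3000, 0x3100, 0x4000, 0x4100, entry=0x3000)
MODULES = (SM1, SM2)
```

The last case in the trace below shows why the comparison slides say enforcing the entry point blocks code reuse: a jump from unprotected code into the middle of SM1's text is refused even though the target is valid code.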
TrustZone • GlobalPlatform's Trusted Execution Environment (TEE) • Normal World (REE) and Secure World (TEE) [Table row for TrustZone (ARM) from the comparison table; cell markings not recoverable] 26
TrustZone [Figure: Normal World runs App 1, App 2, App 3 on a Rich OS using the TEE Client API; Secure World runs Trusted App 1, Trusted App 2, Trusted App 3 on a Trusted OS using the TEE Internal API; the Monitor on the processor switches between the two worlds] 27
Comparison Isolation • Provided by all except TPM and SMART • Lightweight: program counter-based memory access control • Complex architectures extend MMU, coarser granularity Attestation • Wide variety of approaches • Simple symmetric protocols in hardware • Trusted software for advanced algorithms 28
Comparison TCBs • Hardware-only TCB cannot be upgraded • Stronger guarantees, as no part is vulnerable to software attackers • Carefully designed software components increase flexibility Trust Boundaries • Typically extend to the CPU package • Protection against physical bus and memory attacks Attacker Model • Very similar for all isolation architectures • Internal vulnerabilities remain exploitable 29
Comparison Code Injection Attacks • Protected against by isolation mechanism • Attestation enables detection of changes Code Reuse Attacks • Prevented by enforcing the entry point Software Side-Channel Attacks • No general protection mechanism • Sanctum addresses cache timing attacks 30