Second year review WP3 overview HW/SW-based methods Trento – October 17th, 2008
Goal Investigate the combination of hardware- and software based software protection techniques in order to implement the remote entrusting principle 2
Participants • Team: • KUL (WP leader) Team: - Bart PRENEEL Bart PRENEEL - Jan CAPPAERT Jan CAPPAERT - Sebastian FAUST Sebastian FAUST - Thomas HERLEA Thomas HERLEA - Dries SCHELLEKENS Dries SCHELLEKENS - Brecht WYSEUR Brecht WYSEUR 3
Participants • KUL (WP leader) • Gemalto • Team: Team: • Jean-Daniel AUSSEL Jean-Daniel AUSSEL • Jerome D’ANNOVILLE Jerome D’ANNOVILLE • Christian Cudonnec Christian Cudonnec 4
Participants • KUL (WP leader) • Gemalto • UNITN - Team: Team: - Paolo TONELLA Paolo TONELLA - Mariano CECCATO Mariano CECCATO - Jasvir NAGRA Jasvir NAGRA - Milla DALLA PREDA Milla DALLA PREDA - Amitabh SAXENA Amitabh SAXENA 5
Participants • KUL (WP leader) • Gemalto • UNITN • POLITO • Team: Team: • Stefano DI CARLO Stefano DI CARLO • Alberto SCIONTI Alberto SCIONTI 6
Participants • KUL (WP leader) • Gemalto • UNITN • POLITO • Team: • SPIIRAS Team: • Igor KOTENKO Igor KOTENKO • Vasily DESNITSKY Vasily DESNITSKY 7
T asks D3.2 M0 M3 M6 M9 M12 M15 M18 M21 M24 M27 M30 M33 M36 T3.1 T3.1 T3.2 T3.2 T3.3 T3.3 T3.4 T3.4 T3.5 T3.5 8
T ask 3.2 M11 M12 M13 M14 M15 M16 M17 M18 M19 M20 M21 M22 M23 M24 M25 M26 T3.1 T3.1 T3.2 T3.2 T3.3 T3.3 T3.4 T3.4 T3.5 T3.5 9
T3.2 T3.2 Hardware/Software Co-Obfuscation Use of light-weight hardware to ensure software confidentiality and software integrity • TPM, Smart card, … Developments • TPM assisted remote software entrusting (KUL) • FPGA-based remote entrusting (POLITO) • HW Barrier Slicing (UNITN) 10
T3.2 T3.2 T3.2 Hardware/Software Co-Obfuscation TPM Assisted Remote Software Entrusting (KUL) Trusted computing approach: remote attestation Option Memory Hardware ROMs OS Network OS Application CRTM BIOS loader root of trust in integrity New OS trusted measurem Component TPM component ent measuri ng root of reporting trust in storing integrity values logging reporting 11 methods
T3.2 T3.2 T3.2 Hardware/Software Co-Obfuscation TPM Assisted Remote Software Entrusting (KUL) Disadvantages of timing based attestation techniques • Constraints on verification function implementation • predictable execution time (interrupts, supervisor mode) • time-optimal • Known hardware configuration → hardware replacement attack • Network delays need to be incorporated → proxy attacks Minimal trade-off: assist software attestation with TPM features. 12
T3.2 T3.2 T3.2 Hardware/Software Co-Obfuscation TPM Assisted Remote Software Entrusting (KUL) Enhanced solution: TPM tick stamping Untrusted Untrusted Trusted platform Trusted platform platform platform c := cksum(TS 1 ,M) c := cksum(TS 1 ,M) n TS 1 TS 1 := Sign TPM (n||t 1 ) M M M M TPM TPM TS 2 := Sign TPM (c||t 2 ) TS 2 h := hash(TS 2 ,P) h := hash(TS 2 ,P) h P P P P t 2 – t 1 < Δ t expected 13
T3.2 T3.2 T3.2 Hardware/Software Co-Obfuscation TPM Assisted Remote Software Entrusting (KUL) Extensions: assistance for trusted OS loader • Include HW specifications (CPUID) in Tag • Simulate verification function at boot-time Publication • Dries Schellekens, and Brecht Wyseur, and Bart Preneel, “Remote Attestation on Legacy Operating Systems with Trusted Platform Modules”, In 1 st International Workshop on Run Time Enforcement for Mobile and Distributed Systems (REM 2007) • Dries Schellekens, and Brecht Wyseur, and Bart Preneel, “Remote Attestation on Legacy Operating Systems with Trusted Platform Modules”, Special Issue on Science of Computer Programming, 2008 14
T3.2 T3.2 T3.2 Hardware/Software Co-Obfuscation FPGA-based remote entrusting (POLITO) • CLIENT System Architecture APPLICATION uses available services exported by the DRIVER • DRIVER manages communication between the application server and the authentication hardware • AUTHENTICATION MONITOR manages the application code hashing and encrypting operations 15
T3.2 T3.2 T3.2 Hardware/Software Co-Obfuscation FPGA-based remote entrusting (POLITO) 1. At startup of the client application, a session key is established, using a key agreement protocol between the application server and the client machine. Optionally, the session key can be updated during the execution of the program. 2. The session key is used to computed a signature of the client application. 3. The server periodically sends to the hardware monitor an Authentication Request, and waits for the computed signature 4. The client receives the requests (on a socket interface implemented in the driver module) and forwards it to the hardware monitor 5. The hardware monitor computes the hash of the memory pages’ content related to the client application (code segment) directly accessing the computer’s memory and without relying on any system call. The only used information is the name of the target application used to determine the position of the application in memory 6. The hardware module computes the signature for the considered memory pages using the session key, and sends it to the server via the driver’s socket 7. The server compares the two signatures and determines whether it can already deliver the service to the client or not 16
T3.2 T3.2 T3.2 Hardware/Software Co-Obfuscation FPGA-based remote entrusting (POLITO) Application Client Server session key agreement FPGA request hash sign sk (mem) service mem 17
T3.2 T3.2 T3.2 Hardware/Software Co-Obfuscation Distributed Architecture (UNITN) Networ k Program P Trusted host Un-trusted host Card Reader Virtual secure channel 18
T3.2 T3.2 T3.2 Hardware/Software Co-Obfuscation Program Transformation (UNITN) Un-trusted host: Smart card: • • X ∈ s |unsafe The barrier-slice is run • • The slice is fed with any input coming X uses are removed from the program from the host • They are replaced by a query to get the • Validity of the host is evaluated actual value from the card • • X values are provided as required X defs are replaced by synchronization statements • Synchronization with the host Smart card Un-trusted host 19
T3.2 T3.2 T3.2 Hardware/Software Co-Obfuscation Empirical results (UNITN) Original Barrier slice client 858 120 14% Memory Network Threads 20
T3.2 T3.2 T3.2 Hardware/Software Co-Obfuscation Empirical results (UNITN) • Barrier slicing is used to separate the security sensitive part of the application • Both centralized and distributed architectures are able to verify the client healthy execution • The distributed architecture has better scalability 15% memory 25% threads 8% network • The slice is small and can fit in a smart card (14% of the application) Mariano Ceccato, Jasvir Nagra, Paolo Tonella, “Distributed Trust Verification to Increase Application Performance”, In 16 th Euromicro Conference on Parallel, Distributed and Network-Based Processing, 2008 21
Task 3.3 M11 M12 M13 M14 M15 M16 M17 M18 M19 M20 M21 M22 M23 M24 M25 M26 T3.1 T3.1 T3.2 T3.2 T3.3 T3.3 T3.4 T3.4 T3.5 T3.5 22
T3.3 T3.3 T3.3 – Encrypted Code Execution (KUL - GEMALTO) Computing with Encrypted Data • State of the art study (Goldwasser- micali, Paillier cryptosystems, Boneh) B. Wyseur, M. Deng, and T. Herlea, “A Survey of Homomorphic Encryption Schemes”, COSIC internal report, 15 pages, 2007 Deliverable 3.3 (M30) • Relation with White-Box Remote Program Execution (T2.4) 23 Smart Dongle
T3.3 T3.3 T3.3 Encrypted code execution Secure with hardware (GEMALTO) • Scope Study the opportunity to use a new hardware as a candidate platform for the project/task • Platform: USB Dongle: Smartcard + flash memory • Purpose: - Use the platform in the context of the T3.3 - Host the monitor locally in the USB Dongle 24
T3.3 T3.3 T3.3 Encrypted code execution Secure with hardware (GEMALTO) • Evolution of the USB Dongle: no more hub Flash Memory USB Controller Connector SIM card 25
T3.3 T3.3 T3.3 Encrypted code execution Secure with hardware (GEMALTO) Controlle Flash r Memory • USB Dongle: Partition CDROM Private Smart Card + CTRL Flash memory UICC ISO 7816 Smart Card 26
T3.3 T3.3 T3.3 Encrypted code execution Secure with hardware (GEMALTO) • USB Dongle main features: No installation, Zero footprint Smartcard Levels of trust - CD-ROM partition: no persistent tampering - Secure channel - Thumbprint mechanism to secure the application 27
T3.3 T3.3 Untrusted computer Server Smartcard Trusted Application Service: Data Access Keys Cryptography Memory Thumbprints Property Monitor Analyzer Log service Application maintenance Releases Mgt Provide Report, or update shutdown propertie service s 28
T3.3 T3.3 T3.3 Encrypted code execution Secure with hardware (GEMALTO) • Smart card entrusting of terminal applications Smart Card Untrusted Computer Trusted Application Service: Data Access Cryptography Properties Report Properties Monitor Analyzer Update Properties Keys Memory thumbprints Provide or shutdown service 29
Recommend
More recommend