
7. Results, Conclusion and Further Work

7.4. Knowledge gained from this Research Project

After initially spending time investigating the state-of-the-art technologies for hardware-based security modules, a richer understanding was gained into the world of IT security and trusted computing systems, as well as the associated basic cryptographic algorithms and protocols. Although, on starting the project work, the author already had a basic comprehensive understanding of virtualization techniques, much more depth and appreciation was gained during the review phase of the currently available hypervisors, especially the open source hypervisor ‘Xen’.

A completely new and unknown experience to the author was that of leading a project team consisting of two students. During the time of this project, weekly meetings had to be arranged to review the research project status, synchronise results and to discuss further plans and prospects.


List of Figures

1.1. The company logo of Kontron Embedded Modules GmbH . . . 3
1.2. Principal project goals . . . 4
2.1. CPU protection rings - ideal usage . . . 12
2.2. CPU protection rings - real usage . . . 13
2.3. High-level overview of a Direct Memory Access (simplified) . . . 14
2.4. Overview of the processor states . . . 15
2.5. Illustration of a Buffer Overflow vulnerability . . . 16
3.1. Document Roadmap Diagram of the Trusted Computing Group . . . 21
3.2. Schematic design of a Trusted Computing System . . . 26
3.3. Trusted Software Stack . . . 29
4.1. The logo for the Xen hypervisor . . . 37
4.2. Xen-Hypercalls . . . 39
4.3. CPU protection rings - additional Ring -1 . . . 40
5.1. Architecture of the experimental proof-of-concept system . . . 46
5.2. Hardware structure of the proof-of-concept system . . . 47
5.3. ETXexpress evaluation Backplane . . . 49
5.4. ETXexpress-PC COM Module . . . 51
5.5. ETXexpress-SC COM Module . . . 52
5.6. Trusted Platform Module from Infineon . . . 53
5.7. Components of an integrated iTPM from Intel (simplified) . . . 54
5.8. Virtual vTPM implementation in Xen . . . 55
6.1. Proof-of-concept platform provisioning process overview . . . 75
E.1. Internal component structure of a Trusted Platform Module . . . XXXI
E.2. TPM states and state transitions . . . XXXVI
E.3. High-level overview of a Chain of Trust . . . XXXVII
E.4. Root of Trust for Storage - Key Hierarchy . . . XXXIX

List of Tables

E.1. Platform Configuration Register usage . . . XXXV

List of Listings

5.1. Connect to local TPM . . . 64
5.2. Create PCR object . . . 64
5.3. Utilize RNG for the creation of a symmetric key . . . 65
5.4. Create new asymmetric key object . . . 65
5.5. Sealing of symmetric key . . . 67
5.6. Close context to TPM . . . 68

Glossary of Terms

A

Application Programming Interface

An Application Programming Interface (API) is a set of definitions of the ways one piece of computer software communicates with another. It is a method of achieving abstraction, usually (but not necessarily) between lower-level and higher-level software.

Attestation Identity Key

The Attestation Identity Key (AIK) is an asymmetric RSA key pair, created by a Trusted Platform Module (TPM), used for attesting the trustworthiness of a platform to a third party. The AIK pair originates from the Endorsement Key (EK); only the public part of the pair is transmitted to the attesting party, and for privacy protection reasons it cannot be linked back to the Endorsement Key.

B

Basic Input Output System

The Basic Input Output System (BIOS) is a de facto standard in IBM PC compatible computers, defining a firmware interface. The BIOS software is the first code executed when a platform is powered on. The BIOS identifies and initializes system devices and locates, loads and executes software held on a boot device. For Trusted Computing purposes the BIOS must be part of the static Chain of Trust for a secure bootstrap of the system.

C

Common Criteria for Information Technology Security Evaluation

The Common Criteria for Information Technology Security Evaluation (CC) is an international standard for computer security evaluation and certification (ISO/IEC 15408). The Common Criteria standard provides assurance that the specification, implementation and evaluation processes of a computer security product have been carried out in a standard manner.

Computer On Module

A Computer On Module (COM) is a subtype of an embedded computer system which represents an extension of the System On a Chip (SOC) concept. COM modules are complete computer systems built on a single circuit board, which usually lack the standard connectors for input/output peripherals. COM modules are usually mounted on a backplane which wires the bus signals to standard peripheral connectors.

Core Root of Trust for Measurement

In Trusted Computing (TC) capable systems the Core Root of Trust for Measurement (CRTM) code contains the first instructions executed when powering up the platform. The CRTM code, which is often implemented as a BIOS extension, must be explicitly trusted by the platform owner. It contains the instructions that start the Chain of Trust used for a secure bootstrap of the system: it calculates a hash value of the next component and stores this value securely inside the Trusted Platform Module (TPM) before executing that component.

D

Direct Memory Access

The Direct Memory Access (DMA) functionality allows specific subsystems within the computer to access the system’s memory independently of the CPU. DMA was developed for performance reasons and not with security in mind. The risk posed by direct memory access therefore has to be taken into account when developing trusted computing systems.

Dynamic Root of Trust for Measurement

The Dynamic Root of Trust for Measurement (DRTM) is a method for the establishment of a trusted boot sequence. It should provide assurance that the system which booted is exactly the system that was intended to boot. Intel Trusted eXecution Technology (TXT) builds on the central concept of a DRTM.

E

Endorsement Key

The Endorsement Key (EK) is a unique 2048-bit RSA key pair, which is usually created during the manufacturing process of a Trusted Platform Module (TPM). The EK uniquely identifies a specific TPM and therefore, for privacy reasons, must never leave the TPM.

G

Graphical User Interface

A Graphical User Interface (GUI) is a software component that allows the user of a computer system to interact with the system via graphical elements rather than text commands. A GUI represents the available information and actions through visual indicators and symbols. The actions are usually performed through direct manipulation of the individual graphical icons.

H

Hash-based Message Authentication Code

The Hash-based Message Authentication Code (HMAC) is a cryptographic algorithm used for the calculation of a Message Authentication Code (MAC) in combination with a secret key. This way, both the data integrity and the authenticity of a message can be verified simultaneously.

I

Input/Output Memory Management Unit

The Input/Output Memory Management Unit (IOMMU) is a special form of Memory Management Unit (MMU) which connects an I/O bus capable of Direct Memory Access (DMA) to the main system memory. Intel Virtualization Technology for Directed I/O (Intel VT-d) implements an IOMMU for Intel chipsets.

L

Low Pin Count

The Low Pin Count (LPC) bus is used to connect low-bandwidth devices to the CPU. The physical wires of the Low Pin Count bus are usually connected to the southbridge of the chipset. The Trusted Platform Module (TPM) is also connected via the LPC bus.

M

Master Boot Record

The Master Boot Record (MBR) is the first sector of a partitioned data storage device, with a size of 512 bytes. After the BIOS has initialized all components it passes execution to the instructions contained in the MBR, which contain the information needed to bootstrap the operating system. In a Trusted Computing (TC) capable system the MBR must be part of the Chain of Trust.

Memory Management Unit

The Memory Management Unit (MMU) is a hardware component which is responsible for the handling of memory access requested by the CPU. The MMU translates virtual addresses to physical addresses and offers memory protection features.

Message Authentication Code

A Message Authentication Code (MAC) is usually a short piece of information used to authenticate a message. Different cryptographic primitives, such as hash functions or block cipher algorithms, are used for the creation of MAC values.

P

Personal Identification Number

A Personal Identification Number (PIN) is most often a secret numeric password shared between a system and the user of that system, introduced for the authentication of the user to the system.

Platform Configuration Register

The Platform Configuration Registers (PCRs) are a special memory region located in the volatile memory of a Trusted Platform Module (TPM), each with a size of 160 bit. These registers store the hash values of specific data blocks measured during the boot process of the platform and can therefore represent the state of the platform.

Power On Self Test

The BIOS Power On Self Test (POST) refers to routines which run immediately after power is applied to the system. The BIOS POST protects the bootstrapped code from being interrupted by faulty hardware components. Only if the POST completes successfully does the bootstrap of the system continue.

R

Root of Trust for Measurement

The Root of Trust for Measurement (RTM) is one out of three Roots of Trust as defined by the Trusted Computing Group (TCG) needed for the creation of a Trusted Computing Platform (TCP). The Root of Trust for Measurement is the basic component for the integrity measurements and the creation of a Chain of Trust. This Root of Trust is realized by the Core Root of Trust for Measurement (CRTM) BIOS extension.


Root of Trust for Reporting

The Root of Trust for Reporting (RTR) is one out of three Roots of Trust as defined by the Trusted Computing Group (TCG) needed for the creation of a Trusted Computing Platform (TCP). The Root of Trust for Reporting is responsible for the establishment of a platform identity and the protection of the transferred Platform Configuration Register (PCR) values during attestation of the system. This Root of Trust is realized by the Endorsement Key (EK) and corresponding certificates.

Root of Trust for Storage

The Root of Trust for Storage (RTS) is one out of three Roots of Trust as defined by the Trusted Computing Group (TCG) needed for the creation of a Trusted Computing Platform (TCP). The Root of Trust for Storage ensures that security critical data, such as keys, which have to be stored on an external storage device are bound to the platform first through encryption. This Root of Trust is realized by the Storage Root Key (SRK).

S

Secure Hash Algorithm

The term Secure Hash Algorithm (SHA) describes a group of standardized cryptographic hash functions. These functions serve for the calculation of unique checksums of arbitrary electronic data and messages. As a requirement for secure hash algorithms, it must be impractical to find two messages with the same hash value.

Static Root of Trust for Measurement

The Static Root of Trust for Measurement (SRTM) is a method for the establishment of a trusted boot sequence. The system starts booting from an immutable piece of firmware, i.e. the Core Root of Trust for Measurement (CRTM) BIOS extension, which initiates a measurement process in which each component measures the next one in a chain, also called the Chain of Trust.
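As an added illustration of the Chain of Trust described in the CRTM, PCR and SRTM entries (example code, not code from the thesis or its proof-of-concept system), the following Python simulates SHA-1 PCR extend along a static boot chain and a verifier replaying the reported event log; the component names and images are constructed stand-ins.

```python
"""Simulated TPM 1.2 PCR extend along a static Chain of Trust (SRTM).

Constructed example: component names and images are stand-ins, not the
thesis's proof-of-concept system.
"""
import hashlib

PCR_SIZE = 20                      # a TPM 1.2 PCR holds one SHA-1 digest (160 bit)
PCR_INITIAL = b"\x00" * PCR_SIZE   # PCR value after platform reset


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || measurement). A PCR can only be
    extended, never written, so its value depends on every measurement and
    on the order in which they arrived."""
    if len(pcr) != PCR_SIZE or len(measurement) != PCR_SIZE:
        raise ValueError("PCR and measurement must both be 160 bit")
    return sha1(pcr + measurement)


def measured_boot(components):
    """Chain of Trust: the CRTM measures the BIOS, the BIOS the MBR, the boot
    loader the hypervisor, ... Each stage stores the SHA-1 of the next
    component in the PCR before executing it. Returns the final PCR and the
    event log (name, digest) the platform later reports to a verifier."""
    pcr = PCR_INITIAL
    event_log = []
    for name, image in components:
        digest = sha1(image)             # measure the next component
        pcr = pcr_extend(pcr, digest)    # record it in the TPM first ...
        event_log.append((name, digest))
        # ... and only then hand control to the component (not modelled)
    return pcr, event_log


def replay_event_log(event_log) -> bytes:
    """Verifier side: the PCR a genuine TPM would hold after this log."""
    pcr = PCR_INITIAL
    for _, digest in event_log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def attest(reported_pcr: bytes, event_log, known_good_pcr: bytes) -> bool:
    """Accept only if the log reproduces the reported PCR and that PCR is the
    known-good value of the intended boot chain."""
    return replay_event_log(event_log) == reported_pcr and reported_pcr == known_good_pcr


# Constructed stand-ins for the images of a Xen-based boot chain.
BOOT_CHAIN = [
    ("BIOS", b"bios-image-v1"),
    ("MBR", b"grub-stage1"),
    ("Xen", b"xen-hypervisor-image"),
    ("dom0-kernel", b"linux-dom0-image"),
]

if __name__ == "__main__":
    good_pcr, good_log = measured_boot(BOOT_CHAIN)
    print("known-good PCR:", good_pcr.hex())
    # A modified hypervisor image changes the PCR, so the verifier rejects the
    # platform even though its event log is internally consistent.
    modified = [(n, img if n != "Xen" else b"xen-hypervisor-modified") for n, img in BOOT_CHAIN]
    pcr, log = measured_boot(modified)
    print("modified hypervisor accepted:", attest(pcr, log, good_pcr))
```

Because a PCR can only be extended, a component that alters an earlier stage cannot later bring the register back to the known-good value; the verifier also notices when a reported log does not reproduce the reported PCR at all.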

Storage Root Key

The Storage Root Key (SRK) is a 2048-bit RSA key pair which is created inside the Trusted Platform Module (TPM) when the owner of the platform takes ownership of the security module. The Storage Root Key forms the top of the TPM key hierarchy. Unlike the Endorsement Key (EK), the Storage Root Key can be changed an unlimited number of times by first clearing the TPM and then taking ownership again.

System Management Interrupt


(SMM), an operating mode of Intel architectures. System Management Interrupts are disabled while the processor executes in the System Management Mode. An SMI can be signalled through an external processor pin or through a special SMI message received by the CPU through the Advanced Programmable Interrupt Controller (APIC).

System Management Mode

The System Management Mode (SMM) is a basic operating mode of Intel architectures. Moreover, SMM is the most privileged CPU operating mode, which allows power-management features and other operating-system-independent functions. The processor enters the System Management Mode when a System Management Interrupt (SMI) is triggered. SMM is security critical and could be used as an attack vector if an attacker manages to change the code executed in the System Management Mode.

System Management RAM

The System Management RAM (SMRAM) is a special memory region which contains the executable code of the System Management Mode (SMM), executed when a System Management Interrupt (SMI) is initiated. The SMRAM can be located either in a separate RAM or in the system memory. The SMRAM space is mapped into the physical address space, so up to 4 GBytes of memory can be addressed.

System On a Chip

The term System On a Chip (SOC) refers to an approach of integrating all required components for specific tasks of an electrical system or computer system into one single

Related documents