Design and Analysis of Trusted Computing Platforms (Ontwerp en analyse van vertrouwde computerplatformen)

This thesis deals with the analysis and design of trusted computing platforms. Trusted computing technology is a relatively new enabling technology to improve the trustworthiness of computing platforms. With minor changes to the boot process and the addition of a new hardware security component, called TPM (Trusted Platform Module), trusted computing platforms offer the possibility to verifiably report their integrity to external parties (i.e., remote attestation) and to bind information to a specific platform (i.e., sealed storage).The first part of this thesis mainly focuses on the analysis of existing trusted computing platforms. We analyze the functionality provided by the specifications of the TCG (Trusted Computing Group) and purely software-based alternatives. Based on this analysis we present an improvement to a software-based attestation scheme: we propose to measure the execution time of a memory checksum function locally (with the time stamping functionality of the TPM) instead of remotely (over the network).We also study the resilience of trusted computing platforms against hardware attacks. We describe how attacks on the communication interface of the TPM can circumvent the measured boot process. The feasibility of these attacks is investigated in practice. Additionally we explore which operations should be targeted with a side channel attack to extracts the secret keys of a TPM.The second part of this thesis addresses some of the challenges to implement trusted computing technology on embedded and reconfigurable devices. One of the main problems when integrating a TPM into a system-on-chip design, is the lack of on-chip reprogrammable non-volatile memory. We develop schemes to securely externalize the non-volatile storage of a TPM. One scheme relies a new security primitive, called a reconfigurable physical unclonable function, and another extends the security perimeter of the TPM to the external memory with a cryptographic protocol.We propose a new architecture to reset the trust boundary to a much smaller scale, thus allowing for simpler and more flexible TPM implementations. The architecture has two distinctive features: the program code is stored outside the coprocessor and only gets loaded in RAM memory when needed, and the architecture is open by allowing to execute arbitrary programs in remotely verifiable manner.Finally, we study how the TPM can be implemented securely on reconfigurable hardware. This type of implementation is beneficial because it allows for updates of the software as well as of the hardware of the TPM (e.g., the cryptographic coprocessor) in the field. We examine the implementation options on reconfigurable hardware that is currently available commercially. Next, we propose a novel architecture that can measure and report the integrity of configuration bitstreams.1 Introduction 1.1 Background on Trusted Computing 1.1.1 Closed Platforms 1.1.2 Open Platforms 1.1.3 Secure Coprocessor 1.1.4 Trusted Computing Platforms 1.1.5 Compatibility with Legacy Operating System 1.2 Thesis Outline and Contributions 2 Remote Attestation 2.1 Attestation with Trusted Computing Platforms 2.1.1 Trusted Platform Module 2.1.2 TCG Functionality 2.1.3 Application Level Attestation 2.2 Software-based Attestation on Legacy Platforms 2.2.1 Checksum Functions 2.2.2 Pioneer 2.2.3 Timed Executable Agent System 2.3 Local Execution Time Measurement with TPMs 2.3.1 TPM Time Stamping 2.3.2 Improved Pioneer Protocol 2.3.3 Proxy Attacks 2.3.4 Experimental Results 2.4 Configuration Identification with Trusted Bootloader 2.4.1 Processor Identification 2.4.2 Runtime Checksum Performance Measurement 2.5 Conclusion 3 Hardware Attacks 3.1 Attacks on Trusted Computing Platforms 3.1.1 Attacks on the TPM 3.1.2 Attacks on the Platform 3.2 Attacking the TPM Communication Bus 3.2.1 Passive Monitoring 3.2.2 Reset Attacks 3.2.3 Active Monitoring 3.2.4 Transport Session 3.2.5 LPC Bus Encryption 3.2.6 Integrated TPM 3.3 Experimental Results 3.3.1 Reverse Engineering of TPM Daughterboard 3.3.2 Low Pin Count Bus 3.3.3 Analysis of Trusted Platform Communication 3.4 Side-Channel Attacks on TPMs 3.4.1 Attacking the Endorsement Key 3.4.2 Attacking the Storage Root Key 3.5 Conclusion 4 Non-Volatile State Protection 4.1 Introduction 4.1.1 Mobile Trusted Module 4.1.2 Embedded Trusted Computing 4.1.3 Non-Volatile State 4.1.4 Monotonic Counters 4.2 Protection of Non-Volatile State in External Memory 4.2.1 Security Requirements 4.2.2 Generic Approaches 4.2.3 Authenticated Encryption 4.2.4 Frequency of State Updates 4.2.5 Authentication Tree 4.2.6 On-Chip Non-Volatile Memory 4.3 Physical Unclonable Function-Based Key Storage 4.3.1 Physical Unclonable Functions 4.3.2 Reliable Key Extraction with Fuzzy Extractors 4.3.3 Reconfigurable PUFs 4.3.4 Non-Volatile State Protection with RPUFs 4.3.5 Discussion 4.4 Extending the Security Perimeter of the Trusted Module 4.4.1 Non-Volatile State Protection with External Authenticated NVM 4.4.2 Memory Authentication Protocols 4.4.3 Practical Aspects 4.4.4 Alternative Segregation of Responsibilities 4.5 Conclusion 5 Flexible TPM Architecture 5.1 Introduction 5.1.1 Related Work 5.1.2 Towards an Alternative TPM Architecture 5.2 µTPM Architecture 5.2.1 Design Principles 5.2.2 Process Management 5.2.3 Memory Management 5.2.4 Firmware Integrity Measurement 5.2.5 Firmware Integrity Reporting 5.3 Discussion 5.3.1 Implementation Options 5.3.2 Memory Externalization 5.3.3 Security Considerations 5.4 Conclusion 6 Reconfigurable Trusted Computing 6.1 FPGA Security 6.1.1 Attacker Objectives 6.1.2 Attacks 6.1.3 Defenses 6.2 Trusted Computing on Commercial FPGAs 6.2.1 Protection of Non-Volatile State 6.2.2 Protection of the Bitstream 6.2.3 Field Updates 6.3 Trusted FPGA Architecture 6.3.1 Underlying Model 6.3.2 Basic Idea and Design 6.3.3 Setup Phase 6.3.4 Operational Phase 6.3.5 TPM Updates 6.3.6 Discussion 6.4 Conclusion 7 Conclusions and Future Work 7.1 Conclusions 7.2 Directions for Future Research Bibliographynrpages: 213+22status: publishe