Principles of Security and Trust

This open access book constitutes the proceedings of the 8th International Conference on Principles of Security and Trust, POST 2019, which took place in Prague, Czech Republic, in April 2019, held as part of the European Joint Conference on Theory and Practice of Software, ETAPS 2019. The 10 papers presented in this volume were carefully reviewed and selected from 27 submissions. They deal with theoretical and foundational aspects of security and trust, including on new theoretical results, practical applications of existing foundational ideas, and innovative approaches stimulated by pressing practical problems

Implementing TPM Commands in the Copland Remote Attestation Language

So much of what we do on a daily basis is dependent on computers: email,social media, online gaming, banking, online shopping, virtual conference calls, and general web browsing to name a few. Most devices we depend on for these services are computers or servers that we do not own, nor do we have direct physical access to. We trust the underlying network to provide access to these devices remotely. But how do we know which computers/servers are safe to access, or verify that they are who they claim to be? How do we know that a distant server has not been hacked and compromised in some way? Remote attestation is a method for establishing trust between remote systems. An appraiser can request information from a target system. The target responds with evidence consisting of run-time measurements, configuration information, and/or cryptographic information (i.e. hashes, keys, nonces, or other shared secrets). The appraiser can then evaluate the returned evidence to confirm the identity of the remote target, as well as determine some information about the operational state of the target, to decide whether or not the target is trustworthy. A tool that may prove useful in remote attestation is the TPM, or “Trusted Platform Module”. The TPM is a dedicated microcontroller that comes built-in to nearly all PC and laptop systems produced today. The TPM is used as a root of trust for storage and reporting, primarily through integrated cryptographic keys. This root of trust can then be used to assure the integrity of stored data or the state of the system itself. In this thesis, I will explore the various functions of the TPM and how they may be utilized in the development of the remote attestation language, “Copland”

A Verified Achitecture for Trustworthy Remote Attestation

Remote attestation is a process where one digital system gathers and provides evidence of its state and identity to an external system. For this process to be successful, the external system must find the evidence convincingly trustworthy within that context. Remote attestation is difficult to make trustworthy due to the external system’s limited access to the attestation target. In contrast to local attestation, the appraising system is unable to directly observe and oversee the attestation target. In this work, we present a system architecture design and prototype implementation that we claim enables trustworthy remote attestation. Furthermore, we formally model the system within a temporal logic embedded in the Coq theorem prover and present key theorems that strengthen this trust argument

Type Dependent Policy Language

Remote attestation is the act of making trust decisions about a communicating party. During thisprocess, an appraiser asks a target to execute an attestation protocol that generates and returns evidence. The appraiser can then make claims about the target by evaluating the evidence. Coplandis a formally specified, executable language for representing attestation protocols. We introduceCopland centered negotiation as prerequisite to attestation to find a protocol that meets the target’s needs for constrained disclosure and the appraiser’s desire for comprehensive information. Negotiation begins when the appraiser sends a request, a Copland phrase, to the target. The target gathers all protocols that satisfy the request and then, using their privacy policy, can filter out the phrases that expose sensitive information. The target sends these phrases to the appraiser as a proposal. The appraiser then chooses the best phrase for attestation, based on situational requirementsembodied in a selection function. Our focus is statically ensuring the target does not share sensitive information though terms in the proposal, meeting their need for constrained disclosure. To accomplish this, we realize two independent implementation of the privacy and selection policies using indexed types and subset types. In using indexed types, the policy check is accomplished by indexing the term grammar with the type of evidence the term produces. The statically ensures that terms written in the language will satisfy the privacy policy criteria. In using the subset type,we statically limit the collection of terms to those that satisfy the privacy policy. This type abides by the rules of set comprehension to build a set such that all elements of the set satisfy the privacy policy. Combining our ideas for a dependently typed privacy policy and negotiation, we give the target the chance to suggest a term or terms for attestation that fits the appraiser’s needs while not disclosing sensitive information

Formally Verified Bundling and Appraisal of Evidence for Layered Attestations

Remote attestation is a technology for establishing trust in a remote computing system. Core to the integrity of the attestation mechanisms themselves are components that orchestrate, cryptographically bundle, and appraise measurements of the target system. Copland is a domain-specific language for specifying attestation protocols that operate in diverse, layered measurement topologies. In this work we formally define and verify the Copland Virtual Machine alongside a dual generalized appraisal procedure. Together these components provide a principled pipeline to execute and bundle arbitrary Copland-based attestations, then unbundle and evaluate the resulting evidence for measurement content and cryptographic integrity. All artifacts are implemented as monadic, functional programs in the Coq proof assistant and verified with respect to a Copland reference semantics that characterizes attestation-relevant event traces and cryptographic evidence structure. Appraisal soundness is positioned within a novel end-to-end workflow that leverages formal properties of the attestation components to discharge assumptions about honest Copland participants. These assumptions inform an existing model-finder tool that analyzes a Copland scenario in the context of an active adversary attempting to subvert attestation. An initial case study exercises this workflow through the iterative design and analysis of a Copland protocol and accompanying security architecture for an Unpiloted Air Vehicle demonstration platform. We conclude by instantiating a more diverse benchmark of attestation patterns called the "Flexible Mechanisms for Remote Attestation", leveraging Coq's built-in code synthesis to integrate the formal artifacts within an executable attestation environment

Principles of Security and Trust

This open access book constitutes the proceedings of the 8th International Conference on Principles of Security and Trust, POST 2019, which took place in Prague, Czech Republic, in April 2019, held as part of the European Joint Conference on Theory and Practice of Software, ETAPS 2019. The 10 papers presented in this volume were carefully reviewed and selected from 27 submissions. They deal with theoretical and foundational aspects of security and trust, including on new theoretical results, practical applications of existing foundational ideas, and innovative approaches stimulated by pressing practical problems