
    Citizen Electronic Identities using TPM 2.0

    Electronic Identification (eID) is becoming commonplace in several European countries. eID is typically used to authenticate to government e-services, but it is also used for other services, such as public transit, e-banking, and physical access control. Typical eID tokens take the form of physical smart cards, but successes in merging eID into phone operator SIM cards show that eID tokens integrated into a personal device can offer better usability than standalone tokens. At the same time, trusted hardware that enables secure storage and isolated processing of sensitive data has become commonplace on PC platforms as well as mobile devices. Some time ago, the Trusted Computing Group (TCG) released version 2.0 of the Trusted Platform Module (TPM) specification. We propose an eID architecture based on the new, rich authorization model introduced in the TCG's TPM 2.0. The goal of the design is to improve overall security and usability compared to traditional smart card-based solutions. We also provide, to the best of our knowledge, the first accessible description of the TPM 2.0 authorization model.
    Comment: This work is based on an earlier work: Citizen Electronic Identities using TPM 2.0, to appear in the Proceedings of the 4th international workshop on Trustworthy embedded devices, TrustED'14, November 3, 2014, Scottsdale, Arizona, USA, http://dx.doi.org/10.1145/2666141.266614

    C-FLAT: Control-FLow ATtestation for Embedded Systems Software

    Remote attestation is a crucial security service, particularly relevant to the increasingly popular IoT (and other embedded) devices. It allows a trusted party (the verifier) to learn the state of a remote, potentially malware-infected device (the prover). Most existing approaches are static in nature and only check whether benign software is initially loaded on the prover. They are therefore vulnerable to run-time attacks that hijack the application's control or data flow, e.g., via return-oriented programming or data-oriented exploits. As a concrete step towards more comprehensive run-time remote attestation, we present the design and implementation of Control-FLow ATtestation (C-FLAT), which enables remote attestation of an application's control-flow path without requiring the source code. We describe a full prototype implementation of C-FLAT on Raspberry Pi using its ARM TrustZone hardware security extensions. We evaluate C-FLAT's performance using a real-world embedded (cyber-physical) application and demonstrate its efficacy against control-flow hijacking attacks.
    Comment: Extended version of article to appear in CCS '16 Proceedings of the 23rd ACM Conference on Computer and Communications Securit

    Color My World: Deterministic Tagging for Memory Safety

    Hardware-assisted memory protection features are increasingly being deployed in COTS processors. ARMv8.5 Memory Tagging Extensions (MTE) is a recent example, which has been used to provide probabilistic checks for memory safety. This use of MTE is not secure against the standard adversary with arbitrary read/write access to memory. Consequently, MTE is used as a software development tool. In this paper we present the first design for deterministic memory protection using MTE that can resist the standard adversary, and hence is suitable for post-deployment memory safety. We describe our compiler extensions for LLVM Clang implementing static analysis and subsequent MTE instrumentation. Via a comprehensive evaluation we show that our scheme is effective

    Trusted Hart for Mobile RISC-V Security

    The majority of mobile devices today are based on the Arm architecture, which supports hosting trusted applications in a Trusted Execution Environment (TEE). RISC-V is a relatively new open-source instruction set architecture that was engineered to fit many uses. In one potential RISC-V usage scenario, mobile devices could be based on RISC-V hardware. We consider the implications of porting the mobile security stack on top of a RISC-V system-on-chip, identify the gaps in the open-source Keystone framework for building custom TEEs, and propose a security architecture that, among other things, supports the GlobalPlatform TEE API specification for trusted applications. In addition to Keystone enclaves, the architecture includes a Trusted Hart -- a normal core that runs a trusted operating system and is dedicated to security functions, such as control of the device's keystore and management of secure peripherals. The proposed security architecture for the RISC-V platform is verified experimentally using the HiFive Unleashed RISC-V development board.
    Comment: This is an extended version of a paper that has been published in Proceedings of TrustCom 202

    Secure electronic mail (Säker elektronisk post)


    Software systems for secure processor architectures (Programvarusystem för säkra processorarkitekturer)

    Processor hardware support for security dates back to the 1970s, and such features were then primarily used for hardening operating systems. This idea has re-emerged as hardware security features in contemporary cost-efficient mobile processors. These support specific operating-system functionality such as communication stack isolation and identity binding, which are needed on mobile devices to satisfy regulatory requirements for e.g. cellular phones. This thesis builds on these hardware security features to implement a generic trusted execution environment (TEE) that can be used for a larger variety of applications. We present software building blocks and infrastructure for isolated trustworthy execution on these hardware environments. The goal is to achieve the same level of isolation as in smart cards or trusted platform modules implemented as separate integrated circuits. The thesis contributes to the state of the art in several ways: We present mechanisms for isolated piecemeal execution of code and processing of data in these very memory-constrained hardware environments. Isolation, freshness and data commit guarantees are provided by cryptographic means. We present security proofs for selected cryptographic primitives used in this hardware context. The thesis also improves on the integrity guarantees of contemporary processor support by implementing rollback protection even when the device is powered down. This is done by combining the security functionality of the processor with auxiliary hardware and firmware logic. We advance the understanding of trusted execution by describing a minimal set of hardware trust roots needed to implement an engine for isolated execution. Ideally, advancement of computer science can be translated into implementable designs with real-world impact.
    The mechanisms presented in this thesis were implemented and deployed in the On-board Credentials (ObC) architecture, and partly standardized as features for the Mobile Trusted Module (MTM). These technologies enable implementation of isolated execution at significant cost savings compared to the deployment of discrete hardware components. The MTM specification, co-designed by the author, is the first global security standard that provides an adaptation to processor hardware mechanisms for isolated execution. The TEE part of On-board Credentials, designed and implemented by the author, is deployed in more than 100 million devices in the field, and has already been used in several public trials and demonstrations of end-user applications. Both ObC and MTM rely on the results of this thesis research.
    Processor support for security was introduced in the 1970s, primarily to improve the integrity of operating systems. With the breakthrough of open PC platforms these mechanisms disappeared for a few decades, but corresponding mechanisms were brought back into use about ten years ago in mobile hardware platforms, now primarily to guarantee protocol integrity for communication and to bind the identity of the mobile hardware, typical conditions for obtaining e.g. a radio licence for a mobile phone. This thesis builds on these existing hardware mechanisms and presents software building blocks for implementing secure, isolated interpretation of software in an architecture that externally corresponds to a discrete hardware component such as a smart card. The thesis contributes to the state of the art from many angles. It presents mechanisms for piecemeal isolated interpretation of software and associated data in these highly constrained environments, where the guarantees for isolation, version management and data flow must be built up with cryptographic methods.
    The thesis also contributes security proofs for selected cryptographic algorithms in this environment. We improve the level of off-line integrity by presenting a solution in which the secure processor support is combined with external, discrete logic to protect against rollback. The thesis also presents a minimal set of security foundations that a processor must support in hardware for isolated interpretation to be implementable. It also describes two architectures built on the building blocks presented in this thesis, each of which offers interfaces for mobile applications and ultimately for users. Computer science has its greatest impact when it is put to use through implementations. The building blocks presented in this thesis enable isolated software interpretation at a considerably lower cost than is possible with discrete hardware, e.g. smart cards. The author has actively contributed to the Mobile Trusted Module (MTM) standard, the first global security standard that defines and enables an adaptation based on isolation built on processors with security functions. The security core of the On-board Credentials architecture, designed and implemented by the author, is available in more than 100 million mobile phones and has already been used in several public research projects and demonstrations. Both of these architectures are based on methodology and also software originating from this thesis.