29 research outputs found

    Design and Analysis of Trusted Computing Platforms (Ontwerp en analyse van vertrouwde computerplatformen)

    This thesis deals with the analysis and design of trusted computing platforms. Trusted computing technology is a relatively new enabling technology to improve the trustworthiness of computing platforms. With minor changes to the boot process and the addition of a new hardware security component, called TPM (Trusted Platform Module), trusted computing platforms offer the possibility to verifiably report their integrity to external parties (i.e., remote attestation) and to bind information to a specific platform (i.e., sealed storage).

    The first part of this thesis mainly focuses on the analysis of existing trusted computing platforms. We analyze the functionality provided by the specifications of the TCG (Trusted Computing Group) and purely software-based alternatives. Based on this analysis we present an improvement to a software-based attestation scheme: we propose to measure the execution time of a memory checksum function locally (with the time stamping functionality of the TPM) instead of remotely (over the network).

    We also study the resilience of trusted computing platforms against hardware attacks. We describe how attacks on the communication interface of the TPM can circumvent the measured boot process. The feasibility of these attacks is investigated in practice. Additionally, we explore which operations should be targeted with a side-channel attack to extract the secret keys of a TPM.

    The second part of this thesis addresses some of the challenges of implementing trusted computing technology on embedded and reconfigurable devices. One of the main problems when integrating a TPM into a system-on-chip design is the lack of on-chip reprogrammable non-volatile memory. We develop schemes to securely externalize the non-volatile storage of a TPM. One scheme relies on a new security primitive, called a reconfigurable physical unclonable function, and another extends the security perimeter of the TPM to the external memory with a cryptographic protocol.

    We propose a new architecture that redraws the trust boundary at a much smaller scale, thus allowing for simpler and more flexible TPM implementations. The architecture has two distinctive features: the program code is stored outside the coprocessor and only gets loaded into RAM when needed, and the architecture is open, allowing arbitrary programs to be executed in a remotely verifiable manner.

    Finally, we study how the TPM can be implemented securely on reconfigurable hardware. This type of implementation is beneficial because it allows for field updates of the software as well as of the hardware of the TPM (e.g., the cryptographic coprocessor). We examine the implementation options on reconfigurable hardware that is currently commercially available. Next, we propose a novel architecture that can measure and report the integrity of configuration bitstreams.

    Table of contents:
    1 Introduction
      1.1 Background on Trusted Computing
        1.1.1 Closed Platforms
        1.1.2 Open Platforms
        1.1.3 Secure Coprocessor
        1.1.4 Trusted Computing Platforms
        1.1.5 Compatibility with Legacy Operating System
      1.2 Thesis Outline and Contributions
    2 Remote Attestation
      2.1 Attestation with Trusted Computing Platforms
        2.1.1 Trusted Platform Module
        2.1.2 TCG Functionality
        2.1.3 Application Level Attestation
      2.2 Software-based Attestation on Legacy Platforms
        2.2.1 Checksum Functions
        2.2.2 Pioneer
        2.2.3 Timed Executable Agent System
      2.3 Local Execution Time Measurement with TPMs
        2.3.1 TPM Time Stamping
        2.3.2 Improved Pioneer Protocol
        2.3.3 Proxy Attacks
        2.3.4 Experimental Results
      2.4 Configuration Identification with Trusted Bootloader
        2.4.1 Processor Identification
        2.4.2 Runtime Checksum Performance Measurement
      2.5 Conclusion
    3 Hardware Attacks
      3.1 Attacks on Trusted Computing Platforms
        3.1.1 Attacks on the TPM
        3.1.2 Attacks on the Platform
      3.2 Attacking the TPM Communication Bus
        3.2.1 Passive Monitoring
        3.2.2 Reset Attacks
        3.2.3 Active Monitoring
        3.2.4 Transport Session
        3.2.5 LPC Bus Encryption
        3.2.6 Integrated TPM
      3.3 Experimental Results
        3.3.1 Reverse Engineering of TPM Daughterboard
        3.3.2 Low Pin Count Bus
        3.3.3 Analysis of Trusted Platform Communication
      3.4 Side-Channel Attacks on TPMs
        3.4.1 Attacking the Endorsement Key
        3.4.2 Attacking the Storage Root Key
      3.5 Conclusion
    4 Non-Volatile State Protection
      4.1 Introduction
        4.1.1 Mobile Trusted Module
        4.1.2 Embedded Trusted Computing
        4.1.3 Non-Volatile State
        4.1.4 Monotonic Counters
      4.2 Protection of Non-Volatile State in External Memory
        4.2.1 Security Requirements
        4.2.2 Generic Approaches
        4.2.3 Authenticated Encryption
        4.2.4 Frequency of State Updates
        4.2.5 Authentication Tree
        4.2.6 On-Chip Non-Volatile Memory
      4.3 Physical Unclonable Function-Based Key Storage
        4.3.1 Physical Unclonable Functions
        4.3.2 Reliable Key Extraction with Fuzzy Extractors
        4.3.3 Reconfigurable PUFs
        4.3.4 Non-Volatile State Protection with RPUFs
        4.3.5 Discussion
      4.4 Extending the Security Perimeter of the Trusted Module
        4.4.1 Non-Volatile State Protection with External Authenticated NVM
        4.4.2 Memory Authentication Protocols
        4.4.3 Practical Aspects
        4.4.4 Alternative Segregation of Responsibilities
      4.5 Conclusion
    5 Flexible TPM Architecture
      5.1 Introduction
        5.1.1 Related Work
        5.1.2 Towards an Alternative TPM Architecture
      5.2 µTPM Architecture
        5.2.1 Design Principles
        5.2.2 Process Management
        5.2.3 Memory Management
        5.2.4 Firmware Integrity Measurement
        5.2.5 Firmware Integrity Reporting
      5.3 Discussion
        5.3.1 Implementation Options
        5.3.2 Memory Externalization
        5.3.3 Security Considerations
      5.4 Conclusion
    6 Reconfigurable Trusted Computing
      6.1 FPGA Security
        6.1.1 Attacker Objectives
        6.1.2 Attacks
        6.1.3 Defenses
      6.2 Trusted Computing on Commercial FPGAs
        6.2.1 Protection of Non-Volatile State
        6.2.2 Protection of the Bitstream
        6.2.3 Field Updates
      6.3 Trusted FPGA Architecture
        6.3.1 Underlying Model
        6.3.2 Basic Idea and Design
        6.3.3 Setup Phase
        6.3.4 Operational Phase
        6.3.5 TPM Updates
        6.3.6 Discussion
      6.4 Conclusion
    7 Conclusions and Future Work
      7.1 Conclusions
      7.2 Directions for Future Research
    Bibliography

    nrpages: 213+22
    status: published

    Self-validating bundles for flexible data access control

    Modern cloud-based services offer free or low-cost content sharing with significant advantages for the users, but also new issues in privacy and security. To protect sensitive contents (i.e., copyrighted, top secret, and personal data) from unauthorized access, sophisticated access management systems and/or decryption schemes have been proposed, generally based on trusted applications at the client side. These applications also work as access controllers, verifying specific permissions and restrictions when accessing the user's resources. We propose secure bundles (S-bundles), which encapsulate a behavioral model (provided as bytecode) to define versatile stand-alone access controllers and encoding/decoding/signature schemes. S-bundles also contain ciphered contents, data access policies, and associated metadata. Unlike current solutions, our approach decouples the access policies from the applications installed on the user's platform. S-bundles are multi-platform, by means of trusted bytecode executors. They offer data protection when stored with untrusted or honest-but-curious cloud providers.

    Trusted Platforms

    status: published

    Embedded Trusted Computing with Authenticated Non-Volatile Memory

    Abstract. Trusted computing is an emerging technology to improve the trustworthiness of computing platforms. The Trusted Computing Group has proposed specifications for a Trusted Platform Module and a Mobile Trusted Module. One of the key problems when integrating these trusted modules into an embedded system-on-chip design is the lack of on-chip multiple-time-programmable non-volatile memory. In this paper, we describe a solution to protect the trusted module's persistent state in external memory against non-invasive attacks. We introduce a minimal cryptographic protocol to achieve an authenticated channel between the trusted module and the external non-volatile memory. A MAC algorithm has to be added to the external memory to ensure authenticity. As a case study, we discuss trusted computing on reconfigurable hardware. In order to make our solution applicable to the low-end FPGA series, which have no security measures on board, we present a solution that relies only on the reverse engineering complexity of the undocumented bitstream encoding and uses a physically unclonable function for one-time-programmable key storage. Clearly, this solution is also applicable to high-end series with special security measures on board. Our solution also supports field updates of the trusted module.

    A Pay-per-Use Licensing Scheme for Hardware IP Cores in Recent SRAM based FPGAs

    Currently achievable intellectual property (IP) protection solutions for field-programmable gate arrays (FPGAs) are limited to single large monolithic configurations. However, the ever-growing capabilities of FPGAs and the consequent increasing complexity of their designs call for a modular development model, where individual IP cores from multiple parties are integrated into a larger system. To enable such a model, the availability of IP protection at the modular level is imperative. In this work, we propose an IP protection mechanism for FPGA designs at the level of individual IP cores, by making use of the self-reconfiguring capabilities of modern FPGAs and deploying a trusted third party to run a metering service, similar to the work of Güneysu and Drimer. The proposed scheme makes it possible to enforce a pay-per-use licensing scheme, which holds considerable advantages both for IP core providers and for system integrators. Moreover, the scheme has a minimal implementation overhead and is the first of its kind to be based solely on primitives that are already available in recent commercially available FPGA devices. This allows for an immediate and feasible deployment, in contrast to earlier proposed solutions. © 2011 IEEE.
    status: published

    Remote attestation on legacy operating systems with trusted platform modules

    status: published

    Remote attestation on legacy operating systems with trusted platform modules

    Abstract. A lot of progress has been made to secure network communication, e.g., through the use of cryptographic algorithms. However, this offers only a partial solution as long as the communicating end points still suffer from security problems. A number of applications require remote verification of software executing on an untrusted platform. Trusted computing solutions propose to solve this problem through software and hardware changes, typically a secure operating system and the addition of a secure coprocessor, respectively. On the other hand, timed execution of code checksum calculations aims for a solution on legacy platforms, but cannot provide strong security assurance. We present a mixed solution by using the trusted computing hardware, namely the time stamping functionality of the Trusted Platform Module (TPM), in combination with a timing-based remote code integrity verification mechanism. In this way, the overall security of the timed execution scheme can be improved without requiring a secure operating system.

    Analyzing trusted platform communication

    Abstract. In this paper we discuss the analysis of trusted platform communication. While the trusted platform module itself is considered reasonably tamper resistant, the communication channel between this module and the rest of the trusted platform turns out to be comparatively insecure. Passive attacks can be mounted on the communication interface with fairly inexpensive equipment and allow eavesdropping on critical information. Performing active manipulation on the communication bus could provide an even stronger attack scenario, resulting in a circumvention of the whole chain of trust provided by trusted platforms. At this stage, our research has been limited to passive attacks.