Bootstrapping Trust in Commodity Computers Bryan Parno, Jonathan McCune, Adrian Perrig Carnegie Mellon University 1 A Travel Story 2 Trust is Critical Will I regret having done this? 3 Does program P compute F? Is F what the programmer intended? Bootstrapping Trust What F will this machine compute? XOther YOther F XAlice YAlice 4 Bootstrapping Trust is Hard! Challenges: • Hardware assurance • Ephemeral software App AppApp App App App 1 4 5 N23 • User Interaction Module 1 Module 3 OS Safe? Yes! S15 ( ( ) ) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Module Module 2 4 ^ H( ) 5 Bootstrapping Trust is Hard! Challenges: • Hardware assurance • Ephemeral software • User Interaction Safe? Evil App Evil OS Yes! 6 In the paper… • Bootstrapping foundations • Transmitting bootstrap data • Interpretation • Validation • Applications • Human factors • Limitations • Future directions • … and much more! 7 1) Establish Trust in Hardware • Hardware is durable • Establish trust via: – Trust in the manufacturer Open Question: Can we do better? – Physical security 8 2) Establish Trust in Software • Software is ephemeral • We care about the software currently in control • Many properties matter: – Proper control flow – Type safety – Correct information flow App 1 … App N OS Which property matters most? … 9 A Simple Thought Experiment • Imagine a perfect algorithm for analyzing control flow – Guarantees a program always follows intended control flow • Does this suffice to bootstrap trust? Respects Type Safe control flow No! We want code identity P 10 What is Code Identity? • An attempt to capture the behavior of a program • Current state of the art is the collection of: – – – – Program binary Function f Program libraries Program configuration files Inputs to f Initial inputs • Often condensed into a hash of the above 11 Code Identity as Trust Foundation • From code identity, you may be able to infer: – Proper control flow – Type safety – Correct information flow … • Reverse is not true! 12 What Can Code Identity Do For You? • Research applications • Secure the boot process • Count-limit objects • Improve security of network protocols • Thwart insider attacks • Protect passwords • Create a Trusted Third Party • Commercial applications • • • • Secure disk encryption (e.g., Bitlocker) Improve network access control Secure boot on mobile phones Validate cloud computing platforms 13 Establishing Code Identity [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04],… YOther XOther F XAlice YAlice 14 Establishing Code Identity [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04],… YOther XOther f1 XAlice f2 … fN YAlice 15 Establishing Code Identity [Gasser et al. ‘89], [Arbaugh et al. ‘97], [Sailer et al. ‘04], [Marchesini et al. ‘04],… Chain of Trust Root of Trust ? Software 1 ... Software N-1 Software N 16 Trusted Boot: Recording Code Identity Root of Trust [Gasser et al. ’89], [England et al. ‘03], [Sailer et al. ‘04],… Software 1 SW 1 ... SW 2 Software N-1 SW N-1 Software N SW N 17 Attestation: Conveying Records to an External Entity [Gasser et al. ‘89], [Arbaugh et al. ‘97], [England et al. ‘03], [Sailer et al. ’04]… Software Software random # N-1 1 ... ( K Sign SW 1 SW SW SW SW 1 2 N-1 N # priv SW randomSW 2 Software N ) N-1 SW N Controls Kpriv 18 Interpreting Code Identity App 1…N Drivers 1…N Traditional [Gasser et al. ‘89], [Sailer et al. ‘04] Policy Enforcement [Marchesini et al. ‘04], [Jaeger et al. ’06] OS Bootloader Option ROMs BIOS 19 Interpreting Code Identity Traditional [Gasser et al. ‘89], [Sailer et al. ‘04] Virtual Machine Policy Enforcement [Marchesini et al. ‘04], [Jaeger et al. ’06] Virtualization [England et al. ‘03], [Garfinkel et al. ‘03] Virtual Machine Monitor Bootloader Option ROMs BIOS 20 Interpreting Code Identity Traditional [Gasser et al. ‘89], [Sailer et al. ‘04] VMM Virtual Machine OS Virtual Machine Monitor Policy Enforcement [Marchesini et al. ‘04], [Jaeger et al. ’06] Virtualization [England et al. ‘03], [Garfinkel et al. ‘03] Late Launch [Kauer et al. ‘07], [Grawrock ‘08] Bootloader Option ROMs BIOS 21 Interpreting Code Identity Traditional [Gasser et al. ‘89], [Sailer et al. ‘04] Flicker Policy Enforcement [Marchesini et al. ‘04], [Jaeger et al. ’06] OS S Virtualization [England et al. ‘03], [Garfinkel et al. ‘03] Late Launch [Kauer et al. ‘07], [Grawrock ‘08] Flicker Targeted Late Launch [McCune et al. ‘07] Attested 22 Interpreting Code Identity App 1…N Drivers 1…N OS S Flicker Bootloader Option ROMs BIOS 23 Load-Time vs. Run-Time Properties • Code identity provides load-time guarantees • What about run time? • Approach #1: Static transformation [Erlingsson et al. ‘06] Run-Time Policy Code Compiler Attested Code’ 24 Load-Time vs Run-Time Properties • Code identity provides load-time guarantees • What about run time? • Approach #1: Static transformation [Erlingsson et al. ‘06] Open Question: • Approach #2: Run-Time Enforcement layer How can we get complete run-time [Haldar et al. ‘04],properties? [Kil et al. ‘09] Attested Code Enforcer Run Time Load Time 25 Roots of Trust Cheaper 0 0 4 2 • General • General • Special • Timing-based purpose purpose purpose attestation Open Question: • Tamper • No physical • Require What functionality do we need in hardware? responding defenses detailed HW knowledge [Weingart ‘87] [White et al. ‘91] [Yee ‘94] [Smith et al. ‘99] … [ARM TrustZone ‘04] [TCG ‘04] [Zhuang et al. ‘04] … [Chun et al. ‘07] [Levin et al. ‘09] [Spinellis et al. ‘00] [Seshadri et al. ‘05] … 26 Human Factors SW SW SW SW 1 2 N-1 N Open Questions: SW SW How should SW1 SW2 N-1 be communicated to Alice? N What does Alice do with a failed attestation? How can Alice trust her device? 27 Conclusions • Code identity is critical to bootstrapping trust • Assorted hardware roots of trust available • Many open questions remain! Thank you! parno@cmu.edu 28