Logical Attestation: An Authorization Architecture for Trustworthy Computing Emin Gün Sirer Willem de Bruijn†, Patrick Reynolds*, Alan Shieh‡, Kevin Walsh, Dan Williams, Fred B. Schneider Cornell University *now at BlueStripe Software ‡now at Nicira Networks † now at Google, Inc. TPMs and Attestation Secure coprocessors provide a unique key and on-board cryptographic functions to capture software state Cheap Rapidly becoming ubiquitous Evil 0xab... Hash-based Attestation TCB Trusted Platform Module Evils of Hash-based Attestation 0xab... Supports only axiomatic trust Eliminates user choice and control over platform Requires database of trusted configurations Attestation process violates privacy Does not capture dynamic run time state or configuration Trust Establishment Three techniques for establishing trust: Axiomatic trust by fiat binary hashes, ACLs, vendor crypto-signatures Analytic an analyzer checked and ascertained a property e.g. type checkers, binary analyzers code contains only forward jumps code is typesafe Synthetic an execution environment assures a desired property e.g. reference monitors, sandboxes, SFI, binary rewriters code cannot issue certain system calls code respects resource limits Authorization Comes down to a simple if statement… “should this principal be allowed to perform this operation on this resource?” But how that statement is implemented has profound consequences what kinds of policies can be expressed how practical the system is what kind of performance it achieves Goals and Contributions Logical Attestation: A new attestation scheme that captures semantic properties of programs through labels Nexus: A new OS with mechanisms for generating meaningful and useful credentials managing credentials, combining them with state checking credentials efficiently Applications: Fauxbook, Movie Player, Java Object Store, CertiPics, TruDocs, NBGP, … Logical Attestation A label is a statement attributed to a principal principal says statement Uttered by a labeling function Unforgeable, backed by a TPM Expressed in a variant of first-order logic Logic Labels are expressed in Nexus Authorization Logic (NAL) • Similar to CDD and BAN logic, machine-parseable extensible, terms defined by label producers • incorporates references to dynamic system state • Constructive • reasoning requires positive evidence • Logic of beliefs • inference rules preserve justification (not just truth) of statements • world-views restrict the impact of compromised principals • Sub-principals and Groups • in addition to primary principals consisting of keys and processes Establishing Trust with Logical Attestation axiomatic hash analysis safe language synthesis sandboxing user.egs says hash speaksfor user.egs analyzer says analyzer.typesafe(“app”) refmon says refmon.noaccess(pid1, disk) Chain of Trust in Logical Attestation labeling function … nexus says executed(labeling function) bootloader says sha(nexus) = 0xab.. bios says sha(bootloader) = 0xbc.. tpm says sha(bios) = 0xcd.. atmel says tpm speaksfor atmel Label Creation Labels are issued into labelstores with the say(principal, statement) system call LF1 LF2 lstore nexus Secure channel obviates crypto in the common case Labels can be externalized to X.509, internalized, copied, deleted Authorization with Labels Nexus enables all resource accesses to be predicated on a guard Guards perform authorization, by checking labels against a goal formula A NAL statement that needs to be discharged for access Can capture any provable characteristic Goal formula provides policy flexibility setgoal(object, method, goal) system call setting the goal statement itself requires authorization if not set, only the creator can set the goal, no super-user Guards Clients use labels to construct proofs that discharge the goal formula Guards validate proofs provides flexibility to clients Validation may require consulting authorities Halt! Prove goal formula to show that I can trust you with this resource. Authorities Certain statements are time-varying or non-monotonic They cannot be safely issued as credentials E.g. time, number of times a file has been read, current memory consumption, etc. In logical attestation, the validity of time-varying labels is checked by consulting an authority Authorities are designated by the goal formula Multiple authorities can coexist Authorization with Logical Attestation 1. Owner sets policy goal(*, write, file) = file 2. User gathers labels 3. User generates proof says time<3pm L1 timesrv says time=2:30pm L2 file says timesrv speaksfor file import L1; import L2; speaksfor; arithmetic-lt 4. Guard verifies proof and labels Caching Cache extensively to speed up authorization An in-kernel decision-cache avoids re-invoking a guard Hashtable indexed by subject, object, method, proof A user-level guard-cache avoids re-validating a previously checked proof or lemma Dynamically varying parts of the proof are not cached All caches contain soft-state Invalidated as necessary when goal formulas are modified Overview Caller Guard Authority Goal Store Labelstore call(P, S, M, proof) Proof Cache Proof Checker Interposition Service nexus Authority Decision Cache Object logical attestation nexus applications evaluation Nexus OS Overview Microkernel unique driver architecture 21K loc Somewhat Posix compatible python, lighttpd, sqlite, mplayer, … Xen, Linux Non-standard services labels, labelstores, guards, authorities introspection & interposition protected persistent storage Analysis some analysis involve examining the application no system support needed Introspection: live kernel metadata Many analyses involve the application’s environment Nexus provides a /proc filesystem on steroids access by labeling functions is mediated by the app Interpositioning app interpose(prin, obj, method) system call enables a process to interpose on any IPC Can interpose on any subject, object, operation triple, with wildcards interposition itself is guarded by a goal formula nexus Interpositioning app ref mon nexus interpose(subj, obj, method) system call enables a process to interpose on any IPC Can interpose on any subject, object, operation triple, with wildcards interposition itself is guarded by a goal formula logical attestation nexus applications evaluation Movie Player GNU app nexus labeling function labeling functions can be written by third-parties Movie Player app GNU labeling function nexus they use the introspection and/or interposition service to examine and modify the application’s behavior Movie Player app GNU labeling function ref mon nexus proc17 says sonyLF.nowrite(app, disk|network) os says proc17 speaks-for sonyLF they generate attributable statements Movie Player app GNU labeling function ref mon nexus labels are combined into proofs, which are shipped to consumers to form the basis of trust decisions Fauxbook • Privacy-preserving social networking application deployed in the cloud • Three classes of principals: – Cloud operator – Cloud application developers – Users • Cloud application developer receives assurance that he will get a desired share of resources • User receives assurance that her data will not leak beyond her social circle, even if the developer is adversarial Fauxbook Mechanism • Insight: many applications are data-independent – Possible to implement the core data-sharing functionality in a social networking application without examining the data • Core mechanism: – A reference monitor wraps all incoming data into a Python object, called a constrained buffer (cobuf) – Applications may slice, dice, concatenate cobufs, but may not peek at contents • Bases of trust: – Axiomatic trust in the device driver – Analytic trust in a Python analyzer that ensures that Fauxbook code will not use Python features to violate the cobuf abstraction – Synthetic trust in Fauxbook’s access to the social graph Fauxbook Driver provides labels showing that it can only talk to the web framework and that it lacks the ability to modify or divert packets Cloud Operator net drv nexus framework analyzer lighttpd cobuf social db Fauxbook lighttpd is axiomatically trusted to deliver packets to the framework without modification it lacks the capability to leak to other processes Cloud Operator net drv nexus framework analyzer lighttpd cobuf social db Fauxbook Analyzer ensures that fauxbook code does not use Python reflection to violate the cobuf interface fauxbook framework analyzer net drv nexus lighttpd cobuf social db Fauxbook adding a friend adds a speaks-for label into the social database fauxbook framework analyzer net drv lighttpd friend(egs, alice) friend(egs, bob) friend(bob, charlie) nexus bob) friend(alice, cobuf social db Fauxbook cobufs wrap user data into opaque objects, and tag it with the user’s id fauxbook framework analyzer net drv nexus alice says hey! lighttpd cobuf social db Fauxbook fauxbook Fauxbook may slice and dice user data, but may not leak it to another user or gain raw access to it fauxbook framework analyzer net drv nexus lighttpd cobuf social db Fauxbook Fauxbook may slice and dice user data, but may not leak it to another user or gain raw access to it fauxbook fauxbook framework cobuf analyzer alice says hey! net drv nexus lighttpd social db logical attestation nexus applications evaluation Microbenchmarks Protected Nexus calls incur overheads comparable to regular Linux calls but the microkernel architecture of the Nexus can necessitate additional and costly process boundary crossings Proof-checking overhead Cached decisions incur <500 cycles (<1usec) Guard invocations are 20x more expensive Related Work • Secure boot – Gasser et al 89, Haertig et al 93, Arbaugh et al. 97 • Attestation – Property-based: Haldar et al. 04, Sadeghi et al. 08 – Binary: TCGLinux – Software: Seshadri et al. 04-05, BIND, Flicker • Credentials-based Authorization – Appel & Felten 99, Lampson ‘04, Parno & Perrig ‘10 • Systems – Terra, Nizza, BirliX, XOMOS, sHype, Wedge, HiStar, Asbestos, EROS, Flask • Others – Not-a-bot, TrInc, … Conclusions and Future Work • TPMs can be used to build the next generation of trustworthy applications – need not impinge on user choice over software – can provide qualitatively richer guarantees • Novel labeling functions enable new functionality http://www.cs.cornell.edu/people/egs/nexus/ git.systems.cs.cornell.edu/nexus screenshot Macrobenchmark: Packet Processing Caching enables packet processing overhead to be <6% Cryptographic Overhead Avoiding cryptography leads to 3 orders of magnitude performance gain kernel size application: web application server interpositioning: kernel message hooks synthesis: (subject, *) → ipcport allow /operation, block <transformed authorization: (*, operation,call> object) → ipcport cache / nocache CertiPics: problem CertiPics: certified chain-of-custody • NY Times Policy: Image comes from a legitimate camera,with only acceptable adjustments: – – Cropping, captions, redaction, color balancing, … Compositing/splicing after adding borders IRAN ? CertiPics: design options • trusted photo editor: – Incapable of modifying image in undesirable ways – evidence: editor is the trusted version • image analysis: – evidence: analyzer input and output • audit trail: – image modification tools generate logical labels at each step – evidence: data from each modification IRAN ? CertiPics: demo user input crop.exe splice.exe caption.exe Nexus Nexus Nexus IRAN EOS says pristine(«im1») ipd3 says crop(«im1», 20%) = «im2» nexus says hash(ipd3) ==«hash1» nexus says hash(ipd3) nexus says hash(ipd3) ==«hash1» «hash1» nexus says hash(ipd3) «hash1» nexus nexussays sayshash(ipd3) hash(ipd3)==«hash1» «hash1» ? NYTimes policy 52 TruDocs: documents with excerpts “ One cannot look at this Universe with all living productions & man without believing that all has been intelligently designed; yet when I look to each individual organism, I can see no evidence of this. ” ” – Charles Darwin, 1861 53 TruDocs: document integrity examples Wesleyan Cinema Archive may quote 75 words at a time 20 quotes per derivative work New International Version Bible at most 500 verses, verbatim only at most 25% of derivative work W3C Logo may embed if validator passes must retain attribution, link to W3C URL 54 TruDocs with logical attestation Let • D be a document – D is a corresponding principal – W(D) are statements conveyed in D • E be an excerpt from D’ appearing in D – Src(E) =D’ Src(E) = D’ – E<D: E appears in D TruDocs says (E<D: E Src(E)) TruDocs: labeling function design Approximating: E Src(E) usePolD’(E,D): an analytic basis for trust: – Find some E’ in D’; – make “acceptable” edits to E’, getting E in D. D’ says ( usePolD’(E,D) E D’ ) usePol is defined by author of D’. TruDocs says (E<D: usePolSrc(E)(E,D)) 56 trust in the network Existing networks cannot provide strong security guarantees All networks look the same All clients look the same Cannot tell what a router is actually doing Network elements constructed from untrustworthy components No mechanisms for querying the properties of network participants no mechanisms for querying network properties clients cannot differentiate between different networks Internet 1 Mb/s 100 Mb/s ? ISP A 90% uptime Identical WiFi base stations! ? ISP B 99% uptime fault-tolerant no mechanisms for querying network properties networks cannot differentiate between clients Identical Ethernet stations! ??? no mechanisms for querying network properties networks cannot differentiate between other networks Identical IP packet delivery interface! ISP A Forward all packets ? ? Customer AS ISP B DoS filter S T L1 L2 R1 L4 Every network participant corresponds to a tuple U M1 L5 Network Tuplespace R2: Type = Router ISP: Type = Link ISP: Type = Link R2: NextHop = ISP: Ends = (R1, R2) ISP: Ends = (R2, T) { [IP_T] = L3, ... } R1: Type = Router ISP: Type = Link R1: NextHop = ISP: Ends = (S, R1) { [IP_T] = L2, ...] } S: Type = Host S: Name = HostS S: NextHop = { [IP_T] = L2, ... } L3 R2 T: Type = Host T: Name = HostT M1: Type = Sniffer ISP: Type = Link ISP: Type = Link M1: NextHop = ISP: Ends = (R1, R3) ISP: Ends = (R3, T) { [IP_T] = L5, ... } a single, distributed tuplespace covers the Internet every information provider is responsible for provisioning a sub-tuplespace for storing local information AS1 AS2 R1 POP1 R2 POP2 Global Tuplespace AS1 AS2 R1 POP1 R2 POP2 information management anyone can annotate any tuple – New, unanticipated attributes are organically supported attributes can be added by anyone – best done by a TPM, signed, unforgeable – signed attributes can be inserted manually attributes are masked for privacy according to an export policy applications import annotations only from sources they trust, according to an import policy querying the tuplespace Is there a packet sniffer on (S,T) path? Queries retrieve(S.nexthop[IP_T]) -> S:S.NextHop[IP_T] = L1 retrieve(L1.endpoints) -> S:L1.endpoints = (S,R1) ... Detected properties Path(S,T) = [L1,R1,L2,R2,L3] Apps can detect properties at a single point in time monitoring the tuplespace Detect new packet sniffers on (S,T) path Trigger installation Trigger notification Path(S,T) = [L1,R1,L4,M1,L5] install_trigger( R1.NextHop[IP_T],IP_S) S R1 Apps can maintain properties over time T X L2 L4 Change @ R1.NextHop R1: Type = Router R1: NextHop = { [IP_T] = L2, ... } L5 M1 R1: Type = Router R1: NextHop = { [IP_T] = L4, ... } collaborators • Fred Schneider • William de Bruijn • Alan Shieh • Patrick Reynolds • Kevin Walsh backups proof evaluation cost control operation cost dynamic state labels can be shared labels may not encode false statements → live authority protocol over ipc or network subscribes to statement, but without attribution statement cannot be shared protected storage confidentiality: block cipher integrity: hash trees proof caching 1. kernel decision cache 2a. guard credential cache only labels: revisit all missing and authorities 2b. guard deduction cache also cache goal/conclusion matching Safe Python Analysis: Safe Python restrict python to safe subset: no arbitrary system access no modules os, .. no builtins file, exec, .. no reflection no modules ast, inspect, .. no builtins compile, eval, .. offline analyzer no arbitrary import pruned builtins alternative interface to webserver and storage unchecked_... no access to global & builtins __dict__ Safe Python: module protect restricted namespace restricted fileops: append, remove restricted import pbuf pbufres = app.callback(pbufreq) Safe Python: PBuf list of strings .. Safe Python: PBuf list of strings and pbufs Safe Python: PBuf list of strings and pbufs with protection bit and optional dictionary python iterable & map operations privileged unchecked_.. extensions Safe Python: module protect Secure Persistent Storage confidentiality CTR mode random-access AES integrity Merkle hash tree interface unix fcntl flags: F_SETENC, F_SIGN, F_SIGNED root lockbox: virtualize TPM Storage: Lockbox hierarchy lockbox application table of keys and signatures software seal/sign/encrypt ipc interface minimizes key access (TCB) hierarchy store bundles backed by TPM (or remotely) introspectionfs per process: to display state kernel: process memory, network ports, ipc channels, … nonvolatile statements exported as labels os says netport.80 speaksfor process.www volatile state exported only as authority os says not netport.81 speaksfor process.www may still change define private notions of trust user.bob says os speaksfor user.bob os says ... example revisited example revisited label consumers Is this principal trustworthy? • Every entity that wants to reason about the state of a remote computer can act as a label consumer • Typically, the consumer is looking for a goal formula • The user has one or more labels available labels are combined to create proofs that demonstrate the desired goal formula authorization today Client A A says read(f) File system Access control list for f: [ …. A-(read,write), … ] authorization based on requestor identifier authorization with labels Univ says RC Univ Client A A says read(f) RC says student(A) Univ says RC Univ File system RC says student(A) Policy is decentralized (“speaksfor”) models delegation Policy for read(f): Exists i : 0900 <timeNow < 1700 and i says read(f) and Univ says student(i ) Policy involves state Policy involves deduction 88