18731-s09-tcg_lecture


1/27/09

Slide 1: Trusted Computing
Jonathan M. McCune
[email protected]
2009.01.27

Slide 2: What is Trusted Computing?
Controversial topic
Trusted not to run unauthorized programs
  • Trusted by whom?
    – Software vendor
    – User
Advocates
  • Make computers safer
  • Protection against viruses and malware
Opponents
  • Too much power and control into software vendors
You
  • Make an informed decision
  • A potential project topic

Slide 3: Outline
Review of some current approaches for building secure systems
Hardware-based attestation
  • Static Root of Trust (version 1.1b)
  • Next-generation TCG (version 1.2)
  • AMD/Intel secure virtual machine extensions
Project details (time permitting)

Slide 4: Adversary Model
Axiom: Every system has at least one more flaw
We assume remote adversary who can launch network-based attacks
  • Adversary can compromise OS and/or applications
  • Adversary may control network communication
We trust local hardware, local hardware attacks are even harder to defend against
Realistic model, as remote attacks constitute majority of threats

Slide 5: Security Properties to Consider
Trustworthy device operation
  • How can we trust operations that our devices perform?
Questions to consider
  • How can we trust App1?
  • What if App2 has a security vulnerability?
  • What if Operating System has a security vulnerability?
[Diagram: Hardware, Operating System, App1, App2, App3]

Slide 6: Some Current Approaches
Program code in ROM
Secure boot
Virtual-machine-based isolation
Evaluation metric: size of Trusted Computing Base (TCB)
We visualize components in TCB in red:
[Diagram: Hardware, Operating System, A1, A2, A3]

Slide 7: Program Code in ROM
Approach: keep entire program in ROM
Advantages
  • Simplicity
  • Adversary cannot inject any additional software
Disadvantages
  • Cannot update software (without exchanging ROM)
  • Adversary can still use control-flow attack
  • Entire system is in TCB, no isolation
Verdict
  • Impractical for current systems, ability to update code for enhancing features or fixing bugs is critical
[Diagram: Hardware, Operating System, A1, A2, A3]

Slide 8: Secure Boot
Each component of the boot process verifies following component to be loaded
  • Example: digital signature on each boot component; boot loader contains public key and verifies digital signature on OS, etc.
Advantages
  • Only approved software can be loaded (assuming no vulnerabilities)
Disadvantages
  • Adversary only needs to compromise single component
  • Entire system is in TCB, no isolation
Verdict: Entire system is still part of TCB, relatively weak security guarantee
[Diagram: Hardware, Operating System, A1, A2, A3]

Slide 9: Virtual-machine-based Isolation
Approach: Isolate applications by executing them inside different Virtual Machines
Advantages
  • Smaller TCB
  • Isolation between applications
Disadvantages
  • VMM is still large and part of TCB
  • Relatively complex, not well suited for average user...
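
The Secure Boot slide describes each boot component verifying the next one before loading it. The sketch below is an added example, not code from the lecture: it assumes pinned SHA-256 digests in place of the digital signatures the slide mentions (to stay within the Python standard library), and the stage names and images are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Stage:
    name: str
    code: bytes
    next_digest: Optional[str] = None  # approved digest of the following stage

    def blob(self) -> bytes:
        # The pin is part of the verified image, so it cannot be swapped alone.
        return self.code + (self.next_digest or "").encode()

def build_chain(images):
    """Build stages back to front so each one pins its successor's digest."""
    stages, pinned = [], None
    for name, code in reversed(images):
        stage = Stage(name, code, pinned)
        stages.insert(0, stage)
        pinned = digest(stage.blob())
    return pinned, stages  # pinned is now the root digest held in ROM

def secure_boot(rom_digest, stages):
    """Each loaded component checks the next one before handing over control."""
    expected, loaded = rom_digest, []
    for stage in stages:
        if digest(stage.blob()) != expected:
            return loaded, stage.name  # refuse to load; boot halts here
        loaded.append(stage.name)
        expected = stage.next_digest   # pin carried inside the verified stage
    return loaded, None

# Constructed sample images (assumption, for illustration only).
IMAGES = [("bootloader", b"bl v1"), ("os", b"kernel v1"), ("app", b"app v1")]

def demo():
    rom, chain = build_chain(IMAGES)
    clean = secure_boot(rom, chain)
    chain[1].code = b"kernel v1 + modified"         # OS image altered on disk
    tampered = secure_boot(rom, chain)
    chain[0].next_digest = digest(chain[1].blob())  # also re-pin the boot loader
    repinned = secure_boot(rom, chain)
    return clean, tampered, repinned

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Verification here happens once, at load time; nothing in the chain re-checks a component after it starts running.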

This note was uploaded on 03/31/2009 for the course ECE 18731 taught by Professor Perrig during the Spring '08 term at Carnegie Mellon.
