A protected application typically involves the handling of secret data that are provisioned by an entity (provisioning server) in the network. The protected application must assure the remote entity that the application is indeed executing in the specified protected environment before receiving the secret data. A set of trusted entities participate to enable this mechanism.
Here are some of the trusted entities and their roles.
- Trusted platform module (TPM) and its owner (e.g., an end user or an IT administrator). The owner sets the TPM authentication password and is responsible for password protection.
- Endorsement certificate authority (CA). The TPM device is provisioned with the endorsement key (EK) and an EK certificate from the endorsement CA at manufacture and ship time. The certificate provides attestation for the TPM manufacturer and is signed by a trusted third party (TTP), such as VeriSign.
- Privacy CA server. This is a TTP used by the provisioning server to verify the EK certificate from a TPM with an assurance of keeping the identity of the TPM host confidential.
- Intel TXT components (CPU/Chipset, ACM). The ACM works in concert with the CPU and chipset to verify hardware conformance; for example, it verifies that the TPM being used is physically attached to the platform. The ACM also extends the TPM PCR registers to record the measurement of the P-MAPS core -- this property is used during the operation of the P-MAPS core to associate application credentials to the local TPM.
- P-MAPS core. The core enforces protection via page table changes. The P-MAPS core uses TPM to generate attestation identity keys (AIKs). These keys are used to sign (appropriately tagged) application-specific data and to sign the TPM's current PCR values (TPM_Quote). The provisioning server verifies the TPM quote (based on PCRs and locality) to ensure the platform has the necessary software posture before sharing confidential data.
As part of the Intel TXT dynamic launch, PCR 17 is updated with the identity of the ACM, and the P-MAPS core measurement is recorded in PCR 18. When the P-MAPS core is launched, it protects (virtualizes) TPM access and denies host OS access to the TPM at locality 2. The P-MAPS core requests the TPM to generate an AIK pair and to associate this AIK with PCRs 17 and 18 and locality 2. It provides the TPM's EK certificate to the privacy CA and requests a certificate for this AIK. When the P-MAPS core needs to attest its state to a remote server, it provides a TPM quote signed by the AIK that includes the values of PCRs 17 and 18.
The remote server can use the privacy CA to verify the AIK. The AIK can be used by the P-MAPS core to send the public portion of an RSA key pair. The above mechanism follows a standard protocol recommended by the TCG. The remote server can use the public key to encrypt a secret before sending it to the P-MAPS core for provisioning. This interaction is illustrated in Figure 9.
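The following is an added example, not code from the original article or from the P-MAPS implementation. It sketches the provisioning server's policy check on the signed quote structure, using the TPM 1.2 TPM_QUOTE_INFO and TPM_PCR_COMPOSITE layouts. It assumes the AIK signature over the structure has already been verified, models each of PCR 17 and PCR 18 as a single extend from the reset value (a simplification), and uses constructed measurements and a constructed nonce; all function names are hypothetical.

```python
import hashlib
import hmac
import struct

# TPM 1.2 PCR selection bitmap: 3 bytes; PCRs 17 and 18 are bits 1 and 2 of byte 2.
PCR_SELECT = bytes([0x00, 0x00, 0x06])
QUOTE_HEADER = bytes([1, 1, 0, 0]) + b"QUOT"  # TPM_STRUCT_VER 1.1.0.0 + fixed tag
RESET = bytes(20)  # assumed PCR 17/18 value right after the dynamic-launch reset

def extend(pcr, measurement):
    """TPM extend: new PCR = SHA-1(old PCR || 20-byte measurement)."""
    return hashlib.sha1(pcr + measurement).digest()

def composite_digest(pcr17, pcr18):
    """SHA-1 over TPM_PCR_COMPOSITE (selection, value size, PCR values)."""
    values = pcr17 + pcr18
    blob = (struct.pack(">H", len(PCR_SELECT)) + PCR_SELECT
            + struct.pack(">I", len(values)) + values)
    return hashlib.sha1(blob).digest()

def build_quote_info(pcr17, pcr18, nonce):
    """48-byte TPM_QUOTE_INFO that the AIK signs (TPM side, simulated here)."""
    return QUOTE_HEADER + composite_digest(pcr17, pcr18) + nonce

def check_quote_info(info, nonce, good17, good18):
    """Server-side policy check; run only after the AIK signature has verified."""
    if len(info) != 48 or info[:8] != QUOTE_HEADER:
        return "malformed"
    if not hmac.compare_digest(info[28:], nonce):   # freshness: our challenge echoed back
        return "nonce-mismatch"
    if not hmac.compare_digest(info[8:28], composite_digest(good17, good18)):
        return "pcr-mismatch"                       # platform is not in the expected posture
    return "ok"

def demo():
    # Constructed inputs; real measurements come from the known-good ACM and core images,
    # and a real nonce must be random per challenge.
    acm = hashlib.sha1(b"constructed ACM image").digest()
    core = hashlib.sha1(b"constructed P-MAPS core image").digest()
    other = hashlib.sha1(b"constructed modified core image").digest()
    good17, good18 = extend(RESET, acm), extend(RESET, core)
    nonce = hashlib.sha1(b"constructed server challenge").digest()
    check = lambda info: check_quote_info(info, nonce, good17, good18)
    return {
        "genuine": check(build_quote_info(good17, good18, nonce)),
        "modified_core": check(build_quote_info(good17, extend(RESET, other), nonce)),
        "replayed": check(build_quote_info(good17, good18, bytes(20))),
    }

if __name__ == "__main__":
    print(demo())
```

Only a quote that returns "ok" should lead the server to encrypt and release the secret; a PCR mismatch means the measured ACM or P-MAPS core differs from the known-good values.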
Once provisioning is complete, an application may need to store a secret (which may be a key) that is subsequently required during steady-state operation. The application sends the secret to the P-MAPS core for protection, and the core uses the TPM to seal the secret to PCRs 17 and 18 and locality 2. The encrypted secret is given back to the application to store as it pleases. When the secret is needed, the application requests the P-MAPS core to unseal the secret and deposit it into protected memory.
The P-MAPS core can be used to protect critical applications. Applications are deemed critical either from a user-data perspective or from a security perspective: for example, banking applications and security software, such as anti-virus or rootkit prevention, are all critical applications. Additionally, P-MAPS can be used to extend hardware services to integrity-verified drivers, thus creating protected hardware extensions in software.
We implemented P-MAPS on an Intel mobile platform enabled with Intel VT and Intel TXT. Our Intel TXT loader is written for Windows XP and is based on the Trusted Boot Project. The platform hardware configuration, previously codenamed Montevina, consists of an Intel GM45 Express Chipset, an Intel Core 2 Duo Processor P8600 (3M Cache, 2.40 GHz, 1066 MHz FSB), 2GB RAM, and an Infineon TPM. We measured the time required to launch the P-MAPS core, via a Windows XP kernel service, to be 300 msec on average. This includes the time taken from the GETSEC[SENTER] instruction to the instruction run after control comes back into the OS-specific launcher (from the measured P-MAPS core). A large portion of the time is spent in interaction with the TPM over the serial LPC bus, and in reconfiguring the MTRRs. Table 5 breaks out the time spent in the different activities that occur during the launch and teardown processes.
Launch: from GETSEC[SENTER] to resume: 300 msec
- GETSEC[SENTER]: ACM verification, execution (entry to trampoline)
- Trampoline: execution (entry to P-MAPS core)
- P-MAPS core: setup, guest creation and resume
Tear Down: from VMCALL to resume: 0.54 msec
For further details on Intel TXT, the reader is referred to the Intel technical reference book for Intel TXT.
We have demonstrated via a research proof-of-concept how Intel TXT and Intel VT hardware can be used to reduce the TCB of current PC systems, on-demand (dynamically), from the full OS software to a substantially smaller P-MAPS core module that provides runtime protection for applications. We describe how this system can be used to provide protection without interfering with the typical scheduling and operation of the OS, including unprotected applications. We can use this application protection mechanism to make a white-list of critical applications and thus mitigate 0-day software attacks on these protected applications. We continue to analyze different applications of the P-MAPS core.
 R. S. Cox et al. "A Safety-Oriented Platform for Web Applications." In Proceedings of the 2006 IEEE Symposium on Security and Privacy. 2006.
 Source lines of code. At http://en.wikipedia.org
 "Intel Virtualization Technology for Directed I/O." At http://download.intel.com
 TPM Specification, Version 1.2. At http://www.trustedcomputinggroup.org
 Intel Trusted Execution Technology—Measured Launched Environment Developer's Guide. At http://www.intel.com
 Intel 64 and IA-32 Architectures Software Developer's Manual. At http://www.intel.com
 "OS Independent Run-Time System Integrity Services." IT Innovation and Research, November 2005, Intel Corporation. At http://blogs.intel.com
 Ravi Sahita et al. "Mitigating the lying endpoint problem in network access control frameworks." IEEE/IFIP DSOM, 2007. At http://www.springerlink.com
 Ravi Sahita et al. "Towards a Virtualization-based Framework for Information Traceability." Advances in Information Security—Insider Attack and Cyber Security ISBN 978-0-387-77321-6. At http://www.springerlink.com
 Joseph Cihula et al. "Trusted Boot project on sourceforge.net." At http://sourceforge.net
 Intel Montevina Platform. At http://ark.intel.com
 Infineon Trusted Platform Module. At http://www.infineon.com
 David Grawrock. "The Intel Safer Computing Initiative." ISBN-10: 0976483262. At http://www.intel.com
We thank our colleagues who contributed to various facets of this research project and the proof-of-concept development: David Durham, Joseph Cihula, Andy Anderson, Michael Kinney, Ranjit Narjala, and Ansuya Negi.
This article and more on similar subjects may be found in the Intel Technology Journal, June 2009 Edition, "Advances in Internet Security".