Channels ▼
RSS

Security

Protecting Critical Applications on Mobile Platforms


Remote Attestation

A protected application typically involves the handling of secret data that are provisioned by an entity (provisioning server) in the network. The protected application must assure the remote entity that the application is indeed executing in the specified protected environment before receiving the secret data. A set of trusted entities participate to enable this mechanism.

Here are some of the trusted entities and their roles.

  • Trusted platform module (TPM) and its owner (e.g., an end user or an IT administrator). The owner sets the TPM authentication password and is responsible for password protection.
  • Endorsement certificate authority (CA) . The TPM device is provisioned with the endorsement key (EK) and an EK certificate from the endorsement CA at manufacture and ship time. The certificate provides attestation for the TPM manufacturer, signed by a TTP, such as VeriSign.
  • Privacy CA server. This is a TTP used by the provisioning server to verify the EK certificate from a TPM with an assurance of keeping the identity of the TPM host confidential.
  • Intel TXT components (CPU/Chipset, ACM). The ACM works in concert with the CPU and chipset to verify hardware conformance; for example, it verifies that the TPM being used is physically attached to the platform. The ACM also extends the TPM PCR registers to record the measurement of the P-MAPS core -- this property is used during the operation of the P-MAPS core to associate application credentials to the local TPM.
  • P-MAPS core. The core enforces protection via page table changes. The P-MAPS core uses TPM to generate attestation identity keys (AIKs). These keys are used to sign (appropriately tagged) application-specific data and to sign the TPM's current PCR values (TPM_Quote). The provisioning server verifies the TPM quote (based on PCRs and locality) to ensure the platform has the necessary software posture before sharing confidential data.

As part of the Intel TXT dynamic launch, PCR 17 is updated with the identity of the ACM, and the P-MAPS core measurement is recorded in PCR 18. When the P-MAPS core is launched, it protects (virtualizes) TPM access and denies host OS access to TPM at locality 2. The P-MAPS core requests the TPM to generate an AIK pair and to associate this AIK with PCRs 17 and 18 and locality 2. It provides the TPM's EK certificate to the privacy CA and requests a certificate for this AIK. When the P-MAPS core needs to attest its state to a remote server it provides a TPM quote signed by the AIK and includes values of PCRs 17 and 18.

Figure 9: Remote Attestation of Protected Applications (Source: Intel Corporation, 2009)

The remote server can use the privacy CA to verify the AIK. The AIK can be used by the P-MAPS core to send the public portion of an RSA key pair. The above mechanism follows a standard protocol recommended by the TCG. The remote server can use the public key to encrypt a secret before sending it to the P-MAPS core for provisioning. This interaction is illustrated in Figure 9.

Once provisioning is complete, an application may need to store a secret (which may be a key) that is subsequently required during steady-state operation. The application sends the secret to the P-MAPS core for protection, and the core uses the TPM to seal the secret to PCRs 17 and 18 and locality 2. The encrypted secret is given back to the application to store as it pleases. When the secret is needed, the application requests the P-MAPS core to unseal the secret and deposit it into protected memory.

Usages

The P-MAPS core can be used to protect critical applications. Applications are deemed critical, either from a user-data perspective or from a security perspective: for example, banking applications, security software, such as anti-virus or rootkit prevention, are all critical applications. Additionally, P-MAPS can be used to extend hardware services to integrity-verified drivers thus creating protected hardware extensions in software.

Performance Evaluation

We implemented P-MAPS on an Intel mobile platform enabled with Intel VT and Intel TXT. Our Intel TXT loader is written for Windows XP and is based on the Trusted Boot Project [10]. The platform hardware configuration, previously codenamed Montevina [11], consists of an Intel GM45 Express Chipset, an Intel Core 2 Duo Processor P8600 (3M Cache, 2.40 GHz, 1066 MHz FSB), 2GB RAM, and an Infineon TPM [12]. We measured the time required to launch the P-MAPS core, via a Windows XP kernel service, to be 300 msec on average. This includes the time taken from the GETSEC[SENTER] instruction to the instruction run after control comes back into the OS-specific launcher (from the measured P-MAPS core). A large portion of the time is spent in interaction with the TPM over the serial LPC bus, and in reconfiguring the MTRRs. Table 5 breaks out the time spent in the different activities that occur during the launch and teardown processes.


<b>Launch: from GETSEC[SENTER] to resume                                   300 msec</b> 
GETSEC[SENTER]: ACM verification, execution (entry to trampoline)
Trampoline: execution (entry to P-MAPS core)
P-MAPS core: setup, guest creation and resume
<b>Tear Down: from VMCALL to resume                                     0.54 msec</b>

Table 5: Initialization and Teardown for P-MAPS Core (Source: Intel Corporation, 2009)

For further details on Intel TXT, the reader is referred to the Intel technical reference book for Intel TXT [13].

Conclusion

We have demonstrated via a research proof-of-concept how Intel TXT and Intel VT hardware can be used to reduce the TCB of current PC systems, on-demand (dynamically), from the full OS software to a substantially smaller P-MAPS core module that provides runtime protection for applications. We describe how this system can be used to provide protection without interfering with the typical scheduling and operation of the OS, including unprotected applications. We can use this application protection mechanism to make a white-list of critical applications and thus mitigate 0-day software attacks on these protected applications. We continue to analyze different applications of the P-MAPS core.

References

[1] R. S. Cox et al. "A Safety-Oriented Platform for Web Applications." In Proceedings of the 2006 IEEE Symposium on Security and Privacy. 2006.

[2] Source lines of code. At http://en.wikipedia.org

[3] "Intel Virtualization Technology for Directed I/O." At http://download.intel.com

[4] TPM Specification, Version 1.2. At http://www.trustedcomputinggroup.org

[5] Intel Trusted Execution Technology—Measured Launched Environment Developer's Guide. At http://www.intel.com

[6] Intel 64 and IA-32 Architectures Software Developer's Manual. At http://www.intel.com

[7] "OS Independent Run-Time System Integrity Services." IT Innovation and Research, November 2005, Intel Corporation. At http://blogs.intel.com

[8] Ravi Sahita et al. "Mitigating the lying endpoint problem in network access control frameworks." IEEE/IFIP DSOM, 2007. At http://www.springerlink.com

[9] Ravi Sahita et al. "Towards a Virtualization-based Framework for Information Traceability." Advances in Information Security—Insider Attack and Cyber Security ISBN 978-0-387-77321-6. At http://www.springerlink.com

[10] Joseph Cihula et al. "Trusted Boot project on sourceforge.net." At http://sourceforge.net

[11] Intel Montevina Platform. At http://ark.intel.com

[12] Infineon Trusted Platform Module. At http://www.infineon.com

[13] David Grawrock. "The Intel Safer Computing Initiative." ISBN-10: 0976483262. At http://www.intel.com

Acknowledgments

We thank our colleagues who contributed to various facets of this research project and the proof-of-concept development: David Durham, Joseph Cihula, Andy Anderson, Michael Kinney, Ranjit Narjala, and Ansuya Negi.

This article and more on similar subjects may be found in the Intel Technology Journal, June 2009 Edition, "Advances in Internet Security".


Related Reading


More Insights






Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
 

Video