Research for Advancing Trusted Computing
IBM has pioneered work in applying hardware support to enable
trust in system execution. The IBM
4758 started as a research project to build a secure, tamper-resistant
cryptographic coprocessor. Software whose integrity is necessary
for the correct execution of the business can be run on the 4758
Cryptographic Coprocessor with confidence, even against insider
attacks. A variety of IBM clients use the IBM 4758 and its recently
available successor -- the IBM 4764.
A key aspect of the 4758/4764 design is a mechanism,
called attestation, that enables the cryptographic coprocessor
to prove its integrity to remote systems.
Attestation protocols enable a remote party to verify that the
software loaded on a system, and the order in which it is loaded,
correspond to expectations.
Attestation has become a key mechanism in building secure systems.
The Trusted
Computing Group (TCG) is a consortium of several companies,
including IBM as a promoter member, that aims to standardize a
hardware module and a software stack that enable attestation and
other security services necessary for verifying system integrity.
The idea is that the hardware, called a trusted platform module
(TPM), holds identifying secrets of a system and the TPM software
stack (TSS) enables measurement of the software loaded. Because
the TPM has cryptographic signature ability, it can generate messages
that remote systems can use to verify the software running on
the system with the TPM.
The TCG standard sets a possible basis for building
secure systems, but it is still necessary to figure out how to
use the TPM in an open way. IBM Research has been a leader in
answering this question. First, IBM researchers were the first
to provide an open source TPM
driver for Linux. Also, IBM researcher David Safford wrote
an article
describing appropriate uses of the TPM to show that it can be
an open platform basis. Further, the IBM Tokyo Research Lab (TRL)
has developed software to measure the integrity of the boot process
using a TPM.
More research is still required to determine
how to use the TPM functionality effectively. Although the TPM
is designed to measure the integrity of a sequential load of software,
as in the boot process, IBM Research has identified broader uses.
One example is the Integrity Measurement Architecture (IMA), in which
the TPM is used to enable verification of application software
running on Linux. IBM researcher Leendert van Doorn's group found
that if the operating system maintains a load sequence, the TPM
can be used to maintain an aggregate value that can be used to
verify the software components loaded and the order in which they
are loaded. A demonstration of a prototype of this approach was
made at the RSA conference in February 2004, which generated much
discussion and press coverage. Furthermore, in September 2004 at the
Embedded Systems Conference in Boston, researchers from IBM Tokyo
Research Lab applied this architecture in a TPM-extended embedded controller
that supports an RFID application built using a Trusted JVM and
Open Service Gateway Initiative (OSGi) Framework developed at
IBM Almaden Research Center, and a lightweight WS-Security engine,
to show a comprehensive security framework for pervasive devices.
This demo was also presented at the OSGi World Congress in October
2004 in Barcelona, Spain.
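The following added example shows how an OS-kept load sequence and a TPM-kept aggregate value fit together, from both the measured system's and the remote verifier's side. It is not IBM's IMA code: it assumes a 160-bit SHA-1 register extended as SHA1(old value || measurement), omits the TPM's signature over the reported value, and uses constructed component names and contents.

```python
import hashlib

PCR_LEN = 20  # assumption: 160-bit SHA-1 register, as in TPM 1.2-era PCRs

def measure(content: bytes) -> bytes:
    """Measurement of a component = hash of its bytes, taken before it runs."""
    return hashlib.sha1(content).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """Extend: the register can only be folded forward, never set directly."""
    return hashlib.sha1(pcr + digest).digest()

def load_sequence(components):
    """System side: return (OS-kept measurement list, TPM-kept aggregate)."""
    pcr, log = bytes(PCR_LEN), []
    for name, content in components:
        digest = measure(content)
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return log, pcr

def verify(log, reported_pcr, known_good):
    """Verifier side: replay the list, compare with the reported aggregate, and
    list unexpected entries. Assumes reported_pcr came in a TPM-signed message."""
    pcr, unexpected = bytes(PCR_LEN), []
    for name, digest in log:
        pcr = extend(pcr, digest)
        if known_good.get(name) != digest:
            unexpected.append(name)
    return pcr == reported_pcr, unexpected

# Constructed sample components (names and contents are illustrative only).
BOOT = [("kernel", b"vmlinuz-demo"), ("init", b"init-demo"), ("httpd", b"httpd-demo")]
KNOWN_GOOD = {name: measure(content) for name, content in BOOT}

def demo():
    results = {}
    log, pcr = load_sequence(BOOT)
    results["clean"] = verify(log, pcr, KNOWN_GOOD)
    # An unapproved binary is loaded and measured: the list replays, the entry is flagged.
    log2, pcr2 = load_sequence(BOOT + [("modX", b"unapproved-module")])
    results["extra"] = verify(log2, pcr2, KNOWN_GOOD)
    # The list is edited to hide that entry: replay no longer matches the aggregate.
    results["hidden"] = verify(log2[:-1], pcr2, KNOWN_GOOD)
    # Same components, different load order: the aggregate value differs.
    _, pcr3 = load_sequence([BOOT[0], BOOT[2], BOOT[1]])
    results["reordered_differs"] = pcr3 != pcr
    return results
```

Calling demo() returns the verifier's verdict for each of the four cases; the "hidden" case is the one the aggregate exists to catch, since a list that has been edited after the fact can no longer be replayed to the value held in hardware.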

Integrity Measurement
Architecture
IBM Research continues to look at the issues
of applying TCG. The IBM T.J. Watson Research Center recently
showed how IMA can be used to allow a corporation to control access
to its data used by its employees working at home. Also, researchers
in the IBM Zurich Research Lab are examining how to describe a
model of attestation based on properties, so that remote verification
can be simpler. Finally, IBM researchers in New York are looking
at using mandatory access control policies now available in Linux
to generate such properties. The Grand Challenge is to devise
an approach to integrity verification that meets practical concerns
and can be performed in a natural manner in the course of computer
processing.
The TCG standards aim to provide a trusted component
in our systems that could enable computers to work together with
some confidence in each other's integrity, but many problems must
be solved to make such tools practical. IBM Research has been
in the forefront of trusted computing and through the skills in
its labs will continue to explore the hardware, systems, application,
and theoretical approaches to improve system security.
Dyer, J.G., Lindemann, M., Perez, R., Sailer, R., Smith, S.W., van Doorn, L., Weingart, S., The IBM Secure Coprocessor: Overview and Retrospective, IEEE Computer, October 2001.
Safford, D., Kravitz, J., van Doorn, L., Take Control of TCPA, Linux Journal No. 112, August 2003.
Hendricks, J., van Doorn, L., Secure Bootstrap is Not Enough: Shoring up the Trusted Computing Base, Proc. of the Eleventh SIGOPS European Workshop, ACM SIGOPS, Leuven, Belgium, September 2004.
Sailer, R., Zhang, X., Jaeger, T., van Doorn, L., Design and Implementation of a TCG-based Integrity Measurement Architecture, 13th Usenix Security Symposium, San Diego, California, August 2004.
Sailer, R., Jaeger, T., Zhang, X., van Doorn, L., Attestation-based Policy Enforcement for Remote Access, 11th Conference on Computer and Communications Security, Washington, D.C., October 2004.
Seshadri, A., Perrig, A., van Doorn, L., Khosla, P., SWATT: SoftWare-based ATTestation for Embedded Devices, Proc. of the IEEE Security & Privacy Conference, IEEE, Oakland, CA, May 2004.
What is the most exciting potential
future use for the work you're doing?
I think the big value of
the trusted computing group (TCG) and our Linux integrity
measurement architecture is that it provides the means to
verify the software stack that is running on a remote system.
In today's world, the way we trust a remote system is by
verifying the certificate it presents as part of an SSL
handshake. From a security point of view this is a rather
weak mechanism, because we assume that by presenting a valid
certificate the server is also running with a correct and
untampered-with software stack. Unfortunately, this is no
longer true. Buffer overflows or even mundane configuration
errors undermine this assumption. Just imagine providing
your credit card to a Web service that can present you with
a valid certificate, but in reality siphons the data to
a remote site for transactions other than the intended use.
Far-fetched? Unlikely scenario? No, not
really. As became overwhelmingly clear during a recent large-scale
attack on Web sites, the fact that you know the certificate
of your Web site and that you use an SSL-secured channel
to communicate with the site, none of these mechanisms actually
guarantee that you as the consumer are now secure. What
happened during the week of 6/24? A large number of Web
sites got infected with a Trojan horse, which, in turn,
would infect the unsuspecting consumers that would connect
to the site.
Trust is a difficult concept to formalize
and its definition is very much in the eye of the beholder,
in our case the consumer of a service. However, this trust
is derived from claims made by the service provider and
we can loosely define a continuum of the accuracy of these
claims in light of potential threats. To illustrate this,
consider the Trojan attack that was mentioned above. Since
the remote attackers managed to get a Trojan to impersonate
a service, it is highly unlikely that the service itself
could provide a truthful statement about the kind of service
it is providing.
The trust of a consumer, whether this is
a person or another computer system, is a fundamental building
block for secure distributed computing. The ability to attest
that a provider is delivering the correct and properly configured
service is the basis for that trust decision. Our Linux
integrity measurement architecture addresses these concerns
and is a first step towards a solution.
What is the most interesting part
of your research?
The most interesting aspect of this work is to
get a handle on the notion of trust. Not just in a theoretical
sense, but also in practice and especially when reasoning
about a continuum of trust.
What inspired you to go into this
field?
I am very curious and have a very broad interest.
Security was one of the few things I could think of that
allowed me to work on everything IBM is doing. So far this
has been true. I have been involved with CPU design, hypervisors,
operating systems, secure cryptographic coprocessors, wireless
networking, and TCG.
What is your favorite invention
of all time?
My favorite invention of all time (at least for now) is
the TiVo system. It enables me to watch the shows that I
am interested in, on my own schedule, at my own pace --
even helping me by finding similar shows automatically.