Maat: A Platform Service for Measurement and Attestation

Software integrity measurement and attestation (M&A) are critical technologies for evaluating the trustworthiness of software platforms. To best support these technologies, next-generation systems must provide a centralized service for securely selecting, collecting, and evaluating integrity measurements. Centralization of M&A avoids duplication, minimizes security risks to the system, and ensures correct administration of integrity policies and systems. This paper details the desirable features and properties of such a system, and introduces Maat, a prototype implementation of an M&A service that meets these properties. Maat is a platform service that provides a centralized policy-driven framework for determining which measurement tools and protocols to use to meet the needs of a given integrity evaluation. Maat simplifies the task of integrating integrity measurements into a range of larger trust decisions such as authentication, network access control, or delegated computations.
