Bootstrapping Trust in Modern Computers

Trusting a computer for a security-sensitive task (such as checking email or banking online) requires the user to know something about the computer's state. We examine research on securely capturing a computer's state, and consider the utility of this information both for improving security on the local computer (e.g., to convince the user that her computer is not infected with malware) and for communicating a remote computer's state (e.g., to enable the user to check that a web server will adequately protect her data). Although the recent "Trusted Computing" initiative has drawn both positive and negative attention to this area, we consider the older and broader topic of bootstrapping trust in a computer. We cover issues ranging from the wide collection of secure hardware that can serve as a foundation for trust, to the usability issues that arise when trying to convey computer state information to humans. This approach unifies disparate research efforts and highlights opportunities for additional work that can guide real-world improvements in computer security.
