Building a trusted environment for security applications

Security controls (such as encryption endpoints, payment gateways, and firewalls) rely on correct program execution and on secure storage of critical data (such as cryptographic keys and configuration files). Even when hardware security elements are used (e.g. cryptographic accelerators), software, in the form of drivers and libraries, remains critical for secure operation. This chapter introduces the features and foundations of Trusted Computing, an architecture that exploits the low-cost TPM chip to measure the integrity of a computing platform. This allows the detection of static unauthorized manipulation of binaries (whether OS components or applications) and configuration files, and hence the quick detection of software attacks. For this purpose, Trusted Computing provides enhanced security controls, such as sealed keys (which can be accessed only by known-good applications when the system is in a safe state) and remote attestation (securely demonstrating the software state of a platform to a remote network verifier). Besides the theoretical foundation, the chapter also guides the reader through the creation of applications that enhance their security by using the features provided by the underlying PC-class trusted platform.
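The three mechanisms the abstract names (integrity measurement into a PCR, keys sealed to a platform state, and a quote checked by a remote verifier) can be simulated in a few dozen lines. The following is an added example written for this page, not code from the chapter or from any TPM software stack: it models TPM 1.2 PCR-extend semantics (PCR_new = SHA-1(PCR_old || measurement)) in pure Python, and uses a SHA-256-derived keystream as a stand-in for the TPM's storage-key encryption and an HMAC as a stand-in for the Attestation Identity Key signature. The boot components, the sealed key material and the attestation key are constructed sample values.

```python
"""Software-only simulation of TPM-style measurement, sealing and attestation.

Added example, not the chapter's code. Stand-ins for real TPM operations:
  * pcr_extend  -> TPM_Extend (SHA-1 chaining, TPM 1.2 semantics)
  * seal/unseal -> secret bound to an expected PCR value (XOR keystream
                   derived from the PCR replaces the TPM storage key)
  * quote       -> TPM_Quote (HMAC replaces the AIK RSA signature)
All component contents, keys and secrets below are constructed sample data.
"""
from __future__ import annotations

import hashlib
import hmac
import os

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest


def measure(component: bytes) -> bytes:
    """Measurement of a component: SHA-1 over its bytes, as an IMA-style agent does."""
    return hashlib.sha1(component).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM_Extend: the only way a PCR changes, so the order of extends matters."""
    return hashlib.sha1(pcr + digest).digest()


def measure_chain(components: list[bytes]) -> bytes:
    """Extend a freshly reset (all-zero) PCR with each component in boot order."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = pcr_extend(pcr, measure(component))
    return pcr


def _keystream(pcr: bytes, length: int) -> bytes:
    # Storage-key stand-in: a keystream that depends on the exact PCR value.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(pcr + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Bind a secret to a platform state; only that state can recover it."""
    ks = _keystream(expected_pcr, len(secret))
    return {
        "pcr_digest": hashlib.sha256(expected_pcr).digest(),
        "blob": bytes(a ^ b for a, b in zip(secret, ks)),
    }


def unseal(sealed: dict, current_pcr: bytes) -> bytes | None:
    """Return the secret only if the current PCR equals the sealed state."""
    if not hmac.compare_digest(hashlib.sha256(current_pcr).digest(), sealed["pcr_digest"]):
        return None  # tampered or different software state: key stays locked
    ks = _keystream(current_pcr, len(sealed["blob"]))
    return bytes(a ^ b for a, b in zip(sealed["blob"], ks))


def quote(aik_key: bytes, pcr: bytes, nonce: bytes) -> dict:
    """TPM_Quote stand-in: attest the PCR value, bound to the verifier's nonce."""
    return {"pcr": pcr, "nonce": nonce,
            "sig": hmac.new(aik_key, pcr + nonce, hashlib.sha256).digest()}


def verify_quote(aik_key: bytes, q: dict, nonce: bytes, golden_pcr: bytes) -> bool:
    """Remote verifier: check authenticity, freshness, and the expected state."""
    expected_sig = hmac.new(aik_key, q["pcr"] + q["nonce"], hashlib.sha256).digest()
    return (hmac.compare_digest(expected_sig, q["sig"])
            and q["nonce"] == nonce
            and hmac.compare_digest(q["pcr"], golden_pcr))


# Constructed sample platform: bootloader, kernel, then a security application.
GOOD_CHAIN = [b"bootloader v1", b"kernel 3.2", b"firewall-app 1.0"]
TAMPERED_CHAIN = [b"bootloader v1", b"kernel 3.2", b"firewall-app 1.0 BACKDOOR"]
GOLDEN_PCR = measure_chain(GOOD_CHAIN)  # known-good value held by the verifier


def demo() -> dict:
    """Run sealing and attestation against a good and a tampered boot chain."""
    aik = b"constructed-attestation-key"
    key_material = b"sealed-tls-key-material"
    sealed = seal(key_material, GOLDEN_PCR)
    nonce = os.urandom(16)
    good_pcr = measure_chain(GOOD_CHAIN)
    bad_pcr = measure_chain(TAMPERED_CHAIN)
    return {
        "unseal_good": unseal(sealed, good_pcr) == key_material,
        "unseal_tampered": unseal(sealed, bad_pcr) is None,
        "attest_good": verify_quote(aik, quote(aik, good_pcr, nonce), nonce, GOLDEN_PCR),
        "attest_tampered": verify_quote(aik, quote(aik, bad_pcr, nonce), nonce, GOLDEN_PCR),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties of the real mechanism carry over to the simulation: a single changed byte in any measured component changes the final PCR, so the sealed key becomes unrecoverable and the quote fails against the golden value; and because extend chains hash-over-hash, the same components measured in a different order produce a different PCR, which is why a verifier needs the full measurement log and not just the final digest to diagnose what changed.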
