StaticTrust: A Practical Framework for Trusted Networked Devices

Given the proliferation of malware and malicious activities, the integrity of communication systems is an ever-growing concern. In this work, we propose StaticTrust, an integrity measurement framework that enables a system to evaluate the integrity and state of a remote client prior to providing trusted communication services. StaticTrust is designed for a specific class of network devices that have software images that change infrequently and require tight configuration control (e.g., routers, switches, trusted gateways, or high-low guards). StaticTrust exploits the relatively static nature of these communication systems and uses a Trusted Platform Module (TPM) to measure the state of the device and provide identity verification for it. This framework, coupled with the attestation and dynamic firewall exception services we authored, enables remote parties to confirm the integrity of clients, thereby limiting the effects and the proliferation of malware in a compromised system. We implement a prototype of the StaticTrust framework and measure the performance of our system to show that our design choices for constructing the software image result in efficient measurement and verification of system integrity.
