Trusted execution in the cloud



Demo 4 Complete

17 Nov 2014

Demo 4, our last demonstration for our first contract year, is complete and successful. This demonstration extends previous demos by including explicit certification of the \(AIK\) by an external certificate authority.

  1. Attestation agent takes ownership of its vTPM
  2. Appraiser sends a request \(\langle D,n,PCRSelect\rangle\) to an attestation agent for PCRs
    • \(D=[d_0,d_1,…,d_n]\) - desire evidence
    • \(n\) - nonce
    • \(PCRSelect\) - PCRs to include in the TPM quote
  3. Attestation agent selects a protocol based on \(D\)
  4. Attestation agent executes the selected protocol:
    • Creates an \(AIK\) for signing a quote
    • Requests \(AIK\) authentication by a certificate authority
    • Receives \(\{CAcert\}_{k}\) and \(\{k,AIKdigest\}_{EK}\) where
      • \(CAcert\) is \([AIK]_{CA^{-1}}\), the \(AIK\) signed by the certificate authority
      • \(AIKdigest\) is \(\#AIK\), the hash of public \(AIK\)
    • Decrypts \(k\) and uses it to decrypt \(CAcert\)
    • Gathers evidence makes calls to the measurer based on the requst, \(D\), to gather \(E\)
    • Receives \(E\)
    • Creates an evidence package, \(\{\langle E,n\rangle\}\)
    • Creates a quote \(q=\langle\#\langle E,n,CAcert\rangle,PCR\rangle_{AIK^{-1}}\).
      • \(\#\langle E,n,CAcert\rangle\) guarantees integrity of the evidence, the nonce, and the CA certification
      • \(PCR\) is a PCR composite built using \(PCRSelect\) sent with the request.
  5. Attestation returns the quote, evidence and CA certification
  6. Appraiser checks the returned quote and evidence
    • Checks integrity of evidence, nonce and \(CACert\) using \(\#\langle E,n,CACert\rangle\) from the quote
    • Checks \([AIK]_{CA^{-1}}\) authenticity using \(CA\) public key
    • Checks the signature of the quote using the now certified \(AIK\)
    • Recreates and checks the PCR composite
    • checks \(n\) against the original nonce sent to the attestation manager
    • checks \(E=[e_0,e_1,…,e_n]\) against known good values

All data exchanged among the appraiser, attestation manager, measurer, and Privacy CA is in the form of standard JSON structures. This supports integration with other trusted computing components outside the ArmoredSoftware ecosystem.

In addition to executing successful runs, the demo checks a number of cases that should cause the protocol to fail or give bad results. These include:

  1. Bad measurement values
  2. Bad PCR values
  3. Bad nonce
  4. Uncertified or improperly certified \(AIK\)
  5. Bad quote or quote signature

The demo is quite close to being a complete and valid attestation protocol execution. Following are remaining limitations:

  1. The Privacy CA is currently simulated, but can easy be replaced by an existing operational Privacy CA.
  2. The vTPM is currently a stand-alone Berlios TPM emulator

Note that the measurer is now being called explicitly and is no longer simulated.

TPM Uptake

01 Aug 2014

Here’s a link to a nice article on TPM Uptake from Computer Weekly. Most enterprise computers have a hardware TPM on board, but they are rarely used. Microsoft’s BitLocker is one application that does and I’ve heard Chromebooks use a TPM to protect information in the cloud. However, broad uptake has been slow. This article suggests that might be changing. Furthermore, TCG is introducing the TPM 2.0 shortly that will be more flexible than the current 1.2. Only time will tell.

Demo 2 Complete

01 Aug 2014

Demo 2 is in the books. Demo 2 adds explicit execution of an attestation protocol and interaction with the measurer. This demo continues to be naive, but uses an attestation protocol and returns an evidence package. The evidence package integrity is guaranteed and linked to the quote by the hash returned in the quote. The quote is used to evaluate the data and the data in turn used to evaluate the target system.

  1. Appraiser sends a request \(\langle D,n\rangle\) to an attestation agent for PCRs
    • \(D=[d_0,d_1,…,d_n]\) - desire evidence
    • \(n\) - nonce
  2. Attestation agent selects a protocol based on \(D\)
  3. Attestation agent executes the protocol
    • Gathers evidence, \(E\), from application
    • Creates an evidence package, \({\langle E,n\rangle}_{k^{-1}}\)
    • Creates a quote \(q=\langle\#\langle E,n\rangle,PCR\rangle_{k^{-1}}\)
  4. Attestation returns the quote and evidence
  5. Appraiser checks the returned quote and evidence
    • checks the signature of the quote
    • checks the evidence package using \(\#\langle E,n\rangle\)
    • checks \(n\)
    • checks \(E=[e_0,e_1,…,e_n]\)
  6. Provide an argument for correctness

The attestation protocol receives \(D\) from the appraiser and translates its components into calls the measurer to generate \(E\). The evidence package and quote are generated by individual protocol steps.

The demo is limited for several reasons:

  1. The signing key, \(k\) is not maintained by a TPM or vTPM
  2. The quote is not generated by a TPM or vTPM
  3. PCRs are dummy values
  4. The measurer is currently being simulated rather than called explicitly

The first three limitations will be eliminated in Demonstration 3 when we integrate a TPM. The last limitation is an operating system issue that will be resolved when we move from CentOS to Fedora in the next demonstration.

We are now working full time on Demonstration 3.

Demo 1 Complete

01 Jul 2014

Today we did our first internal demonstration of an ArmoredSoftware attestation among two virtual machines. Demo 1 implemented an exceptionally naive appraisal whose intent was shaking out infrastructure issues including cryptography functions and communication. The demo uses a traditional asymmetric key, k, rather than an AIK or EK for signing and assumes the appraiser has a public key for the target’s TPM.

  1. Appraiser sends a request <d,n> to an attestation agent for PCRs
    • d - desired PCRs
    • n - nonce
  2. Attestation agent creates a quote sign{q,n}{k} signed with a traditional asymmetric key, k
  3. Attestation returns the quote to the appraiser
  4. Appraiser checks the returned evidence
    • checks the signature
    • checks the nonce
    • checks PCR values

Here’s what we learned:

  1. Communication among VMs with vchan through a Haskell interface is working for us. Some issues remain concerning communcating large data objects, but we have what we need to move forward.
  2. Static IPs are still a problem in our cloud configuration.
  3. Data is transmitted over the control network rather than the data network. This is an easy fix.
  4. We need to address key and ID management after Demo 2.

We’re now off and running for Demo 2 where we will add quite a bit including protocol selection and execution, interaction with the measurer, and complex data requests.

HCSS and ArmoredSoftware

03 May 2014

HCSS’14 will be May 6-8 in Annapolis where we will be presenting our first poster presentation on ArmoredSoftware. We will also be holding our initial kickoff meeting with the sponsor May 9.

KU and TCG

10 Apr 2014

KU and ITTC are now formally participants in the Trusted Computing Group Liaison Program. We will actively be contributing to TCG standards for systems such as the TPM, Virtualized TPM and Mobile platforms.

January New Project Members

19 Jan 2014

Welcome to Justin Dawson and Jason Gevargizian. Justin will be working with Andy Gill on the system architecture and Jason will be working with Prasad on measurement.

Up And Going

28 Sep 2013

ArmoredSoftware is officially up and going. Our contract started 27 September 2013 and we are happily at work. Thanks to everyone who got our contract in place!