Applying ‘Trusted Brokered IO’ as trust boundary and policy enforcement point in Hardware for IoT devices

Stefan.Thom@Microsoft.com, for the Trusted Computing Group

Post on 22-Dec-2015


Page 1: Applying ‘Trusted Brokered IO’ as trust boundary and policy enforcement point in Hardware for IoT devices Stefan.Thom@Microsoft.com For the Trusted Computing

Applying ‘Trusted Brokered IO’ as trust boundary and policy enforcement point in Hardware for IoT devices

Stefan.Thom@Microsoft.com, for the Trusted Computing Group

Page 2

…and now that your buzzword Bingo card is already half full, the more pragmatic title:

How to prevent your device from becoming a ‘Brain in a Jar’

Page 3

IoT devices are all the rage today!

• We have a small number but we crave more
• Devices are getting cheaper and cheaper
• Each one comes with a new phone app
• We are excited when we get a new one
• We love to play around with them
• Frequent firmware updates with new features
• Many small unknown device vendors
• The more services they are hooked up to the better

Life is one big spring break beach party!

Page 4

The unavoidable hangover is looming

• Our life is filled with myriads of devices
• Devices are deployed in hard to reach places
• Every single one needs special attention
• Which ones are really mine?
• Yesterday it worked, today it doesn’t – What happened?
• How do I replace or dispose of a device?
• Which device has access to what?
• Cloud consumes huge amounts of questionable data
• Who else lives on my devices?

Page 5

What does it take?

• Isolated execution – Either by time or physical isolation

• Strong Device Identity – Cryptographic Endorsement Key

• Sealed Storage – Encrypted and bound to separate trust boundaries

• Attestation – Allows 3rd parties to form trust relationships

• Policy Bound Operation – Device and user policies are enforced

Page 6

Divide and Conquer

• Security starts in the platform hardware
• Apply principle of least privilege to your device
• Enforce defined parameters of operation
• Trust nobody, especially not your own code
• The design process starts with security and cannot be added with a firmware update

Create strong defendable trust boundaries inside your device


Page 8

Who the hell are you?!?

• No, a MAC address is not a good device identity and some GUID in flash memory is also useless

• A secret seed inaccessible to software
• Only accessible by policy restricted hardware
• Can never be read directly or indirectly
• Is used as a key in a cryptographic algorithm
• Can be used to re-establish trust after a break-in
• Backed by manufacturer identity service or certificate

Employ Cryptographic Endorsement Key


Page 10

Keeping the lid on things

• How to protect data at rest against offline attacks?
• Differentiating between using keys and reading them
• Controlled object migration in and out of the device
• Immutable persisted storage with individual read, write and lockout policies

Sealed and Protected Storage


Page 12

Mom said to always tell the truth

• Only a device reset resets the security posture
• Secure logging facility to measure device state
• Attestation of objects, persisted storage and state with trusted identities

Trusted Reporting and Attestation


Page 14

Having a reality check

• Ensure linear forward progression of time
• Dictionary attack protection
• Secure monotonic counting
• BitFields that behave like fuses
• Algorithm and usage restrictions on keys
• Flexible object authorization policies

Policy bound operation

Page 15

…and what else?

A good entropy source is also a nice thing.

Page 16

What can a TPM do for a modern MCU?

• Immutable boot loader (CRTM)
• Secure seeding of an internal PRNG
• Manufacturer authenticated platform boot
• Measured boot as tamperproof record of code and data
• Establishing ownership and device identity generation
• Attestation client to report device state
• Confidential storage of device configuration
• Secure identity and data protection key import
• Firmware rollback protection
• Secure forward migration of configuration data

There is actually a lot more down here but unfortunately the slide cut that off…

Page 17

…so it looks something like this

[Diagram labels: MCU, TPM, CRTM, Bootloader, Device Firmware (aka Payload), IO control, Service hookup; MCU and TPM are physically and cryptographically bound]

Page 18

Now, what is this Trusted Brokered IO thing?

If you are still sitting in the audience I assume that at least to some degree you bought into the 5 bullets of the “What does it take” slide.

- Good, and let me thank you at this point already -

Now we are going off the deep end: So far we created an MCU that adheres to the TCG software platform. This means we are done, right? Everything is secure, right? In a perfect world where software ships free of bugs, processors can interpret the developers’ intentions and nobody hacks devices on the internet, then by all means yes, absolutely! Let’s go home early today.

Page 19

Let’s look at that picture again…

[Diagram labels: MCU, TPM, CRTM, Bootloader, Device Firmware (aka Payload), with the trust boundary marked]

Page 20

Let’s look at that picture again…

[Diagram labels: MCU, TPM, CRTM, Bootloader, Device Firmware (aka Payload), with the trust boundary marked]

Caption on the payload: “Turn on gas, wait 30 minutes, ignite.”


Page 22

Why can’t we apply policies to IO?

• If it is good for software, why not also apply it to the hardware?
• Apply hard formulated policies on IO operations that the MCU cannot override
• Revoke MCU access from critical IO if the MCU is in an unknown state
• Provide IO override policy for authorized entities
• Provide data attestation on data that the MCU reads
• IoT device data with attached attestation meta data provides trust level
• Reduction of attack surface for high integrity IO devices

The TPM library specification defines GPIO pins for this purpose

Page 23

Trusted Brokered IO

[Diagram labels: two trust boundaries; MCU, TPM, CRTM, Bootloader, Device Firmware (aka Payload); PEP; Privileged IO: Igniter and fuel control; Attested IO: Oven State; Display, knobs and oven light]
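As an added illustration (not code from the slide deck), a toy Python model of the policy enforcement point on slide 23: a measured-boot register gates the privileged igniter output so a payload in an unknown state cannot drive it, and oven-state readings leave with the PCR value and a MAC so a relying party can assign the trust level slide 22 talks about. The class and function names, the firmware image, seed and temperature are constructed assumptions; a real TPM's PEP is hardware and would sign with an attestation key certified via the Endorsement Key rather than a shared HMAC key.

```python
import hashlib
import hmac
# Constructed values for the walk-through; nothing here comes from a real device.
GOOD_FIRMWARE = b"oven-fw-v1"          # payload image the manufacturer approved
SEED = b"constructed-secret-seed"      # stands in for the TPM's non-readable seed

class BrokeredIoTpm:  # TPM-side policy enforcement point (PEP), one privileged and one attested IO
    def __init__(self, seed: bytes, good_pcr: bytes):
        self._seed = seed          # only ever used as an HMAC key, never returned
        self.pcr = bytes(32)       # measurement register, zero only after device reset
        self.good_pcr = good_pcr   # policy: igniter may only fire in this measured state
        self.igniter_on = False

    def extend(self, measurement: bytes) -> None:
        """Measured boot: PCR = H(PCR || H(data)); the MCU can extend it but never set it."""
        self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(measurement).digest()).digest()

    def request_privileged_io(self, level: bool) -> bool:
        """Igniter/fuel control: the MCU asks, the PEP decides from the PCR policy."""
        if self.pcr != self.good_pcr:   # unknown state -> access revoked, output held safe
            self.igniter_on = False
            return False
        self.igniter_on = level
        return True

    def attested_read(self, oven_temp: int) -> dict:
        """Attested IO: the reading is tagged with the PCR and MAC'd under a seed-derived key."""
        key = hmac.new(self._seed, b"attestation-key", hashlib.sha256).digest()
        msg = self.pcr + oven_temp.to_bytes(2, "big")
        return {"temp": oven_temp, "pcr": self.pcr.hex(),
                "mac": hmac.new(key, msg, hashlib.sha256).hexdigest()}

def expected_pcr(firmware: bytes) -> bytes:  # reference value for the known-good payload
    t = BrokeredIoTpm(b"", bytes(32))
    t.extend(firmware)
    return t.pcr

def verify_reading(seed: bytes, good_pcr: bytes, report: dict) -> str:
    """Relying party check. A real TPM would sign with an attestation key certified via
    the Endorsement Key; a shared seed-derived HMAC key stands in for that here."""
    key = hmac.new(seed, b"attestation-key", hashlib.sha256).digest()
    msg = bytes.fromhex(report["pcr"]) + report["temp"].to_bytes(2, "big")
    if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).hexdigest(), report["mac"]):
        return "forged"          # MAC mismatch: data was altered or not produced by the PEP
    return "trusted" if bytes.fromhex(report["pcr"]) == good_pcr else "untrusted-state"

def boot_and_operate(firmware: bytes, oven_temp: int) -> tuple:  # boot, try igniter, report
    tpm = BrokeredIoTpm(SEED, expected_pcr(GOOD_FIRMWARE))
    tpm.extend(firmware)                      # CRTM measures the payload before it runs
    return tpm.request_privileged_io(True), tpm.attested_read(oven_temp)
```

With the approved payload the igniter request is granted and the reading verifies as trusted; a modified payload is denied the igniter, and its readings still verify but carry a PCR the relying party does not recognise.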

Page 24

Demo: Trusted Door

Page 25

Questions?