![Page 1: 1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007](https://reader030.vdocuments.site/reader030/viewer/2022032703/56649d145503460f949e9940/html5/thumbnails/1.jpg)
Minimal TCB Code Execution
Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri
Carnegie Mellon University
May 22, 2007
Trusted Computing Base (TCB)
[Figure: the TCB before and after. Left: CPU, RAM, TPM and chipset; DMA devices (network, disk, USB, etc.); the OS; the application containing the security-sensitive code (SS) and the other applications (App1 ...), all inside the TCB. Right: the same hardware, but the software TCB of the SS is reduced to the Shim and the SS itself; the OS, DMA devices and other applications lie outside it.]
Contributions
• Isolate security-sensitive code execution from all other code and devices
• Attest to security-sensitive code and its arguments and nothing else
• Convince a remote party that security-sensitive code was protected
• Add < 250 LoC to the software TCB
[Figure: Shim and SS; the software TCB contributed by the Shim is under 250 LoC.]
TPM Background
• The Trusted Platform Module (TPM) is a dedicated security chip
• It can provide an attestation to remote parties
– Platform Configuration Registers (PCRs) summarize the computer's software state
– TPM provides a signature over PCR values
• TPM spec v1.2 includes dynamic PCRs
– Values can be reset without a reboot
Late Launch Background
• Supported by new commodity CPUs
– SVM for AMD
– TXT (formerly LaGrande) for Intel
• Designed to launch a VMM without a reboot
– Hardware-based protections ensure launch integrity
• New CPU instruction (SKINIT/SENTER) accepts a memory region as input and atomically:
– Resets dynamic PCRs
– Disables interrupts
– Extends a measurement of the region into PCR 17
– Begins executing at the start of the memory region
Adversary Capabilities
• Run arbitrary code with maximum privileges
• Subvert any DMA-enabled device
– E.g., network cards, USB devices, hard drives
• Perform limited hardware attacks
– E.g., power cycle the machine
– Excludes physically monitoring/modifying CPU-to-RAM communication
[Figure: the platform diagram from slide 2 (CPU, RAM, TPM, chipset; DMA devices; OS and applications; Shim and SS).]
Architecture Overview
• Core technique
– Pause current execution environment
– Execute security-sensitive code with hardware-enforced isolation
– Resume previous execution
• Extensions
– Preserve state securely across invocations
– Attest only to code execution and protection
– Establish secure communication with remote parties
Execution Flow
[Figure, slide 8: the TPM holds the PCRs and the signing key K^-1; the CPU runs the OS and an App whose Module (Shim + SS) sits in RAM. SKINIT resets the dynamic PCRs to 0 and extends the measurement h of the Module into PCR 17; the Shim then extends PCR 17 with the Inputs and the Outputs, leaving it at H. The static PCRs (shown as 7 2 9 ...) are untouched.]
[Figure, slide 9: after the session, PCR 17 summarizes exactly the Shim, the SS, its Inputs and its Outputs, and the TPM produces an Attestation over that value.]
Attestation
[Figure, slide 10: a remote party asks "What code are you running?" and receives Sign(Shim, SS, Inputs, Outputs), K^-1, a signature over PCR values that reflect only the Shim, the SS, its Inputs and its Outputs. Versus: a conventional attestation, Sign(OS, App1, ..., App5, SS), K^-1, which covers the OS and every application along with the SS.]
11
Potential Applications• Server applications
– Password authentication, SSL keys, Certificate Authority (CA), etc.
• Verifiable distributed computing– SETI@Home, Folding@Home, distcc, etc.
• Client-side applications– Secure password entry
Ongoing Work
• Extracting security-sensitive code from existing applications
• Containing malicious or malfunctioning security-sensitive code
• Coping with slow security-sensitive code
• Creating a trusted path to the user
Related Work
• Secure coprocessors
– Dyad [Yee 1994], IBM 4758 [JiSmiMi 2001]
• System-wide attestation
– Secure Boot [ArFaSm 1997], IMA [SaZhJaDo 2004], Enforcer [MaSmWiStBa 2004]
• VMM-based isolation
– BIND [ShPeDo 2005], AppCores [SiPuHaHe 2006], Trustworthy Kiosks [GaCáBeSaDoZh 2006], Proxos [TaLiLi 2006]
Conclusions
• Explore how far an application’s TCB can be minimized
• Isolate security-sensitive code execution
• Provide fine-grained attestations
• Allow application writers to focus on the security of their own code