modeling and analysis of networked secure systems with application to trusted computing
DESCRIPTION
Modeling and Analysis of Networked Secure Systems with Application to Trusted Computing. Jason Franklin Joint work with Deepak Garg, Dilsun Kaynar, and Anupam Datta. Motivation. Despite progress in cryptography and security protocols, designing secure systems remains difficult - PowerPoint PPT PresentationTRANSCRIPT
1
Modeling and Analysis of Networked Secure Systems with Application to Trusted
Computing
Jason FranklinJoint work with Deepak Garg,
Dilsun Kaynar, and Anupam Datta
2
Motivation
• Despite progress in cryptography and security protocols, designing secure systems remains difficult
– Network protocols and cryptography rely on secure system assumption
• Problem: Attackers violate secure system assumption by exploiting system design flaws
• Solution: Prove security of system designs
3
Motivating Example
ClientSystem
Network
Network
Server System
4
Trusted Computing
• Question: How do we trust remote servers?
• Proposed Solution: Ask servers what programs they are running?– Server attests to (vouches for) its running software…
5
I’ll ask what programs they
have run!
How do I know if I can trust that server?
Hey server! What code
have you run?
Server System
Details of Proposed Solution
ClientSystem
Network Network
Network Protocol Analysis
System and Network Protocol AnalysisSince I last rebooted, I’ve run
0: Operating System1: Web Server
2: Shopping Cart Server
Request Reply
I trust those programs to
protect my data!
6
In this talk…
• Describe Logic of Secure Systems (LS^2)– Modeling system designs– Analysis of system designs
• Analyze trusted computing protocol
• Limitations, work in progress, and conclusion
7
Hey server! What code
have you run?
Server System
Modeling Protocols as Programs
ClientSystem
Network Networkrequest Reply
Client ≡
request := read question;
send request;
reply := receive;
match /reply/trusted/;
Server ≡
r := receive;
send reply;
Since I last rebooted, I’ve run
0: Operating System1: Web Server
2: Shopping Cart Server
I trust those programs to
protect my data!
8
Components of Model
ExplicitTime
EncryptionDecryption
Hash Sign/Verify
MemoryProtection
Memory
NetworkComm.
Threads
ControlFlow
Key:
AddedExisting
HardwareResets
TrustedComputing
9
Modeling Details
• Memory– Read and write named memory locations
• Example: d := read Mem[x];
• Memory Protection– Exclusive write locks
• Example: lock(Mem[x]);
• Explicit time– Ordering events
• Read at time TR, Write at time TW and TR < TW
– Expressing invariants• Mem[x] contains value V during interval (TR,TW)
10
Server System
New Adversary Model
ClientSystem
Network Network
I can remove, reorder, or
replay messages.
Standard Network Adversary
I can generate messages if I
know their components!
I’m a malicious local thread!
I can write to any unprotected memory location!
I can read any memory location!
I collude with the network adversary!
11
Overview of Protocol Analysis
Analysis
Suppose Client code executed then:
Server is executing trusted programs
Modeling
Client ≡
request := read question;
send request;
reply := receive;
match /reply/trusted/;
12
LS^2, what are you good for?
• Describe Logic of Secure Systems (LS^2)
• Analyze trusted computing protocol
• Limitations, work in progress, and conclusion
13
Hey server! What code
have you run?
MaliciousServer
System
Problems with Trusted Computing Protocol
ClientSystem
Network Networkrequest
Reply
Client ≡
request := read question;
send request;
reply := receive;
match /reply/trusted/;
MALICIOUS_Server ≡
r := receive;
send “linux”;
I trust those programs to
protect my data!
Since I last rebooted, I’ve run linux. Really, I have!
Since I last rebooted, I’ve run malicious code.
Mwhahaha!!!!
14
Server System
Solution: Trusted Coprocessor
ClientSystem
NetworkNetwork
TrustedCoprocessor
15
Trusted Coprocessor
• Trusted Computing– Augments platform with
trusted co-processor
• Coprocessor includes:– Crypto. Primitives– Keys– Append-only log
Coprocessor
Log : A B …
Log.append(A);Log.append(B);
16
Server with Coprocessor
Booting ≡
1. append log, os_code;
os := read os_code;
2. call os;
3. append log, web_server_code;
ws := read web_server_code;
4. call ws;Coprocessor
OS
Web Server
1. Append2. Call
4. Call 3. Append
Log = os_code web_server_code …
Server System
17
ClientSystem
Coprocessor Vouching for Log
Client_Receive ≡
s := receive;
verify s, seq(os_code, ws_code), K
Signer ≡
_ := receive;
w := read log;
s := sign w, K;
send s
Log = os_code ws_code …
s := SIGN K, (os_code, ws_code)
18
Protocol Analysis
Analysis
Suppose Client code executed then:
Server is executing trusted programs
Modeling
Client_Receive ≡
s := receive;
verify s, seq(os_code, ws_code), K
19
Trusted Computing Analysis
Reset
@ T R
Call t
o OS C
ode @
T OS
Read L
og @ T Rea
d
No Resets during TR to TRead
Begin EndVerify
Log @
T V
• Suppose that clients’s thread executes code Client_Receive in time interval [Begin, End) then the following properties hold:
20
Anyone See Security Vulnerability?
• Reset attack possible after read of log
Reset
@ T R
Call t
o OS C
ode @
T OS
Read L
og @ T Rea
d
No Resets during TR to TRead
Begin EndVerify
Log @
T V
Server Reset
Verification of Stale Data
Client believes server can be trusted!
21
Adversaries Attack Assumptions
• Assumptions:– Client is not running in coprocessor– Coprocessor does not reveal its private key– Coprocessor only executes Signer– Programs in memory are write locked
22
Up next…
• Describe Logic of Secure Systems (LS^2)– Designed for modeling and analysis of system
specifications
• Use LS^2 to analyze trusted computing protocols– Specify trusted computing protocols – State security properties and security proof – Discuss implications and analysis of proof
• Limitations, work in progress, and conclusion
23
Limitations and Work In Progress
• Control flow and context sensitive analysis• Composition theorems for modular analysis of
complex systems• Expanding access control policies• Analysis of other trusted computing protocols• Modeling layer diagrams
Hardware
Operating System
User Level Programs
Layer Diagram
24
Related Work
• LS^2 is derived from Protocol Composition Logic [Datta05-07]
• Related work on program correctness:– Concurrent separation logic [Brookes04]– Verification of concurrent systems [TLA,
Lamport84, Owicki&Gries76]
25
Conclusion
• LS^2 is logic for analysis of networked secure systems including local and network adversaries
• LS^2 models abstract memory protections, time, hardware resets, and security primitives
• Described formal analysis of trusted computing– Identified reset attack
• Ongoing work seeks to expand scope of LS^2
26
Take Home Points
• If you are designing secure systems: – LS^2 enables security analysis of system
design before you implement• Avoids costly and embarrassing vulnerabilities• Clarifies security properties of design
• Even if you are just using secure systems:– LS^2 can provide stronger guarantees about
your security
27
Questions?
• Theory of Secure Systems Project (ToSS) – http://www.cs.cmu.edu/~jfrankli/toss
• Publications and Manuscripts:– D. Garg, J. Franklin, D. Kaynar, A. Datta. “Towards a
Theory of Secure Systems” Cylab Technical Report, Feb. 2008.
– D. Garg, J. Franklin, D. Kaynar, A. Datta. “A Logic for Reasoning about Networked Secure Systems.” Under submission to FCS ’08.
– J. Franklin, D. Garg, D. Kaynar, A. Datta. “Modeling and Security Analysis of Trusted Computing.” In progress.
28
2