Lakshmi Nannapaneni's presentation on Patterns for Secure Boot


Patterns for Secure Boot and Secure Storage in Computer Systems
By: Hans Löhr, Ahmad-Reza Sadeghi, Marcel Winandy
Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany
Introduction
• Trusted Computing
• Trusted Computing also includes: system state integrity and the secure link
• In this paper, security patterns are introduced for secure boot and for secure storage.
• Secure boot is at the heart.
• It ensures that the integrity of software is verified before stored data is accessed.
Introduction (Contd.)
• We present the patterns underlying two fundamental TC concepts: Secure Boot and Secure Storage.
• Secure Boot: software that violates the integrity properties cannot be loaded.
• A variant of this pattern is termed Authenticated Boot.
• Secure Storage is a crucial application-level requirement in many scenarios.
SECURE BOOT PATTERN
Intent: How to prevent violations of the integrity properties of the software stack.
Example: How can the user be sure that the system software is in the intended operational state?
Context: On conventional platforms, software can be manipulated or exchanged.
SECURE BOOT PATTERN
Problem:
• Before applications can be used on a computer system, the system has to be bootstrapped.
• The bootloader loads the operating system kernel, and the operating system kernel loads system services, device drivers, and other applications.
• At any stage of the bootstrap process, software components could have been exchanged or modified by another user or by malicious software that has been executed before.
SECURE BOOT PATTERN
• The following forces have to be resolved:
  You want to ensure the integrity of the loaded software on the system.
  You want the computer system to always boot in a well-defined secure state.
  You want to allow modifications of the operating system or application binaries.
SECURE BOOT PATTERN
Solution:
• Every stage is responsible for checking the integrity of the next stage.
• Integrity checking can be performed in different ways: comparing hash values, or verifying digital signatures.
SECURE BOOT PATTERN
Figure 1. Elements of the Secure Boot pattern.
SECURE BOOT PATTERN
Known Uses:
• AEGIS
• The Cell Broadband Engine processor
Consequences:
Example Resolved:
Related Patterns:
• Boot Loader
• Authenticator
SECURE STORAGE PATTERN
Intent: Secure storage provides confidentiality and integrity for stored data, and additionally enforces access restrictions on entities that want to access data.
Example: Consider the problem of storing passwords (e.g., for web services) securely on a computer.
Context: You need to provide storage that protects the confidentiality and integrity of stored data.
SECURE STORAGE PATTERN
Problem:
• Cryptographic techniques exist to protect the confidentiality and integrity of data.
The following forces have to be resolved:
• confidentiality and integrity of data
• secret cryptographic keys
• modifications of the operating system or application binaries
SECURE STORAGE PATTERN
Solution:
• Root Key
• Root Key and Root Key Control are both protected by trusted hardware
SECURE STORAGE PATTERN
Structure:
Figure 2. Elements of the Secure Storage pattern.
SECURE STORAGE PATTERN
Known Uses:
• The Cell processor features storage that can only be accessed when the processor is in a "secure state".
Example Resolved:
Consequences:
• Only software where the integrity verification succeeded can access the protected data.
• Data can be stored on a system such that it can be accessed only when the authorized operating system and software have been started.
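The two solutions above, the stage-by-stage integrity chain of Secure Boot (with its Authenticated Boot variant) and a Root Key Control that only yields stored data when verification succeeded, as an added Python example that is not part of the paper or the presentation; the stage images, reference hashes, root key and the toy SHA-256 stream cipher are constructed for illustration.

```python
import hashlib
import hmac

def measure(image: bytes) -> str:
    """Integrity check by comparing hash values (the first method named above)."""
    return hashlib.sha256(image).hexdigest()

def boot(chain, reference, halt_on_mismatch=True):
    """Each stage verifies the next one before handing over control.
    True: Secure Boot, a stage that fails the check is never loaded. False:
    Authenticated Boot, every stage loads but its measurement is recorded."""
    log = []
    for name, image in chain:
        digest = measure(image)
        log.append((name, digest))
        if halt_on_mismatch and not hmac.compare_digest(digest, reference[name]):
            return False, log  # halt: the rest of the stack is not started
    return all(d == reference[n] for n, d in log), log

# Root Key: held by trusted hardware and never released (a constant here, for
# illustration). Root Key Control derives a storage key bound to the boot log,
# so sealed data is only recoverable once the same verified stack has started.
ROOT_KEY = b"constructed-root-key-held-in-hardware"

def root_key_control(log) -> bytes:
    state = "|".join(f"{n}:{d}" for n, d in log).encode()
    return hmac.new(ROOT_KEY, state, hashlib.sha256).digest()

def keystream(key: bytes, n: int) -> bytes:  # toy SHA-256 counter mode, demo only
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(data: bytes, log) -> bytes:
    key = root_key_control(log)
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct  # tag || ciphertext

def unseal(blob: bytes, log):
    key = root_key_control(log)
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # boot state differs from the sealing state: access denied
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))

# Constructed sample stack and the reference values a root of trust would hold.
GOOD = [("bootloader", b"bootloader v1"), ("kernel", b"kernel v1"),
        ("services", b"services v1")]
REFERENCE = {name: measure(image) for name, image in GOOD}
TAMPERED = [GOOD[0], ("kernel", b"kernel v1 + rootkit"), GOOD[2]]
```

With the tampered kernel, Secure Boot stops after two stages, while Authenticated Boot runs all three but produces a log under which `unseal` refuses to release the password.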
SECURE STORAGE PATTERN
Related Patterns:
• Secure Storage requires Secure Boot to protect the integrity verification data
• Secure Storage also requires Controlled Virtual Address Space
• Information Obscurity
CONCLUSION
• Secure boot
• Secure storage
• Variety of patterns based on implementation requirements