Transcript Title Place here - University of Pittsburgh

Enforcement of Security
Policy Compliance in
Virtual Private Networks
Prof. José Carlos Brustoloni
Dept. Computer Science
University of Pittsburgh
[email protected]
Joint work with Haidong Xia and Jayashree Kanchana
Motivation
Users often telecommute from home
computers shared with children, or from
computers borrowed at kiosks or cybercafés
♦ However, virtual private network (VPN)
gateways usually authenticate only the user,
not the computer the user is employing
♦ Attackers can easily bypass firewalls by
infecting such computers
♦
SSI 2005
Jose' Brustoloni
2
Previous proposed solutions
♦
♦
♦
Verify node’s configuration before accepting node in
network
Node sends list with node’s software configuration and
versions to a network server
Server may:


♦
accept node’s configuration, or
confine node to restricted network that allows updating node’s
software
Expected to become common in a few years



SSI 2005
Cisco’s Network Admission Control (NAC)
 some routers with proprietary protocols commercially
available
Microsoft’s Network Access Protection (NAP)
TCG’s Trusted Network Connect (TNC)
Brustoloni
3
 some architecture Jose'
documents
out, but important details
Continuing vulnerability
♦
Malicious node can spoof list with node’s
software configuration and versions
♦
How can network server be sure of
node’s configuration?
SSI 2005
Jose' Brustoloni
4
Secure coprocessors
Trusted Computing Group (TCG) has
standardized secure coprocessors (TPM) for
just this type of problem
♦ Low cost ($4)
♦ Present in increasing number of computers
from Lenovo/IBM, HP, Dell, and others
♦
SSI 2005
Jose' Brustoloni
5
Our contributions
1.
How to integrate secure coprocessors with operating system?
Straightforward answer is vulnerable to buggy components other
than the kernel
→ TCB prelogging
♦ Straightforward answer is also vulnerable to tampering by
privileged users
→ Security association root tripping
♦
2.
How to keep node under its owner’s control?
Danger of software lock-in
→ Sealing-free attestation confinement
♦
3.
How to integrate secure coprocessors with network protocols?
Straightforward answer is vulnerable to man-in-the-middle (MITM)
attacks
→ Bound Keyed Attestation (BKA)
♦
SSI 2005
Jose' Brustoloni
6
Authenticated boot
Core Root
of Trust for
Measurement
=
BIOS
boot
block
Measurement
Agents
TPM
e.g., daemons and configuration files
SSI 2005
Jose' Brustoloni
7
How to fit many measurements
into a small TPM
♦
TPM contains only a limited number of Platform Configuration
Registers (PCRs) for storing measurements

♦
♦
TPM 1.1: 16 PCRs, each 160 bits long
PCRs are initialized to known value at boot time
Measurement agent (MA) stores a measurement in a PCR by
concatenating current value of PCR with measurement,
 computing secure hash (SHA-1) of concatenation, and
 storing the result into PCR

♦
MA also records measurement in measurement log:
each record contains module name, version, supplier name or URL,
and actual measurement of each software module in chain of trust
 stored in ordinary, unprotected memory outside TPM
 tampering revealed by inconsistency with PCRs inside TPM
 infeasible to alter log and maintain consistency with PCR

SSI 2005
Jose' Brustoloni
8
Attestation
Challenger sends nonce to node
♦ Node’s operating system asks node’s secure
coprocessor to sign quote (software digests currently
stored in coprocessor)
♦ Signature uses private key generated within
coprocessor
♦ A trusted third party previously verified that a
compliant secure coprocessor is bound to node and
issued a certificate that gives secure coprocessor’s
public key
♦ Node’s operating system sends measurement log (with
each software component’s secure hash), quote, and
SSI 2005
Jose' Brustoloni
certificate to challenger
9
♦
TCB prelogging
♦
Trusted Computing Base (TCB):


anything that could compromise node’s security
includes kernel, configuration files, daemons, root setuid
applications
How can we be sure that TCB is measured?
♦ Our solution: use TCB list (itself part of TCB)
♦ Kernel:
♦



SSI 2005
Prelogs items in TCB list into secure coprocessor at boot time
Measures these items, as well as any daemons and root setuid
applications, at open or exec time
In case of discrepancy, logs it into secure coprocessor and
breaks any security associations that depend on the TCB list
Jose' Brustoloni
10
Security association root tripping
♦
Privileged users (e.g., root) can change
configuration after boot time

♦
e.g., sysctl, ifconfig
Our solution: If user insists in logging in as
root:
1.
2.
SSI 2005
Drop any security associations that depend on TCB
list
 e.g., destroy keys necessary for network access
Log event into secure coprocessor
 node will need to reboot before regaining access
Jose' Brustoloni
11
Sealing-free attestation confinement
♦
♦
Secure coprocessor also enables sealing data such that
data retrieval is possible only when platform has the
same configuration
Danger of software lock-in: software seals to itself
node owner’s data


♦
can’t use competing applications
may lose data if software provider disappears
Our solution:


SSI 2005
Operating system supports attestation but not sealing
Integrate attestation only with intranet access control
protocols, which typically cannot cross firewalls
Jose' Brustoloni
12
MITM attack against attestation
conformant
host
nonce
MITM
quote
authentication
server
tunnel (e.g. TLS)
SSI 2005
Jose' Brustoloni
13
Our solution: Bound Keyed Attestation
Combine attestation with Diffie-Helman to
generate shared secret
♦ Cryptographically bind secret with tunnel’s
keys
♦
→ Guarantee that attestation and tunnel
endpoints are the same
SSI 2005
Jose' Brustoloni
14
BKA protocol
SSI 2005
Jose' Brustoloni
15
Experimental results
♦
♦
♦
♦
Implemented all mechanisms on FreeBSD 4.8 running on IBM
ThinkPad T30 with 1.8 GHz Pentium 4 and TPM 1.1b secure
coprocessor
Integrated BKA with IKE
VPN gateway was Dell computer with 2.4 GHz Pentium 4
without secure coprocessor
TCB prelogging, security association root tripping, and sealingfree attestation confinement have negligible impact on FreeBSD
4.8 boot latency or run-time performance
SSI 2005
Jose' Brustoloni
16
IKE latency and projected throughput
with or without BKA
Unmodified IKE
IKE + BKA
Latency (s)
1.2
3.6
Projected
throughput
(clients/min)
428
277
• All of the difference between latency with or without BKA can be
attributed to secure coprocessor’s quote time (2.5 s)
• Throughput with BKA can be easily increased by using multiple
authentication servers
SSI 2005
Jose' Brustoloni
17
Related work
♦
♦
♦
♦
♦
NAP, NAC, TNC
Bear
TcgLinux
Microsoft’s NGSCB / Intel’s LT
Terra
SSI 2005
Jose' Brustoloni
18
Conclusions
♦
♦
♦
♦
VPN gateways need to authenticate not only users, but also
users’ computers
Several commercial proposals to authenticate nodes’
configuration, but they are vulnerable to spoofing
Secure coprocessors can block spoofing, but have challenges of
their own
We introduced several new solutions to these challenges:
TCB prelogging
 Security association root tripping
 Sealing-free attestation confinement
 Bound Keyed Attestation

♦
Experiments show that our techniques have acceptable overhead
SSI 2005
Jose' Brustoloni
19