The axioms of insecurity on commodity computer systems suggest that an adversary will have an asymmetric advantage over any defender forever. This implies that the defender-adversary arms race on such systems always favors the adversary, as conventional security wisdom often emphasizes. In this presentation, I illustrate how a defender can win against any adversary by establishing root of trust on a commodity system unconditionally; i.e., without any tradeoffs. Then I will show how to maintain the defender's advantage in protecting selected applications, and explain why this is still uncommon on commodity systems.
Establishing root of trust unconditionally. Suppose that a small and simple trusted verifier must boot a trustworthy program on a system that may contain persistent malware. Establishing root of trust (RoT) assures, with high probability, either that the system has all and only the content chosen by the trusted verifier or that the verifier discovers unaccounted-for content. Hence, verifiable boot takes place in a malware-free state. Obtaining such assurance is challenging because a remote adversary's malware can survive repeated secure- and trusted-boot operations and evade detection by any anti-malware tool; e.g., these tools neither have malware-unmediated access to device controllers' firmware nor prevent remote malware connections over the Internet. In this presentation, I will show how to establish RoT unconditionally; i.e., without secrets, trusted hardware modules (e.g., TPMs, ROMs, HSMs), or adversary computation bounds. I will also argue that this is the only unconditional solution to any security or cryptography problem to date.
Maintaining root of trust selectively. Establishing root of trust makes all persistent malware ephemeral and forces the adversary to repeat a malware-insertion attack. Nevertheless, repeated successful attacks on commodity systems and applications are hard to deny because of the inherent size and complexity of their software components, aka the "giants" [1, 3]. To win against an adversary, small and simple software components with rather limited function and high-assurance security properties (aka the "wimps") must be available, since they can, in principle, counter all attacks. In this setting, maintaining root of trust selectively assures a defender that a commodity computer's wimps are isolated from, and safely co-exist with, adversary-controlled giants.
Maintaining RoT selectively also implies that, regardless of how secure wimp isolation may be, I/O separation for wimps must also be provably achieved despite the use of commodity systems that encourage I/O hardware sharing, not isolation. In this presentation I will also illustrate the basic challenges of I/O separation for wimps and giants, and present an example of an experimental system for on-demand separated I/O transfers, which was designed and implemented at CMU's CyLab.
Hardware-based TPM provides hardware-backed security solutions and a root of trust for various mission-critical applications. However, hardware-based TPM has several intrinsic problems such as extremely low performance, off-chip security vulnerability, and a lack of incident response agility. In the upcoming quantum computing era, it is critical to provide Quantum-Resistant (QR) cryptography functions without harming performance. Unfortunately, the rigid hardware and software architecture model of hardware-based TPM makes it extremely difficult to transition to future QR cryptographic systems. On the other hand, software-based TPMs (e.g., firmware-based TPM) provide a CPU-based, on-chip security solution. They utilize low-level on-chip primitives offered by chipsets, such as ARM TrustZone or Intel Software Guard Extensions (SGX), to build a trusted computing environment. A software-based TPM solution provides higher performance, on-chip security, and incident response agility. However, it lacks hardware-backed protection and several vital features such as secure key storage, robustness against side-channel attacks, and true random number generation, among others. In addition, its implementation is highly dependent on the low-level primitives provided by each hardware vendor, which makes it difficult to offer as a generalized solution. In this paper, we propose hybrid-TPM (hTPM), which fully utilizes the advantages of a hardware-based TPM and diminishes a hardware-based TPM's weaknesses through software-based TPM solutions inside a secure container, e.g., Virtualization-Based Security (VBS).
We implemented hTPM as a fully dual-mode TPM, i.e., one that gives end users full control in choosing between a hardware TPM mode and a software TPM mode based on their needs. We performed, and will present, a full risk analysis of the proposed hTPM to show how to best overcome the security challenges in realizing hTPM. Finally, we provide a performance analysis of our proposal to show the drastic improvements in cryptographic operations.
The Trusted Platform Module (TPM) can be used to establish trust in the software configuration of a computer. Virtualizing the TPM is a logical next step towards building trusted cloud environments, and providing a virtual TPM to a virtual machine promises a continuation of trusted computing concepts. The association between a virtual TPM and a virtual machine is a critical concern. We show that a "trusted" virtualized platform may fall victim to a Goldeneye attack. In this work, we put forward a formal model for virtualization systems and trusted virtualized platforms. We pair this with a model for establishing trust in a virtualized platform following conventional reasoning over trusted computing systems. We show that if a Goldeneye attack is successful, it would allow a verifier to establish trust in an untrustworthy platform. We discuss attack vectors and possible solutions which would mitigate Goldeneye.
Currently standardized Direct Anonymous Attestation (DAA) schemes have their security based on the factoring and the discrete logarithm problems, and are therefore insecure against quantum attackers. This paper presents a quantum-safe lattice-based Direct Anonymous Attestation protocol that can be suitable for inclusion in a future quantum-resistant TPM. The security of our proposed scheme is proved in the Universal Composability (UC) model under the assumed hardness of the Ring-SIS, Ring-LWE, and NTRU problems. The signature size of our proposed DAA scheme is around 2MB, which is (at least) two orders of magnitude smaller compared to existing post-quantum DAA schemes.
Governments and other bodies stockpile a significant number of zero-day vulnerabilities for offense. At the same time, they may also have an incentive to help private and commercial organizations patch these vulnerabilities, yet doing so would leak the zero-days and thus remove their offensive capability. This is an offense-defense trade-off. On the other hand, private organizations might want to share traffic data with the government for zero-day exploit detection, but may simultaneously be worried about abusive surveillance. In other words, these organizations face a security-privacy trade-off. These dilemmas and their trade-off nature give rise to a new problem of mutually suspicious parties working together.
In this paper, we propose an architecture called SeZeDe (Secure Zero-day Detection) which aims to eliminate the above trade-offs with two key underlying technical ideas: one that assures detection and privacy, and one that assures (delayed) accountability against abuse. Specifically, SeZeDe first integrates secure pattern matching with signature-based intrusion detection to protect the data confidentiality of both sides while still supporting the main detection functionalities. Second, SeZeDe applies the idea of time-lock encryption to deter turning the detection service into a surveillance mechanism. Our prototype evaluation shows promising detection performance and applicability.
In recent years, security appliances have become a more important and critical challenge considering the growing complexity and diversification of cyber-attacks. Current solutions are often too cumbersome to be run in virtual services and Internet of Things (IoT) devices. Therefore, it is necessary to evolve toward more cooperative models, which collect security-related data from a large set of heterogeneous sources for centralized analysis and correlation. In this paper, we outline a flexible abstraction layer for access to security context. It is conceived to program and gather data from lightweight inspection and enforcement hooks deployed in cloud applications and IoT devices. We provide a description of its implementation, reviewing the main software components and their roles. Finally, we test this abstraction layer with a performance evaluation of a Proof of Concept (PoC) implementation, with the aim of evaluating its effectiveness in collecting data and logs from virtual services and IoT devices to enable centralized security analysis.