
2011 International Conference on Computer Applications and Industrial Electronics (ICCAIE 2011)

Attestation with Trusted Configuration Machine


M. Lucyantie, H. Habibah, M. I. Mohd Anuar
Center for Computer Engineering Studies, Faculty of Electrical Engineering, Universiti Teknologi MARA, Shah Alam, Selangor
lucyantie@salam.uitm.edu.my

A. A. Norazah
MIMOS Berhad, Technology Park Malaysia, Kuala Lumpur
azahaa@mimos.my

Abstract: Remote attestation of system integrity is an important part of trusted computing for building and improving trustworthiness in networked environments. Many attestation techniques have been introduced to vouch for the accuracy of the reported information while protecting the privacy of the host platform. Here we propose an enhanced integrity measurement approach, built on a white-list foundation, which can generate integrity proofs for remote parties. Since existing implementations of remote attestation do not address Endorsement Key (EK) certificates, we also propose a mechanism for generating and verifying this certificate. The approach employs a trusted environment framework and thereby enables high confidence in client-server system integrity.

Keywords: Trusted Computing; Security; Attestation; Integrity Measurement Architecture; Remote Attestation

978-1-4577-2059-8/11/$26.00 ©2011 IEEE

I. INTRODUCTION

Most computing platforms in use today are exposed to a range of security threats because of architectural weaknesses in their hardware and software configuration. In response, the Trusted Computing Group (TCG) proposed a new approach to securing computing platforms that strengthens the hardware and software building blocks. Trusted Computing (TC) is a technology developed and promoted by a non-profit industry consortium whose main goal is to specify a Trusted Platform Module (TPM) [1] and the surrounding software architecture, such as the TCG Software Stack (TSS) [2]. These components can be used for security and trust related services such as attestation and key management.

Attestation is the process of assuring that reported information is accurate, and it is a critical concept for a trusted platform, because trust in the system rests on collecting measurements and verifying them. If a system cannot attest to the accuracy and non-repudiation of that information, there is no basis for trusting the platform. Platform integrity is measured during the operating system (OS) bootstrap process, and the measured values, called integrity measurements, are stored in the TPM chip. The measured values are reported as signed values so that a distributed application can verify them.

Attestation is closely related to authentication. In a networked environment, anonymous authentication can support the security mechanism: an access requestor needs access to facilities without necessarily revealing its identity to external parties. This requirement stems from the possible need of each individual to maintain some degree of plausible deniability about their presence at a given venue.

Remote attestation is one of the fundamental trusted platform features. However, the remote attestation protocol remains a continuously discussed issue: it must guarantee the trustworthiness and freshness of the trusted platform, vouch for the accuracy of the reported information, and protect the privacy of the host platform. Our approach therefore provides an enhanced system and protocol for remote attestation that guarantees the trustworthiness and privacy of the remote platform. The overall system architecture is discussed in the following sections. This paper first describes existing attestation work, including the Integrity Measurement Architecture (IMA) implementation, and then presents our proposed framework, which is particularly well suited to trusted computing infrastructures.

II. RELATED WORK

Our approach is to build a remote attestation protocol in which the challenger (the client) establishes that a program and/or environment owned by the attester (the server) possesses enough integrity to be connected to and has not been modified in an unauthorized manner. The integrity of a program can be represented by a binary property or by a configuration list [8]; a program that has undergone an unauthorized modification may behave incorrectly or maliciously, which makes it unreasonable for a challenger to rely on it.

Much research has been done on platform measurement for verifying platform integrity. Sailer et al. [3] extended the TCG trust measurement concepts to dynamic executable content from the BIOS all the way up into the application layer. The measurement architecture was applied to a web server, where the system could detect undesirable invocations such as rootkit programs. The authors claim the architecture is practical in terms of the number of measurements taken and the performance impact of taking them. Jaeger et al. [4] proposed an integrity measurement approach based on information-flow integrity. Built on IMA and the CW-Lite integrity model, their Policy-Reduced Integrity Measurement Architecture (PRIMA) verifies the code, data and information flows of trusted subjects in order to improve integrity measurement and the efficiency of attestation, so that remote parties can verify the platform.

Considering the problem of attesting the correctness of program execution, Gu et al. [5] proposed measuring a target program together with the objects it depends on. Attestation of the target program begins with an analysis of its source or binary code to find the relevant executable and data objects, including any data objects accessed and any executables invoked as the target program runs. The state of these objects is then measured for attestation. The scheme not only testifies to a program's execution but also supports fine-grained attestation and information-flow checking. Tanveer et al. [6] proposed a scalable remote attestation technique that uses a single Platform Configuration Register (PCR) for multiple instances of a target application while preserving the privacy of the other instances. Focusing on application-level attestation, they measure and verify the behaviour of multiple application instances through one PCR; the technique is said to resolve the privacy problems that arise when applications belonging to different stakeholders re-use PCRs, by hiding the behaviour logs of the other instances. Another dynamic form of remote attestation was presented by Kil et al. [7], who addressed remote attestation of system integrity with the Remote Dynamic Attestation System (ReDAS), which provides integrity evidence for dynamic system properties. Such properties represent the runtime behaviour of the attested system and enable an attester to prove its runtime integrity to a remote party. By measuring two types of dynamic system properties of running applications, ReDAS improves on current static attestation techniques. Mohd Anuar et al. [8, 9] discussed a mechanism that validates running threads in kernel space to monitor platform behaviour; they proposed integrity measurement, integrity verification and integrity validation in real-time mode, and these integrity results are used to prove the validity of the platform during the attestation process. The same authors also described an attestation process for networked applications and cloud services [13]. They proposed a compartmented environment with an isolated communication channel that protects information in transit during attestation, based on Trusted Network Connect (TNC) [8, 12]. Their novelty is a trusted wrapper that transforms an untrusted network application or service so that it supports a trusted-computing based attestation process [8].

Existing implementations require the manufacturer of a Trusted Platform Module (TPM) to issue an Endorsement Key (EK) certificate for the TPM platform. However, not all platform manufacturers provide this, and there is no trusted third party to handle verification of that certificate. For a remote system to trust a platform, the platform's PCR values, which represent the platform configuration, must be reported to the remote system reliably. The TCG specifications define a set of functions for reporting PCR values to applications; among them, the "quote" operation provides cryptographic reporting of PCR values. When a remote server sends the TPM_Quote command with a 160-bit integrity challenge (a 160-bit nonce), the TPM embedded in the local platform digitally signs the current PCR values together with the given challenge and returns the signature to the server. The nonce binds the signature to this particular request, so a quote recorded from an earlier, clean state cannot be replayed.

III. PROPOSED FRAMEWORK

The proposed framework provides an enhanced system and protocol for remote attestation that guarantees the trustworthiness and privacy of the remote platform. It continues the group's earlier research and implementation of identity credential issuance on trusted computing [14]. The overall framework is depicted in Figure 1. The design has the following components:

- Client machine (the verifier), with a TPM chip.
- Application server (the challenger), with a TPM chip.
- Trusted Privacy Certificate Authority (PCA), which acts as credential issuer; it runs the Privacy Certificate Authority (CA) protocol on a server with a TPM chip and secure storage such as a database.
- Foundation server, with a database that contains the updated black list and the generated white-list module.

Figure 1. Framework approach.

The proposed framework involves three main steps that together create a clean trusted platform by maintaining a white list, as explained below. The first step takes place at the Foundation server; the white-list data must then be endorsed by the Trusted CA, which also produces the application package. Next, the client machine is booted from the trusted platform installation media, and finally the installation package is run. Each step is described in the following sections.

As mentioned earlier, the Foundation server creates the clean trusted platform by maintaining the white list. A clean trusted platform is a platform that is free from malicious code or files. This is achieved through hash measurements combined with a solid attestation method. To create a trusted platform, the Foundation server runs an operating system whose kernel runs the Integrity Measurement Architecture (IMA) [3], together with its applications. After a reboot the system is equipped with IMA, and the platform can measure its OS and obtain the hash values of all the important files specified by its policy. The measured files and their hashes are stored as a list that is compared with a black list (a file containing an updated list of malicious file names and hashes). Any entry found in the black list is removed from the measurement list. Removing the black-listed entries leaves the white list, a starting baseline indicating that the platform is now clean. The white list is the reference point for creating the clean trusted platform: the files it lists are considered safe, non-malicious and allowed to exist on the machine, and it records file names along with their hash values. Because the white list is only as clean as the black list used to prune it, the Foundation server must run in an isolated environment, and to protect the integrity of the white list the list is sealed and signed by the Trusted CA.

TCG has developed a solution that attests to the accuracy of information while protecting the privacy of the TPM's host. This is achieved through a trusted third party, the Privacy CA [1]. By communicating securely with the Privacy CA, the TPM acquires an Attestation Identity Key (AIK) certificate, and messages are then signed with the AIK instead of the EK. The Privacy CA protocol, drafted in the Trusted Computing Platform Alliance (TCPA) specification (now the TPM specification), plays a critical role as the credential system and privacy protection model. The Trusted CA component implements the Privacy CA protocol with additional functionality to manage credentials for clients and to store platform credential information in a database.
The database also stores information such as the latest hash value of the sealed white list, a unique serial key and the PCR index. The Trusted CA component also supports request and revoke operations, which record credential information in the database and remove it. Since the Trusted CA is the main component on which the verifier and challenger rely as the root of trust, it also requires a TPM to perform certification (signing) and verification in the attestation mechanism. The Trusted CA component is therefore the best platform to generate the trusted platform installation package distributed to clients. In our approach the Trusted CA also uses its trusted platform to generate a serial key with cryptographic algorithms, and uses that key to encrypt the installation media package (white list and binary file).

To install the Trusted Platform on a new client, the client's credentials must be verified and the white list must be transferred securely from the Trusted CA server to the client machine. To start the installation, the administrator boots the client PC from the media (containing the installation package and the trusted application). The boot process invokes a trusted application that extracts the EK public key from the client's hardware TPM. Once the EK public key has been extracted, the application requests an EK certificate by sending the EK public key and the TPM's PCR values to the Trusted CA. On receiving and processing the request, the Trusted CA creates an EK certificate containing the client's EK public key, the Trusted CA's public key and the white list, and sends it back to the client. On the client machine the trusted application extracts the EK certificate and installs the white list. Lastly, the media starts the OS installation and reboots. After the reboot the Trusted Platform is installed and uses the white list as its baseline. The process flow of the trusted platform installation on the client platform is summarized as follows.

Integrity verification of an application against the white list starts when the client attempts to execute the application. The installed module compares the hash value of the application being run with the white list, and runs the remote attestation module only if the hash matches. Remote attestation starts when the attestation module obtains the PCR value and the AIK public key generated by the TPM; the AIK private key remains inside the TPM. The attestation module then sends the AIK, encrypted using the EK certificate, to the Trusted CA. Once it receives the AIK certificate from the Trusted CA, the attestation module sends a data blob containing the AIK certificate and the PCR value encrypted under the serial key to the other party, such as an application server. If the attestation is valid, the attestation module receives the other party's data blob in return; if the attestation fails, the process is terminated. The attestation module then checks the status of the received blob with the Trusted CA. If the status is valid, the user application is executed; otherwise the process is terminated.

IV. BASIC SETUP

Since the proposed framework is designed for an isolated environment, two host platforms, the Foundation server and the Trusted CA server, must be prepared first. These two platforms must sit in a safe network zone, because the trusted foundation configuration file must be generated in a safe location. Each host platform must be equipped with a TPM. To implement the framework, the following steps and components must be established in sequence:

- A new kernel embedding the enhanced IMA application is compiled.
- A white list is extracted, based on the policy, to create property-based attestation hash values.
- TrouSerS, TPM Tools, the database and the remote attestation application module that uses the TSS are installed.
- The TPM command to take ownership of the TPM is issued.
- The remote attestation module is executed to create the necessary certificates.
- The baseline for the trusted platform is installed using the new enhanced IMA application.
- The daemons of the remote attestation module and the IMA application are started.
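The following Go program is an added example written for this edit, not code from the paper or its authors. It makes concrete the two mechanisms the remote attestation module relies on: the white-list construction at the Foundation server (Section III), where black-listed entries are pruned from the IMA measurement list and a launching application is checked against the result, and the quote-based PCR reporting described at the end of Section II, where the challenger recomputes the expected PCR from the measurement log and checks the AIK signature under its own nonce. It assumes a simplified log entry (content hash and path only), a stand-in template hash instead of IMA's real template encoding, a software RSA key in place of the TPM-resident AIK, and models TPM_Quote as a PKCS#1 v1.5 signature over SHA-1(PCR || nonce) rather than the real TPM_QUOTE_INFO structure. All digests are constructed for the example; no real files are read.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Measurement is one IMA-style log entry (extended into PCR 10): hex content hash and path.
type Measurement struct{ FileHash, Path string }

// fakeDigest hashes a label as a stand-in for a file's real SHA-256 (constructed data).
func fakeDigest(label string) string {
	sum := sha256.Sum256([]byte(label))
	return hex.EncodeToString(sum[:])
}

// Constructed measurement list, as the Foundation server would collect it.
var sampleLog = []Measurement{
	{fakeDigest("init v1"), "/sbin/init"},
	{fakeDigest("sshd v1"), "/usr/sbin/sshd"},
	{fakeDigest("evil module"), "/lib/modules/rk.ko"},
}

// Constructed black list keyed by content hash: a renamed copy of a known-bad file keeps its hash.
var blacklist = map[string]string{fakeDigest("evil module"): "known rootkit module"}

// TemplateHash is the 20-byte value IMA extends into the PCR for one entry. Real
// IMA hashes its binary template encoding; this stand-in hashes "hash path".
func TemplateHash(m Measurement) []byte {
	h := sha1.Sum([]byte(m.FileHash + " " + m.Path))
	return h[:]
}

// AggregatePCR replays a log into a fresh all-zero PCR with the TPM 1.2 extend rule
// new = SHA-1(old || digest); the verifier does this to check the log against the quoted PCR.
func AggregatePCR(list []Measurement) []byte {
	pcr := make([]byte, sha1.Size)
	for _, m := range list {
		h := sha1.Sum(append(append([]byte{}, pcr...), TemplateHash(m)...))
		pcr = h[:]
	}
	return pcr
}

// BuildWhiteList drops black-listed entries and returns path -> hash: the clean baseline.
func BuildWhiteList(list []Measurement, black map[string]string) map[string]string {
	white := make(map[string]string)
	for _, m := range list {
		if _, bad := black[m.FileHash]; !bad {
			white[m.Path] = m.FileHash
		}
	}
	return white
}

// Allowed is the launch-time check: path and content hash must both match, so a modified binary at a known path is refused.
func Allowed(white map[string]string, path, hash string) bool {
	return hash != "" && white[path] == hash
}

// newAIK generates a software RSA key standing in for the TPM-resident AIK.
func newAIK() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Quote models TPM_Quote as an AIK signature over SHA-1(PCR || nonce). The real
// command signs a TPM_QUOTE_INFO structure, but the freshness argument is the same.
func Quote(aik *rsa.PrivateKey, pcr, nonce []byte) ([]byte, error) {
	d := sha1.Sum(append(append([]byte{}, pcr...), nonce...))
	return rsa.SignPKCS1v15(rand.Reader, aik, crypto.SHA1, d[:])
}

// VerifyQuote is the challenger side: recompute the PCR from the received log, bind its own nonce, check the AIK signature.
func VerifyQuote(aik *rsa.PublicKey, list []Measurement, nonce, sig []byte) error {
	d := sha1.Sum(append(append([]byte{}, AggregatePCR(list)...), nonce...))
	return rsa.VerifyPKCS1v15(aik, crypto.SHA1, d[:], sig)
}

func main() {
	aik, white := newAIK(), BuildWhiteList(sampleLog, blacklist)
	nonce := make([]byte, 20) // the challenger's 160-bit nonce
	rand.Read(nonce)
	sig, _ := Quote(aik, AggregatePCR(sampleLog), nonce)
	fmt.Println("white-listed:", len(white), "sshd allowed:", Allowed(white, "/usr/sbin/sshd", fakeDigest("sshd v1")))
	fmt.Println("fresh quote verifies:", VerifyQuote(&aik.PublicKey, sampleLog, nonce, sig) == nil)
	// Reusing the signature under another nonce, or sending a log without the rootkit entry, fails.
	fmt.Println("replay rejected:", VerifyQuote(&aik.PublicKey, sampleLog, make([]byte, 20), sig) != nil)
	fmt.Println("edited log rejected:", VerifyQuote(&aik.PublicKey, sampleLog[:2], nonce, sig) != nil)
}
```

Run it with `go run`. The black list is matched by content hash rather than file name, because a renamed copy of a black-listed binary keeps its hash, and the launch-time check requires both path and hash to match so that a modified binary at a known path is refused. The verifier never trusts the PCR value the attester reports directly: it recomputes it from the measurement log and checks the signature under the nonce it chose, which is why a replayed quote or a log with an entry silently removed fails to verify.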

V. CONTRIBUTION

Based on our current and previous efforts, this paper has discussed a framework and method for securing distributed systems such as cloud services. Our approach secures and verifies a remote operating system together with its applications by using a white list in remote attestation. The technique helps a remote user to access and use cloud services securely by maintaining their trusted integrity, so any user of cloud services can verify a service before using or executing that system or application. It also helps prevent a malicious administrator or attacker from compromising user services. With the white list, users of cloud services can have more confidence in the cloud infrastructure because of its security parameters and privacy protection.

VI. CONCLUSION

In this paper we introduced the notion of a trusted configuration machine based on the proposed framework. The trusted configuration is a file that combines IMA with a white list and acts as the reference point for creating a clean trusted platform, which is later used in the attestation mechanism. The files it lists are considered safe, non-malicious and allowed to exist on the machine, and it records file names along with their hash values. We also proposed a system providing a Trusted Certificate Authority (CA) platform that embeds its key in the installation media package, which can be used to sign the EK and AIK of the trusted platform client. The methods proposed in [5, 6] have improved attestation capabilities in order to achieve trustworthiness and privacy of a remote platform; however, they do not employ trusted configuration files derived from a clean trusted platform. The clean trusted platform, or Foundation server, does not reside on a machine that could affect the originality of the configuration file, and the installation package built from the clean trusted platform generates a new trusted platform that can be used with confidence.

In this paper we only discussed a standard attestation process implemented with IMA. Efforts [6, 7] have been made to improve the techniques for measuring and verifying the integrity of a remote platform, and these may later be used to enhance our clean trusted platform framework. Future work will focus on the challenges of implementing the framework, namely generating the trusted configuration file and handling the attestation protocol. We plan to obtain experimental results from real-world application of our framework to show its effectiveness and practicality.

REFERENCES

[1] G. David et al., TPM Main Part 1: Design Principles, Specification Version 1.2, Trusted Computing Group, Oregon, USA, July 9, 2007.
[2] Trusted Computing Group, TCG Software Stack (TSS) Specification, March 7, 2007 [Online]. Available: http://www.trustedcomputinggroup.org/resources/tcg_software_stack_tss_specification
[3] R. Sailer et al., "Design and Implementation of a TCG-based Integrity Measurement Architecture," in Proc. 13th USENIX Security Symposium, San Diego, CA, USA, 2004.
[4] T. Jaeger et al., "PRIMA: Policy-Reduced Integrity Measurement Architecture," in Proc. ACM Symposium on Access Control Models and Technologies (SACMAT), USA, 2006.
[5] L. Gu et al., "Remote Attestation on Program Execution," in Proc. 3rd ACM Workshop on Scalable Trusted Computing (STC), USA, 2008.
[6] T. A. Tanveer et al., "Scalable Remote Attestation with Privacy Protection," in Proc. International Conference on Trusted Systems (INTRUST), Berlin, Germany, 2010.
[7] C. Kil et al., "Remote Attestation to Dynamic System Properties: Towards Providing Complete System Integrity Evidence," in Proc. IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2009. Supported by U.S. Army Research Office grant W911NF-08-1-0105.
[8] M. I. Mohd Anuar et al., "An Approach to Establish Trusted Application," in Proc. 2nd International Conference on Network Applications, Protocols and Services, Kedah, Malaysia, 2010.
[9] M. I. Mohd Anuar et al., "Trusted Real Time Operating System: Identifying its Characteristics," in Proc. International Conference on Computer Applications and Network Security, Male, Maldives, 2011.
[10] A. M. Jamalul-lail et al., "Security, Trust and Privacy: A New Direction for Pervasive Computing," in Proc. 15th WSEAS International Conference on Computers, 2011.
[11] S. Sharifah et al., "Trusted Computing Based Microkernel," in Proc. International Conference on Computer Applications and Industrial Electronics (ICCAIE), Kuala Lumpur, Malaysia, 2010.
[12] Trusted Computing Group, TCG Trusted Network Connect: TNC Architecture for Interoperability, Specification Version 1.3, Revision 6, 2008.
[13] Z. A. Wira et al., "Secure Virtual Application Distribution," in Proc. International Conference on Computer Technology and Development, Kota Kinabalu, Malaysia, 2009.
[14] A. A. Norazah and M. Lucyantie, "Identity Credential Issuance with Trusted Computing," in Proc. International Conference on Computing and Informatics, Kuala Lumpur, Malaysia, 2009.


