Title: Modeling and Analysis of Networked Secure Systems with Application to Trusted Computing
1Modeling and Analysis of Networked Secure Systems
with Application to Trusted Computing
- Jason Franklin
- Joint work with Deepak Garg, Dilsun Kaynar, and
Anupam Datta
2Motivation
- Despite progress in cryptography and security
protocols, designing secure systems remains
difficult - Network protocols and cryptography rely on
- secure system assumption
- Problem Attackers violate secure system
assumption by exploiting system design flaws - Solution Prove security of system designs
3Motivating Example
Client System
Network
Server System
4Trusted Computing
- Question How do we trust remote servers?
- Proposed Solution Ask servers what programs they
are running? - Server attests to (vouches for) its running
software
5Details of Proposed Solution
Since I last rebooted, Ive run 0 Operating
System 1 Web Server 2 Shopping Cart Server
System and Network Protocol Analysis
Ill ask what programs they have run!
How do I know if I can trust that server?
Hey server! What code have you run?
I trust those programs to protect my data!
Network Protocol Analysis
Network
Server System
Client System
Request
Reply
6In this talk
- Describe Logic of Secure Systems (LS2)
- Modeling system designs
- Analysis of system designs
- Analyze trusted computing protocol
- Limitations, work in progress, and conclusion
7Modeling Protocols as Programs
Since I last rebooted, Ive run 0 Operating
System 1 Web Server 2 Shopping Cart Server
Hey server! What code have you run?
I trust those programs to protect my data!
Network
Server System
Client System
request
Reply
Client request read question send
request reply receive match /reply/trusted/
Server r receive send reply
8Components of Model
Key
Added
Existing
Explicit Time
Memory Protection
Memory
Control Flow
Hardware Resets
Trusted Computing
Encryption Decryption
Hash
Sign/Verify
Network Comm.
Threads
9Modeling Details
- Memory
- Read and write named memory locations
- Example d read Memx
- Memory Protection
- Exclusive write locks
- Example lock(Memx)
- Explicit time
- Ordering events
- Read at time TR, Write at time TW and TR
- Expressing invariants
- Memx contains value V during interval (TR,TW)
10New Adversary Model
I can remove, reorder, or replay messages.
I can generate messages if I know their
components!
Im a malicious local thread! I can write to any
unprotected memory location! I can read any
memory location! I collude with the network
adversary!
Network
Server System
Client System
Standard Network Adversary
11Overview of Protocol Analysis
Modeling
Analysis
Client request read question send
request reply receive match /reply/trusted/
Suppose Client code executed then Server is
executing trusted programs
12LS2, what are you good for?
- Describe Logic of Secure Systems (LS2)
- Analyze trusted computing protocol
- Limitations, work in progress, and conclusion
13Problems with Trusted Computing Protocol
Since I last rebooted, Ive run malicious
code. Mwhahaha!!!!
Hey server! What code have you run?
I trust those programs to protect my data!
Since I last rebooted, Ive run linux. Really, I
have!
Network
Malicious Server System
Client System
Reply
request
Client request read question send
request reply receive match /reply/trusted/
MALICIOUS_Server r receive send linux
14Solution Trusted Coprocessor
Server System
Trusted Coprocessor
Client System
Network
15Trusted Coprocessor
- Trusted Computing
- Augments platform with trusted co-processor
- Coprocessor includes
- Crypto. Primitives
- Keys
- Append-only log
Coprocessor
Log
A
B
Log.append(A) Log.append(B)
16Server with Coprocessor
Server System
Booting 1. append log, os_code os read
os_code 2. call os 3. append log,
web_server_code ws read web_server_code 4.
call ws
Web Server
3. Append
4. Call
OS
2. Call
1. Append
Coprocessor
Log
os_code
web_server_code
17Coprocessor Vouching for Log
Signer _ receive w read log s
sign w, K send s
os_code
ws_code
Log
s SIGN K, (os_code, ws_code)
Client System
Client_Receive s receive verify s,
seq(os_code, ws_code), K
18Protocol Analysis
Modeling
Analysis
Client_Receive s receive verify s,
seq(os_code, ws_code), K
Suppose Client code executed then Server is
executing trusted programs
19Trusted Computing Analysis
- Suppose that clientss thread executes code
Client_Receive in time interval Begin, End) then
the following properties hold
Read Log _at_ TRead
Verify Log _at_ TV
Call to OS Code _at_ TOS
Reset _at_ TR
Begin
End
No Resets during TR to TRead
20Anyone See Security Vulnerability?
- Reset attack possible after read of log
Verification of Stale Data
Read Log _at_ TRead
Verify Log _at_ TV
Client believes server can be trusted!
Call to OS Code _at_ TOS
Reset _at_ TR
Begin
End
No Resets during TR to TRead
21Adversaries Attack Assumptions
- Assumptions
- Client is not running in coprocessor
- Coprocessor does not reveal its private key
- Coprocessor only executes Signer
- Programs in memory are write locked
22Up next
- Describe Logic of Secure Systems (LS2)
- Designed for modeling and analysis of system
specifications - Use LS2 to analyze trusted computing protocols
- Specify trusted computing protocols
- State security properties and security proof
- Discuss implications and analysis of proof
- Limitations, work in progress, and conclusion
23Limitations and Work In Progress
- Control flow and context sensitive analysis
- Composition theorems for modular analysis of
complex systems - Expanding access control policies
- Analysis of other trusted computing protocols
- Modeling layer diagrams
User Level Programs
Operating System
Hardware
Layer Diagram
24Related Work
- LS2 is derived from Protocol Composition Logic
Datta05-07 - Related work on program correctness
- Concurrent separation logic Brookes04
- Verification of concurrent systems TLA,
Lamport84, OwickiGries76
25Conclusion
- LS2 is logic for analysis of networked secure
systems including local and network adversaries - LS2 models abstract memory protections, time,
hardware resets, and security primitives - Described formal analysis of trusted computing
- Identified reset attack
- Ongoing work seeks to expand scope of LS2
26Take Home Points
- If you are designing secure systems
- LS2 enables security analysis of system design
before you implement - Avoids costly and embarrassing vulnerabilities
- Clarifies security properties of design
- Even if you are just using secure systems
- LS2 can provide stronger guarantees about your
security
27Questions?
- Theory of Secure Systems Project (ToSS)
- http//www.cs.cmu.edu/jfrankli/toss
- Publications and Manuscripts
- D. Garg, J. Franklin, D. Kaynar, A. Datta.
Towards a Theory of Secure Systems Cylab
Technical Report, Feb. 2008. - D. Garg, J. Franklin, D. Kaynar, A. Datta. A
Logic for Reasoning about Networked Secure
Systems. Under submission to FCS 08. - J. Franklin, D. Garg, D. Kaynar, A. Datta.
Modeling and Security Analysis of Trusted
Computing. In progress.
282