Marcel Winandy's Research Blog

Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments

2011-01-14T17:47:00.011+01:00

This is the title of a paper I wrote together with Hans Löhr, Thomas Pöppelmann, Johannes Rave, and Martin Steegmans (all from Ruhr-University Bochum). I presented the paper at ACM STC 2010 in Chicago last year. I think it's worth to share the main idea here, too. Moreover, below you find the links to the paper and the slides of my talk.

Trusted Virtual Domains (TVDs) are a new framework for the implementation of secure multi-domain / single-infrastructure computer networks like centralized data centers or single organizational LANs that span over different physical places. A Trusted Virtual Domain is a set of virtual hosts that are distributed across multiple physical machines and that share a common security policy. Computational resources from different owners share the same physical infrastructure, while strong isolation is enforced between members of different TVDs by the underlying security framework.

Since most existing TVD implementations are research prototypes, not available for the public, and focus on servers and data centers, there are only few efforts on secure desktop environments. To fill this gap, we present in this paper an open-source implementation of TVDs based on the OpenSolaris operating system. We leverage several of its existing features (e.g., lightweight virtualization, security labels and a secure graphical user interface) and extend OpenSolaris with components for automated management and policy enforcement to create a usable desktop implementation of TVDs. This includes the transparent encryption of external storage and home directories of users, restriction of copy-and-paste according to the TVD policy, efficient deployment of images for user environments, and a central management interface for the administration.

The picture above shows the architecture of our TVD on OpenSolaris implementation. The general idea of our architecture is to use the built-in lightweight virtualization features of OpenSolaris, i.e., the zones, to separate the different TVDs from each other. The global zone executes the necessary management code, and deploys and starts the virtualized environments (zones)
representing a TVD. Our system relies on the OpenSolaris kernel which enforces and provides security features such as mandatory and discretionary access control. For intra-TVD communication, our TVD layer establishes logical links between the virtualized environments on different platforms that belong to the same TVD. This logical network is completely isolated from any network traffic from outside that TVD, thus establishing secure channels between the TVD members. The transmission of policies and keys, as well as management messages, is separated in another logical network which cannot be accessed by any TVD. This management network is also used for accessing the network storage that is provided to every user as persistent storage mechanism.

OpenSolaris offers several interesting features, the most prominent ones we used are the filesystem ZFS for our zone image deployment, and the secure graphical user interface (Secure GUI). The screenshot below shows the graphical desktop environment with the trusted path functionality: The GUI system always shows to which TVD a window or virtual screen belongs to (red TVD or green TVD in this example), and this information cannot be faked as the top-most menu bar, the trusted stripe, is under control of the Secure GUI system. Applications running in the TVD zones cannot modify or fake this information.

In this work, we have shown that it is possible to implement TVDs for end-user desktop systems based on OpenSolaris. Our TVD framework features integrated management and transparent data encryption, an efficient deployment of zone images, and puts a particular focus on the ease of administration. Our implementation adds a TVD layer to the OpenSolaris system without any modification of the existing kernel or core security features. Demo videos and source code will be available on the project website.

Paper | Slides

A Note on the Security in the Card Management System of the German E-Health Card

2010-12-20T17:19:00.003+01:00

This is a paper I wrote about the German E-Health Card ("Gesundheitskarte"), where I've analyzed the security implications of the Card Management System (CMS). I presented the paper at eHealth 2010 in Casablanca, Morocco, last week. While previous work did a lot of security analysis concerning the German Healthcare Telematics infrastructure -- including network security, access control, peripheral parts, and platform security -- the card management system was neglected and got less or no notice from security experts. However, taking a closer look into the specifications from Gematik, one can find serious security flaws and conflicting requirements that ultimately lead to a loss of data sovereignty of the patient, i.e., the patient is not under control of his/her data stored in electronic health records (EHR) any more. The good news are that the deployment of the CMS and especially the EHR within the telematics is currently on hold. But the bad news are that the specification of the CMS is still in an insecure state and might be used in future when EHR systems are going to be deployed that use the eHC.

From the abstract:
The German compulsory health insurance system will introduce an electronic health card (eHC) in the near future. The eHC is supposed to enable new applications like securely storing electronic health records of patients in a central data center infrastructure so that health professionals can access these data via a common network. In this context, the card management system (CMS) is of special interest since it is used to personalize, issue, and maintain the cards. In this paper, we analyze the functional requirements specification of the CMS in Germany and identify several conflicting and ambiguous requirements. As the most important result, the specification defines technical measures that are insufficient to protect the data and data sovereignty of the patient. We discuss the resulting consequences, which might be helpful to improve the system design before its final deployment.

[Paper] [Slides]

Securing the E-Health Cloud

2010-11-13T05:15:00.004+01:00

This is the title of a paper I wrote together with Hans Löhr and Ahmad-Reza Sadeghi. Today, I have presented it at IHI 2010 in Arlington, Virginia, USA. In this paper, we point out several shortcomings of current e-health solutions and standards, particularly they do not address the client platform security, which is a crucial aspect for the overall security of e-health systems. To fill this gap, we present a security architecture for establishing privacy domains in e-health infrastructures. Our solution provides client platform security and appropriately combines this with network security concepts.

We present two models of e-health clouds: a simple one pertaining Personal Health Records (PHRs), and an advanced one pertaining Electronic Health Records (EHRs). We point out the difference in the paper, and discuss three major security problem areas: (i) data storage and processing, (ii) infrastructure management, and (iii) usability.

To solve on of the problems, i.e., that of client platform security, we propose to construct privacy domains for the patients’ medical data as a technical measure to support the enforce- ment of privacy and data protection policies: Systems (e.g., a client PC) must be able to partition execution environ- ments for applications into separate domains that are iso- lated from each other. Data is kept within a privacy domain, and the domain infrastructure ensures that only authorized entities can join this domain. Moreover, data leakage from the domain is prevented by the security architecture and the domain infrastructure. Therefore, the same system can be used for different work flows that are strictly isolated. The following picture shows the architecture:

Moreover, we discuss in the paper open research challenges in e-health scenarios, in particular those related to healthcare telematics infrastructures.

[Paper] [Slides]

Patterns for Secure Boot and Secure Storage in Computer Systems

2010-08-21T19:13:00.004+02:00

This is a paper I wrote together with Hans Löhr and Ahmad-Reza Sadeghi. It was presented at the SPattern 2010 workshop, co-located to the ARES 2010 conference. This paper describes two fundamental concepts of trusted computing in terms of security patterns, namely the Secure Boot pattern and the Secure Storage pattern. Although security patterns exist for operating system security, access control, and authentication, there have not been any on trusted computing particularly (to the best of our knowledge). Secure boot is at the heart of most security solutions and secure storage is fundamental for application-level security: it ensures that the integrity of software is verified before accessing stored data. Our paper aims at complementing existing system security patterns by presenting the common patterns underlying the different realizations of secure boot and secure storage.

Here's the link to the paper (pdf).

A Pattern for Secure Graphical User Interface Systems

2010-08-20T01:16:00.005+02:00

This is a paper I wrote together with Thomas Fischer and Ahmad-Reza Sadeghi. It was presented at SPattern 2009 workshop in Linz. Several aspects of secure operating systems have been analyzed and described as security patterns. However, previous patterns do not cover explicitly the secure interaction of users with the user interface of applications. A secure user interface system has to provide a trusted path between the user and the application the user intends to use. The trusted path must be able to ensure integrity and confidentiality of the transmitted data, and must allow for the verification of the authenticity of the end points. Our paper presents a pattern for secure graphical user interface systems and evaluates its use in different implementations. This pattern shows how to fulfill the security requirements of a trusted path while preserving, in a policy-driven way, the flexibility that graphical user interfaces generally demand.

The central idea is to mediate all user input/output through a Secure User Interface (SUI) system, and to separate the content drawn by applications from what is actually displayed on the screen. The SUI controls solely the graphics rendering hardware and the input events from the user input devices (typically, keyboard and mouse). The picture shows the participating elements.

Here's the paper (pdf).

Videos on YouTube About Hacking Online Games Are Actually Phishing Attacks

2009-04-30T14:17:00.006+02:00

Recently, a member in an online game mentioned that his account was hacked. He said all his virtual items and virtual gold were lost. He was very angry because he found a video on YouTube describing how easy it is to hack accounts on that online game.

So I also watched that video and quickly recognized that this was a phishing attack using social engineering tricks. Moreover, after a quick research on Youtube I discovered several such videos for different games. They all share a common pattern and trick the users to send their password to a certain e-mail address.

Basically, all these videos promise something like "how to hack an account" or "how to get 1000 gold". They claim that they discovered a hidden function that usually would be used by the game masters of that online game. To activate the function, you would only need to send an e-mail with a certain structure to a particular e-mail address. Within those structures is always the account name and account password (that's the phishing indicator #1 - NEVER send passwords via e-mail somewhere!).

Moreover, all those videos name as e-mail address to send the request for the hidden function some address which is never under the domain of the corresponding company developing or running the online game. Mostly, these are semi-anonymous e-mail address @gmx.net or @gmail.com (phishing indicator #2 - similar, but not exactly correct internet addresses).

Here are some examples, just search on YouTube:
(Warning: Phishing attacks! Do not follow what they tell you!!)

Phishing video "How to Scam an account on WoW!!!"

Phishing video "WoW Account Hack [Easy]" (german)

Phishing video "Herr der Ringe Online Account Hack [Easy]" (german)

And there are even more. Some of them are online since two years and more! I can't believe this still works. But, like other Phishing in e-commerce and online banking, there are still a lot of people who are tricked by these attacks.

I think it would be a good idea and help users to describe these attacks on the web sites of the online game manufacturers and also on the welcome screen when you log in to your account in the game. There are still people who do not understand these attacks -- we need to tell them!

Trusted Privacy Domains -- Challenges for Trusted Computing in Privacy-Protecting Information Sharing

2009-04-27T16:34:00.008+02:00

This is a paper I wrote together with Hans Löhr, Ahmad-Reza Sadeghi, and Claire Vishik. It was presented at ISPEC 2009 in Xi'an, China, two weeks ago. It is mainly a position paper about privacy challenges that could be solved with concepts based on trusted computing, especially so called Trusted Virtual Domains (TVD). Our main idea is to transform the TVD concept into an enforcement architecture for privacy policies. But in addition to discussing challenges and describing the idea, we also detail out some fundamental building blocks of TVD infrastructure, which has not been done before as to our knowledge. Namely, we describe the details of how to establish a member node of a TVD on a local platform, and how trusted computing functionality, such as provided by a TPM, is used in the protocols for TVD establishment.

From the abstract:
In this paper, we propose a conceptual framework for user-controlled formal privacy policies and examine elements of its design and implementation. In our vision, a Trusted Personal Information Wallet manages private data according to a user-defined privacy policies. We build on Trusted Virtual Domains (TVDs), leveraging trusted computing and virtualization to construct privacy domains for enforcing the user's policy. We present protocols for establishing these domains, and describe the implementation of the building blocks of our framework. Additionally, a simple privacy policy for trusted privacy domains functioning between different organizations and entities across networks is described as an example. Finally, we identify future research challenges in this area.

We propose to support the enforcement of privacy policies by establishing trusted domains. These policies enables individual users or organizations to specify fine-grained instructions for the use of private information. To enforce policies, we propose a "guardian agent" for the user: a Trusted Personal Information Wallet that is transferable between platforms and performs "verification" of the trustworthiness of a remote IT system, i.e., compliance to a specified policy. The verification helps guarantee the enforcement of the user's privacy policy when sensitive information is transmitted.

Does New Research on "Instant On" Computing Pose a Challenge on Trusted Computing?

2009-04-22T23:36:00.007+02:00

Trusted Computing in general, and in particular the TCG model, relies on a trusted bootstrap mechanism, i.e., authenticated or secure boot. Based on this mechanism, all other functions are built, e.g., attestation and sealing. Attestation allows a local or remote party to verify the booted configuration of system components (e.g., BIOS, bootloader, operating system, etc.). Sealing enables to encrypt data in such a way that it can only be decrypted when the system has booted in the same constellation as at the time of encryption of the data.

Now, recent research in transistor technology paved the way for computer systems that would be "instant on", meaning, they would not need to boot, they would be available instantly on power-on. This research has added so-called ferroelectric capabilities to standard computer transistors. Materials with such capabilities can be found, e.g., in smart-cards.

But if we have computers that do not need to boot at startup, a trusted bootstrap mechanism will be meaningless. If a computer system is instantly on, maybe exactly in the same state as left at last usage (similar to suspend and resume functionality), we cannot verify the current state via attestation. What should be attested? The configuration the system was originally bootstrapped, possibly months ago? No, that would not help to make any judgement about the trustworthiness of a computer's state.

Fortunately, there are already some techniques available to handle such situations. For example, Intel's Trusted Execution Technology (TXT) includes a so-called Dynamic Root of Trust for Measurement (DRTM). This DRTM allows to "boot" small pieces of code or entire new operating systems during runtime, and takes the measurement of the loaded code to store it in a protected place of a TPM chip. With that mechanism one can reliably check the state of that loaded code. After execution of that code, the system returns to the original state before calling the DRTM.

However, it would not be of practical use to always start a new OS because that would introduce new time to wait for startup, which we just wanted to reduce with "instant on" systems. Instead, it would be better to just start small pieces of application code directly with that method, as was demonstrated by the Flicker project on newer AMD64 processors. One drawback of this method is, though, that the original system is "halted" while the specific application code is executed that was started via DRTM. Thus, in order to use, e.g., operating system services, the system has to "switch back" to the original state, and then restart the application via DRTM again, and so on. This introduces new costs of "context switches", which are much higher than normal process context switches.

To conclude, it is important to think about alternative ways of realizing attestation and sealing without relying on authenticated boot methods. I think runtime integrity monitoring seems to be the answer to that question. But, although there are some promising approaches, this is an unsolved problem yet.

Modeling Trusted Computing Support in a Protection Profile for High Assurance Security Kernels

2009-04-20T18:37:00.005+02:00

This is a paper I wrote together with Hans Löhr and Ahmad-Reza Sadeghi (RUB), Christian Stüble (Sirrix), and Marion Weber (BSI). Two weeks ago I presented the paper at Trust 2009 conference in Oxford, UK.

Abstract of the paper:

This paper presents a Common Criteria protection profile for high assurance security kernels (HASK-PP) based on the results and experiences of several (international) projects on design and implementation of trustworthy platforms. Our HASK-PP was motivated by the fact that currently no protection profile is available that appropriately covers trusted computing features such as trusted boot, sealing, and trusted channels (secure channels with inherent attestation).

In particular, we show how trusted computing features are modeled in the HASK protection profile without depending on any concrete implementation for these features. Instead, this is left to the definition of the security targets of a an IT product which claims conformance to the HASK-PP. Our HASK protection profile was evaluated and certified at evaluation assurance level five (EAL5) by the German Federal Office for Information Security (BSI).

The HASK protection profile itself can be downloaded from the Sirrix homepage: http://www.sirrix.com/media/downloads/54500.pdf

Information Security Conference (ISC 2008) Day 3

2008-09-18T23:00:00.025+02:00

The last day of the conference included again several talks on cryptography, hash functions, and related stuff. However, there were a few talks on system security and authentication, too.

Xuhua Ding: Proxy Re-Signatures in the Standard Model

This talk discussed signature schemes with a proxy that re-signs messages. In proxy re-signature schemes, the proxy cannot sign arbitrary messages, instead the proxy needs an "allowance" of the original signer to do so. The signatures are indistinguishable, i.e., one cannot distinguish whether party A (the original signer) or party B (the proxy) has signed the message. Technically this works as follows: there are two additional operations (besides KeyGen, Sign, Verify as usual): ReKey and ReSign. The ReKey operation takes as input asymmetric key pairs of A and B, and outputs a new key for B. This key transforms A's signature into that of B. The ReSign operation takes this key and the old signature, and outputs a new signature which can be verified by the same public key.

An attack (key recovery attack) on an existing scheme in the random oracle model was shown, and a new scheme (Homomorphic Compartment Signatures) was presented which the authors claim to be secure in the standard model. (slides)

I wonder whether these proxy re-signature schemes can be used for signing credentials of a virtual TPM (vTPM)? Since the vTPM does not have a vendor certificate for its endorsement key (vEK), it cannot request certificates for its attestation identity keys (vAIK) directly. But what if the hardware TPM signs with its AIK the vAIK of the vTPM, and a Proxy has the transformation key to make vAIK and AIK signatures indistinguishable? The vTPM could sign vPCRs with its vAIK, and the Proxy could transform the signature as if it was signed by the real TPM, hence, letting verifiers use the AIK certificates to verify the signature!? Well, just a rough idea...

David Champagne: The Reduced Address Space (RAS) for Application Memory Authentication

This talk presents a new method for application memory authentication, i.e., the procedure that an application can verify what it reads from memory is what it has written there before. The approach assumes the CPU and the application as being trusted, and that an on-chip engine can authenticate the initial state of the application (David mentioned TPM, XOM, AEGIS, SP, and SecureBlue as such related works). Existing approaches use hash trees to verify the memory integrity: data blocks and the hash tree are on off-chip RAM, the root hash is on-chip. Hash trees on the physical address space (PAS) are insecure because of a so-called "branch splicing attack" (in an untrusted OS: possible substitution of data blocks via page table corruption). Hash trees on the virtual address space (VAS) are impractical because they are too wide.

In the proposed RAS tree, the data blocks (leaf nodes) are address ranges of used memory regions only (contents of code, data, heap, and stack). When new memory pages are touched, a partial tree is constructed, and the RAS tree is expanded, i.e., the old tree is "merged" with the partial one.

RAS trees are resistant against branch splicing attack. But they require additional hardware: a Tree Management Unit (TMU) and a hash engine. The TMU is located between TLB/cache and bus controller. The prototype does not support shared memory yet (e.g., necessary for shared libraries). (slides)

While the approach of RAS trees is very interesting and the technique behind seems sound, the underlying assumption of operating the application on an untrusted operating system is somehow strange and artificial. So, the application can now verify the integrity of its memory. But in reality, an application needs a lot services from the OS, e.g., I/O, libraries, resources like files, etc. But if the OS is untrusted, why care about memory integrity? The application would not be able to communicate its operational results to some other subject (either processes or the user) because therefore it would need the services of the OS, which are untrusted by assumption. I think this seems only usable for a limited range of applications (e.g., on special-purpose devices, embedded systems or alike).

Ersin Uzun: HAPADEP - Human-Assisted Pure Audio Device Pairing

This talk presented the HAPADEP system, a way to pair devices (e.g., bluetooth phone and headset) via audio a human person can control. The public keys for the cryptographic pairing are encoded as audio streams, and played and recorded on each device. In the verification phase, the devices play an audio encoding of the digest of the exchanged keys, and the user has to compare the audio samples. What the user hears can either be a melody or a (grammatical correct, but non-sense) English sentence. Results of a (small) usability study showed that sentences are more convenient for the verification phase. (slides)

Cormac Herley: One-Time Password Access without Changing the Server

This was about web authentication using a proxy. The proxy has a set of symmetric encryption keys ek₁,...,ek_n. The user has to compute encrypted passwords E(pwd,ek₁),...,E(pwd,ek_n) on a trusted machine and store the resulting list, e.g., on a mobile phone. The Proxy redirects URLs (e.g., paypal.urrsa.com) to avoid any proxy configuration in the web browser, hence, the proxy has a fixed address (urrsa.com). The user enters an encrypted password in the web browser, which sends it to the proxy. The proxy decrypts the password and inserts the clear-text password in the original login site.

The approach assumes DNS works correctly (i.e., no protection against DNS poisoning). Moreover, it does not bind the passwords/keys to any URLs or SSL certificates. The proxy just decrypts the password and sends it to the web site, configured in the mapping of, e.g., paypal.urrsa.com to www.paypal.com website. Users have a transparent usage experience, except that all (security-sensitive) URLs are now of the form *.urrsa.com. (slides)

Cormac Herley: Can "Something You Know" be Saved?

Cormac Herley gave another talk, this time he questioned whether there is a fundamental problem with challenge-response protocols for web authentication. Based on the attack model that an adversary can observe anything on a PC (e.g., due to malware, keylogger, etc.), and that the adversary can observe login attempts many times, one can simply imply that it is generally not a good idea to enter passwords in clear-text on untrusted machines. Instead, users should perform challenge-response protocols where they do not reveal the secret. They enter some value computed by a response function that takes the secret and a challenge as input. However, this scheme is constrained by the human capabilities of memorizing bits and doing computations in head.

Framed by these conditions, it is analyzed what effects it has when parameters of generic challenge-response protocols are modified, e.g., number of bits of secret that are necessary for every response bit. This results in a generic brute force attack: secrets that are close (differ only in a few bits relevant for responses) do have closes responses, and this allows to easily find values that are close to the secret. In other words, the adversary does not need to know the whole secret, but instead only those bits that are relevant to compute valid responses. (slides)

Information Security Conference (ISC 2008) Day 2

2008-09-17T23:00:00.003+02:00

The second day had only cryptanalysis talks on the agenda. So I decided to do some other work. In the afternoon, there was a tour to the Taiwan National Palace Museum. On the ISC08 website you can find photos from the museum tour. In the evening, there was the gala banquet, for which you can also have a look on some photos

Information Security Conference (ISC 2008) Day 1

2008-09-16T23:00:00.008+02:00

The 11th Information Security Confernce (ISC 2008) was held in Teipei, Taiwan. This is a short summary of some presentations I attended.

Marcel Winandy: Property-Based TPM Virtualization

This was actually my presentation. See my older post and my slides

Endre Bangerter: A Demonstrative Ad Hoc Attestation System

The proposal is to use a trusted device for ad hoc attestation of computing platforms, i.e., showing to the user "PC is ok" or "PC is not ok". It is a server-based approach, where the server sends remote procedure call (RPC) to the PC, and the PC displays flickering barcods on the screen. The trusted device is hold in front of the screen and receives the RPC, i.e., decodes the barcode. Finally, the device displays whether PC is OK nor not.

The decision the device displays is actually based on a remote attestation done between the server and the PC. The trusted device is just used as local "trusted display" of the remote server. For each attestation, the flickering barcode will be different (i.e., includes a counter value) to prevent simple replay attacks. (slides)

Hans Löhr: Property-Based Attestation without a Trusted Third Party

This is an improved protocol for property-based attestation. Instead of having a Trusted Third Party (TTP) issuing certificates for properties, the verifier has a-priori a list of configurations. The attestee creates a proof that its configuration is within a defined list of configurations, without revealing which exact configuration it has. The proof is based on group signatures (ring signature scheme) without revealing the secret key used to sign the commitment. (slides)

Xuhua Ding: An Efficient PIR Construction Using Trusted Hardware

Paper about private information retrieval. Improves reshuffeling of database form O(n) to O(sqrt(n)). Records are colored black and white. On each query, they fetch two records of different colors. Retrieved records are colored black. Shuffeling is done only on black ("touched") records. (slides)

Charalampos Papamanthou: Athos - Efficient Authentication of Outsourced File Systems

Outsourced filesystems means they are stored on a server. The server is completely untrusted (i.e., there is no trusted hardware on the server side). Accessing the files are queries to the server, and accompanied by a "proof" of authenticity, both for file system content and hierarchy. This proof is based on cryptographic hashing, and uses authenticated skip lists and authenticated dynamic trees. It is an efficient scheme (similar to Merkle hash trees), the client only has to maintain a O(1) trusted storage. Query operations have O(k log n) time. (slides)

Property-Based TPM Virtualization

2008-06-27T13:45:00.004+02:00

This is the title of paper I have written together with Ahmad-Reza Sadeghi and Christian Stüble. We will present it at the 11th Information Security Conference (ISC 2008) in Taipei, Taiwan. I will also give a presentation about it at the HGI Seminar at Ruhr-University Bochum on 10th July 2008.

Virtualization and hypervisors enable useful and cost-efficient means to manage IT infrastructure, especially migration of virtual machines (VMs) between hardware platforms. A challenge in this context is the virtualization of
hardware security modules like the Trusted Platform Module (TPM) since the intended purpose of TPMs is to securely link software and the underlying hardware. Existing solutions for TPM virtualization, however, have various
shortcomings that hinder the deployment to a wide range of useful scenarios. In our paper, we address these shortcomings by presenting a flexible and privacy-preserving design of a virtual TPM that in contrast to existing
solutions supports different approaches for measuring the platform's state and for key generation, and uses property-based attestation mechanisms to support software updates and VM migration. Our solution improves the maintainability and applicability of hypervisors supporting hardware security modules like the TPM. The following figure shows the design.

For each VM that needs a vTPM, there is a separate vTPM instance. We assume the underlying hypervisor to protect the internal state and operations of each vTPM from any unauthorized access. The main building blocks of our vTPM are the following: PropertyManagement represents the virtual PCRs and manages different mechanisms to store and read measurement values; KeyManagement is responsible for creating and loading keys; vTPMPolicy holds the user-defined policy of the vTPM instance, defining which properties are going to be revealed during an attestation operation; CryptographicFunctions provide monotonic counters, random number generation, hashing, etc.; MigrationController is responsible for migrating the vTPM to another platform.

To improve flexible migration and to preserve the availability of sealed data after migration or software updates, an essential step is to support other measurement strategies. Applying property-based measurement and attestation to a vTPM allows much more flexibility in the choice of the hypervisor and for easier updates of applications -- a VM can still use sealed data or run attestation procedures if the properties of the programs remain the same.

Our vTPM design is based on a plug-in-like architecture for various vPCR extension strategies. Each extension strategy is realized by a PropertyProvider module implementing different translation functions. A translation function translates measurements (i.e., hash values of program binaries) into property representations. Each PropertyProvider has its own vector of virtual PCRs. Thus there is a matrix of vPCR values for each vTPM. This allows us to choose, according to the vTPM policy, which PropertyProvider to use on particular sealing or attestation operations.

Depending on the implementation of the PropertyProvider, we can realize property-based sealing and property-based attestation without any change to the interface of the vTPM from the perspective of the associated VM. This enables the availability of protected data and cryptographic keys of the vTPM after migrating to another platform that provides the same security properties but may have a different binary implementation. TPM-enabled applications executed in a VM can directly profit from this flexibility without the need for modification.

Tools for Maintaining a Personal Research Journal

2008-06-14T00:22:00.004+02:00

To keep a journal of research activities, especially when studying for a PhD, is generally considered a good idea (see for example desJardins' guide How to Succeed in Graduate School). Such a journal helps to organize ideas, to record the progress of research, and to leverage building new ideas. On the web, you can find also other guidelines which give more examples what to include in the journal, e.g., Notes on the Personal Research Notebook / Journal.

While I used such a journal concept intuitively during my diploma thesis, I wrote it on separate sheets of papers which I transformed later into the written thesis. This worked out very well at that time and on that project. However, now I want to use a tool which can automate those time-consuming things like searching and copy&paste. Today, I have several subprojects and small parts which are sometimes (at least at the beginning) very unrelated. Using a paper notebook as a journal would not be very efficient. So, I wondered which software tools would work out as a research journal for a PhD.
I have tried out several tools, starting from simple text files to journal and todo list functions in KDE Kontact. But the information is still scattered throughout several files on my disk in several different formats (text files, LaTeX files, OpenOffice files, pictures, etc.). I need something that can combine everything and provides a fast search and kind of sorting function (like tagging in Web 2.0 applications).

Finally, I have found two applications which are suiteable for this task: Journler for Mac OS X. This is exactly what I needed. You can enter journal entries in chronological order, add tags, pictures, URLs, PDFs, whatever. When you click on a tag, Journler automatically shows up a list of all entries with this tag. And of course, it makes use of the fast search engines of Leopard to quickly scan your entries for keywords. This is great!

Unfortunately, I have to work on a PC laptop at work. So I can't use Journler there. But I have something similar: BasKet Note Pads for KDE on Linux. It has similar functionalities, and I have started to use it. One good feature I noticed: you can import notes from KNotes and simple text files (now it pays back to have used text files!*g*).

RapidWeaver and RapidBlog

2007-11-28T18:31:00.001+01:00

I have begun to use RapidWeaver as web development tool. Although it is only available for Mac, I did not find any similar tool for Linux or even Windows. RapidWeaver works and looks like iWeb, the Apple web-site tool in the iLife package. It is very easy to create a web site with navigation bar, blog, picture gallery, etc. It supports themes, which are actually stylesheet packages including background images and the like.

RapidWeaver also supports Add-on. There is one interesting add-on I have found: RapidBlog. This add-on extends the blogging module of RapidWeaver with synchronization of a Google Blogger (Blogspot) account. This is very nice since it allows you to write your blog posts online on any web browser and system, using the Blogger web interface. But you can still write and manage your posts in the RapidWeaver application.

Now, there is one interesting question: Does RapidBlog automatically synchronize the Blog when you write a new post on the Google Blogger web interface or do you need to run the sync within RapidWeaver manually?

Update: Yeah, this works automatically! Thanks to the PHP script, this site automatically includes the latest posts from the original Blogspot site.

Holisticly provide access

2007-10-19T19:04:00.000+02:00

“Bonjour: Holisticly provide access to ethical communities vis-a-vis client-focused.”

Funny description of network technology. This was posted on the Apple website announcing the new Mac OS X Leopard. But they have changed the text now… :-)

See also:
Martin Pittenauer’s blog or the various links you can find using the Internet search engine of your choice.

Compartmented Security for Browsers - Or How to Thwart a Phisher with Trusted Computing

2007-07-16T19:00:00.002+02:00

This is the title of a paper written by Sebastian Gajek, Ahmad-Reza Sadeghi, Christian Stüble, and me. We already presented and published it at the Second International Conference for Availability, Reliability and Security (ARES 2007). It is an improved version of the paper “Towards Multicolored Computing”, which I previously announced here. Our approach is based on the ideas of compartmentalization (for isolating applications of different trust level) and a trusted wallet (for storing credentials and authenticating sensitive services on behalf of the user). However, we do not rely on a trusted browser this time. The following figure shows our basic architecture.

In this paper, we show that the wallet can handle the whole authentication process mutually after it has been setup by the user once. We also improved the setup procedure by cryptographically embedding a web site-bounded random value into the account password. This value is unknown to the user. On the one hand, we prevent that the user applies low-entropy passwords to set up an account. On the other hand, we ensure that the user does not use the same password for different accounts.

To realize a transparent usage and in order to provide a safe environment during the account setup, the wallet also works as a network proxy. Hence, the wallet must be capable to parse HTML web sites and to react accordingly, e.g., by initiating the setup procedure.

To protect the confidentiality of the user’s credentials, we use the sealing functionality of a Trusted Platform Module (TPM): We bind the secret data to the integrity measurements of the wallet and the underlying security kernel. This means, the credentials are encrypted using a key that never leaves the TPM, and the decryption is only possible if the same measurement values are logged into the TPM during the boot process as they were taken at encryption time.

The paper is also available as technical report.

CeBIT 2007

2007-03-19T18:30:00.000+01:00

On Saturday I took my annual trip to Hannover to visit the CeBIT trade fair. I just want to give my impressions what I have found to be interesting there.

Plasma TVs can have lower power consumption than LCD TVs

This is quite interesting since people still believe Plasma TVs have a high power consumption. However, in contrast to LCD TVs, which always have a constant power consumption (about 160-240 W, depending on the model), Plasma TVs can very in their consumption depending on the current image to display. If the image is very bright, e.g., a white screen or a snow landscape, Plasma TVs have a high power consumption (let’s say 200 W, depending on the model of course). But if the image is dark, e.g. black screen or a night scene in a movie, Plasma TVs consume very less than their maximum consumption (e.g., 60 W only). So, depending on your TV watching habits, a Plasma TV might even save energy compared to a LCD TV!

Mobile phones for older people become more usable and cheaper

I discovered a mobile phone which was especially designed for older people. The “emporiaLife” phone has larger buttons than usual phones, a large display that shows the dialed numbers much bigger, and a special emergency button, which you only have to press to get connected to a number you have previously defined (there can be up to five different emergency numbers). The device is dual-band, can send and receive SMS, and has included a flashlight. At the booth they told me the price will be about 200 Euros.

Car navigation devices get more functionality

There seems to be the trend to integrate a variety of functionality into car (or mobile) navigation devices. I have seen the integration of DVB-T TV or Bluetooth connection to mobile phones at several vendors. One example is Naviflash. Some interesting detail I have also discovered: Naviflash has a flexible bracket with some kind of “ground support” to stabilize the device when attached at the windshield.

Digital picture frames

A lot of vendors now offer digital picture frames, for instance Samsung and its SPF-07N. A digital picture frame displays a digital photo, similar as a normal “hard-cover” picture frame. But a digital picture frame can store several pictures and display them alternately, e.g., changing them periodically or at command. This might become a new big trend; at least if prices are acceptable.

“I’ll call you by trousers”

In the Future Parc, they showed (amongst others) smart textiles. These are clothes which integrate some digital functionality, usually control panels for electronic devices. Funny example: leather trousers with a control panel for a mobile phone. :-)

Phishing Attacks Predicted among Top Security Threats for 2007

2007-01-07T19:46:00.000+01:00

On TechNewsWorld, there is an article about the prediction of the top security threats for the year 2007. Most of the predicted attacks mentioned are related to phishing attacks and identity theft. The prediction is given by the companies McAcfee and MessageLabs. Besides faked Web sites that try to steal passwords, more and more phishing attacks will use malware to achieve their goals, e.g., malicious code distributed through video files, spoofing of IM (instant messaging) identities. Interestingly, they also predict phishing attacks through VoIP (voice over IP) using spoofed phone calls.

Security by Configuration

2006-12-23T18:40:00.000+01:00

There is an interesting article on Linux.com about configuration-centered security, “Configuration: The Forgotten Side of Security” (by Bruce Byfield). Whereas most security products on the market follow the approach of reactive security (e.g., anti-virus scanners, patches), a proactive approach includes security aspects in the design and installation of a computer system. Intuitively, taking security into account right from the start should be the better approach because design flaws in a software architecture are harder to fix later. The article gives some hints why the computer industry has not followed this approach. One reason mentioned is the tradeoff between security and convenience. But counter-examples are given (for instance, Mac OS X *g*), and an IT professional is cited that “usability and security are not mutually exclusive”. And I think that is absolutely right.

The article lists the basic goals of system configuration, which are derived from basic security principles (e.g., least privilege, containment, etc.):

Build for a specific purpose and only include the bare minimum needed to accomplish the task.

Protect the availability and integrity of data at rest.

Protect the confidentiality and integrity of data in motion.

Disable all unnecessary resources.

Limit and record access to necessary resources.

I think these goals should be applied especially for online banking applications in the context of phishing attacks. Having full-featured, complex web browser applications seems not to be the right basis for such tasks, does it? Well, maybe the idea of browser compartments is a good starting point…

Towards Multicolored Computing - Compartmented Security to Prevent Phishing Attacks

2006-10-07T20:00:00.001+02:00

This is a paper that I have written together with Sebastian Gajek, Ahmad-Reza Sadeghi, and Christian Stüble. I have presented the paper at the 1st Benelux Workshop on Information and System Security (WISSec 2006) in Antwerpen, Belgium, last month. The paper aims at making the first steps towards the design and implementation of an open source and interoperable security architecture that prevents both classical phishing (e.g., e-mails luring unaware users to faked web sites) and the new emerging malware phishing, i.e., malicious software specifically tailored to certain services.

Our approach is based on the ideas of multicolored computing (e.g., red for the risky and green for the trusted domain), and a trusted wallet for storing credentials and authenticating sensitive services. Our solution requires no special care from users for identifying the right web sites while the disclosure of credentials is strictly controlled. In the paper we present the main idea of how to integrate countermeasures against phishing and malware into one sound security architecture. We also briefly sketch how to implement this architecture based on the PERSEUS security framework, which utilizes Trusted Computing functionality and virtualization. The former is used to preserve system integrity, and the latter provides compartment isolation and software re-use.

To establish a trusted path to the trusted wallet we make use of the Secure GUI subsystem that is developed by the EMSCB project for the PERSEUS system. the Secure GUI subsystem provides to each compartment an isolated graphics framebuffer, which are then multiplexed or switched to on the screen. To enable the user to authenticate the currently displayed compartment, the Secure GUI has a reserved area on the screen to which no compartment has access. The Secure GUI displays the compartment identifier and the color indicating a trusted (green) or untrusted (red) compartment there.

You can download the paper as PDF.

TCG Inside? - A Note on TPM Specification Compliance

2006-07-16T15:00:00.002+02:00

This is a paper that I have written together with Ahmad-Reza Sadeghi, Marcel Selhorst, Christian Stüble and Christian Wachsmann, and I am going to present it at the First ACM Workshop on Scalable Trusted Computing (STC’06) in Fairfax, Virginia, USA, next month. The paper describes the first steps towards having an independent means for testing the compliance of Trusted Platform Module (TPM) chips according the TCG specifications. Besides presenting a test strategy, we have also developed a prototype test suite. Although the currently implemented tests do not cover the complete TCG specification, our test results show that many TPM implementations do not meet the TCG specification and have bugs. We also discuss that non-compliance may have crucial impact on security. For instance, non-compliant error return codes may be useful for profiling TPM chip models. These profiles may then be used in further attacks, e.g., password dictionary attacks.

We have already published first results of our tests in a technical report, which was also mentioned in the c’t magazine (“Sicherheits-Chips auf den Zahn gefühlt”, in German). For more information, see our project website on TPM Compliance Tests.