Hello, my name is Roberto Sassu, I am a security engineer at Huawei, and I work on trusted computing. So today I would like to propose a new approach for an attestation system, to see if the system behaves as expected. And we are doing it in a different way. When we talk about IMA, we are talking about taking measurements and sending these measurements to a verifier, and the verifier says, OK, this system is good because I see all the components that are measured. The solution that I want to propose today is a solution in which instead we don't measure all the components that we send to the verifier, but instead we try to make a TPM key accessible only if the system is enforcing a particular integrity policy. So this work is done as part of the FutureTPM European project, whose goal is to introduce quantum-resistant algorithms in the TPM. And Huawei is involved in this project by creating a demonstrator for device management. In this scenario we have a network management system which controls some routers. And we want to attest the integrity of those routers by simply establishing a TLS channel. And basically the TPM allows or denies the access to this TPM key only if the system is enforcing an integrity policy. So first, when the router first connects to the network management system, it has to convince the NMS that the TPM key that it is using is bound to the good software. And the NMS first verifies this in a new certificate extension that is standardized by the TCG. And if the policy that is associated with the TPM key is good, then it releases a certificate for the router. So the router can now establish a TLS connection. So this presentation will be more practical, because I would like to claim what the router is able to enforce and then verify with a demo if this is actually true. How do we verify that?
First, when we ask the NMS to generate a certificate, we send false evidence about the router and we see if the NMS is able to detect that the TPM key is actually not a TPM key. And second, we establish a TLS communication and we see if this TLS communication can be established only if the router is not compromised. So the first claim, when the router asks the NMS to give a certificate, is: I generated a TPM key, so this key never leaves the TPM. And the NMS can actually verify this because in this extension, called the Subject Key Attestation Evidence, there are some bits that are signed by the TPM. And if the bit is zero, then it is a software key. If the bit is one, it is a TPM key. It is generated by the internal number generator in the TPM, so the key never leaves the TPM. So the first attack is to try to convince the NMS that I am generating a TPM key, but actually I am generating a software key. So I generate with OpenSSL a software key and I am sending it to the NMS, and I pretend that I generated a TPM key. But the NMS, which is running in a different window, is saying: no, I am checking the bit of the certificate, I see that this bit is zero, so it means that this is a software key. So I cannot issue a certificate for the router. So if instead of the TPM key I am sending it a software key, then I cannot issue a certificate for the router. So if instead I generate a key, a TPM key, then the NMS performs the verification, and actually, as you can see, the OpenSSL output is generating the certificate for the router. So this is the first claim. So we know that the router has a TPM key. Second, we want to know that this key is actually usable only when the system is enforcing an integrity policy. So basically we have the TPM enhanced authorization, and the system has to ask the TPM to check the PCRs, the TPM registers, which contain the measured software components.
So if the list of software components is different, then the TPM denies access to the TPM key, and I cannot establish a TLS communication. So now I tried, for example, to convince the NMS that I have a good software configuration, but actually my state is different. So what happens is that the TPM detects that I sent to the NMS a configuration which is not mine. So I cannot use the TPM key to generate the certificate signing request. OK. The next and last problem is to convince the user that when I'm measuring some components, the system is behaving as expected. So this is a big problem, and this is where we provide some contribution, which is called the compressive integrity verification, or CIV. CIV builds on top of the existing IMA and EVM, and SELinux, and provides some extensions. One is called the IMA digest list, and the second is IMA integrity models, which now is called the Infoflow LSM, which were presented at LSS North America. And with the digest list, we are saying: either the system loads approved software, or the TPM key is not accessible; either the files in the system are accessed by legitimate processes, or the TPM key is inaccessible. And we want to present this evidence by just establishing the TLS channel. So now we see that the policy that we are actually associating to the TPM key is a list of software that we approve. So we see that the application reads code, reads configuration files, and reads mutable files. We want to ensure that the TPM key can be used only when the software comes from Fedora, open source, Debian, et cetera. So now I try to execute; so this is what the router is claiming. Now I go into the router, and I show that actually the router enforces this policy. So I created a small application that is a DNS resolver. It's called MyApp. And this MyApp just returns the address of the server.
But if I run software which is not in the TPM key configuration, for example I run MyApp.bed, which is not approved software, then the router denies access to this file. So we know that the TPM key can be used only when the router runs approved software. Then we have also the protection for mutable files. Mutable files can be written only by systemd, by NetworkManager, only by legitimate processes. And if there is an attacker which is outside this critical part of the system and tries to write a mutable file inside this critical part of the system, or TCB, then also this operation is denied. For example, MyApp has a mutable file, which contains the number of requests submitted by the user until this point. And this file is updated every time MyApp is executed. So now the root user is outside the critical part of the system. And I'm trying to attack this MyApp and then try to corrupt the file. And I just send the string. And also we see that this operation is denied. So these are the conditions to have the TPM key. The TPM key can be used only when I have good software and the critical part of the system is protected. So the last evidence; so this is just the IMA policy to say that we measure the software only inside the TCB. And the last point is that we also give protection against offline attacks. You probably know that we have the Extended Verification Module, EVM, to protect against offline attacks. But the addition that we do to EVM is that we have an HMAC key that is bound to the good software, the approved software. So basically the system can calculate the HMAC only if the system is not corrupted. And now the last attack that I want to do is to try to modify a file of MyApp when the integrity protection is not running. And then when I reboot the system with integrity protection, the system is able to detect that this file is corrupted. It was not created when the software was in a good state. Okay. Now I boot the system and I break in the ramdisk.
So in this case the integrity protection is still not enabled. And I try to do the same attack. I try to append a string to the MyApp file. And of course this is allowed. Now we have to reboot the system. And now the last part. So now the system boots. And I try to launch a web server in the router. And I try to establish a TLS communication from my browser. So if the system is in a good state, I can establish the communication. If I load something which is not correct, then the communication cannot be established. Okay. Now let me be sure that I have the correct certificate for the key. So just run again the certificate request to the NMS. And I launch the web server. So now I establish the communication. And I am using the TPM key. Now I know that the system is still good. So I should be able to access the TPM key. Before we talked about protection; protection means that if there is an action which potentially compromises the system, we deny the operation. But we can also have the detection mode, in which we allow the operation. But then the TPM registers, the PCRs, change and the TPM key is not accessible anymore. Now in the previous demo, I corrupted the file of MyApp. So if MyApp now reads the file which was corrupted, now the system is not anymore in a good state and the TPM key should not be accessible. Now I log in again. Okay. So now you see that the string actually creates a buffer overflow in the application. And I try to establish a new TLS connection to the router, to the virtual machine for the demo. And we see if the TPM key can be used. As you can see, the TLS communication cannot be established because the TPM state internally changed. So the TPM denies access to the TPM key. And we can see also from the log that actually we have a policy failure. So we did some action that compromises the system. So we should be able to notify the NMS that the system is not anymore in a good state. So, conclusion.
The TPM is very powerful, but it's difficult to provide the right truth. We see that we are measuring with IMA a lot of software components, but it's difficult to infer from these measurements the behavior of the system. And CIV builds on IMA and provides protection for mutable files, which is currently not possible with the standard IMA. And it also protects the other inter-process communication mechanisms, such as sockets and pipes. And we give insight on the system behavior at runtime, not only during the boot. And we simplify giving the evidence to the NMS by using this TLS channel. So implicit attestation is less flexible than explicit attestation, because basically the TPM key can be used only if the system is in a good state. But when the system is in a bad state, we don't know what actually happened. So basically we know that there is some problem in the system, but we cannot use the TPM key. So we need to, for example, establish a secure communication with a software key in order to see what's happening in the router. And we can have more flexibility by giving the right to an authority to define what is the correct state. So this is part of the TPM specification. And yes, we need a fallback mechanism to connect to the router when the TPM key is not accessible. And I believe that this approach of defining in which state the system behavior is as expected gives people the confidence of what the value of trusted computing is. Because if we leave them to understand what the behavior is from a list of components, that is probably more difficult. If instead we say for them, this is the correct software behavior, then maybe it's easier for them to understand the concept. And the behavior of the system is described in the certificate. That's about it. Thank you for the attention. And if you have any questions? Any questions? We have a limited amount of time, but for short questions we can take them. You should see closer. Yes, sorry.
So basically what you have here is SELinux, but instead of denying access it clears the PCRs, right?

So we have two modes. One is the protection: we associate the TPM key to the SELinux policy and we deny every action. Or detection: we allow the action to happen, but we extend the PCR.

Is there a use case for the detection mode? I'm trying to think of another use case where someone actually wants behavior to go through that isn't allowed by the policy.

Well, for example, in a network infrastructure we need to provide availability. So we cannot enforce all the actions, because there will be maybe some interruption of services. So I think detection will be useful and also gives an availability guarantee, which in this situation is probably one of the priorities.

So the service can continue running even though it doesn't have its cryptographic keys anymore.

So basically you cannot establish the TLS communication by using the TPM key, but you need other means to connect to the router.

Okay. I have a quick question. If not, let's thank the speaker again. Thank you.
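The mechanism the talk demonstrates, a TPM key whose authorization policy is bound to a PCR that only stays at the "good" value while the digest-list policy holds, can be modelled in a few lines. The following is an added example, not code from the speaker, Huawei or the FutureTPM project: it simulates one SHA-256 PCR with TPM extend semantics, a simplified stand-in for the PolicyPCR digest, and an IMA-style digest list that is measured once at boot so that approved content never changes the PCR. It then replays the three demo situations: approved software only, an unapproved binary in protection mode (denied, key still usable), and a corrupted mutable file read in detection mode (allowed, but the PCR moves and the key becomes unusable). The file contents, paths and the `"PolicyPCR"` label are constructed for the example.

```python
"""Simulation of a PCR-policy-bound TPM key with an IMA-style digest list.

Constructed model for illustration: one SHA-256 PCR, one key whose
authorisation policy is the PCR value reached when only the approved
digest list has been measured. Not the talk's code.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Constructed "approved software": the contents a digest list would vouch for.
# A real digest list carries distribution package digests, not literal content.
APPROVED_CONTENT = {
    "/usr/bin/myapp": b"myapp v1 binary (constructed)",
    "/etc/myapp.conf": b"server=resolver.example (constructed)",
}
DIGEST_SET = {sha256(c) for c in APPROVED_CONTENT.values()}
# The digest list itself is measured once at boot, as a single event.
DIGEST_LIST_HASH = sha256(b"".join(sorted(DIGEST_SET)))


@dataclass
class SimTPM:
    """One PCR plus a PolicyPCR-like digest derived from it."""
    pcr: bytes = bytes(32)

    def extend(self, digest: bytes) -> None:
        # TPM extend semantics: new = H(old || digest); order-dependent and one-way.
        self.pcr = sha256(self.pcr + digest)

    def policy_digest(self) -> bytes:
        # Simplified stand-in for the TPM2_PolicyPCR contribution to a policy session.
        return sha256(b"PolicyPCR" + self.pcr)


def boot(tpm: SimTPM) -> None:
    """Boot with integrity protection: the digest list is the first measurement."""
    tpm.extend(DIGEST_LIST_HASH)


def key_auth_policy() -> bytes:
    """authPolicy the key was created with: the good state right after boot."""
    tpm = SimTPM()
    boot(tpm)
    return tpm.policy_digest()


def access_file(tpm: SimTPM, content: bytes, mode: str) -> bool:
    """IMA with a digest list. Returns True if the access is allowed.
    protection: unknown content is denied and the PCR is left untouched.
    detection:  unknown content is allowed but measured, which changes the PCR."""
    digest = sha256(content)
    if digest in DIGEST_SET:
        return True          # matches the list: nothing new to measure
    if mode == "protection":
        return False         # deny; the key stays usable
    tpm.extend(digest)       # detection mode: allow, but record the violation
    return True


def key_usable(tpm: SimTPM) -> bool:
    """The TPM releases the key only if the current policy digest equals authPolicy."""
    return tpm.policy_digest() == key_auth_policy()


def run_scenario(mode: str, events: List[bytes]) -> Tuple[List[bool], bool]:
    """Boot, replay file accesses, return (allowed per access, key usable at the end)."""
    tpm = SimTPM()
    boot(tpm)
    allowed = [access_file(tpm, content, mode) for content in events]
    return allowed, key_usable(tpm)


# Constructed inputs mirroring the demo: approved reads, an unapproved binary,
# and a mutable file corrupted by an appended string while protection was off.
GOOD_EVENTS = list(APPROVED_CONTENT.values())
UNAPPROVED_BINARY = b"myapp.bad binary (constructed)"
CORRUPTED_CONF = APPROVED_CONTENT["/etc/myapp.conf"] + b"AAAAAAAA"

if __name__ == "__main__":
    print("approved only, protection :", run_scenario("protection", GOOD_EVENTS))
    print("unapproved, protection    :", run_scenario("protection", [UNAPPROVED_BINARY]))
    print("corrupted conf, detection :", run_scenario("detection", GOOD_EVENTS + [CORRUPTED_CONF]))
```

Two properties of the model are worth noticing: approved content can be read any number of times without touching the PCR, because membership in the digest list replaces a per-file measurement, and once detection mode has extended the PCR there is no way back to the good value without a reboot, which is exactly why the speaker needs a fallback channel that does not depend on the TPM key.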