preisacm
/
masterthesis
1
0
Fork 0
Code Issues Releases Wiki Activity
Master Thesis as published at INS in 2022
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
65 Commits
1 Branch
0 Tags
200 MiB
 
 
Tree: a30ee11be8
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a30ee11be8'
${ noResults }
masterthesis/thesis/03_conceptfull.tex

305 lines
22 KiB
Raw Blame History

\chapter{Concept}
\label{cha:concept}
In this chapter we define the constraints for the Biometric Sensor as well as a generic attempt for a prototype.
The constraints include a discussion about the attack vectors to the BS.
We explain furthermore which requirements can and will be addressed and how sensible data is processed in the BS.
\section{Definition of the Biometric Sensor}
\label{sec:definition-of-the-biometric-sensor}
The BS itself is defined as edge device within the DigiDow network.
According to the schema shown in \autoref{fig:globalview}, the BS will be placed in a public area (e.g. a checkpoint in an airport or as access control system at a building) to interact directly with the DigiDow users.
There, the BS is the gateway to the DigiDow network.
By providing a biometric property, the user should be able to authenticate itself and the network may then trigger the desired action, like granting access or logging presence.
Depending on the biometric property, the sensor may not be active all the time, but activated when an authentication process is started.
The following enumeration shows the steps of the BS for identifying the interacting person.
\begin{enumerate}
\item \emph{Listen}: Either the sensor hardware itself (e.g. a detection in a fingerprint sensor) or another electrical signal will start the authentication process.
\item \emph{Collect}: Measure sensor data (picture, fingerprint) and calculate a biometric representation (Attribute).
\item \emph{Discover}: Start a network discovery in the DigiDow network and find the PIA corresponding to the present person. It may be necessary to interact with more than one PIA within this and the next step.
\item \emph{Transmit}: Create a trusted and secure channel to the PIA and transmit the attribute.
\item \emph{Reset}: Set the state of the system as it was before this transaction.
\end{enumerate}
Since the BS handles biometric data---which must be held confidential outside the defined use cases---a number of potential threats must be considered when designing the BS.
\section{Attack Vectors and Threat Model}
As mentioned before, the BS will work in an exposed environment.
Neither the user providing biometric data nor the network environment should be trusted for proper function.
There should only be a connection to the Digidow network for transmitting the recorded data.
This assumption of autonomy provides independence to the probably diverse target environments and use cases.
In addition to autonomy, the BS should also ensure proper handling of received and generated data.
The recorded dataset from a sensor is \emph{sensitive data} due to its ability to identify an individual.
Due to its narrow definition, it is affordable to protect sensitive data.
Besides that, \emph{metadata} is information generated during the whole transaction phase.
Timestamps and host information are metadata as well as connection lists, hash sums and log entries and much more (What? Where? When?)
There exists no exact definition or list of metadata which makes it hard to prevent any exposure of it.
Metadata does not directly identify an individual.
However huge notwork providers are able to combine lots of metadata to traces of individuals.
Eventually an action of those traced individuals might unveil their identity.
Consequently, a central goal of DigiDow is to minimize the amount to minimize the risk of traces.
Privacy defines the ability of individuals to keep information about themselves private from others.
In context to the Biometric Sensor, this is related to the recorded biometric data.
Furthermore, to prevent tracking. any interaction with a Sensor should not be matched to personal information.
Only the intended and trusted way of identification within the Digidow network should be possible.
\subsection{Threat Model}
\label{ssec:threatmodel}
To fulfill the Sensor's use case, we need to consider the following attack vectors.
\begin{itemize}
\item \emph{Rogue Hardware Components}: Modified components of the Biometric Sensor could, depending on their contribution to the system, collect data or create a gateway to the internal processes of the system.
Although the produced hardware piece itself is fine, the firmware on it is acting in a malicious way.
This threat addresses the manufacturing and installation of the system.
\item \emph{Hardware Modification}: Similar to rogue hardware components, the system could be modified in the target environment by attaching additional hardware.
With this attack, adversaries may get direct access to memory or to data transferred from or to attached devices,
\item \emph{Metadata Extraction}: The actual sensor like camera or fingerprint sensor is usually attached via USB or similar cable connection.
It is possible to log the protocol of those attached devices via Man in the Middle attack on the USB cable.
\item \emph{Attribute Extraction}: The actual sensor like camera or fingerprint sensor is usually attached via USB or similar cable connection.
It is possible to log the protocol of those attached devices via wiretapping the USB cable.
With that attack, an adversary is able to directly access the attributes to identify individuals.
\item \emph{Modification or aggregation of sensitive data within Biometric Sensor}: The program which prepares the sernsor data for transmission could modify the data before sealing it.
The program can also just save the sensible data for other purposes.
\item \emph{Metadata extraction on Network}: During transmission of data from the sensor into the Digidow network, there will be some metadata generated.
An adversary could use this datasets to generate tracking logs and eventually match these logs to individuals.
\item \emph{Retransmission of sensor data of a rogue Biometric Sensor}: When retransmitting sensor data, the authentication of an individual could again be proven.
Any grants provided to this individual could then given to another person.
\item \emph{Rogue Biometric Sensor blocks transmission}: By blocking any transmission of sensor data, any transaction within the Digidow network could be blocked and therefore the whole authentication process is stopped.
\item \emph{Rogue Personal Identity Agent}: A rogue PIA might receive the sensor data instead of the honest one.
Due to this error, a wrong identity and therefore false claims would be made out of that.
\end{itemize}
\section{Prototype Concept}%
\label{sec:prototype_concept}
Given the threat model and the use cases described in \autoref{sec:definition-of-the-biometric-sensor}, we will introduce a prototype which will address many of the defined requirements.
Any threats adressing the physical integrity of the BS will, however, be omitted.
These threats can be addressed with physical intrusion and vandalism protection like they are available for ATMs.
We will instead focus on the integrity of the system when the BS is operating.
\subsection{Integrity and Trust up to the Kernel}%
\label{sub:integrity_and_trust_up_to_the_kernel}
We decided to use the PC platform as hardware base for the prototype.
There are lots of different form factors available you can extend the system with a broad variety of sensors.
Furthermore the TPM support is implemented to support integrity analysis on the system.
Finally, the platform can run almost all Linux variants and supports relevant pieces of software for this project.
A flavour of Linux supporting all features described in this chapter, will be used as OS platform.
The ARM platform seem to be capable of all these features as well, however, the support of TPM, the amount of available software and the ease of installation is better on the PC platform.
As described in \autoref{sec:trusted_platform_module_tpm_}, the TPM functions can be delivered in three different flavors: As dedicated or mounted device and as part of the processor's firmware.
The fTPM is part of a large proprietary environment from AMD or Intel which which introduces, besides implementation flaws, additional attack surfaces for the TPM.
Hence we will use dedicated TPM chips on the platform, which are pluggable, to gain most control over the functionality.
Any recent PC platform supports TPMs ans consequently Trusted Boot as mentioned in \autoref{sec:trusted_boot}.
The system will describe its hardware state in the PCRs 0\,--\,7 when the EFI\,/\,BIOS hands over to the Bootloader.
We use these PCR values to detect any unauthorized modifications on hardware or firmware level.
It is important to include also \emph{epmty} PCRs to detect added hardware on the PCI bus with an Option ROM, for example.
With these PCR values we can seal a passphrase in the TPM.
The disk, secured with Full Disk Encryption (FDE), can only be accessed, when the hardware underneath is not tampered with.
To further reduce the attack surface, the prototype will not use a bootloader like GRUB.
Instead, the Kernel should be run directly from the UEFI\,/\,BIOS.
Therefore, the Kernel is packed directly into an EFI file, together with its command line parameters and the initial file system for booting.
This \emph{Unified Kernel} is directly measured by the UEFI\,/\,BIOS and is also capable of decrypting the disk, given the correct PCR values.
This setup starts with two sources of trust that are formally defined:
\begin{itemize}
\item \emph{TPM}: The TPM acts as certified Root of Trust for holding the PCRs and for the cryptographic function modifying those.
\item \emph{RTM}: The Root of Trust for Measurement is part of the mainboard's firmware.
The tiny program just measures all parts of the firmware and feeds the TPM with the results.
However, the program is maintained by the mainboard manufacturer and the source is not available to the public.
We have to trust that this piece of software is working correctly,
\end{itemize}
We implicitly assume that the CPU, executing all these instructions and interacting with the TPM, is working correctly.
All parts contributing to the boot phase will be measured into one of the PCRs before any instruction is executed.
Decrypting the disk can then be interpreted as authorization procedure against the encrypted disk.
Consequently only a \emph{known} Kernel with a \emph{known} hardware and firmware setup underneath can access the disk and finish the boot process in the OS.
The disk encryption is, however, only an optional feature which can be omitted in a production environment when there is no sensible data on the disk that must not be revealed to the public.
The system needs to check its integrity on the OS level and summarize that by publishing an attestation message, before any transaction data is used.
\begin{figure}
\centering
\includegraphics[width=0.8\linewidth]{../resources/measurements.pdf}
\caption{Extending trust from the Roots of Trust up to the Kernel}%
\label{fig:measuements}
\end{figure}
\autoref{fig:measuements} illustrates how above proceses extend the trust on the system.
The TPM is the cryptographic root of trust, storing all measurement results and the target values for validation.
SInce the RTM is the only piece of code, which lives in the platform firmware and is executed \emph{before} it is measured, it is an important part in the trust architecture of the system.
An honest RTM will measure the binary representation of itself, which makes the code at least provable afterwards.
Finally, the CPU is assumed to execute all the code according to its specification.
Proving correctness of the instruction set cannot be done during the boot process.
When the roots of trust are honest, the trusted environment can be constructed during booting the platform with the PCR measurements.
We get then a system, where all active parts in the booting process are trusted up to the Linux kernel with its extensions and execution parameters.
\subsection{Integrity and Trust on OS Level}%
\label{sub:integrity_and_trust_on_os_level}
With the trusted kernel and IMA, we can include the file system into the trusted environment.
According to \autoref{sec:integrity_measurement_architecture}, every file will be hashed once IMA is activated and configured accordingly.
By enforcing IMA, the kernel allows access to only those files having a valid hash.
Consequently, every file which is required for proper execution needs to be hashed beforehand before IMA is enforced.
The IMA policy in place should be \texttt{appraise\_tcb}, to analyze kernel modules, executable memory mapped files, executables and all files opened by root for read.
This policy should also include drivers and kernel modules for external hardware like a camera for attached via USB.
\subsection{Prove Trust with DAA}%
\label{sub:prove_trust_with_daa}
The features described above take care of building a trusted environment on the system level.
DAA will take care of showing the \emph{trust} to a third party which has no particular knowledge about the BS.
In the DigiDow context, the PIA should get, together to the biometrical measurements, a proof that the BS is a trusted system acting honestly.
To reduce the complexity of this problem, we consider two assumptions:
\begin{enumerate}
\item \emph{Network Discovery}: The PIA is already identified over the DigiDow network and there exists a bidirecional channel between BS and PIA
\item \emph{Secure Communication Channel}: The bidirectional channel is assumed to be hardened against wire tapping, metadata extraction and tampering.
The prototype will take no further action to encrypt any payload besides the cryptographic features that come along with DAA itself.
\end{enumerate}
The DAA protocol should be applied on a simple LAN, where all parties are connected locally.
The BS will eventually become a member of the Group of sensors, managed by the Issuer.
During signup, Issuer and BS (Member) negotiate the membership credentials over the network.
By being a member of the DAA group, the Issuer fully trusts that the BS is honest and acting according the specification.
The Issuer will not check any group members, since they can now act independently of the Issuer.
When the BS is then authenticating an individual, the process illustrated in \autoref{fig:daa-attestation} will be executed.
\begin{figure}
\centering
\includegraphics[width=0.7\textwidth]{../resources/tpmattest}
\caption[DAA Attestation procedure]{The DAA attestation process requires 5 steps. The PIA may trust the Biometric Sensor afterwards.}
\label{fig:daa-attestation}
\end{figure}
\begin{enumerate}
\item The PIA gets once and independently of any transaction the public key of the BS group.
\item During the transaction, the PIA will eventually ask the BS for attestation together with a \texttt{nonce}.
\item The BS will collect the PCR values, the Integrity Log and the \texttt{nonce} into an Attestation message signed with the Member SK.
\item The Attestation Message will be sent back to the PIA.
\item The PIA checks the signature of the message, checks the entries of the Integrity log against known values, and proves the PCR values accordingly.
\end{enumerate}
\autoref{fig:chainoftrust} shows how the sources of trust will be represented in the final attestation message.
\begin{figure}
\centering
\includegraphics[width=0.8\linewidth]{../resources/chainoftrust.pdf}
\caption{Overview of the Chain of Trust of the BS}%
\label{fig:chainoftrust}
\end{figure}
The four sources of trust are defined as groups which deliver parts of the prototype, but cannot be verified on a cryptographic level.
Hence, suppliers must be manually added to these groups by using a well defined check for trustworthiness.
Any TPM manufacturer has to implement the well defined standard from TCG.
There exists, however no such exact definition for hardware and firmware parts of the platform.
Consequently, these parts should undergo a functional analysis before they are trusted.
Trust means that, when the platform is defined trustworthy, the corresponding PCR values should be published.
The same procedure should be done for the Kernel and the used OS environment and of course the used software.
There, only the Kernel with its parameters have a corresponding PCR value.
Furthermore a hash value should be published for any relevant file on the file system.
We can then build a cryptographic representation of the chain of trust in \autoref{fig:chainoftrust}.
The TPM has a signed Certificate from ist manufacturer, where it derives the Endorsement Key (EK) from it.
When all of the above checks against platform, OS and TPM are good, the DAA Issuer will assign the platform to the group of trusted BS.
The BS has now a member SK for signing its attestation message.
The Verifier can now check the valid membership by checking the signature of the message against the Issuer's PK.
Furthermore it can check the state of the platform by compare the PCR values against known values.
Finally it can check the integrity of the running software by checking the hashes in the IMA log against known values.
PCR 10 represents therefore the end of the hash chain fed by the IMA log entries.
If all values are good, the BS can be trusted and the DigiDow transaction can be continued at the PIA.
\begin{itemize}
\item DONE Definition of sensitive data / privacy / metadata
\item This version of BS is not owned by the user, there is no personal data in the System
\item Rogue Personal Identity Agent (PIA)
\item Metadata Extraction
\item Attribute extraction
\item Sensor Data Modification/manipulation
\item Wiretap between Sensor and System (USB or network)
\item Physical Manipulation of the BS-System
\item Network - Retransmission of sensor data of a rogue BS
\item Network - Blocking Data transmission of a rogue BS
\item Rogue BS Sensor Data aggregation
\item Rogue BS Sensor data modification before transmission
\end{itemize}
\section{Trust and Security}
\label{sec:trust}
Trust is an essential term in this thesis.
In the world of IT security, the term \emph{trusted computing} defines a secured environment where special or confidential computing jobs are dispatched.
This environment or product usually meets the following requirements
\begin{itemize}
\item \emph{Minimalization.} The number of features and hence the complexity must be as low as possible.
\item \emph{Sound definitions.} Every function should be well defined. There should be no margin for interpretation left. Security Engineers should be involved in the development.
\item \emph{Complete testing.} Testing for trusted computing includes a threat analysis and exhaustive testing if possible.
\end{itemize}
Since software and hardware testing is never complete, it is hard to find a good balance between feature set and testing completeness.
However trust in IT is not equal to security.
It defines a subset of IT security where this small well defined environment is embedded in a larger system which is usually untrusted.
Claiming a system \emph{secure} spans the constraints of trust over the complete system, which is not affordable for commodity computers these days.
However it is possible to use the trusted environment to get some guarantees on the untrusted parts of a system as well
In Chapter 3 we will show how trust will be extended in a commodity PC.
%TODO reference to TPM section how to extend trust into untrusted parts of PC
%TODO describe verifiable trust in addition to the previous definition (with example of the ATM?)
Differentiation between trust and security --- and the problem that not everyone is using that right.
\section{Systems of Trust}
\label{sec:trustsystems}
All trust systems are built on the standards of Trusted Computing Group.
\subsection{Secure Boot, TXT, \ldots}
\label{ssec:secureboot-txt}
Trusted Boot is not the same as Secure Boot. Explain the difference
\subsection{TPM1.2}
\label{ssec:tpm12}
Initial Version of the crypto-coprocessor, successfully spread into many systems, but hardly any integration in Trust/security Software
\section{Trusted Boot}
\section{Integrity Measurements}
As described in the previous section, when the boot process is eventually finished, the OS is then responsible for extending the chain of trust.
Given a valid trusted boot procedure, the binary representation of the kernel is already measured.
Therefore the Kernel itself has the responsibility to keep track of everything happening on the platform from the OS point of view.
Soon after the first TPM standard was published, the \emph{Integrity Measurement Architecture} (IMA) for the Linux Kernel was introduced.
Since Kernel 3.7 it is possible to use all IMA features, when the compiler options of the Kernel are set correspondingly.
IMA
Extend the Chain of Trust beyond the boot process.
The Kernel can measure many different types of Resources.
What is a useful set of measurements
\section{Verify Trust with DAA}
\subsection{DAA History}
Direct Anonymous Attestation (DAA) is a cryptographic protocol, which aims to provide evidence that a device is a honest member of a group without providing any identification information.
Brickell, Camenisch and Chen\cite{BriCamChe04} introduce DAA and implement the protocol for the TPM 1.2 standard.
However it supports only RSA and has limitations in verifying attestation signatures.
Hence, DAA is not used with the TPM 1.2 standard.
Since the DAA protocol is quite complex, it is difficult to provide a sound security model for DAA and formally prove the security properties of it.
Chen, Morissey and Smart\cite{chen09} add linkability to the protocol.
Their approach for a formal proof is not correct, since a trivial key can be used for pass verification\cite{camenisch16}
%TODO Chronic of DAA until Camenisch16, Discussion about broken Proofs in previous papers.
Camenisch, Drijvers and Lehmann\cite{camenisch16} developed a DAA scheme for the new TPM 2.0 standard.
It supports linkability and the proves for security and correctness still hold.
Furthermore, RSA and ECC cryptography is supported which makes it practicable for a wider variety of use cases.
However, Camenisch et al.\@ proposed a fix in the TPM 2.0 API to guarantee all requirements necessary for DAA.
Xaptum implemented this DAA-variant including the fixes in the TPM API.
The implementation will be discussed in Chapter 4.%TODO Reference to Xaptum discussion
Analyzing the security and integrity of this scheme would exceed the scope of this thesis.
Hence this thesis describes the DAA protocol and assumes the correctness and integrity.
%TODO: Discussion: sid removed, RL only works with private keys, etc.