
D3.9: Study on the Impact of Trusted Computing on Identity and Identity Management



Industrial and Academic Open Source Projects

European Multilaterally Secure Computing Base (EMSCB)

The EMSCB project [16, 1], which is partly funded by the German Federal Ministry of Economics and Labour, is an instance of PERSEUS focusing on multilateral security, i.e. the development of security-critical services such that the security policies of all involved parties are respected. EMSCB aims to develop five demonstrators with a micro-kernel-based security architecture using a TCG 1.1b compliant TPM. These five demonstrators will offer hard disk encryption, a secure VPN, a DRM application, a multilevel security system and a prototype DRM application intended for an embedded automotive platform provided by Bosch/Blaupunkt. Additionally, an EMSCB platform will be implemented, consisting of TPM-enabled security-critical services such as a trusted GUI, trusted storage, an application manager, a TPM driver, a secure bootloader and a security policy manager; the policy manager uses the trusted GUI to let users define the locally enforced security policy. The source code of the EMSCB platform will be published under an open-source license. 

More information is available in [16] or at 

Open Trusted Computing (Open TC)

The Open Trusted Computing (OpenTC) consortium is concerned with the development of a secure computing system for conventional computers and embedded systems based on open source software and trusted computing technology. A major goal is to implement an open trusted computing framework supporting TPMs and the security-enhanced next-generation processors from AMD and Intel. This includes the development of a secure operating system that is able to use the features provided by TPMs and security-enhanced processors. It will contain virtualization layers, a Trusted Software Stack for Linux and management software for the TPM. OpenTC also develops and implements protocols for policy management, including distributed policy enforcement, security state monitoring and management, and network and configuration management. The project also works on the integration of trusted computing into existing public key infrastructures. 

More information is available at 

TrouSerS

TrouSerS [4] is an open-source TCG Software Stack implementation for Linux operating systems which has been developed and released by IBM. It is provided under the Common Public License (CPL). 

The TPM services currently usable through the TSS interface offered by TrouSerS are RSA key pair generation, RSA encryption and decryption using a PKCS#11 compatible interface, RSA signing and verification, storing data in the TPM’s PCRs together with the corresponding log, sealing of data to arbitrary PCRs, random number generation and secure RSA key storage. 

TrouSerS also includes the tpm-tools applications (a suite of helper applications), which can be used for command-line based TPM management. 

Enforcer

The Enforcer project provides a Linux Security Module which improves the integrity of a computer running a Linux operating system by ensuring that the computer’s file system has not been tampered with. The software is able to detect if a file has been changed and to take previously specified actions when tampering is detected. Enforcer is able to store secrets in an encrypted loopback file system which is protected by a TPM. If Enforcer detects a tampered file, the encrypted loopback file system is unmounted automatically. It is also possible to bind specific files to specific applications so that an application is not able to modify files it is not intended to modify. 

Trusted Linux Client

IBM has implemented a Trusted Linux Client [83]. It utilizes the Linux Security Module (LSM) framework, which mediates all security-relevant operations of the Linux kernel, together with kernel modules and a TPM. The Trusted Linux Client implements three kernel modules: the TPM kernel module, the Extended Verification Module (EVM) and the Simple Linux Integrity Module (SLIM). The EVM module provides policy-based verification functions based on authenticated attributes, which can be seen as a file’s security metadata and are checked when the file is opened or executed. Additionally, it offers symmetric key-based verification functions which use the TPM as a secure key store, and access control based on integrity containment, which uses the SLIM module for access enforcement. The TPM is used to verify the integrity of the EVM by verifying that all its files are authentic. The SLIM uses the results of EVM’s file verification to grant trusted process authority only to those files which meet all file verification requirements. Hence, the SLIM manages the state of applications during their execution, classifying them as trusted or untrusted. 

The TLC offers a kind of “pre-boot” authentication. It is not pre-boot authentication in the strict sense, because the system must boot until the initial RAM disk has been loaded, which may contain the kernel master key needed for authentication. The kernel master key is a random key generated and protected by the TPM. Every user of the system must know this key in order to boot. Multi-user authentication can be realized by giving each user a unique copy of the kernel master key, each protected by that user’s own authorization password. The TPM only releases the kernel master key to the kernel if the PCR values of BIOS, master boot record, GRUB bootstrap loader, Linux kernel and initial RAM disk have not been altered. The kernel master key can be stored in the initial RAM disk or on a USB flash drive, protected by a user authorization password that has to be presented at boot time. The authentication mechanism also supports the use of fingerprint readers. 

The Trusted Linux Client has been implemented and tested on Fedora Core 3 and Red Hat Enterprise 4 systems. 

tcgLinux

The tcgLinux [80] project is run by IBM Research. Its goal is the development and implementation of TPM-based run-time attestation for Linux: the generation of verifiable information about the software stack running on a Linux system, which remote parties can use to determine the integrity of that system’s execution environment. tcgLinux therefore implements an integrity measurement feature in an adapted variant of the Linux kernel that measures each executable, library or kernel module before it is loaded and executed. 

A TPM is used to securely hold an integrity value (an aggregate) over the measurement list, which is managed by the kernel. Current research focuses on how to take advantage of the validated measurement list to justify the security properties of a system’s runtime environment. 
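The following simulation, added here and not code from IBM's tcgLinux or Trusted Linux Client, shows the two mechanisms described above: a kernel-managed measurement list whose aggregate is held in a PCR and replayed by a remote verifier (tcgLinux), and a kernel master key sealed to the boot-chain PCR plus a per-user authorization password (TLC). The boot-chain contents, the seal/unseal wrapping and all names are constructed for illustration; a real TPM seals with RSA and compares PCR composites internally.

```python
import hashlib
import hmac

PCR_SIZE = 20  # SHA-1 digest length of a TCG 1.1b / 1.2 PCR

def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: PCR := SHA-1(PCR || measurement); order-dependent and one-way."""
    return hashlib.sha1(pcr + measurement).digest()

def measure_boot(components):
    """Measure each component before it is 'loaded'. Returns the kernel-managed
    measurement list [(name, sha1hex)] and the PCR value the TPM would hold."""
    pcr = bytes(PCR_SIZE)  # all zeros after platform reset
    mlist = []
    for name, content in components:
        digest = hashlib.sha1(content).digest()
        mlist.append((name, digest.hex()))
        pcr = extend_pcr(pcr, digest)
    return mlist, pcr

def verify_measurement_list(mlist, reported_pcr: bytes) -> bool:
    """Remote verifier (tcgLinux-style attestation): replay the list and compare
    with the TPM-held PCR. A modified, omitted or reordered entry diverges."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in mlist:
        pcr = extend_pcr(pcr, bytes.fromhex(digest_hex))
    return hmac.compare_digest(pcr, reported_pcr)

def seal(secret: bytes, pcr: bytes, auth: str) -> dict:
    """Simulated TPM seal (TLC-style kernel master key): bind a secret of at most
    32 bytes to a PCR value plus an auth password. Toy XOR wrap with an HMAC tag,
    not the TPM's real RSA-based sealing; simulation only."""
    wrap = hashlib.sha256(pcr + auth.encode()).digest()
    ct = bytes(a ^ b for a, b in zip(secret, wrap))
    return {"pcr": pcr, "ct": ct, "tag": hmac.new(wrap, ct, hashlib.sha256).digest()}

def unseal(blob: dict, current_pcr: bytes, auth: str):
    """Release the secret only if the current PCR equals the sealed one and the
    auth password is correct; any boot-chain change or wrong password yields None."""
    if not hmac.compare_digest(current_pcr, blob["pcr"]):
        return None
    wrap = hashlib.sha256(current_pcr + auth.encode()).digest()
    if not hmac.compare_digest(hmac.new(wrap, blob["ct"], hashlib.sha256).digest(), blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], wrap))

# Constructed boot chain in the order TLC measures it; contents are placeholders.
GOOD_BOOT = [(n, f"{n}-v1".encode()) for n in ("BIOS", "MBR", "GRUB", "kernel", "initrd")]
```

Sealing the same key separately under two passwords models TLC's per-user copies of the kernel master key: each user unlocks boot with their own password, but only on an unmodified boot chain.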

For more information refer to [80]. 

PERSEUS Architecture and Turaya security kernel

PERSEUS [15, 2] was developed at the University of Saarland in 1999 in cooperation with IBM Research, Zurich, and is currently pursued by eurobits (European Competence Center for IT Security) at the University of Bochum, Germany. The PERSEUS project provides an open computing platform offering a basis for the realization of multilateral security based on trusted computing. It is intended to support a wide range of hardware platforms such as PCs, PDAs and embedded systems. PERSEUS uses a micro-kernel which only contains elementary functions like process management, memory management and inter-process communication; this minimizes the security-relevant part of the system and allows formal verification of its implementation. The PERSEUS architecture realizes security-critical applications like digital signatures or DRM applications and the conventional operating system as separate processes, which can only communicate with each other or with the system’s hardware through the PERSEUS security kernel. 

PERSEUS will enable the realization of policy enforcement, e.g. enforcing license agreements (if accepted by the user) or permitting access to information services only against payment, while preventing content providers from gathering more private information about the user than is needed to provide their service. Thus PERSEUS may serve as a basis for DRM solutions and provides compartment-mode security to prohibit access to documents outside a desired workflow. It can also be used to realize a secure multi-server system which is able to run different isolated services like a web server, a database and a firewall in parallel on the same hardware. 

The security software layer of PERSEUS consists of a micro-kernel based on the L4 micro-kernels developed at the University of Karlsruhe and the Technical University Dresden. On top of this kernel sits a resource management and access control layer which controls the distribution of the system’s hardware resources to the conventional operating system and all security-relevant applications above it. PERSEUS also provides a secure bootloader, implemented as a TCG-enabled version of GRUB (Grand Unified Bootloader), to assure that a specific operating system configuration is booted. A secure user interface (Secure GUI) will provide trusted paths between the user and secure applications, and between secure applications and hardware. PERSEUS’s application manager will ensure the controlled installation and update of software, since uncontrolled installation and updates offer an opportunity to infiltrate malicious code.

Conventional operating systems usually run applications with the rights of the user who started them. This results in applications running with more privileges than they actually need. PERSEUS’s application manager will take care of application privileges so that they are kept minimal. A trusted computing service will allow virtualization of trusted computing hardware features, offering attestation and sealing functions to applications. 

Turaya security kernel

Turaya is the published version of the PERSEUS security software layer. The Turaya security kernel is a small security software layer which can be logically divided into a hypervisor layer and a trusted software layer.

The main task of the hypervisor layer is to provide an abstract interface of the underlying hardware resources like interrupts, memory and hardware devices. Moreover, this layer allows sharing these resources and realizes access control enforcement on the object types known to this layer. Currently a microkernel is used as the foundation of the hypervisor layer.


The trusted software layer builds on the hypervisor layer and offers a Trusted GUI, which controls the graphic adapter and the input devices, i.e., mouse and keyboard, to establish a trusted path between the user and an application. The Trusted GUI labels application windows with unique application names. Moreover, the Trusted GUI enforces a strong isolation between applications on the GUI level. Unauthorized applications cannot, for instance, access the graphical output of other applications or fake their interface to look like the usual password dialog. The Application Manager loads applications and measures the integrity of applications. These integrity measurements can then be reported to local applications as well as to remote applications. In cooperation with Trusted Computing hardware this functionality constitutes the basis for elaborate Digital Rights Management applications. The advantage of this approach in contrast to other integrity measurement architectures (e.g., [SZJv04]) lies in enhanced end-user privacy protection and improved manageability, e.g., of software updates. The Storage Manager enables other applications to persistently store their local states. It preserves the integrity, confidentiality, and freshness of the managed data such that only the application or the user having produced the data may later re-access it. Finally, the User Manager identifies and authenticates the users and assigns roles to the users. The user management is not part of the insecure operating system to prevent malicious software from "sniffing" user passwords or "stealing" the user identity. 

