David Plaquin

Trusted virtual platforms: a key enabler for converged client devices

This paper introduces our work around combining machine virtualization technology with Trusted Computing Group technology. We first describe our architecture for reducing and containing the privileged code of the Xen Hypervisor. Secondly we describe our Trusted Virtual Platform architecture. This is aimed at supporting the strong enforcement of integrity and security policy controls over a virtual entity where a virtual entity can be either a full guest operating system or virtual appliance running on a virtualized platform. The architecture includes a virtualization-specific integrity measurement and reporting framework. This is designed to reflect all the dependencies of the virtual environment of a guest operating system. The work is a core enabling component of our research around converged devices -- client platforms such as notebooks or desktop PCs that can safely host multiple virtual operating systems and virtual appliances concurrently and report accurately on the trustworthiness of the individually executing entities.

A trusted process to digitally sign a document

This paper describes a method of increasing the trust in open computing platforms, such that a person can have confidence in producing a digital signature using open platforms.The process of using a digital signature to sign a digital document is well understood. Most descriptions assume the correctness of the process of signing a document within a computing platform. In an increasing connected world, this assumption is no longer true when open computing platforms are used. This paper proposes the signing of a document in a general-purpose computing platform using a trusted process. That trusted process creates a signature over a digital image that represents the document and uses a trusted display controller in the platform plus a smart card owned by the prospective signer. The trusted display controller is part of the video processing path, and can display video data on a monitor without interference or subversion by any software components at the platform. The smart card is able to authenticate the trusted display controller, and demonstrate to the signer the results of that authentication using the trusted display controller.The most unusual aspects of the method are: (1) a thumbnail image is stored in the smart card, and used as a surround or background for an image (on a display) that is to be signed; (2) the smart card signs image data on the authority of the trusted display controller, without direct authorisation from the signer.

Trusted integrity measurement and reporting for virtualized platforms

Verifiable trust is a desirable property for computing platforms. Current trusted computing systems developed by Trusted Computing Group (TCG) provide verifiable trust by taking immutable snapshots of the whole set of platform components. It is, however, difficult to use this technology directly in virtualized platforms because of complexity and dynamic changes of platform components. In this paper, we introduce a novel integrity management solution based on a small Software-based Root of Trust for Measurement (SRTM) that provides a trusted link to the integrity measurement chain in the TCG technology. Our solution makes two principal contributions: The first is a key management method, by which a verifier can be convinced that the SRTM is a trusted delegatee of a Trusted Platform Module (TPM). The second is two integrity management services, which provides a novel dependency relation between platform components and enables reversible changes to measured components. This extended abstract of the paper focuses on the key management method and shows the high level idea of these two services. Details of the dependency relation, the reversible changes, and the Xen implementation may be found in the full version of the paper.

Trust record: high-level assurance and compliance

Events such as Enrons collapse have changed the regulatory and governance trends increasing executive accountable for the way companies are run and therefore for the underlying critical IT systems. Such IT functions are increasingly outsourced yet executives remain accountable. This paper presents a Trust Record demonstrator that provides a real time audit report helping to assure executives that their (outsourced) IT infrastructures are being managed in line with corporate policies and legal regulations.

Co-processor-based Behavior Monitoring: Application to the Detection of Attacks Against the System Management Mode

Highly privileged software, such as firmware, is an attractive target for attackers. Thus, BIOS vendors use cryptographic signatures to ensure firmware integrity at boot time. Nevertheless, such protection does not prevent an attacker from exploiting vulnerabilities at runtime. To detect such attacks, we propose an event-based behavior monitoring approach that relies on an isolated co-processor. We instrument the code executed on the main CPU to send information about its behavior to the monitor. This information helps to resolve the semantic gap issue. Our approach does not depend on a specific model of the behavior nor on a specific target. We apply this approach to detect attacks targeting the System Management Mode (SMM), a highly privileged x86 execution mode executing firmware code at runtime. We model the behavior of SMM using invariants of its control-flow and relevant CPU registers (CR3 and SMBASE). We instrument two open-source firmware implementations: EDKII and coreboot. We evaluate the ability of our approach to detect state-of-the-art attacks and its runtime execution overhead by simulating an x86 system coupled with an ARM Cortex A5 co-processor. The results show that our solution detects intrusions from the state of the art, without any false positives, while remaining acceptable in terms of performance overhead in the context of the SMM (i.e., less than the 150 us threshold defined by Intel).