Jeffrey S. Dwoskin

Hardware-rooted trust for secure key management and transient trust

We propose minimalist new hardware additions to a microprocessor chip that protect cryptographic keys in portable computing devices which are used in the field but owned by a central authority. Our authority-mode architecture has trust rooted in two critical secrets: a Device Root Key and a Storage Root Hash, initialized in the device by the trusted authority. Our architecture protects trusted software, bound to the device, which can use the root secrets to protect other sensitive information for many different usage scenarios. We describe a detailed usage scenario for crisis response, where first responders are given transient access to third-party sensitive information which can be securely accessed during a crisis and reliably revoked after the crisis is over. We leverage the Concealed Execution Mode of our earlier user-mode SP (Secret-Protecting) architecture to protect trusted code and its execution [1]. We call our new architecture authority-mode SP since it shares the same architectural lineage and the goal of minimalist hardware roots of trust. However, we completely change the key management hardware and software to enable new remote trust mechanisms that user-mode SP cannot support. In our new architecture, trust is built on top of the shared root key which binds together the secrets, policy and trusted software on the device. As a result, the authority-mode SP architecture can be used to provide significant new functionality including transient access to secrets with reliable revocation mechanisms, controlled transitive support for policy-controlled secrets belonging to different organizations, and remote attestation and secure communications with the authority.

Secure Key Management Architecture Against Sensor-Node Fabrication Attacks

In lightweight mobile ad hoc networks, both probabilistic and deterministic key management schemes are fragile to node fabrication attacks. Our simulation results show that the Successful Attack Probability (SAP) can be as high as 42.6% with the fabrication of only 6 copies from captured nodes comprising only 3% of all nodes. In this paper, we propose two low-cost secure-architecture-based techniques to improve the security against such node fabrication attacks. Our new architectures, specifically targeted at the sensor-node platform, protect long-term keys using a root of trust embedded in the hardware System-on-a-Chip (SoC). This prevents an adversary from extracting these protected long-term keys from a captured node to fabricate new nodes. The extensive simulation results show that the proposed architecture can significantly decrease the SAP and increase the security level of key management for mobile ad hoc networks.

Re-examining Probabilistic Versus Deterministic Key Management

It is widely believed that although being more complex, a probabilistic key predistribution scheme is much more resilient against node capture than a deterministic one in lightweight wireless ad hoc networks. Backed up by the surprisingly large successful attack probabilities computed in this paper, we show that the probabilistic approaches have only limited performance advantages over deterministic approaches. We first consider a static network scenario as originally considered in the seminal paper by Eschenauer and Gligor [1], where any node capture happens after the establishment of all pairwise links, and show that the deterministic approach can achieve a performance as good as the probabilistic one. Furthermore in a mobile network, the probabilistic key management as described in [1] can lead to a successful attack probability of one order of magnitude larger than the one in a static network.

A framework for testing hardware-software security architectures

New security architectures are difficult to prototype and test at the design stage. Fine-grained monitoring of the interactions between hardware, the operating system and applications is required. We have designed and prototyped a testing framework, using virtualization, that can emulate the behavior of new hardware mechanisms in the virtual CPU and can perform a wide range of hardware and software attacks on the system under test. Our testing framework provides APIs for monitoring hardware and software events in the system under test, launching attacks, and observing their effects. We demonstrate its use by testing the security properties of the Secret Protection (SP) architecture using a suite of attacks. We show two important lessons learned from the testing of the SP architecture that affect the design and implementation of the architecture. Our framework enables extensive testing of hardware-software security architectures, in a realistic and flexible environment, with good performance provided by virtualization.

Securing the Dissemination of Emergency Response Data with an Integrated Hardware-Software Architecture

During many crises, access to sensitive emergency-support information is required to save lives and property. For example, for effective evacuations first responders need the names and addresses of non-ambulatory residents. Yet, currently, access to such information may not be possible because government policy makers and third-party data providers lack confidence that todays IT systems will protect their data. Our approach to the management of emergency information provides first responders with temporary, transient access to sensitive information, and ensures that the information is revoked after the emergency. The following contributions are presented: a systematic analysis of the basic forms of trusted communication supported by the architecture; a comprehensive method for secure, distributed emergency state management; a method to allow a userspace application to securely display data; a multifaceted system analysis of the confinement of emergency information and the secure and complete revocation of access to that information at the closure of an emergency.

Scoping security issues for interactive grids

Grid computing allows flexible resource sharing among geographically distributed computing resources in multiple administrative domains. Virtualization of resources allows jobs to be run on remote resources participating in a grid. While this computing paradigm has been used primarily for batch jobs, we study interactive grid applications rich in graphics and multimedia such as scientific visualization and digital content creation. A host of security issues need to be addressed for such interactive grids to gain acceptance, particularly in industry. The purpose of this paper is to study these security issues. The grid security infrastructure (GSI), a component of the Globus Toolkit (I. Foster et al., 1997), creates grid credentials for every user and resource. We describe how this may be extended to securely set up an interactive session on a remote host, and the additional security issues associated with interactive session management. We propose controlled shell and controlled desktop mechanisms that restrict the user to execute only authorized commands and applications, and controlled user and super-user accounts that customize the shell and desktop using policy files. We also propose a new approach to scoping the security needs of grid systems by defining three generic scenarios: mutual trust, partial trust and mutual distrust. New security issues arise when the user may not be trusted, or the user and the host computers owner are mutually suspicious.