A Secure and Reliable Bootstrap Architecture - AEGIS

William A. Arbaugh
David J. Farber
Jonathan M. Smith

Presented by Vytautas Valancius
Claims
• Secure bootstrap will work on commodity hardware
• Failed software will be restored
• Boot process is guaranteed to end up in a secure state

Assumptions
• BIOS is not compromised
• There is a signature for every component in the system
• Every component is able to check its children
• There is connectivity to a trusted network
Secure Boot Process

• Level 0 is trusted
• Level n checks Level n+1
• Level n needs to store hashes for Level n+1
• Level n does not check Level n-1!

[Figure: boot chain, bottom to top: Processor Reset Vector, AEGIS ROM + BIOS, BIOS2, Expansion ROMs, Boot Block, OS; labelled Level 0 through Level 5]
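As an added illustration of the chain on this slide (example code written for this page, not from the AEGIS paper or the talk), the Python simulation below walks the levels bottom-up: each level compares the hash of the next level's image against the hash it stores, restores a bad image from a simulated trusted network, and halts if no trusted copy is available. Level names, images, the recovery store and the `secure_boot` function are all constructed for the demo, and the level-to-component mapping follows the figure only approximately.

```python
"""Simulation of an AEGIS-style chained boot check (added example; not code
from the AEGIS paper or from this talk).

Level n keeps the expected hash of the component at level n+1, hashes that
image before handing over control and, if the hash is wrong, asks a
(simulated) trusted network for a known-good copy.  Nothing ever checks
level 0: that is the trust anchor.  Level names, images and the recovery
store are constructed for the demo.
"""
import hashlib
from dataclasses import dataclass, field

# Bottom-up chain (constructed labels; level 0 is the trusted anchor).
LEVELS = ["AEGIS ROM + BIOS", "BIOS2", "Expansion ROMs", "Boot Block", "OS"]

# Constructed "known-good" images, standing in for vendor-shipped firmware.
KNOWN_GOOD = {name: f"{name} v1".encode() for name in LEVELS}


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


# Level n stores the hash of level n+1 (the slide's "hashes for Level n+1").
EXPECTED = {LEVELS[i]: digest(KNOWN_GOOD[LEVELS[i + 1]])
            for i in range(len(LEVELS) - 1)}


@dataclass
class BootResult:
    executed: list = field(default_factory=list)    # levels that got control
    restored: list = field(default_factory=list)    # replaced from recovery
    undetected: list = field(default_factory=list)  # tampered but never checked
    halted: bool = False                            # stopped before the OS


def secure_boot(images: dict, recovery_store: dict, network_up: bool = True) -> BootResult:
    """Walk the chain from level 0 upward, verifying each next level."""
    result = BootResult()
    images = dict(images)  # work on a copy so restores don't mutate the input

    # Level 0 is trusted by assumption; no one verifies it.  The demo flags
    # a modified level 0 only to show what that assumption hides.
    if images[LEVELS[0]] != KNOWN_GOOD[LEVELS[0]]:
        result.undetected.append(LEVELS[0])
    result.executed.append(LEVELS[0])

    for i in range(len(LEVELS) - 1):
        current, nxt = LEVELS[i], LEVELS[i + 1]
        if digest(images[nxt]) != EXPECTED[current]:
            if not network_up:
                result.halted = True  # no trusted source to restore from
                return result
            images[nxt] = recovery_store[nxt]
            result.restored.append(nxt)
            if digest(images[nxt]) != EXPECTED[current]:
                result.halted = True  # the recovery copy is bad too; stop
                return result
        result.executed.append(nxt)
    return result


if __name__ == "__main__":
    tampered = dict(KNOWN_GOOD)
    tampered["Boot Block"] = b"boot block with a modified MBR"  # constructed
    print("clean:           ", secure_boot(KNOWN_GOOD, KNOWN_GOOD))
    print("tampered, net:   ", secure_boot(tampered, KNOWN_GOOD))
    print("tampered, no net:", secure_boot(tampered, KNOWN_GOOD, network_up=False))
```

The three runs in the `__main__` block correspond to the slide's claims: a clean chain reaches the OS, a modified boot block is restored from the recovery store before it runs, and with no network the machine halts at the last verified level rather than executing unverified code.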
Flaws (or Features?)
• Level n does not check Level n-1
  – User trusts the hardware, but how about the OS?
• Why are asymmetric keys not used?
• How do we manage hashes?
  – How do we make such management secure?
• How do we make network recovery
• Where do we go next?
Trusted Computing Platform
• Explored by Michael a week ago
• PKI has taken a tangible role
• Level n checks Level n-1
• Uses:
  – Sealing, Binding
    • Windows Vista BitLocker, Linux Enforcer
  – Remote Attestation
    • Microsoft Next-Generation Secure Computing
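To make "sealing" concrete, here is an added simulation (not TPM, BitLocker or Enforcer code, and not part of the talk) of measured boot: each component is hashed into a PCR with the extend operation, and a secret is bound to the resulting PCR value so that it can only be unsealed when the same components ran in the same order. The `pcr_extend`, `seal` and `unseal` functions, the storage root key, the component images and the secret are all constructed for this demo; the XOR-with-keystream wrapper stands in for the TPM's real sealing primitive.

```python
"""Simulation of TPM-style measurement, PCR extend and sealing (added example;
not TPM, BitLocker or Enforcer code, and not from this talk).

Each boot component is hashed and folded into a Platform Configuration
Register (PCR) with the extend operation; a secret sealed against the
resulting PCR value can only be unsealed when the same components run in
the same order.  The SRK, component images and secret are constructed.
"""
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 digest length; a TPM 1.2 PCR is a 20-byte SHA-1 value


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """PCR_new = H(PCR_old || H(component)); the order of extends matters."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_chain(components) -> bytes:
    """Measured boot: start from an all-zero PCR and extend with each stage."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def seal(secret: bytes, pcr: bytes, srk: bytes) -> bytes:
    """Bind `secret` to a PCR value under the storage root key `srk`.
    Returns tag || ciphertext.  Demo construction, not the TPM wire format."""
    if len(secret) > PCR_SIZE:
        raise ValueError("demo seals at most 32 bytes")
    keystream = hmac.new(srk, b"seal" + pcr, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, keystream))
    tag = hmac.new(srk, b"tag" + pcr + ciphertext, hashlib.sha256).digest()
    return tag + ciphertext


def unseal(blob: bytes, pcr: bytes, srk: bytes):
    """Return the secret if `pcr` matches the PCR used at seal time, else None."""
    tag, ciphertext = blob[:PCR_SIZE], blob[PCR_SIZE:]
    expected = hmac.new(srk, b"tag" + pcr + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # different boot chain (or different TPM): refuse
    keystream = hmac.new(srk, b"seal" + pcr, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, keystream))


# Constructed boot chain and secret (think of a disk-encryption volume key).
SRK = b"constructed storage root key"
GOOD_CHAIN = [b"bios v1", b"bootloader v1", b"kernel v1"]
VOLUME_KEY = b"constructed volume key"

if __name__ == "__main__":
    blob = seal(VOLUME_KEY, measure_chain(GOOD_CHAIN), SRK)
    print("same chain:    ", unseal(blob, measure_chain(GOOD_CHAIN), SRK))
    changed = GOOD_CHAIN[:-1] + [b"kernel v2"]
    print("changed kernel:", unseal(blob, measure_chain(changed), SRK))
```

The second print shows the property that disk-encryption products rely on: swapping one stage (or reordering stages) changes the PCR, so the sealed key never comes out. Recovery after a legitimate update therefore needs a path that does not depend on the old PCR value.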
         Trusted Computing
• Possible uses:
  – MS Office can encrypt your files
    • So that only trusted software can open them
  – Data sent by you is read only by trusted
    • Or entities that your employer trusts
  – Content can be revoked
    • Injunctions can be easily enforced
  – Sure, movies can be sold securely online
Discussion - TPM
• What are the possible uses of TPM?
• What uses are dangerous, and what can we do about them?
• What should be management interfaces to
• How do we ensure freedom of choice?
Discussion - AEGIS
• Where have the public/private keys gone?
• Can the OS be sure it was booted securely?
• How do we manage hashes?
• How do we know hash management is secure?
• What if software has a bug? Can we exploit it automatically every time we load the system?
• Do you like recovery without user intervention?
