Trusted Hardware

Copy Protection, Trusted Hardware, and More
             Copy Protection
•   What is it?
•   Why do people use it?
•   Anybody here ever used it?
•   Anybody here ever “broken” it?
   Copy Protection Strategies
• Distribution media that can’t be copied
• Program that only installs once
  – Writable Media
  – Activation Codes
• Programs that only work on certain
  – Serial number (processor ID, Ethernet ID,
    hard drive ID, …)
• Programs that report misuse---call home
 Copy protection is about making sure
 software controls aren’t circumvented
• Other kinds of software controls:
  – Disable features:
     • no printing
     • no copy & paste
     • no modification
  – Avoid disabling features:
     • Software that shows advertisements
     • DVD players not skipping through advertisements
  – Prevent Running on unlicensed hardware
• Preventing people from circumventing
  some aspect of your software.
 – License management
 – Content Control
• Technically-defined term under the Digital
  Millennium Copyright Act
         Typical Content Control

    if( !licensed ) {
        puts( "You are not licensed!" );
    }

       Circumvented content control

    /* jump over the check entirely */
    goto next;
    if( !licensed ) {
        puts( "You are not licensed!" );
    }
    next:

    /* or make the test constant-false */
    if( 0 && !licensed ) {
        puts( "You are not licensed!" );
    }

    /* developer's counter-measure: the program compares the bytes of its own
       check against what they should be, and wipes the disk if they were patched */
    check: if( !licensed ) {
               puts( "You are not licensed!" );
           }
    if( mem[check] != "if( !licensed )" ) {
        system( "format c:" );
    }

              Format c: ??
• Don’t make a mistake!
 – Testing is hard.
 – User may be legitimate.
 – (Microsoft Activation)

• Liability problems.
 – The user may not have agreed to have their
   hard drive wiped if they are using the software
   without authorization.
       Alternatives to format

Behave unreliably:

    /* rand() returns an int, so compare against half of RAND_MAX to fail about half the time */
    if( unlicensed && rand() > RAND_MAX / 2 ) return;

Give a subtly wrong result:

    j = (int)cos(pi);    /* quietly yields -1 instead of the expected value */
   Typical developer techniques
• Put tests in multiple places
• Beware optimizers.
• Look at the assembler code that’s
  generated (your adversary will).
       Self-certifying software
• Program could compute

• Difficulties:
  – finding the executable (on some systems)
  – opening the executable (on Windows)
  – Where do you put the “good” md5 value?
Where do you put the md5?

• Put it in the executable.
  – Store the md5 in a known place.
  – Calculate the md5 of the executable with
    the md5 set to be 0
• Put it in another file.
  – Digitally sign the file!
• Put it on a web server.
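The "md5 in the executable" scheme above, as an added example that is not the slides' own code: the image is hashed with its digest slot set to zero at build time, the digest is written into the slot, and at run time the program recomputes the hash the same way and compares. The slot layout (a marker followed by 16 bytes), the stand-in image bytes and the function names are assumptions made for this illustration.

```python
import hashlib
from typing import Tuple

# Hypothetical layout: a marker string followed by a 16-byte slot holding the md5 digest.
MARKER = b"__DIGEST_SLOT__"
SLOT_LEN = 16


def zero_slot(image: bytes) -> Tuple[bytes, int]:
    """Return a copy of the image with the digest slot set to zero, plus the slot's offset."""
    off = image.index(MARKER) + len(MARKER)
    if off + SLOT_LEN > len(image):
        raise ValueError("image too short to hold a digest slot")
    return image[:off] + b"\x00" * SLOT_LEN + image[off + SLOT_LEN:], off


def embed_digest(image: bytes) -> bytes:
    """Build step: hash the image with the slot zeroed, then write that digest into the slot."""
    zeroed, off = zero_slot(image)
    digest = hashlib.md5(zeroed).digest()
    return image[:off] + digest + image[off + SLOT_LEN:]


def self_check(image: bytes) -> bool:
    """Run-time step: recompute the digest the same way and compare it with the stored slot."""
    zeroed, off = zero_slot(image)
    return hashlib.md5(zeroed).digest() == image[off:off + SLOT_LEN]


# Constructed stand-in for an executable: a few code bytes, the marker, an empty slot, more code.
UNSIGNED_IMAGE = b"\x55\x48\x89\xe5" + MARKER + b"\x00" * SLOT_LEN + b"if(!licensed){...}"


def demo() -> Tuple[bool, bool]:
    """Check an intact image, then the same image with one code byte changed."""
    good = embed_digest(UNSIGNED_IMAGE)
    modified = good[:-1] + bytes([good[-1] ^ 0x01])
    return self_check(good), self_check(modified)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because the digest is recomputed from the file itself, this detects accidental or casual modification only: anyone who can edit the image can also recompute and rewrite the slot, which is why the slide's other two options (a digitally signed side file, or a value fetched from a server) move the reference value out of the attacker's reach.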
           Obfuscated programs

    loop:  LW    R4, 0(R3)
           ADDI  R3, R3, #4
           SUBI  R1, R1, #1
    b1:    BEQZ  R4, b2
           ADDI  R2, R2, #1
    b2:    BNEZ  R1, loop

Take this program, point R3 at an array, and use R2 as the final result.
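To see what the slide's six instructions compute without reading them by hand, here is an added interpreter (not part of the slides) that runs the program on a constructed array with R3 pointing at it, R1 holding its length and R2 starting at 0. The MIPS-style meaning of LW/ADDI/SUBI/BEQZ/BNEZ, word-addressed memory at a made-up base address, and the register initialisation are assumptions of this model.

```python
from typing import Dict, List, Tuple

# The slide's program, transcribed as (label, opcode, operands).
PROGRAM: List[Tuple] = [
    ("loop", "LW",   ("R4", 0, "R3")),     # R4 = mem[R3 + 0]
    (None,   "ADDI", ("R3", "R3", 4)),     # R3 += 4 (next word)
    (None,   "SUBI", ("R1", "R1", 1)),     # R1 -= 1 (remaining count)
    ("b1",   "BEQZ", ("R4", "b2")),        # skip the increment if the word is zero
    (None,   "ADDI", ("R2", "R2", 1)),     # R2 += 1
    ("b2",   "BNEZ", ("R1", "loop")),      # loop while words remain
]


def run_obfuscated(array: List[int], max_steps: int = 10_000) -> int:
    """Execute PROGRAM with R3 -> array, R1 = len(array), R2 = 0; return R2 when it falls off the end."""
    if not array:
        raise ValueError("the loop is do-while: it reads one word before testing R1")
    labels = {lab: i for i, (lab, _, _) in enumerate(PROGRAM) if lab}
    base = 0x1000                                   # assumed load address of the array
    mem: Dict[int, int] = {base + 4 * i: v for i, v in enumerate(array)}
    reg = {"R1": len(array), "R2": 0, "R3": base, "R4": 0}
    pc = 0
    for _ in range(max_steps):
        if pc >= len(PROGRAM):
            return reg["R2"]
        _, op, args = PROGRAM[pc]
        if op == "LW":
            rd, offset, rs = args
            reg[rd] = mem[reg[rs] + offset]
        elif op == "ADDI":
            rd, rs, imm = args
            reg[rd] = reg[rs] + imm
        elif op == "SUBI":
            rd, rs, imm = args
            reg[rd] = reg[rs] - imm
        elif op == "BEQZ":
            rs, target = args
            if reg[rs] == 0:
                pc = labels[target]
                continue
        elif op == "BNEZ":
            rs, target = args
            if reg[rs] != 0:
                pc = labels[target]
                continue
        pc += 1
    raise RuntimeError("step limit exceeded")


if __name__ == "__main__":
    print(run_obfuscated([3, 0, 7, 0, 0, 2]))  # 3
```

Running it shows that R2 ends up as the number of non-zero words in the array; the point of the slide is that this is far from obvious from the instruction stream alone, which is exactly what makes a license check written this way harder to locate and patch.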
      License Management

• Hardware License Management: Licensing
  with something you have...
  – Dongle
  – Ethernet address
  – Processor Serial Number
  – Hard drive ID
  – Hardware “fingerprint”
• Or something you know:
  – License strings (AD3F-2243-JJ92-9987-DDDS)

(relies on the user not circumventing your

      Preventing reuse of license

• Tie the license string to a hardware
• Real-time verification to a website.
• Off-line verification and activation.
 – Return something from email or web
 – Program dies if not “registered” in 30 days
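The "tie the license string to a hardware fingerprint" idea from the last two slides, as an added example (not the slides' code): the identifiers the slides list are combined into one fingerprint, the vendor issues a string of the AD3F-2243-... shape that is an HMAC over that fingerprint and an expiry date, and verification recomputes the tag for the machine it runs on. The vendor key, the fingerprint inputs, the 24-character string format and the function names are assumptions for this illustration.

```python
import datetime
import hashlib
import hmac

VENDOR_KEY = b"constructed-vendor-key-not-a-real-secret"  # assumption: known only to the issuer
GROUP_LEN = 4                                              # AD3F-2243-... grouping


def hardware_fingerprint(ethernet_id: str, processor_id: str, disk_id: str) -> str:
    """Combine the identifiers the slides name into one stable 16-hex-digit fingerprint."""
    material = "|".join(s.strip().upper() for s in (ethernet_id, processor_id, disk_id))
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def _tag(fingerprint: str, expires: datetime.date) -> str:
    msg = f"{fingerprint}:{expires.isoformat()}".encode()
    return hmac.new(VENDOR_KEY, msg, hashlib.sha256).hexdigest()[:16].upper()


def issue_license(fingerprint: str, expires: datetime.date) -> str:
    """Vendor side: expiry (8 digits) + tag (16 hex digits), split into groups of four."""
    body = expires.strftime("%Y%m%d") + _tag(fingerprint, expires)
    return "-".join(body[i:i + GROUP_LEN] for i in range(0, len(body), GROUP_LEN))


def verify_license(license_str: str, fingerprint: str, today: datetime.date) -> bool:
    """Verifier side: recompute the tag for this machine's fingerprint and check the expiry."""
    body = license_str.replace("-", "")
    if len(body) != 24:
        return False
    try:
        expires = datetime.datetime.strptime(body[:8], "%Y%m%d").date()
    except ValueError:
        return False
    expected = _tag(fingerprint, expires)
    return hmac.compare_digest(expected, body[8:]) and today <= expires


if __name__ == "__main__":
    # Constructed machine identifiers; nothing here is a real device.
    fp = hardware_fingerprint("00:11:22:33:44:55", "GenuineIntel-0001", "WD-ABC123")
    lic = issue_license(fp, datetime.date(2030, 1, 1))
    print(lic, verify_license(lic, fp, datetime.date(2025, 6, 1)))
```

Where the verifier runs decides how much this buys: on the vendor's activation server (the slides' real-time or off-line activation) the key stays with the vendor and a copied string simply fails for a second machine; inside the client program the key ships with the binary, and the check only raises the bar, which is the "relies on the user not circumventing" point the slides make.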
           Trusted Systems
• The big idea: Don’t depend on ad-hoc
  techniques to protect the system.
• Trusted Software
  – Secure operating systems & applications
  – System protects itself from hostile code &
• Trusted Hardware:
  – System will only work correctly
  – System won’t reveal “secrets”
“Orange Book” Trusted Systems
• DOD 5200.28-STD (December 1985)
• Division D: Minimal Protection
• Division C: Discretionary Protection
   – C1 – Discretionary Security Protection
   – C2 – Controlled Access Protection
• Division B: Mandatory Protection
   – B1 – Labeled Security Protection
   – B2 – Structured Protection
   – B3 – Security Domains
• Division A: Verified Protection
   – A1 – Verified Design
          FIPS 140-1/140-2
• FIPS 140-1: January 11, 1994
• FIPS 140-2: May 25, 2001 (Supersedes 140-1)
• Security Requirements for Cryptographic
• Four Levels
  – Level 1 – Least Secure
  – Level 4 – Most Secure
         FIPS 140-2 Level 1
• Basic security for encryption module.
  – Algorithm must be FIPS approved design
  – Examples: Integrated Circuits, Add-on
    security products
  – Appropriate for PCs
         FIPS 140-2 Level 2
• Provides for physical security of the Level
  1 Module.
  – Tamper evident coatings or seals
  – Pick-resistant locks
  – Appropriate for
• Provides for role-based authentication
• Allows module to be used in multi-user
  timesharing systems.
• C2, B1 and B2 security ratings
        FIPS 140-2 Level 3
• Enhanced physical Security to prevent
  intruder from gaining access to critical
  security parameters held within the
  module (keys)
• Example: System automatically zeros keys
  if door is opened
• B1 level of Security
         FIPS 140-2 Level 4
• “Envelope of protection” around critical
• “Attempts to cut through the enclosure”
  zero the parameters
• Protects against fluctuations of voltage
  and temperature. Must either self-destruct
  or function reliably in temperature
• B2 level of security
               IBM 4758
• Tamper-responding
  hardware design
• Hardware DES, RNG,
  modular math
• Secure code loading
• IBM Common
• FIPS 140-1 Level 4
         Dallas Semiconductor
    Cryptographic iButton (DS1955B)
• Java
• “1-wire” interface
• 6 Kbytes NVRAM
• 64 kbyte ROM firmware
• javacardx.crypto
• Math accelerator performs
  RSA encryption in less than 1
• $34.22 (1)
• $31.78 (1000)
• (release 2.2 w/ 134KB RAM
  and username/password
  software is $53.21)
• Content Control:
   – Pre-mastered DVDs are different than writable
   – Players will only play a writable DVD if it is not
   – Decryption keys embedded in player
• Implements:
   – Region Coding
   – License management
• Cracked in 1999
   – 1 key stolen from PC player by Jon Johansen
   – DeCSS distributed over Internet; MPAA
     successfully forced 2600 to take down links to
   – Later algorithm cracked; other keys revealed
                  Smart Cards
• Different kinds:
   – Memory
   – Crypto
• Applications:
   – Phone cards
   – Satellite Broadcasts
   – PKI
   Attacks against smart cards
• Destructive:
  – Probes with wires
  – Optical probes
• Fault injection
• Differential power analysis

A typical subroutine found in security processors is a loop that
writes the contents of a limited range to the serial port:

    1 b = answer_address
    2 a = answer_length
    3 if (a == 0) goto 8
    4 transmit(*b)
    5 b = b + 1
    6 a = a - 1
    7 goto 3
    8 ...

(From “Tamper Resistance --- A Cautionary Note”, Ross Anderson)
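Why the quoted loop is the textbook fault-injection target, and how it is usually hardened, as an added model that is not from the slides or from Anderson's note: the loop is run against constructed card memory under a fault model in which the conditional branch on line 3 falls through once, and a second version keeps a redundant counter and an address bound so that the same fault aborts instead of extending the transmission. The memory contents, the fault model and the function names are assumptions of this illustration.

```python
from typing import Optional

MEMORY = bytes(range(256))            # constructed card memory; bytes past the answer stand in for secrets
ANSWER_ADDRESS, ANSWER_LENGTH = 16, 8  # the "limited range" the loop is meant to send


def transmit_loop(mem: bytes, address: int, length: int,
                  skip_check_at: Optional[int] = None) -> bytes:
    """Lines 1-8 of the quoted loop. If skip_check_at is set, line 3 is skipped on that
    iteration, modelling a single glitch that turns the branch into a fall-through."""
    out = bytearray()
    b, a = address, length                       # lines 1-2
    iteration = 0
    while b < len(mem):                          # end of memory stands in for the card running dry
        if iteration != skip_check_at and a == 0:  # line 3
            break
        out.append(mem[b])                       # line 4: transmit(*b)
        b += 1                                   # line 5
        a -= 1                                   # line 6
        iteration += 1                           # line 7: goto 3
    return bytes(out)


def hardened_loop(mem: bytes, address: int, length: int,
                  skip_check_at: Optional[int] = None) -> Optional[bytes]:
    """Same loop with a redundant counter and an address bound checked before every transmit,
    so one skipped branch cannot extend the dump: inconsistency aborts (returns None)."""
    out = bytearray()
    b, a = address, length
    sent = 0
    iteration = 0
    while True:
        if iteration != skip_check_at and a == 0:
            break
        # Two independent conditions a single skipped branch cannot satisfy at once:
        # the pointer stays inside the answer window, and the two counters still agree.
        if not (address <= b < address + length) or sent + a != length:
            return None                          # abort; a real card would raise a tamper alarm
        out.append(mem[b])
        b += 1
        a -= 1
        sent += 1
        iteration += 1
    return bytes(out)


if __name__ == "__main__":
    print(len(transmit_loop(MEMORY, ANSWER_ADDRESS, ANSWER_LENGTH)))                   # 8
    print(len(transmit_loop(MEMORY, ANSWER_ADDRESS, ANSWER_LENGTH, skip_check_at=8)))  # 240
    print(hardened_loop(MEMORY, ANSWER_ADDRESS, ANSWER_LENGTH, skip_check_at=8))       # None
```

The unprotected loop has a single point of failure: once `a` passes zero it never equals zero again, so skipping line 3 once turns an 8-byte answer into a dump of everything that follows. The hardened variant does not try to prevent the glitch; it arranges that the state after a glitch is detectably inconsistent before the next byte leaves the chip, which is the pattern (redundant counters, bounds checks, abort on mismatch) that security processors adopted in response.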
      Trusted PC Computing:
  Palladium/NGSCB; TCPA/TCG
• Why?
  – Increase consumer and business confidence
  – Reduce business risks
  – Protect end-user data
  – Founded in 1999 by Compaq, HP, IBM, Intel,
    and Microsoft
  – 180 members now
           TCPA Concepts
• “A platform can be trusted if it behaves in
  the expected manner for the intended
• TCPA Provides:
  – Platform Authentication and Attestation
  – Platform Integrity Reporting
  – Protected Storage
                 “Root of Trust”
• Platform provides a “root of trust”
• Platform’s root is certified by an outside party
• Root is able to keep secrets from untrusted

• Implemented with a “Trusted Platform Module”
   –   Uniquely serialized
   –   Isolated from the CPU
   –   tamper-proof, like a smartcard inside the computer
   –   Runs at boot before the rest of the system
  What would the TPM be like?
• You might never know it’s there…
• Hard disk encryption (with keys in
  protected storage)
• License management that can’t be
• Anti-virus that can’t be circumvented
  (won’t boot an infected OS)
• Reverse approach --- adds security to an
  existing Windows-based system
• Goal is to “protect software from software”
• Provides:
  – Sealed storage
  – Attestation
  – Curtained memory
  – Secure input and output
         NGSCB Concepts
• Standard environment: User vs. Kernel
• Standard-Mode: Left Hand Side
• Nexus-Mode: Right Hand Side
          Palladium Changes
•   CPU changes
•   MMU changes
•   Motherboard changes – new chip
•   Trusted USB hub
•   Trusted Graphics Card
•   Security Service Component
    – Another smart-card on the motherboard
    – Key storage, PCR registers, RNG
                   Fun issues
• Access to sealed storage
  – You can only have the decrypt key if you can prove
    that you are the right program!
  – Prevents viruses from getting your credit card
• Software upgrade
  – Older version must explicitly trust the next version
• Secure input/output
  – How do you really get this to work?
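The root-of-trust, attestation and sealed-storage ideas from the TCPA and NGSCB slides, together with the "access to sealed storage" and "software upgrade" issues just listed, as one added model (not from the slides or from any TPM specification): a platform configuration register starts at zero and is extended with a hash of each component that boots, a secret is sealed under the register value a correct boot produces, and it is only released when the measured value matches. A software upgrade is handled by the running version unsealing and re-sealing for the next version's measurement. The storage root key, the component contents, the seal format (a hash-derived keystream plus an HMAC tag, chosen so that a wrong register value cannot even check the tag) and all names are assumptions of this illustration.

```python
import hashlib
import hmac
from typing import List, Optional

STORAGE_ROOT_KEY = b"constructed-srk-that-never-leaves-the-module"  # assumption: held inside the TPM


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = H(old || H(component)). Order matters and a value cannot be rolled back."""
    return sha256(pcr + sha256(component))


def measure_boot(components: List[bytes]) -> bytes:
    """Run the measured boot chain (firmware, loader, OS, application, ...) into one PCR value."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def _seal_key(pcr: bytes) -> bytes:
    # The key depends on both the module's root secret and the expected platform state.
    return hmac.new(STORAGE_ROOT_KEY, pcr, hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += sha256(key + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(out[:n])


def seal(secret: bytes, expected_pcr: bytes) -> bytes:
    """Encrypt the secret under a key tied to the expected PCR and append an integrity tag."""
    key = _seal_key(expected_pcr)
    ct = bytes(x ^ y for x, y in zip(secret, _keystream(key, len(secret))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def unseal(blob: bytes, current_pcr: bytes) -> Optional[bytes]:
    """Release the secret only if the currently measured PCR matches the one it was sealed to."""
    key = _seal_key(current_pcr)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None                              # different software stack: the key stays inside
    return bytes(x ^ y for x, y in zip(ct, _keystream(key, len(ct))))


def upgrade_reseal(blob: bytes, running_chain: List[bytes], next_chain: List[bytes]) -> Optional[bytes]:
    """Software upgrade: the trusted running version unseals and re-seals for the next version.
    If the old version refuses to do this, the new version simply cannot get at the secret."""
    secret = unseal(blob, measure_boot(running_chain))
    if secret is None:
        return None
    return seal(secret, measure_boot(next_chain))


# Constructed boot chains; the byte strings stand in for the code of each component.
GOOD_CHAIN = [b"firmware", b"boot-loader", b"os-1.0", b"app-1.0"]
INFECTED_CHAIN = [b"firmware", b"boot-loader", b"os-1.0-with-rootkit", b"app-1.0"]
UPGRADED_CHAIN = [b"firmware", b"boot-loader", b"os-1.0", b"app-2.0"]

if __name__ == "__main__":
    blob = seal(b"disk-encryption-key", measure_boot(GOOD_CHAIN))
    print(unseal(blob, measure_boot(GOOD_CHAIN)))      # b'disk-encryption-key'
    print(unseal(blob, measure_boot(INFECTED_CHAIN)))  # None
```

This is the mechanism behind "you can only have the decrypt key if you can prove you are the right program" and "won't boot an infected OS": the proof is the chain of measurements, and a changed component anywhere in the chain, including one loaded before the program asking, changes the register and therefore the key. It also shows why upgrades are awkward: the new version's measurement is by construction different, so someone the module already trusts, here the running version, has to re-seal for it.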