

# @ Oakland 2009











ver 2.1 portions © by TCG, Nokia, Infineon, Intel, IBM , Srini Devadas, Wikimedia Commons, and others

### **Feynman Moment**



"I have much experience only in teaching graduate students [...] and as a result [...] I know that I don't know how to teach."

so: please interrupt and engage

© Copyright California Institute of Technology. All rights reserved. Commercial use or modification of this material is prohibited.

## Trust ?!?!

## "behave in the expected manner for the intended purpose"



### **Usually the Monkey Gets You**

Intro to Trusted Hardware



@ Oakland 2009

Stony Brook Network Security and Applied Cryptography Laboratory

May 23, 2009

## Why Hardware ?

Intro to Trusted Hardware



#### By nature, software *lives* in the Matrix but ...



... hardware *makes up* the Matrix.

May 23, 2009

5



#### Baseline. Pentium 4. 3.6GHz. 1GB RAM. 11000 MIPS. OpenSSL 0.9.7f

DES/CBC: **70MB/sec** RC4: **138MB/sec** MD5: **18-615MB/sec** SHA1: **18-340MB/sec**  Modular MUL 1024: **273000/sec** RSA1024 Sign: **261/sec** RSA1024 Verify: **5324/sec** 3DES: **26MB/sec** 

May 23, 2009

## Now we have Physical Threats

#### Invasive

direct access to components damaging vs. non-damaging

#### Semi-Invasive

no electrical contact

#### **Local Non-Invasive**

close observation of device's operation (consider also knowledge of attacker)

#### Remote

@ Oakland 2009

observation of device's normal i/o





Intro to Trusted Hardware

#### Usual software suspects External I/O Interface Drivers Internal OS Application Bugs



@ Oakland 2009

Stony Brook Network Security and Applied Cryptography Laboratory

May 23, 2009

#### Hundreds

Common Criteria (ISO/IEC 15408)

Federal Information Protection standards (FIPS)

Trusted Computing Group (TCG)



## **Evaluation Assurance Levels (EAL)**

Intro to Trusted Hardware

#### EAL1: Functionally Tested

EAL1 is applicable where some confidence in correct operation is required, but the threats to security are not viewed as serious.

#### **EAL2: Structurally Tested**

Requires the cooperation of the developer in terms of the delivery of design information and test results.

#### EAL3: Methodically Tested and Checked

Maximum assurance from positive security engineering at the design stage without substantial alteration of existing sound development practices.

#### EAL4: Methodically Designed, Tested and Reviewed

Maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources (Suse ES 10, RedHat 5, costs \$2+ mil.)

#### **EAL5: Semi-formally Designed and Tested**

Maximum assurance from security engineering based upon rigorous commercial development practices supported by moderate application of specialist security engineering (Smart cards, IBM z/OS).

#### EAL6: Semi-formally Verified Designed and Tested

Applicable to the development of security for application in high risk situations.

#### **EAL7: Formally Verified Design and Tested**

EAL7 is applicable to the development of security for application in extremely high risk situations. Practical application of EAL7 is currently limited to tightly focused security functionality that is amenable to extensive formal analysis. (a single device so far, smart cards?)

## **FIPS 140-2 Security Levels**

|                                                 | Security Level 1                                                                                                                                                                                                                                          | Security Level 2                                                                                               | Security Level 3                                                                                                                     | Security Level 4                                                                               |  |  |  |
|-------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|--|--|--|
| Cryptographic<br>Module<br>Specification        | Specification of cryptographic module, cryptographic boundary, Approved algorithms, and Approved modes of operation. Description of cryptographic module, including all hardware, software, and firmware components. Statement of module security policy. |                                                                                                                |                                                                                                                                      |                                                                                                |  |  |  |
| Cryptographic<br>Module Ports<br>and Interfaces | Required and optional interfaces. Specification of all interfaces<br>and of all input and output data paths.                                                                                                                                              |                                                                                                                | Data ports for unprotected critical security parameters logically<br>separated from other data ports.                                |                                                                                                |  |  |  |
| Roles, Services,<br>and<br>Authentication       | Logical separation of required<br>and optional roles and services.                                                                                                                                                                                        | Role-based or identity-based operator authentication.                                                          | Identity-based operator authentication.                                                                                              |                                                                                                |  |  |  |
| Finite State<br>Model                           | Specification of finite state model. Required states and optional states. State transition diagram and specification of state transitions.                                                                                                                |                                                                                                                |                                                                                                                                      |                                                                                                |  |  |  |
| Physical<br>Security                            | Production grade equipment.                                                                                                                                                                                                                               | Locks or tamper evidence.                                                                                      | Tamper detection and response<br>for covers and doors.                                                                               | Tamper detection and response<br>envelope. EFP or EFT.                                         |  |  |  |
| Operational<br>Environment                      | Single operator. Executable code. Approved integrity technique.                                                                                                                                                                                           | Referenced PPs evaluated at<br>EAL2 with specified<br>discretionary access control<br>mechanisms and auditing. | Referenced PPs plus trusted<br>path evaluated at EAL3 plus<br>security policy modeling.                                              | Referenced PPs plus trusted path<br>evaluated at EAL4.                                         |  |  |  |
| Cryptographic<br>Key<br>Management              | Key management mechanisms: random number and key generation, key establishment, key distribution, key entry/output, key storage, and key zeroization.                                                                                                     |                                                                                                                |                                                                                                                                      |                                                                                                |  |  |  |
|                                                 | Secret and private keys established using manual methods may be<br>entered or output in plaintext form.                                                                                                                                                   |                                                                                                                | Secret and private keys established using manual methods shall be<br>entered or output encrypted or with split knowledge procedures. |                                                                                                |  |  |  |
| EMI/EMC                                         | 47 CFR FCC Part 15. Subpart B, Class A (Business use).<br>Applicable FCC requirements (for radio).<br>47 CFR FCC Part 15. Subpart B, Class B (Home use).                                                                                                  |                                                                                                                |                                                                                                                                      | Class B (Home use).                                                                            |  |  |  |
| Self-Tests                                      | Power-up tests: cryptographic algorithm tests, software/firmware integrity tests, critical functions tests. Conditional tests.                                                                                                                            |                                                                                                                |                                                                                                                                      |                                                                                                |  |  |  |
| Design<br>Assurance                             | Configuration management<br>(CM). Secure installation and<br>generation. Design and policy<br>correspondence. Guidance<br>documents.                                                                                                                      | CM system. Secure<br>distribution. Functional<br>specification.                                                | High-level language<br>implementation.                                                                                               | Formal model. Detailed<br>explanations (informal proofs).<br>Preconditions and postconditions. |  |  |  |
| Mitigation of<br>Other Attacks                  | Specification of mitigation of attacks for which no testable requirements are currently available.                                                                                                                                                        |                                                                                                                |                                                                                                                                      |                                                                                                |  |  |  |

May 23, 2009 11

## **FIPS 140-2 Physical Requirements**

Intro to Trusted Hardware

|                     | General Requirements<br>for all Embodiments                                                                                                    | Single-Chip<br>Cryptographic Modules                                                                                 | Multiple-Chip Embedded<br>Cryptographic Modules                                                                                                                       | Multiple-Chip Standalone<br>Cryptographic Modules                                                                                                                             |
|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Security<br>Level 1 | Production-grade components (with standard passivation).                                                                                       | No additional requirements.                                                                                          | If applicable, production-grade enclosure or removable cover.                                                                                                         | Production-grade enclosure.                                                                                                                                                   |
| Security<br>Level 2 | Evidence of tampering (e.g.,<br>cover, enclosure, or seal).                                                                                    | Opaque tamper-evident coating<br>on chip or enclosure.                                                               | Opaque tamper-evident<br>encapsulating material or<br>enclosure with tamper-evident<br>seals or pick-resistant locks for<br>doors or removable covers.                | Opaque enclosure with tamper-<br>evident seals or pick-resistant<br>locks for doors or removable<br>covers.                                                                   |
| Security<br>Level 3 | Automatic zeroization when<br>accessing the maintenance<br>access interface. Tamper<br>response and zeroization<br>circuitry. Protected vents. | Hard opaque tamper-evident<br>coating on chip or strong<br>removal-resistant and<br>penetration resistant enclosure. | Hard opaque potting material<br>encapsulation of multiple chip<br>circuitry embodiment or<br>applicable Multiple-Chip<br>Standalone Security Level 3<br>requirements. | Hard opaque potting material<br>encapsulation of multiple chip<br>circuitry embodiment or strong<br>enclosure with<br>removal/penetration attempts<br>causing serious damage. |
| Security<br>Level 4 | EFP or EFT for temperature and voltage.                                                                                                        | Hard opaque removal-resistant<br>coating on chip.                                                                    | Tamper detection envelope with<br>tamper response and zeroization<br>circuitry.                                                                                       | Tamper detection/ response<br>envelope with tamper response<br>and zeroization circuitry.                                                                                     |



"The cryptographic module components shall be covered by potting material or contained within an enclosure encapsulated by a tamper detection envelope (e.g., a flexible mylar printed circuit with a serpentine geometric pattern of conductors or a wire-wound package or a non-flexible, brittle circuit or a strong enclosure) that shall detect tampering by means such as cutting, drilling, milling, grinding, or dissolving of the potting material or enclosure to an extent sufficient for accessing plaintext secret and private keys cryptographic keys ..."

May 23, 2009 13

#### Stony Brook Network Security and Applied Cryptography Laboratory

boratory May 23, 2009

009 14

### Instances

@ Oakland 2009

- Encryption disks
- USB tokens
- RSA SecurID
- TPMs
- Smart Cards
- Secure Co-processors
- CPU-level techniques
- PUFs
- misc others



Intro to Trusted Hardware

## **Full Disk Encryption**



Intro to Trusted Hardware

- Key Management: internal
- Authentication: mostly external (BIOS, or app)
  - Pre-boot authentication
  - "hashed passwords" on drive
  - emergency password recovery file outside
  - multiple users
- Encryption
  - On-board AES <3% overhead / traditional drive
  - "disk erase" = change encryption keys
- **On Chipset:** Intel vPro chipsets might add encryption in the south bridge (PCI/IDE/..., not until 2010)

#### **USB Storage**

Carry secrets on USB token, often un-locked with a password. Allows for 2-factor authentication.



### **RSA SecurID**

Intro to Trusted Hardware



### **Trusted Platform Module (TPM)**



Stony Brook Network Security and Applied Cryptography Laboratory



#### Can the Trusted Platform Module control what software runs?

No. [... it ] can only act as a 'slave' to higher level services and applications by storing and reporting pre-runtime configuration information. [...] At no time can the TCG building blocks 'control' the system or report the status of [running] applications.

#### **Idea: authenticate next link in chain before passing control.** e.g., BIOS to OS, VMM to VM to Guest OS



"measure" = authenticate identity

#### **Measurement**

Intro to Trusted Hardware







"AIK" = attestation identity key (2048 bit RSA generated by TPM)

### **Dynamic vs. static PCRs**

Static PCRs: 0-16 Reset by reboot only

Dynamic PCRs: 17-23

Can be reset to 0 without reboot Reboot sets them to 1 (can remotely distinguish reboot from dynamic reset)

#### **Special PCR 17**

Only hardware CPU command can reset it. SKINIT instruction can trigger that. Software cannot reset PCR 17



May 23, 2009 24

## **Attacking the TPM**

Intro to Trusted Hardware

#### **TPM Reset Attack**

Sean Smith et al., www.cs.dartmouth.edu/~pkilab/sparks/

also

Bernhard Kauer, "OSLO: Improving the security of Trusted Computing", USENIX Security 2007



May 23, 2009 25

## **Programming the TPM**

Intro to Trusted Hardware

26



#### **Trusted Software Stack (TSS) Libraries** Use Windows TSS dll Linux TSS SDK

#### **Developer Support and Software**

http://www.trustedcomputinggroup.org/developers/

## **eXecute Only Memory (XOM)**



Intro to Trusted Hardware

Lie, Thekkath, M. Mitchell, Lincoln, Boneh, J. Mitchell, Horowitz, "Architectural support for copy and tamper resistant software", ASPLOS 2000.

### **Smart Cards/Chips**

Intro to Trusted Hardware



**Contact smart card** 



**RFID smart card** 

**Functionality** DES, RSA(?), MD5, SHA-1, 4-16kb ROM/RAM, soon 1MB (!), 16bit 10-30MHz CPU, 10-80kbps (source: Sharp)

| @ | Oak | land | 2009 |  |
|---|-----|------|------|--|

May 23, 2009 28

## Architecture

Intro to Trusted Hardware



@ Oakland 2009

Stony Brook Network Security and Applied Cryptography Laboratory

May 23, 2009 29

### **Power Analysis**

Intro to Trusted Hardware



#### **US Passport**

Made by Smartrac (Netherlands) and shipped to the US from Europe via Thailand. In 2007 China allegedly stole the RFID chip.

**RFID** 



Stony Brook Network Security and Applied Cryptography Laboratory





@ Oakland 2009

Stony Brook Network Security and Applied Cryptography Laboratory May 23, 2009







Figure 1: (a) Source image of layer 2 after edge detection; (b) after automated template detection.

[Nohl, Starbug, Plötz, and Evans, "Reverse-Engineering a Cryptographic RFID Tag", USENIX Security 2008] [Garcia, van Rossum, Verdult, Schreur, Wirelessly Pickpocketing a Mifare Classic Card, Oakland 2009]







Figure 2: Crypto-1 stream cipher and initialization.

## **Smart Card: Windows login**

Intro to Trusted Hardware



## **Cell Broadband Engine**



Intro to Trusted Hardware



#### Apps: PS3, Xbox 360, IBM BladeCenter, HPC, Video cards etc.

Stony Brook Network Security and Applied Cryptography Laboratory May 23, 2009 36

## Cell BE: Secure Processing Vault

Idea: isolate application.

#### Isolated SPE

- Disengaged from the bus
- SPE LS contains app code + data
- PPE-SPE control mechanisms are disabled
- Only external action possible is cancel: all information in the LS and SPE is erased before external access is re-enabled.
- All LS reads and writes from units on the bus (PPE, SPEs, I/O) have no effect on the locked-up region of the LS.
- Dedicated area of the LS is left open to data transfers.
- Any number of SPEs can be in isolation mode at any given time.



### **Cell BE: Runtime Secure Boot**

38

#### Idea: verify application. Cool: hardware auth.



- 1. Isolation mode is initiated.
- Previous application is stopped and cancelled.
- Application is fetched in and checked by the hardware authenticator
  - based on a hardware key and cryptographic algorithm
- Integrity check fails; execution stopped
  - Application was tampered
- Check succeeds; will kick-start the application's execution in isolation mode.

### **ARM TrustZone**

Intro to Trusted Hardware

**ARM TrustZone:** "allows the system to be more easily partitioned for security while maintaining hardware-backed Monitor protection for the security sub-system." Privileged Secure Non-secure (OS)Privileged Privileged TrustZone adds a "parallel world" to allow trusted programs and data to be safely separated from the User Secure Non-secure operating system and applications (apps) User User Secure Non-secure domain domain

### **TrustZone:** Partitioning



@ Oakland 2009

Stony Brook Network Security and Applied Cryptography Laboratory M

### **TrustZone: Writing Apps**

Intro to Trusted Hardware



@ Oakland 2009

Stony Brook Network Security and Applied Cryptography Laboratory May 23, 2009

### Nokia ObC

Intro to Trusted Hardware

42



### **Texas Instruments M-shield**

Intro to Trusted Hardware



**Secure State Machine** "guarantees policies while entering / executing / exiting secure environment", automatic **secured DMA** transfers (bus-level encryption ?), **secure chip interconnect**, **hardware crypto**, **ARM TrustZone** 

# SKINIT (AMD)/SENTER (Intel)

#### kernel says

"SKINIT <address of SLB>"

#### CPU

disables DMA to SLB, interrupts, debugging resets PCR 17-23 transfers SLB to TPM enters flat 32-bit addressing jumps to entry point

#### TPM

measures SLB into PCR 17



May 23, 2009 44

Intro to Trusted Hardware

## Flicker: using SKINIT (AMD)



**Left:** a traditional computer with an application that executes sensitive code (S). **Right:** Flicker protects the execution of the sensitive code. Shaded portions represent components that must be trusted; applications are included on the left because many run with super-user privileges.

[McCune et al., "Flicker: An Execution Infrastructure for TCB Minimization", EuroSys 2008]



Intro to Trusted Hardware

46



SLB core extends a well known value (function of input/output values of PAL + random nonce from remote party) in PCR 17: allow remote party to distinguish between values generated by the PAL (trusted) and those produced by the resumed OS (untrusted)

### Intel Q35: Trusted Execution (TXT)



Intro to Trusted Hardware



@ Oakland 2009

### **Intel Q45 express chipset**

Intro to Trusted Hardware

-

(intel) Q45

-



48 May 23, 2009

### **Acalis CPU 872 Secure Processor**





Intro to Trusted Hardware

Secure boot Encrypt/decrypt Secure interconnect Hardware firewall Triggered zeroization signal Unique serial code

More? Ryan?

@ Oakland 2009

50



### **CPU872: "Secure Mobile Comp.E."**

Intro to Trusted Hardware



@ Oakland 2009

Stony Brook Network Security and Applied Cryptography Laboratory May 23, 2009

23, 2009 **51** 



Intro to Trusted Hardware

52

"A secure coprocessor is a <u>general-purpose</u> computing environment that withstands <u>physical</u> and <u>logical</u> attacks.

The device must run the programs that it is supposed to, unmolested. You must be able to (remotely) *distinguish between the real device and application, and a clever impersonator*.

The coprocessor must remain secure even if adversaries carry out destructive analysis of one or more devices. "

#### Intro to Trusted Hardware

### **Dyad and Strongbox**



J. D. Tygar, Bennet S. Yee, "Strongbox: A System for Self-Securing Programs", 1991

Bennet S. Yee, "Using secure coprocessors", PhD thesis, CMU, May 1994 (with Doug)

### **Trust Chain**

Intro to Trusted Hardware



@ Oakland 2009

Stony Brook Network Security and Applied Cryptography Laboratory May 23

### **SCPU: IBM 4764-001 PCI-X**

Intro to Trusted Hardware



266MHz PowerPC. 64MB RAM. 64KB battery-backed SRAM storage. Crypto hardware engines: AES256, DES, TDES, DSS, SHA-1, MD5, RSA. FIPS 140-2 Level 4 certified.

### **IBM 4764-001 Architecture**



@ Oakland 2009

Stony Brook Network Security and Applied Cryptography Laboratory May 23, 2009

### **IBM 4764-001 Segments**

| Segment | Description                                                                                                                                                                                                                                                                                                             |  |  |  |
|---------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|--|
| 0       | Basic code                                                                                                                                                                                                                                                                                                              |  |  |  |
|         | The basic code manages coprocessor initialization and the hardware<br>component interfaces. This code cannot be changed after the<br>coprocessor leaves the factory.                                                                                                                                                    |  |  |  |
| 1       | Software administration and cryptographic routines                                                                                                                                                                                                                                                                      |  |  |  |
|         | <ul> <li>Software in this segment:</li> <li>Administers the replacement of software already loaded to<br/>Segment 1.</li> </ul>                                                                                                                                                                                         |  |  |  |
|         | <ul> <li>Administers the loading of data and software to segments 2 and 3.</li> <li>Is loaded at the factory, but can be replaced using the CLU utility.</li> </ul>                                                                                                                                                     |  |  |  |
| 2       | Embedded operating system                                                                                                                                                                                                                                                                                               |  |  |  |
|         | The coprocessor Support Program includes the operating system; the operating system supports applications loaded into Segment 3. Segment 2 is empty when the coprocessor is shipped from the factory.                                                                                                                   |  |  |  |
| 3       | Application software                                                                                                                                                                                                                                                                                                    |  |  |  |
|         | The coprocessor Support Program includes a CCA application<br>program that can be installed into Segment 3. The application<br>functions according to the IBM CCA and performs access control, key<br>management, and cryptographic operations. Segment 3 is empty<br>when the coprocessor is shipped from the factory. |  |  |  |

### Performance

Intro to Trusted Hardware

58

| Function   | Context                             | IBM 4764                                   | P4 @ 3.4Ghz                                                    |
|------------|-------------------------------------|--------------------------------------------|----------------------------------------------------------------|
| RSA sig.   | 512 bits<br>1024 bits<br>2048 bits  | 4200/s (est.)<br>848/s<br>316-470/s        | 1315/s<br>261/s                                                |
| RSA verif. | 512 bits<br>1024 bits<br>2048 bits  | 6200/s (est.)<br>1157-1242/s<br>976-1087/s | 43/s<br>16000/s<br>5324/s<br>1613/s<br><b>Observed: 43MB/s</b> |
| SHA-1      | 1KB blk.<br>64 KB blk.<br>1 MB blk. | 1.42 MB/s<br>18.6 MB/s<br>21-24 MB/s       | 80 MB/s<br>120+ MB/s                                           |
| DMA xfer   | end-to-end                          | 75-90 MB/s                                 | 1+ GB/s                                                        |
| CPU freq   |                                     | $266 \mathrm{MHz}$                         | $3400 \mathrm{Mhz}$                                            |
| RAM        |                                     | 16-32MB                                    | 2-4GB                                                          |

Table 3: Hardware Performance Overview. SCPUs (e.g., IBM 4764-001 PCI-X) are orders of magnitude slower for general purpose computation than main CPUs (Pentium 4, 3.4Ghz, OpenSSL 0.9.7f). On the other hand, the crypto acceleration in the SCPU shows in direct speedup of crypto operations. Also optimized key setups might result in slightly different numbers for the main CPU.

### **Limitation: Heat**

Intro to Trusted Hardware



### Dissipating heat while being tamper-proof.

@ Oakland 2009







Intro to Trusted Hardware

#### **Possible Attacks**

Probe Penetration Power Sequencing (filter on power supply) Radiation Temperature Manipulation Improper battery removal

**Response** (on tamper detection) Zeroes its critical keys Destroys its certificates Is rendered inoperable



### 4764: Ranges

Intro to Trusted Hardware

|                    | Operating environment                 | Storage environment | Shipping environment                 |
|--------------------|---------------------------------------|---------------------|--------------------------------------|
| Temperature        | +10° C - +40° C<br>(+50° F - +104° F) |                     | -15° C - +60° C<br>(+5° F - +140° F) |
| Relative humidity  | 8 - 80%                               | 5 - 80%             | 5 - 100%                             |
| Wet bulb           | +27° C (+80.6° F)                     | +29° C (+84.2° F)   | +29° C (+84.2° F)                    |
| Pressure (minimum) | 768 mbar                              | 700 mbar            | 550 mbar                             |



@ Oakland 2009

Stony Brook Network Security and Applied Cryptography Laboratory

### **Think Break**

Intro to Trusted Hardware

relationship between
"tamper-evident",
"tamper-resistant",
"tamper-proof" etc.



### Miscellaneous "SCPU"s



### netHSM

Networked shareable cryptographic resource for multiple servers. Just crypto, no tamperXXX CPU.



### **nShield** FIPS 140-2 level 2/3 TPM/SCPU



#### **miniHSM** FIPS 140-2 level 3 mini SCPU

## **Physically Unclonable Function**

Intro to Trusted Hardware

Based on a physical system Easy to evaluate (using the physical system) Its output looks like a random function Unpredictable even for an attacker with physical access



Challenge Combinatorial Circuit

Silicon PUF: no two ICs are the same

### **PUFs as Unclonable Keys**

Intro to Trusted Hardware

65



### **Anonymous Computation**

Run computations remotely and ensure correct results. Return a certificate showing they were run correctly.

### **Software Licensing**

Sell software which only runs on specific PUF-identified chip.



May 23, 2009

66

@ Oakland 2009

Stony Brook Network Security and Applied Cryptography Laboratory

Intro to Trusted Hardware

### Finance

Online banking, ATMS

### Commerce

Energy, Smart-grid, Healthcare

### Government

**Regulatory compliance** 

## Military

Secure battle-field devices



### Server-side SCPU

Intro to Trusted Hardware



A secure co-processor on the data management side may allow for significant leaps in expressivity for queries where privacy and completeness assurance are important.

69

### Regulatory Compliance Systems Relational data processing Oblivious Data Access ("practical PIR") Chip-secured data access Secure Data Storage

### **Regulatory Compliance**



### **Chip-Secured Data Access**

71

[Bouganim, VLDB 2002]



Smartcard: 32 bit RISC processor ( $\approx$  40Mips), limited communication bandwidth (10 to100 Kbps), tiny RAM, writes in EEPROM very costly.

### **Secure Data Outsourcing**

72







### Understand your adversary

e..g., physical, insider vs. software-only, remote

## Understand defenses and cost of attack

\$10<sup>1</sup> of overcoming defenses should not protect \$10<sup>6</sup>



## /bin/yes > /dev/null

Intro to Trusted Hardware



@ Oakland 2009

Stony Brook Network Security and Applied Cryptography Laboratory





### some rare references

G. Edward Suh, Dwaine Clarke, Blaise Gassend, Marten van Dijk, and Srinivas Devadas. The aegis processor architecture for tamper-evident and tamper-resistant processing. Technical Report LCS-TM-460, MIT Laboratory for Computer Science, February 2003.

Benjie Chen and Robert Morris. Certifying program execution with secure processors. In HOTOS'03: Proceedings of the 9th conference on Hot Topics in Operating Systems, pages 23–23, Berkeley, CA, USA, 2003. USENIX Association.

David Lie, Chandramohan Thekkath, Mark Mitchell, Patrick Lincoln, Dan Boneh, John Mitchell, and Mark Horowitz. Architectural support for copy and tamper resistant software. In Proceedings of the 9<sup>th</sup> International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS-IX), pages 168–177, November 2000.

Bouganim L., Pucheral P., "Chip-Secured Data Access: Confidential Data on Untrusted Servers", Int. Conf. on Very Large Data Bases VLDB 2002.

Ernesto Damiani, S.De Capitani di Vimercati, Sushil Jajodia, Stefano Paraboschi, Pierangela Samarati, "Balancing Confidentiality and Efficiency in Untrusted Relation DBMS", ACM CCS 2003

E. Mykletun and G. Tsudik, On using Secure Hardware in Outsourced Databases, International Workshop on Innovative Architecture for Future Generation High Performance Processors and Systems IWIA 2005.

IBM 4764 PCI-X Cryptographic Coprocessor (PCIXCC). Online at http://www-03.ibm.com/security/cryptocards/pcixcc/overview.shtml.

B. Bhattacharjee, N. Abe, K. Goldman, B. Zadrozny, V. Reddy, M. del Carpio, C. Apte, "Using secure coprocessors for privacy preserving collaborative data mining and analysis", Second ACM International Workshop on Data Management On New Hardware (DAMON) 2006

Kenneth Goldman, Enriquillo Valdez: "Matchbox: Secure Data Sharing", IEEE Internet Computing 2004

"Practical server privacy with secure coprocessors", IBM Systems Journal 2001, S. W. Smith, D. Safford

J. Marchesini, S.W. Smith, "SHEMP: Secure Hardware Enhanced MyProxy", Technical Report TR2005-532, Department of Computer Science, Dartmouth College, February 2005.

A. Iliev, S.W. Smith, "Protecting Client Privacy with Trusted Computing at the Server", IEEE Security and Privacy, March/April 2005

A. Iliev, S.W. Smith, "Private Information Storage with Logarithmic-space Secure Hardware.", 3rd Working Conference on Privacy and Anonymity in Networked and Distributed Systems.

A. Iliev, S.W. Smith, "Prototyping an Armored Data Vault: Rights Management on Big Brother's Computer.", Privacy-Enhancing Technology 2002

E. Mykletun and G. Tsudik, "On using Secure Hardware in Outsourced Databases", International Workshop on Innovative Architecture for Future Generation High-Performance Processors and Systems, January 2005

Maheshwari, Vingralek, and Shapiro, How to build a trusted database system on untrusted storage, OSDI 2000

S. White, S. Weingart, W. Arnold, and E. Palmer. Introduction to the Citadel architecture: security in physically exposed environments. Technical Report RC16672, IBM Thomas J. Watson Research Center, March 1991.

B. Yee. Using secure coprocessors. PhD thesis, Carnegie Mellon University, May 1994.

S. Weingart. Physical security for the uABYSS system. In Proceedings of the IEEE Computer Society Conference on Security and Privacy, pages 38–51, 1987.

B. Gassend, D. Clarke, M. Van Dijk, and S. Devadas. Controlled physical random functions. In Proceedings of the 18th Annual Computer Security Applications Conference, December 2002.

Karsten Nohl, Starbug, Henryk Plötz, and David Evans. Reverse-Engineering a Cryptographic RFID Tag. USENIX Security. August 2008.

@ Oakland 2009

Stony Brook Network Security and Applied Cryptography Laboratory May 23,