Integrity Measurement Architecture

The Integrity Measurement Architecture is an enhancement of Linux by a TPM-based Linux Security Module that is currently being developed by IBM Research in close collaboration with various product groups and the IBM Linux Technology Center. Its main goal is to generate verifiable, representative information about the software stack running on a Linux system. Remote parties can use this information to determine the integrity of the execution environment. The project consists of three building blocks:

  1. Integrity Measurement Architecture LSM. We instrumented the Linux kernel to trigger a measurement for each executable, library, or kernel module loaded into the run-time before it affects the system. Our measurement consists of computing a SHA1 hash value of the file representing the executable content. We store all measurements since the booting of the system in a kernel-held measurement list. A measure library call allows applications to independently measure sensitive input before consuming it (e.g. configuration or script files). Initial experiments show that this solution accumulates about 400-600 measurements on a Red Hat system running X-windows and Gnome Desktop, and about 400 measurements on a Red Hat system running an Apache web server and Jakarta Tomcat servlet machine. We have compiled some examples:
    • a complete annotated measurement list of an IBM Thinkpad T40 including boot and post-boot measurements.
    • the XML Schema describing the structure of the attestation response.
    • an example attestation Request and Response: The real response will include the measurement values and ordinal numbers only. We have added some more information (status and file name) for demonstration purposes.

  2. TPM-based Attestation. We use a Trusted Platform Module (TPM) to securely maintain an integrity value over the measurement list residing in the kernel. Each new measurement added to the kernel-held measurement list is also extended into a protected hardware Platform Configuration Register (PCR) of a TPM security chip attached to the system. Therefore, this PCR always contains an aggregate of the current measurement list. When retrieved remotely, this aggregate (integrity value) is signed by the TPM hardware. A remote party can then validate the integrity of the measurement list by comparing the signed integrity value with a locally computed aggregate of the measurement list. Thus, a compromised system can manipulate the kernel-held measurement list, but it cannot adjust the TPM-protected aggregate to fit the manipulated list. Cheating systems are therefore recognized when the measurement list is validated against its signed aggregate.

  3. Determination of System Properties. Taking advantage of the validated measurement list to reason about the security properties of a system's runtime is the central point of our current research.
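The validation described in step 2 (TPM-based Attestation), seen from the remote party's side, as an added example that is not code from the IMA project. The function names and sample file contents are constructed for illustration, the PCR is assumed to start at all zeros, and the TPM's signature over the quoted PCR value is assumed to have been verified already.

```python
import hashlib
import hmac

DIGEST_LEN = 20  # SHA-1 output size; the page's measurements are SHA1 hashes

def measure(content: bytes) -> bytes:
    """Measurement of one loaded file: SHA-1 over its content."""
    return hashlib.sha1(content).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: the new PCR value is SHA1(old PCR || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()

def aggregate(measurements) -> bytes:
    """Replay a measurement list, starting from an all-zero PCR."""
    pcr = bytes(DIGEST_LEN)
    for m in measurements:
        if len(m) != DIGEST_LEN:
            raise ValueError("malformed measurement entry")
        pcr = extend(pcr, m)
    return pcr

def validate(reported_list, quoted_pcr: bytes) -> bool:
    """Verifier check: does the reported list reproduce the quoted PCR?
    Assumption: the TPM signature over quoted_pcr was verified beforehand."""
    return hmac.compare_digest(aggregate(reported_list), quoted_pcr)

def tamper_cases() -> dict:
    """Constructed scenario: three loads, then three ways of lying about them."""
    # Constructed stand-ins for file contents; not real binaries.
    loaded = [measure(b"init image"), measure(b"libc image"),
              measure(b"unexpected module image")]
    quoted_pcr = aggregate(loaded)  # what the hardware PCR holds after the loads
    return {
        "honest": validate(loaded, quoted_pcr),
        "entry_hidden": validate(loaded[:2], quoted_pcr),
        "entry_replaced": validate(loaded[:2] + [measure(b"benign image")], quoted_pcr),
        "reordered": validate([loaded[1], loaded[0], loaded[2]], quoted_pcr),
    }

if __name__ == "__main__":
    for case, accepted in tamper_cases().items():
        print(f"{case:15s} list accepted: {accepted}")
```

A list that passes this check is only shown to be the list the TPM saw; deciding whether its entries describe an acceptable system is the separate problem named in step 3.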
Currently, we are experimenting with measuring the information flow on SELinux systems to reason about isolation properties of a system. For this purpose, we modified tcgLinux to run as an LSM kernel module stacked on top of SELinux. We also envision extending our attestation method to integrate virtualization technology and to partition the attestation space of a system using the information flow policies enforced therein.

Here is an overview of our most recent papers related to this project (please request copies by e-mail):

Trent Jaeger, Reiner Sailer, Umesh Shankar. PRIMA: Policy-Reduced Integrity Measurement Architecture. ACM Symposium on Access Control Models and Technologies (SACMAT), California, June, 2006 (accepted for publication).

Reiner Sailer, Xiaolan Zhang, Trent Jaeger, Leendert van Doorn. Design and Implementation of a TCG-based Integrity Measurement Architecture. 13th Usenix Security Symposium, San Diego, California, August, 2004. (Final Paper on Usenix Server, Presentation Slides PDF. This publication constitutes a heavily revised version of IBM Research Report 23064)

Reiner Sailer, Leendert van Doorn, James P. Ward: The Role of TPM in Enterprise Security. Datenschutz und Datensicherheit (DuD), September, 2004. (also IBM Research Report 23363)

Reiner Sailer, Trent Jaeger, Xiaolan Zhang, Leendert van Doorn: Attestation-based Policy Enforcement for Remote Access. 11th ACM Conference on Computer and Communications Security (CCS) 2004, Washington, October, 2004. (Final Paper in ACM Electronic Library. Presentation Slides PDF. This publication constitutes a heavily revised version of IBM Research Report 23205)

The Trusted Computing Group has posted a good overview of the TCG Architecture and TPM, which explains basic functions of the TPM and the idea behind them.






Last updated 23 Jun 2008