1、Trusted Computing for the GRID,Dirk Kuhlmann Trusted Systems Lab, HPLabs, Bristol,Sep 15, 2004,GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid,2,Platform security concerns for GRID,Large number of dynamically managed nodes Reliably identify a particular node Get reliable information abo
2、ut runtime status Protect user data and programsOS and hardware in GRID scenarios Commercial off the shelve elements to save costs Subjected to COTS vulnerabilities Script kiddies and worms dont care whether they attack a private platform or a GRID nodeTrusted platforms Next-generation hardware and
3、software,Sep 15, 2004,GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid,3,Trusted Nodes as building blocks for Trusted Infrastructure,Are the IT systems on my network the ones I intended to be part of the infrastructure? Is the software and configuration on IT systems what they are intende
4、d it to be? Is the software I deploy on my IT systems going to behave as intended?Trusted Computing could become a foundational component to address the first two question. TC hardware is no silver bullet! Secure product development must address the third issue. Main challenges concern software, in
5、particular OS!,Sep 15, 2004,GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid,4,Trusted Computing and HPLabs,Trusted Computing Platform Alliance - TCPA Founded October 1999 Compaq, HP, IBM, Intel, Microsoft Created Embedded Security chip Specification v1.1bTrusted Computing Group - TCG Fou
6、nded April 2003 Build on TCPA Expands Trusted Computing to other platform categories and infrastructure HPLabs held HPs Technical Committee chair for TCPA and now for TCG.,Sep 15, 2004,GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid,5,Trusted Computing evolution,TPM Hardware availability
7、,Tier 0,HW Platform Root-of-Trust,TC Operating Environment - Chain-of-Trust,Tier 1,TC Apps Enterprise, Biz. Critical, Other,Tier 2,Tier 3,Trusted Ecosystems / GRID,Increased integration,Sep 15, 2004,GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid,6,The Trusted Platform Module - TPM -,Tru
8、sted Computing builds upon a TPM hardware Root of Trust. Think: smartcard-like hardware component embedded into the platform,Available in D530 series desktops and nc4010, nc6000, nc8000, and nw8000 notebooks,Sep 15, 2004,GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid,7,Main value-propos
9、ition for GRID today: platform authentication,With Trusted Computing Platforms, network resources can be restricted for access from approved devices as well as approved usersAccess granted to devices authenticated using the Trusted Platform Module (TPM or Embedded Security Chip)To grant access to se
10、nsitive applications and services To control access to file servers and databases To control access from peers or remote clients through VPN and segment portions of the network,Sep 15, 2004,GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid,8,The VPN example,Remote Employee,Internet,ISP,Res
11、ources,TC-enabled,Sep 15, 2004,GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid,9,Authentication of users and devices,User Authentication,Device Authentication,+,Trusted Computing,Creates a Trusted Entity on the networkProvides enhanced network rights, roles, and responsibility Can be int
12、roduced with no disruption to existing IT infrastructure allows IT managers to dynamically assign granular access controlThe device can also now be used as an authentication factor with: Ease of Use for the mobile professional Reduced Total Cost of Ownership for the IT department,Sep 15, 2004,GGF12
13、Security WS - Sep 20, 2004 - Trusted Computing & Grid,10,Value proposition for GRID tomorrow: trustworthiness of nodes,Research / Development,TPM Hardware availability,Tier 0,HW Platform Root-of-Trust,TC Operating Environment - Chain-of-Trust,Tier 1,TC Apps Enterprise, Biz. Critical, Other,Tier 2,Ti
14、er 3,Trusted Ecosystems,Sep 15, 2004,GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid,11,Trusted Node Requirements,Allow for device authentication Monitor software integrity during boot-up and runtime Keep node alive and manageable Support standard operating systemsCurrent operating syste
15、ms: Integrity measurements as such do not enhance security Typically not geared towards keep alive,Sep 15, 2004,GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid,12,Generic vs. hosted OS,Virtualization & Mgmt,Hardware (CPU, Disks, Network etc.),Windows / Linux,Applications,Host OS options:
16、 UM Linux Micro / Exokernels Paravirtualization (Xen) VMware / Plex86,TPM,Secuity enhanced OS (Windows / Linux),Applications,SE Linux BastilleTrustix, Windows NGSCB?,Hardware (CPU, Disks, Network etc.),TPM,Sep 15, 2004,GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid,13,Chain of trust: TP
17、M + hardened OS,List of trusted drivers, libraries, binaries, config, policies Intercept syscalls open(), exec() etc OS monitor checks memory image for each trusted file Alternative: check complete boot file system image Policy: no further LKM-loading after trusted boot-upOS locked down: restrict ra
18、w disk /memory access etc.Fine grained OS policy to constrain max. possible damage Compartments: essentially sandboxing at user/process group level Processes subjected to group-specific I/O and IPC policy No visibility of processes of other compartments, chrooted List of allowed from/to addresses fo
19、r networking,Sep 15, 2004,GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid,14,TPM + hardened host OS for UM-Linux,Use hardened OS as host OS Host OS integrity check supported by TC hardware Guest OS integrity checked by trusted SW in host OS think tripwireGuest OS launched inside host OS
20、compartment Guest OS inherits compartment rules network policy enforced outside the guest OS can be restricted further, e.g. by netfilter on guest OSOption: dedicated hosted instances packet filtering, firewall local to platform or guest OS monitor, audit, report,Sep 15, 2004,GGF12 Security WS - Sep
21、 20, 2004 - Trusted Computing & Grid,15,Challenges,Weak TC notion of expected behaviour SW integrity checking (essentially signed binaries) Could be extended to binary + policy No notion of actual runtime behaviour Borrow concepts: anomaly detection, proof carrying code Further extension: runtime +
22、policy + runtime signature Contractual Programming? Commpacts? Management overhead: is it worth it? Main concern: size of Trusted Computing Base Huge TCB for User Mode Linux scenario Who does the validation for OSS? Favours microkernel/virtualization layer, minimal code base,Sep 15, 2004,GGF12 Secur
23、ity WS - Sep 20, 2004 - Trusted Computing & Grid,16,A TCG/Virtualization Artifact,Secure Virtualization Layer,Hardware (CPU, Disks, Network interfaces etc.),TPM,Trusted Infrastructure Interface (TII),+ TCG functionality,Isolated processing environments,Sep 15, 2004,GGF12 Security WS - Sep 20, 2004 -
24、 Trusted Computing & Grid,17,Trust Instrumentation: TCG and Secure Audit,Automated Test Results,CERT Vuln.,SW Activity report,System config. report,Process Reports,External Service,agent,probe,sensor,Sep 15, 2004,GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid,18,Trusted Virtualization L
25、ayer: Proprietary or Public/Open?,There is a lot of effort going into proprietary solutions, esp. Windows NGSCB So far, little complementary efforts in the Open Source field General scepticism about Trusted Computing approach Problem space beyond typical OSS developer communityControversial discussi
26、on about OSS security in generalCo-ordinated effort for Open Source is necessary International approach Academia, industry, and OSS communities Validation as important as design & implementation !,Sep 15, 2004,GGF12 Security WS - Sep 20, 2004 - Trusted Computing & Grid,19,Conclusions,Todays TCG hard
27、ware can be the stepping stone for innovative security capabilities.Trusted Computing is a journey and we are seeing the first technology components appear on the marketIt will be a long and difficult way towards trusted GRID nodes and infrastructure. The main challenges are in the area of software: operating systems and management.Trustworthiness requires peer-review, replicable validation: Open Trusted Computing,HP logo,
