IBM has pioneered the use of hardware support to establish trust in system execution. The IBM 4758 started as a research project to build a secure, tamper-resistant cryptographic coprocessor. Software whose integrity is essential to the correct operation of a business can be run on the 4758 Cryptographic Coprocessor with confidence, even against insider attacks. A variety of IBM clients use the IBM 4758 and its recently available successor, the IBM 4764.
A key aspect of the 4758/4764 design is a mechanism, called attestation, that enables the cryptographic coprocessor to prove its integrity to remote systems. Attestation protocols enable a remote party to verify that the software loaded on a system, and the order in which it was loaded, correspond to expectations.
Attestation has become a key mechanism in building secure systems. The Trusted Computing Group (TCG) is a consortium of several companies, including IBM as a promoter member, that aims to standardize a hardware module and a software stack that enable attestation and the other security services needed to verify system integrity. The idea is that the hardware, called a trusted platform module (TPM), holds identifying secrets of a system, and a TPM software stack (TSS) enables measurement of the software that is loaded. Because the TPM can produce cryptographic signatures, it can generate messages that remote systems use to verify the software running on the system that holds the TPM.
The TCG standard provides a possible basis for building secure systems, but it is still necessary to work out how to use the TPM in an open way. IBM Research has been a leader in answering this question. First, IBM researchers were the first to provide an open source TPM driver for Linux. Also, IBM researcher David Safford wrote an article describing appropriate uses of the TPM to show that it can serve as the basis of an open platform. Further, the IBM Tokyo Research Lab (TRL) has developed software that uses a TPM to measure the integrity of the boot process.
More research is still required to determine how to use the TPM functionality effectively. Although the TPM is designed to measure the integrity of a sequential load of software, as in the boot process, IBM Research has identified broader uses. One is an Integrity Measurement Architecture (IMA), in which the TPM is used to enable verification of application software running on Linux. IBM researcher Leendert van Doorn's group found that if the operating system maintains a load sequence, the TPM can maintain an aggregate value from which a remote party can verify both the software components loaded and the order in which they were loaded. A prototype of this approach was demonstrated at the RSA Conference in February 2004 and generated much discussion and press coverage. Furthermore, in September 2004 at the Embedded Systems Conference in Boston, researchers from IBM Tokyo Research Lab applied this architecture to a TPM-extended embedded controller that supports an RFID application built on a Trusted JVM, the Open Service Gateway Initiative (OSGi) Framework developed at the IBM Almaden Research Center, and a lightweight WS-Security engine, to show a comprehensive security framework for pervasive devices. This demo was also presented at the OSGi World Congress in October 2004 in Barcelona, Spain.
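The aggregate-value mechanism described above, as an added illustration that is not IBM's IMA code: each component is hashed before it is loaded, the hash is folded into a simulated PCR with the TPM extend operation (SHA-1, as in TPM 1.2-era IMA), and a verifier replays the measurement list to check the aggregate and then checks every entry against known-good hashes. The file paths and contents are constructed sample data; a real attestation would deliver the PCR value inside a TPM quote signed by the TPM's key.

```python
import hashlib

# Constructed sample "files": (path, contents). Not real IMA output.
SAMPLE_FILES = [
    ("boot_aggregate", b"constructed boot aggregate"),
    ("/sbin/init", b"constructed init binary"),
    ("/lib/libc.so.6", b"constructed libc"),
    ("/usr/bin/app", b"constructed application"),
]

def measure(data):
    """Measurement of a loaded component: SHA-1, as in TPM 1.2-era IMA."""
    return hashlib.sha1(data).digest()

def extend(pcr, measurement):
    """TPM extend: PCR_new = SHA-1(PCR_old || measurement). One-way and
    order-dependent: the same set loaded in another order gives another PCR."""
    return hashlib.sha1(pcr + measurement).digest()

def aggregate(measurements):
    """Replay a load sequence on a PCR that starts at its reset value."""
    pcr = bytes(20)
    for m in measurements:
        pcr = extend(pcr, m)
    return pcr

def measured_boot(files):
    """Attesting system: measure each component as it is loaded, extend the
    PCR, and append (path, hash) to the measurement list kept by the OS."""
    measurement_list = [(path, measure(data)) for path, data in files]
    return measurement_list, aggregate(m for _, m in measurement_list)

def verify(measurement_list, reported_pcr, known_good):
    """Remote verifier: the reported PCR is trusted (it comes from the TPM);
    the list is untrusted, so recompute the aggregate, then check each entry."""
    if aggregate(m for _, m in measurement_list) != reported_pcr:
        return False, "measurement list does not match PCR aggregate"
    bad = [p for p, m in measurement_list if known_good.get(p) != m]
    if bad:
        return False, "unknown or modified components: " + ", ".join(bad)
    return True, "all components known and in attested order"

# Verifier's database of acceptable measurements (constructed).
KNOWN_GOOD = {path: measure(data) for path, data in SAMPLE_FILES}

if __name__ == "__main__":
    mlist, pcr = measured_boot(SAMPLE_FILES)
    print(verify(mlist, pcr, KNOWN_GOOD))
    swapped = [mlist[0], mlist[2], mlist[1], mlist[3]]  # same set, other order
    print(verify(swapped, pcr, KNOWN_GOOD))
```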
Integrity Measurement Architecture
IBM Research continues to examine the issues of applying TCG technology. The IBM T.J. Watson Research Center recently showed how IMA can be used to let a corporation control access to its data by employees working at home. Researchers in the IBM Zurich Research Lab are examining how to describe a model of attestation based on properties, so that remote verification can be simpler. IBM researchers in New York are looking at using the mandatory access control policies now available in Linux to generate such properties. The Grand Challenge is to devise an approach to integrity verification that meets practical concerns and can be performed naturally in the course of normal computer processing.
The TCG standards aim to provide a trusted component in our systems that could enable computers to work together with some confidence in each other's integrity, but many problems must be solved before such tools are practical. IBM Research has been at the forefront of trusted computing and, through the skills in its labs, will continue to explore hardware, systems, application, and theoretical approaches to improving system security.
Related Publications
Hendricks, J. and van Doorn, L. Secure Bootstrap is Not Enough: Shoring up the Trusted Computing Base. Proc. of the Eleventh SIGOPS European Workshop, ACM SIGOPS, Leuven, Belgium, September 2004.
Sailer, R., Jaeger, T. R., Zhang, X. and van Doorn, L. Attestation-based Policy Enforcement for Remote Access. ACM CCS, July 2004.
Sailer, R., Zhang, X., Jaeger, T. and van Doorn, L. Design and Implementation of a TCG-based Integrity Measurement Architecture. Proc. of the 13th USENIX Security Symposium, San Diego, CA, August 2004.
Seshadri, A., Perrig, A., van Doorn, L. and Khosla, P. SWATT: SoftWare-based ATTestation for Embedded Devices. Proc. of the IEEE Security & Privacy Conference, IEEE, Oakland, CA, May 2004.