Uni-directional Trusted Path: Transaction Confirmation on Just One Device

Transcription

1 Uni-directional Trusted Path: Transaction Confirmation on Just One Device Atanas Filyanov 1, Jonathan M. McCune 2, Ahmad-Reza Sadeghi 3, Marcel Winandy 1 1 Ruhr-University Bochum, Germany 2 Carnegie Mellon University, USA 3 Technical University Darmstadt, Germany DSN st Annual IEEE/IFIP International Conference on Dependable Systems and Networks Hong Kong, China, June 2011

2 Motivation Malware can have strong power on commodity systems Keyloggers, transaction generators,... (commit online fraud) Credit card companies, banks absorb most liabilities s have disincentive to solve the problem Even e-commerce servers are under attack! Sony: attackers have eventually stolen credit card data from several customers Recently similar attacks at other game companies 2

3 Motivation Malware can have strong power on commodity systems Keyloggers, transaction generators,... (commit online fraud) Credit card companies, banks absorb most liabilities s have disincentive to solve the problem Even e-commerce servers are under attack! Sony: attackers have eventually stolen credit card data from several customers Recently similar attacks at other game companies If all had used our proposed solution, there would have been no problem! :-) 2

4 Threat Scenario issue transaction request confirmation confirmation request transaction request confirmation confirmation Typical scenarios: online purchases, online banking, e-government, enrollment for online services, etc. 3

5 Threat Scenario Adversary issue transaction request confirmation confirmation request transaction request confirmation confirmation Typical scenarios: online purchases, online banking, e-government, enrollment for online services, etc. Adversary: controls network traffic and controls client system only software attacks (no hardware tampering) 3

6 Threat Scenario Adversary issue transaction request confirmation confirmation request transaction request confirmation confirmation Typical scenarios: online purchases, online banking, e-government, enrollment for online services, etc. Adversary: controls network traffic and controls client system only software attacks (no hardware tampering) 3

7 Threat Scenario Adversary issue transaction request confirmation confirmation request transaction request confirmation confirmation Typical scenarios: online purchases, online banking, e-government, enrollment for online services, etc. Adversary: controls network traffic and controls client system only software attacks (no hardware tampering) 3

8 Threat Scenario Adversary issue transaction request confirmation confirmation request transaction request confirmation confirmation Typical scenarios: online purchases, online banking, e-government, enrollment for online services, etc. Adversary: controls network traffic and controls client system only software attacks (no hardware tampering) 3

9 Threat Scenario cannot distinguish between transactions issued/ confirmed by user or malware Adversary issue? transaction request confirmation confirmation request transaction request confirmation confirmation Typical scenarios: online purchases, online banking, e-government, enrollment for online services, etc. Adversary: controls network traffic and controls client system only software attacks (no hardware tampering) 3

10 Our Goals Assurance to a remote server that a user indeed confirmed a proposed action Technical solution without additional devices, but compatible to existing operating systems Minimal/no deviation from normal user experience Assumption: hardware provides some form of secure execution environment 4

11 Our Goals Assurance to a remote server that a user indeed confirmed a proposed action Technical solution without additional devices, but compatible to existing operating systems Minimal/no deviation from normal user experience Assumption: hardware provides some form of secure execution environment Available on commodity platforms: PC: Intel TXT, AMD SVM Mobile: ARM TrustZone; Playstation3: Cell BE 4

12 Idea of the Uni-directional Trusted Path

13 Full Trusted Path Properties: Application Application Application 1. Isolation of I/O channels (integrity & confidentiality) 2. Assurance for user about authenticity of application 3. Assurance for application about user-generated input 6

14 Trusted Path: Existing Approaches Secure GUI (reserved screen area) Requires a secure Secure Attention Sequence (e.g., Ctrl+Alt+Delete) Requires kernel to remain uncompromised Additional hardware indicators (e.g., color LED) Requires kernel to remain uncompromised 7

15 Trusted Path: Existing Approaches Secure GUI (reserved screen area) Requires a secure Secure Attention Sequence (e.g., Ctrl+Alt+Delete) Requires kernel to remain uncompromised Additional hardware indicators (e.g., color LED) Requires kernel to remain uncompromised No widespread adoption, or lack of interest from users (also: usability unclear) 7

16 Uni-directional Trusted Path (UTP) Properties: Application 3 1. Isolation of I/O channels (integrity & confidentiality) 2. Assurance for user about authenticity of application 1 UTP Agent 3. Assurance for application about user-generated input 8

17 Uni-directional Trusted Path (UTP) Properties: Application 3 1. Isolation of I/O channels (integrity & confidentiality) 2. Assurance for user about authenticity of application 1 UTP Agent 3. Assurance for application about user-generated input 8

18 Uni-directional Trusted Path (UTP) Properties: Application 3 1. Isolation of I/O channels (integrity & confidentiality) 2. Assurance for user about authenticity of application 1 UTP Agent 3. Assurance for application about user-generated input Enable remote server to gain assurance about human-initiated action Based on s capability to switch between untrusted and secure execution mode UTP is only available in : Isolated execution environment and control of user I/O devices Ability to provide evidence to remote system what has executed in this mode 8

19 Transaction Confirmation with UTP

20 Transaction Initiation Browser I/O Devices UTP Agent 10

21 Transaction Initiation 1. issues transaction Browser I/O Devices UTP Agent 10

22 Transaction Initiation 2. requests transaction 1. issues transaction Browser I/O Devices UTP Agent 10

23 Transaction Initiation 2. requests transaction 1. issues transaction Browser 3. requests confirmation I/O Devices UTP Agent 10

24 Transaction Confirmation Browser 3. requests confirmation I/O Devices 11

25 Transaction Confirmation Browser 3. requests confirmation I/O Devices 11

26 Transaction Confirmation Browser 3. requests confirmation I/O Devices UTP Agent 11

27 Transaction Confirmation Browser 3. requests confirmation I/O Devices UTP Agent 11

28 Transaction Confirmation 4. show conf. message + request confirmation Browser 3. requests confirmation I/O Devices UTP Agent 11

29 Transaction Confirmation 4. show conf. message + request confirmation 5. confirm/abort I/O Devices Browser UTP Agent 3. requests confirmation 11

30 Transaction Confirmation 4. show conf. message + request confirmation 5. confirm/abort I/O Devices Browser UTP Agent confirm/abort 3. requests confirmation 11

31 Transaction Confirmation 4. show conf. message + request confirmation 5. confirm/abort I/O Devices Browser UTP Agent confirm/abort 3. requests confirmation 6. attestation evidence: - UTP Agent integrity measurement - conf. message from server - confirm/abort from user 11

32 Transaction Confirmation 4. show conf. message + request confirmation 5. confirm/abort I/O Devices Browser UTP Agent confirm/abort 3. requests confirmation 6. attestation evidence: - UTP Agent integrity measurement - conf. message from server - confirm/abort from user Uni-directional Trusted Path 11

33 Transaction Confirmation 4. show conf. message + request confirmation 5. confirm/abort I/O Devices Browser UTP Agent confirm/abort 3. requests confirmation 6. attestation evidence: - UTP Agent integrity measurement - conf. message from server - confirm/abort from user 11

34 Transaction Confirmation 4. show conf. message + request confirmation 5. confirm/abort I/O Devices Browser UTP Agent confirm/abort 7. accept/discard 3. requests confirmation 6. attestation evidence: - UTP Agent integrity measurement - conf. message from server - confirm/abort from user 11

35 Transaction Confirmation 4. show conf. message + request confirmation 5. confirm/abort I/O Devices Browser 7. accept/discard 3. requests confirmation 6. attestation evidence: - UTP Agent integrity measurement - conf. message from server - confirm/abort from user 11

36 Transaction Confirmation 4. show conf. message + request confirmation 5. confirm/abort I/O Devices Browser 7. accept/discard 3. requests confirmation 6. attestation evidence: - UTP Agent integrity measurement - conf. message from server - confirm/abort from user 11

37 Transaction Confirmation 4. show conf. message + request confirmation 5. confirm/abort 8. show result I/O Devices Browser 7. accept/discard 3. requests confirmation 6. attestation evidence: - UTP Agent integrity measurement - conf. message from server - confirm/abort from user 11

38 Security Considerations Transaction generated by malware 1. requests transaction Browser 2. requests confirmation I/O Devices UTP Agent 12

39 Security Considerations Transaction generated by malware 1. requests transaction unexpected Browser 2. requests confirmation I/O Devices UTP Agent 12

40 Security Considerations Transaction generated by malware 1. requests transaction unexpected Browser 2. requests confirmation I/O Devices UTP Agent will notice (unexpected transaction) 12

41 Security Considerations Transaction manipulation + manipulated UTP agent 1. issues transaction Browser 2. requests transaction 3. requests confirmation I/O Devices UTP Agent 13

42 Security Considerations Transaction manipulation + manipulated UTP agent 1. issues transaction Browser 2. requests transaction 3. requests confirmation I/O Devices UTP Agent 13

43 Security Considerations Transaction manipulation + manipulated UTP agent 1. issues transaction Browser 2. requests transaction 3. requests confirmation I/O Devices UTP Agent 13

44 Security Considerations Transaction manipulation + manipulated UTP agent 1. issues transaction expected Browser 2. requests transaction 3. requests confirmation I/O Devices UTP Agent 13

45 Security Considerations Transaction manipulation + manipulated UTP agent 1. issues transaction expected Browser 2. requests transaction 3. requests confirmation I/O Devices UTP Agent 6. attestation evidence: - UTP Agent integrity measurement - conf. message from server - confirm/abort from user 13

46 Security Considerations Transaction manipulation + manipulated UTP agent 1. issues transaction expected Browser 2. requests transaction 3. requests confirmation I/O Devices UTP Agent 6. attestation evidence: - UTP Agent integrity measurement - conf. message from server - confirm/abort from user will notice and reject (UTP integrity violation) 13

47 Security Considerations Transaction manipulation + faked confirmation dialog 1. issues transaction Browser 2. requests transaction 3. requests confirmation I/O Devices 14

48 Security Considerations Transaction manipulation + faked confirmation dialog 1. issues transaction 4. faked conf. message I/O Devices Browser 2. requests transaction 3. requests confirmation 14

49 Security Considerations Transaction manipulation + faked confirmation dialog 1. issues transaction 4. faked conf. message I/O Devices Browser 2. requests transaction 3. requests confirmation 6. attestation evidence: -??? 14

50 Security Considerations Transaction manipulation + faked confirmation dialog 1. issues transaction 4. faked conf. message I/O Devices Browser 2. requests transaction 3. requests confirmation 6. attestation evidence: -??? will notice and reject (no UTP execution) 14

51 Setup: Device Enrollment knows that a human confirmed a transaction But how does the server know which user? Solution: binding the device to the user account Requires to register user devices in a setup phase Establishes a cryptographic credential to perform login (e.g. public key protected by ) Protects against misuse of stolen account data! Attackers cannot use data (e.g. credit card number) because their devices are not registered with that account at the server 15

52 Realization of UTP

53 PC-Based Implementation Evidence attestation: Trusted Platform Module (TPM) Hardware root of trust (secure storage for keys; cryptographic operations) PCRs: registers that can be extended with integrity measurements of code Attestation: cryptographic signature of PCRs with a TPM-protected key : Intel Trusted Execution Technology (TXT) Late Launch creates dynamic root of trust (DRTM) Reinitializes and memory controller into known-good state Resets dynamic PCRs of the TPM (only can reset these registers) Software framework: Flicker Allows to execute very small code in DRTM mode (without any ) During DRTM mode, normal is halted; after switch back, is resumed 17

54 Implementation Architecture Client (Intel TXT) Web Browser Extension HTTPS Webserver Application Script Extension Client Utility Program Verification Program Flicker Launch Secure Mode UTP Agent TPM 18

55 Implementation Architecture Client (Intel TXT) Web Browser Extension HTTPS Webserver Application Script Extension Client Utility Program Verification Program Flicker Launch Secure Mode UTP Agent LOC TPM 18

56 Implementation Architecture Client (Intel TXT) Web Browser Extension Client Utility Program } HTTPS LOC (non-tcb) Webserver Application Script Extension Verification Program Flicker Launch Secure Mode UTP Agent LOC TPM 18

57 Implementation Architecture Client (Intel TXT) Web Browser Extension Client Utility Program } HTTPS LOC (non-tcb) Webserver Application Script Extension Verification Program Flicker Launch TPM Secure Mode UTP Agent 2335 LOC (TCB) LOC 18

58 Screenshot (Transaction Initiation) 19

59 Screenshot (Transaction Initiation) 19

60 Screenshot (Transaction Confirmation) 20

61 Evaluation Code complexity: Very small total TCB: 2335 LOC (sel4 about 9000 [Klein et al. SP 2009]) Including VGA and PS/2 keyboard driver (USB would add another 2000) Deployment: -side: only minor modifications necessary Client-side: users just need to download UTP software Performance: Switching time about 1 sec Remaining actions: waiting for user input, or in untrusted mode Usability: Confirmation message should not be simply "Press OK" (user tend to ignore) UTP is generic, confirmation message can be provided by service providers 21

62 Conclusion Existing solutions against transaction generators are inconvenient or not widely deployed Our proposal: a one-way trusted path to enable service providers to gain assurance about userinitiated transactions Realization based on on-demand isolated execution environment and temporal control of user I/O devices Very small TCB and compatible to existing software Deployable on commodity systems today 22

63 Questions? Contact: Marcel Winandy Ruhr-University Bochum 23

64 BACKUP

65 Implementation of UTP with Flicker 25