October 25, 2012

Kun Li, Michael Maass, and Mike Ralph

Contact: {kunli, mmaass, mralph}@andrew.cmu.edu
http://www.cs.cmu.edu/~mmaass/tpm_tls/proposal.html

1. Summary

We intend to modify an open source Java implementation of TLS to make use of a Trusted Platform Module (TPM). Our modification will isolate sensitive cryptographic operations on Transport Layer Security (TLS) servers. The TPM will be used to manage asymmetric key pairs and to perform operations using the private key. We will make use of late launch technologies to execute symmetric key operations.

2. Project Description

While 15-740 has primarily focused on what hardware can do to improve the performance of parallel systems, computer architectures have also made notable contributions to the field of security. TPMs are now commonly shipped as a part of commodity computing devices such as laptops, desktops, and servers. A TPM is a secure cryptoprocessor useful for many tasks such as storing cryptographic keys, protecting passwords, and assuring platform integrity.

We intend to modify a type-safe implementation of TLS to make use of TPMs. TLS is a cryptographic protocol used to establish a secure communication channel over the Internet [7]. In the typical case, the server side uses an asymmetric key pair, where the public portion has been signed by a trusted third party, to authenticate itself to the client. This key pair is also used to securely exchange key material. The key material is later used to calculate a shared session key. The shared session key is a symmetric key used to encrypt/decrypt all of traffic between the client and the server after the session has been established.

Our primary goal is to cause our chosen TLS implementation to make use of the TPM for storing the private key from the asymmetric key pair and for performing operations using that key. Additionally, we will make use of late launch technologies to isolate the calculation of the session key and operations that use the key. This isolation will prevent other software that is running on the machine from observing the cryptographic operations or stealing any of the secret keys. (NOTE: We can isolate asymmetric operations using the TPM directly because the hardware supports an asymmetric cipher in CipherSuites we can support. However, the hardware does not directly support the symmetric ciphers, thus to gain similar isolation properties for them we must use late launch.) We intend to make these modifications while only making modest compromises in terms of type safety, which will reduce the amount of code where vulnerabilities such as buffer overflows are of concern.

We intend to perform these modifications solely for the case of one combination of algorithms in the TLS implementation's CipherSuite on the server side. If our scope is too large even with this limitation, we will drop late launch requirements for all but the most simple cases where we can apply it. However, assuming we end up with extra time, we will attempt to apply late launch more broadly.

Finally, we intend to address the issue of benchmarking such an infrastructure to determine where and why any slowdowns occur.

3. Plan of Attack and Schedule

Our schedule roughly breaks the work into three components. Each group member should be able to claim primary responsibility for one of the following: integration of jTSS into Sun's provider in the OpenJDK (see section 6), production of Pieces of Application Logic (PALs) to late launch, and test harnesses.
Week Beginning Plan
October 22 Organize team member responsibilities. Ensure all members are familiar with all project ideas. Read hardware/software documentation.
October 29 Perform a detailed inspection of Sun's SSL provider to determine what needs to change to meet the goal. Install Flicker and use a simple PAL. Plan experiments and design test harnesses.
November 5 Begin integrating jTSS into Sun's SSL provider. Plan ingress and egress routes for session key management and encryption/decryption. Have a simple test harness done that allows a client to connect to a server that is using the modified TLS library and PALs.
November 12 Finish integrating jTSS with Sun's SSL provider for asymmetric key management and begin using jTSS for private key operations. Continue implementing symmetric operations as PALs. Continue implementating test harnesses and instrumentation schemes.
November 19 Finish integrating jTSS with Sun's SSL provider for key management and private key operations. Begin integrating modified SSL provider with PALs. Start integrating test harnesses with the modified SSL implementation + PALs.
November 26 Finish integrating all components and gather data.
December 3 Complete project writeup and poster

4. Milestones

By the project milestone, November 20th, we should have test harnesses, PALs, and a modified version of Sun's SSL provider that perform their intended operations independently. That is, PALs should be calculating session keys and encrypting/decrypting data, our version of Sun's SSL provider should be using the TPM to manage the server's private key, and the test harnesses should exist to test and measure the performance of the PALs and Sun's SSL provider independently.

We will abandon integration of the PALs if it turns out to be too problematic given our time constraints.

5. Related Work

Isolating computations using TPMs [8] and late launch [1, 3] is not a new idea [4, 2]. However, applications that have backed TLS using the TPM, such as [5], have not done so for type-safe implementations, nor have they thoroughly addressed the issue of isolating symmetric cryptography using late launch. Furthermore, we have seen no data that breaks down where and how slowdowns occur in these systems. Fortunately, a library already exists that implements the TCG Software Stack API [6] for Java, our type-safe language of choice.

6. Resources Needed

To complete this project we need the following software:

  • OpenJDK6 Source: this contains the full source code to the Java Secure Socket Extension (and much of the Java Development Kit), which contains Sun's SSL provider. We will modify Sun's SSL provider to use the TPM and will recompile jsse.jar for our project. Java applications that wish to use our TPM backed implementation of SSL must reference our version of jsse.jar and not the standard one.
  • jTSS: an open source implementation of a TCG Software Stack for Java. We will use this library in making Sun's SSL provider use the TPM.
  • Flicker: an open source framework for executing minimal TCBs using dynamic roots of trust provided by recent Intel and AMD processor features.
Additionally, we will need hardware that has a v1.2 TPM and either an Intel processor that supports TXT or an AMD processor that supports SKINIT. We definitely have one such machine available, but we should be able to make use of SimNow from AMD and an open source TPM simulator to fill any gaps.

7. Getting Started

Our preparation has not gone beyond reading background material on TPMs and late launch, aside from drafting an overall architecture and picking appropriate supporting libraries. We do not have any constraints that prevent us from moving forward. As a result, we can proceed by starting to set-up a late launch framework and by beginning to make preliminary modifications to our selected TLS implementation.

References

[1] Advanced Micro Devices. AMD64 virtualization: Secure virtual machine architecture reference manual. AMD Publication no. 33047 rev. 3.01, May 2005.

[2] A. M. Dunn, O. S. Hofmann, B. Waters, and E. Witchel, “Cloaking malware with the trusted platform module,” in Proceedings of the 20th USENIX conference on Security, Berkeley, CA, USA, 2011, pp. 26–26.

[3] “Intel Trusted Execution Technology Software Development Guide.” Intel Corporation, Mar-2011.

[4] J. M. McCune, B. J. Parno, A. Perrig, M. K. Reiter, and H. Isozaki, “Flicker: an execution infrastructure for tcb minimization,” SIGOPS Oper. Syst. Rev., vol. 42, no. 4, pp. 315–328, Apr. 2008.

[5] “OpenSSL TPM Engine,” SourceForge, Sep-2012. [Online]. Available: http://sourceforge.net/projects/trousers/files/OpenSSL%20TPM%20Engine/. [Accessed: 23-Oct-2012].

[6] “TCG Software Stack (TSS) Specification Version 1.2.” Trusted Computing Group, Mar-2009.

[7] T. Dierks, E. Rescorla. “RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2.” [Online]. Available: http://tools.ietf.org/html/rfc5246. [Accessed: 23-Oct-2012].

[8] Trusted Computing Group. Trusted platform module main specification, Part 1: Design principles, Part 2: TPM structures, Part 3: Commands. Version 1.2, Revision 103, July 2007.