The present invention relates to the field of computer security, in particular, attesting the state of computer platforms using trusted computing.
A primary goal of trusted computing is ensuring that computers behave in known and predictable ways, which creates a safer computing environment. The Trusted Computing Group (TCG) is a not-for-profit organization formed to develop, define and promote open, vendor-neutral, industry standards for trusted computing building blocks and software interfaces across multiple platforms. The TCG has defined mechanisms for achieving trusted computing using hardware and software components that identify trusted software and enforce behavior so that only known and trusted software can execute. The TCG specifications for the hardware-based Trusted Platform Module (TPM), the PC Client (PC) platform, and Trusted Network Connect (TNC) define such mechanisms. The TPM is both the name of a published specification detailing a secure cryptoprocessor that can store cryptographic keys that protect information, as well as the general name of implementations of that specification, often called the “TPM chip” or “TPM Security Device.” The TNC is an open architecture for network access control, promulgated by the TCG.
One such mechanism involves generating cryptographic hashes of static executable files prior to their execution in order to uniquely identify the software so that it can be compared against a list of hashes of trusted software files. A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the cryptographic hash value, such that an accidental or intentional change to the data will change the hash value. For example, when a computer boots, a cryptographic hash function may be computed over values within predetermined registers of the computer's basic input/output system (BIOS). The resulting hash value is cryptographically signed and stored by the computer. If the computer reboots, a new hash value is computed over the same values and is again cryptographically signed and stored by the computer. When the hash values are stored inside the TPM, they are not signed.
Unwanted software, e.g., a virus, that executes on the computer may change the data in the computer's files, thus creating a new hash value. The difference between the new hash value and the old hash value is an indicator that the computer has been rebooted or hacked. This would be a red flag that unwanted software has infiltrated the computer. As such, the computer may no longer be trusted.
Unknown and therefore untrusted software can be blocked from execution locally or reported to a remote party that can make an assessment of the computer's state. If the computer is deemed to be running in an untrusted state, it might be restricted from accessing network or other resources. Decisions on what software should be trusted can be evaluated locally or remotely through a process called attestation.
The process of measuring or identifying trusted software on a computer can be rooted in software tied to the lowest layers of the computer's hardware, including its BIOS and its TPM. The PC Client specification defines the trusted software known as the root of trust for measurement (RTM), located in the boot block of the BIOS software.
Although RTM measurements are taken and recorded in a well-defined sequence, there are no protocols or mechanisms currently defined to associate an absolute or relative time with these measurements. Therefore, their freshness during an attestation exchange cannot be verified.
Hash values reported through attestation can be used to identify the software or configuration files loaded during the booting of the computer and its operating system. In the case of Integrity Measurement Architecture (IMA), executables, configuration files, and libraries loaded into memory that are identified by a configurable policy are hashed and extended into platform configuration registers (PCRs) prior to loading or execution. PCRs are TPM registers for storing platform configuration measurements. The hashes are also recorded in a manifest file for later reporting to the attester.
The existing attestation protocols defined by TCG include a nonce to prove that the quoting of the measurements is fresh. In security engineering, a nonce is an abbreviation of “number used once.” It is often a pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused. To ensure that a nonce is used only once, it should be time-variant (including a suitably fine-grained timestamp in its value), or generated with enough random bits to ensure a probabilistically insignificant chance of repeating a previously generated value. However, the nonce mechanism alone does not provide an indication of when the measurements were actually taken. As a result, there is a possibility of getting a fresh quote of stale measurements. Stale measurements may not accurately reflect the current state of the computer.
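The PCR extend, manifest replay and nonce-bound quote described in the two preceding paragraphs, as an added example that is not part of the original text and does not model any particular TPM or IMA implementation. The TPM's signature is replaced by an HMAC under a constructed key, the log entries and nonces are constructed, and the verifier's checks show what a nonce does and does not establish: the quote is fresh, but nothing in it records when each measurement was taken.

```python
import hashlib
import hmac

# All values below are constructed for this example; no TPM is involved.
# A PCR starts at zero and changes only through extend: PCR' = H(PCR || m).
PCR_INIT = b"\x00" * 32

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend with SHA-256: one-way and order-sensitive."""
    return hashlib.sha256(pcr + measurement).digest()

def file_measurement(content: bytes) -> bytes:
    """Hash of a file's content, as IMA records it before the file is loaded."""
    return hashlib.sha256(content).digest()

def replay_log(log):
    """Recompute the PCR value that a measurement log (manifest) should yield."""
    pcr = PCR_INIT
    for _name, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr

# Stand-in for the TPM's signature over (PCR, nonce). A real TPM signs with an
# attestation key; an HMAC under a constructed key keeps the example offline.
QUOTE_KEY = b"constructed-attestation-key"

def quote(pcr: bytes, nonce: bytes) -> bytes:
    return hmac.new(QUOTE_KEY, pcr + nonce, hashlib.sha256).digest()

def attest(log, nonce):  # platform side: PCR plus a quote bound to the nonce
    pcr = replay_log(log)
    return pcr, quote(pcr, nonce)

def verify_attestation(log, quoted_pcr, nonce, signature, trusted_digests):
    """Verifier: quote is fresh, log reproduces the PCR, every entry is known."""
    if not hmac.compare_digest(quote(quoted_pcr, nonce), signature):
        return False, "signature does not cover this verifier's nonce"
    if replay_log(log) != quoted_pcr:
        return False, "manifest does not reproduce the quoted PCR"
    unknown = [name for name, d in log if d not in trusted_digests]
    if unknown:
        return False, "untrusted software: " + ", ".join(unknown)
    # Not checked: nothing in the quote says WHEN each entry was measured,
    # so a fresh quote of a stale PCR passes all three tests.
    return True, "ok"

# Constructed boot-time log: two files measured in this order.
GOOD_LOG = [("/sbin/init", file_measurement(b"init v1")),
            ("/lib/libc.so", file_measurement(b"libc v1"))]
TRUSTED = {d for _, d in GOOD_LOG}
```

A quote produced for one nonce fails verification against any other nonce, and a manifest whose entries are reordered or altered no longer replays to the quoted PCR.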
Unfortunately, freshness in reporting does not guarantee freshness in measurement. When the elapsed time between the measurement of software and the reporting of the measurement values of resulting PCRs to a remote attester is significant, i.e., possibly days or even months in the case of a server, the measurement may no longer accurately reflect the state of the running processes and may be considered stale. In fact, it is widely believed that a longer time between the time of measurement and time of reporting corresponds to a reduction in our assurance that the measurement accurately identifies the current executing software. The potential for compromise increases once the software executes in system memory.
What is needed is a method for measuring staleness of TPM measurements such that attestation decisions can be made correctly.