Abstract
A key component in building trusted computing services is a highly secure anchor that serves as a Root-of-Trust (RoT). There are several works that conduct formal analysis on the security of such commodity RoTs (or parts of it), and also a few ones devoted to verifying the trusted computing service as a whole. However, most of the existing schemes try to verify security without differentiating the internal cryptography mechanisms of the underlying hardware token from the client application cryptography. This approach limits, to some extent, the reasoning that can be made about the level of assurance of the overall system by automated reasoning tools. In this work, we present a methodology that enables the use of formal verification tools towards verifying complex protocols using trusted computing. The focus is on reasoning about the overall application security, provided from the integration of the RoT services, and how these can translate to larger systems when the underlying cryptographic engine is considered perfectly secure. Using the Tamarin prover, we demonstrate the feasibility of our approach by instantiating it for a TPM-based remote attestation service, which is one of the core security services needed in today’s increased attack landscape.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), London, UK, pp. 104–115. ACM, January 2001
Arapinis, M., Phillips, J., Ritter, E., Ryan, M.D.: StatVerif: verification of stateful processes. J. Comput. Secur. 22(5), 743–821 (2014)
Arthur, W., Challener, D.: A Practical Guide to TPM 2.0: Using the Trusted Platform Module in the New Age of Security. Apress, Berkeley (2015)
Basin, D., Cremers, C., Dreier, J., Meier, S., Sasse, R., Schmidt, B.: Tamarin prover (v. 1.6.1), August 2021. https://tamarin-prover.github.io
Brickell, E.F., Camenisch, J., Chen, L.: Direct anonymous attestation. In: ACM Conference on Computer and Communications Security (CCS), Washington, DC, pp. 132–145. ACM, October 2004
Chen, L., Ryan, M.: Attack, solution and verification for shared authorisation data in TCG TPM. In: Degano, P., Guttman, J.D. (eds.) FAST 2009. LNCS, vol. 5983, pp. 201–216. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12459-4_15
Cheval, V., Cortier, V., Turuani, M.: A little more conversation, a little less action, a lot more satisfaction: global states in ProVerif. In: IEEE Computer Security Foundations Symposium (CSF), Oxford, UK, pp. 344–358, July 2018
Delaune, S., Kremer, S., Ryan, M.D., Steel, G.: Formal analysis of protocols based on TPM state registers. In: IEEE Computer Security Foundations Symposium (CSF), Cernay-la-Ville, France, pp. 66–80. IEEE, June 2011
Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)
Fotiadis, G., et al.: Repository for SAPiC/Tamarin models, October 2021. https://github.com/jmor7690/stm2021-rot-abstractions
Goldman, K.: Attestation protocols. Technical report, IBM, December 2017
Goldman, K., Perez, R., Sailer, R.: Linking remote attestation to secure tunnel endpoints. In: ACM Workshop on Scalable Trusted Computing (STC), Alexandria, VA, pp. 21–24. ACM, November 2006
Greene, J.: Intel trusted execution technology: hardware-based technology for enhancing server platform security (2013)
Hongwei, Z., Zhipeng, K., Yuchen, Z., Dangyang, W., Jinhui, Y.: TSGX: defeating SGX side channel attack with support of TPM. In: Asia-Pacific Conference on Communications Technology and Computer Science (ACCTCS), Shenyang, China, pp. 22–24. IEEE, April 2021
Kremer, S., Künnemann, R.: Automated analysis of security protocols with global state. J. Comput. Secur. 24(5), 583–616 (2016)
Lowe, G.: A hierarchy of authentication specifications. In: IEEE Computer Security Foundations Workshop (CSFW), Rockport, MA, pp. 31–43. IEEE, June 1997
Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39799-8_48
Moghimi, D., Sunar, B., Eisenbarth, T., Heninger, N.: TPM-FAIL: TPM meets timing and lattice attacks. In: USENIX Security Symposium (USENIX Security), pp. 2057–2073. USENIX Association, August 2020
Rescorla, E.: The transport layer security (TLS) protocol version 1.3. RFC 8446, RFC Editor, August 2018. https://www.rfc-editor.org/rfc/rfc8446.txt
Sailer, R., Zhang, X., Jaeger, T., van Doorn, L.: Design and implementation of a TCG-based integrity measurement architecture. In: USENIX Security Symposium (USENIX Security), San Diego, CA. USENIX Association, August 2004
Shao, J., Qin, Y., Feng, D.: Formal analysis of HMAC authorisation in the TPM2.0 specification. IET Inf. Secur. 12(2), 133–140 (2018)
Shao, J., Qin, Y., Feng, D., Wang, W.: Formal analysis of enhanced authorization in the TPM 2.0. In: ACM Symposium on Information. Computer and Communications Security (ASIA CCS), Singapore, pp. 273–284. ACM, April 2015
The FutureTPM Consortium: FutureTPM use case and system requirements. Deliverable D1.1, FutureTPM, June 2018
The FutureTPM Consortium: Demonstrators implementation report - first release. Deliverable D6.3, FutureTPM, April 2020
Trusted Computing Group (TCG): Trusted Platform Module Library Specification, Part 1: Architecture (Family “2.0”, Level 00, Revision 01.59), November 2019
Trusted Computing Group (TCG): Trusted Platform Module Library Specification, Part 2: Structures (Family “2.0”, Level 00, Revision 01.59, November 2019
Trusted Computing Group (TCG): Trusted Platform Module Library Specification, Part 3: Commands - Code (Family “2.0”, Level 00, Revision 01.59), November 2019
Trusted Computing Group (TCG) - Infrastructure Work Group: Subject Key Attestation Evidence Extension (Version 1.0, Revision 7), June 2005
Weiser, S., Werner, M.: SGXIO: generic trusted I/O path for Intel SGX. In: ACM Conference on Data and Application Security and Privacy (CODASPY), New York, NY, pp. 261–268. ACM, March 2017
Wesemeyer, S., Newton, C.J.P., Treharne, H., Chen, L., Sasse, R., Whitefield, J.: Formal analysis and implementation of a TPM 2.0-based direct anonymous attestation scheme. In: ACM Asia Conference on Computer and Communications Security (ASIA CCS), Taipei, Taiwan, pp. 784–798. ACM, October 2020
Xi, L., Feng, D.: Formal analysis of DAA-related APIs in TPM 2.0. In: Au, M.H., Carminati, B., Kuo, C.-C.J. (eds.) NSS 2014. LNCS, vol. 8792, pp. 421–434. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11698-3_32
Acknowledgements
We would like to thank François Dupressoir and Robert Künnemann for useful discussions. We would also like to thank the anonymous reviewers for their insightful comments. This work was partially supported by the European Union’s Horizon 2020 Research and Innovation programme under grant agreements No. 779391 (FutureTPM) and No. 952697 (ASSURED), and by the UK Engineering and Physical Sciences Research Council (EPSRC) under grant EP/R012598/1.
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Appendices
A Create a TPM Key with PCR Policy
We show a simplified example on the usage of EA. We note that, for clarity, we are omitting many details on TPM internals and TPM objects; see [3, 25,26,27]. In brief, the user executes the command TPM2_StartAuthSession(TRIAL) in order to initiate a fresh trial session. The TPM creates a handle \(trial_\text {sh}\) for this session, initiates the policy digest \(trial_\text {pd}\) to zero and returns \(trial_\text {sh}\) to the user. The user executes the command TPM2_PolicyPCR(\(trial_\text {sh}, pcr_\text {h}, swHash\)), which asks the TPM to update the policy digest of the trial session as:
where \(H(\ )\) is a hash function. The user executes TPM2_PolicyGetDigest(\(trial_\text {sh}\)) in order to obtain \(trial_\text {pd}\) and calls TPM2_Create(\(trial_{pd}\)). The TPM will create a new object (key) \(k = (key_{priv}, key_{pub})\) with authorization policy \(key_\text {ap} = trial_\text {pd}\) and returns to the user the protected object blob. Now the user creates a policy session s with \( \texttt {TPM2\_StartAuthSession}\texttt {(EA)} \) and the TPM sets \(s_\text {pd} = nil\) and returns the handle \(s_\text {h}\) to the Client. Then, the Client executes the command \( \texttt {TPM2\_PolicyPCR}(s_\text {h}, pcr_h, swHash)\) in order to update the policy digest \(s_\text {pd}\), and then \(\texttt {TPM2\_Load}(s_\text {h}, objectBlob)\) and obtains \(k_\text {h}, k_\text {pub}, k_\text {name}\). This procedure is summarized in Fig. 4.
B SAPiC Syntax
Figure 5 describes the SAPiC syntax. The syntax allows to define a protocol as a process. It is then translated into a set of Tamarin MSRs that adhere to the semantics of the calculus, which is a dialect of the applied pi-calculus [1]. The calculus comprises an order-sorted term algebra with infinite sets of publicly known names \( PN \), freshly generated names \( FN \), and variables \(\mathcal {V}\). It also comprises a signature \(\varSigma \), i.e., a set of function symbols, each with an arity. Messages are elements from a set of terms \(\mathcal {T}\) over \( PN \), \( FN \), and \(\mathcal {V}\), built by applying the function symbols in \(\varSigma \). Events in SAPiC are similar to Tamarin action facts, and they annotate specific parts of the process to be used to define security properties. We denote \(\mathcal {F}\) the set of Tamarin action and state facts. As opposed to the applied pi-calculus [1], SAPiC’s input construct in (M, N); P performs pattern matching instead of variable binding. See [4, 15] for the complete details.
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Fotiadis, G. et al. (2021). Root-of-Trust Abstractions for Symbolic Analysis: Application to Attestation Protocols. In: Roman, R., Zhou, J. (eds) Security and Trust Management. STM 2021. Lecture Notes in Computer Science(), vol 13075. Springer, Cham. https://doi.org/10.1007/978-3-030-91859-0_9
Download citation
DOI: https://doi.org/10.1007/978-3-030-91859-0_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-91858-3
Online ISBN: 978-3-030-91859-0
eBook Packages: Computer ScienceComputer Science (R0)