Property Attestation---Scalable and Privacy-friendly Security Assessment of Peer Computers

A core security challenge is the integrity verification of the software that is executed on a machine. For example, an enterprise needs to know whether a gateway machine has been infected by malicious code. One prevailing approach is to use directories of configuration check-sums to detect when a configuration has been changed (see www.tripwire.org). These software-only solutions have limitations when the operating system itself is compromised. The tamper-resistant Trusted Platform Module (TPM) specified by the Trusted Computing Group (TCG) allows a TPM-enhanced platform to securely attest to a configuration of a machine. Based on such binary attestation, a verifying peer computer can then decide whether or not to trust the verified platform. In this paper, we argue that the approach of binary attestation is not privacy-friendly, scalable or open and vendor-neutral. The main criticism is that this approach needlessly discloses the complete configuration (i.e., all executed software) of a machine. The focus of binary attestation are the binaries instead of their security. We present a protocol and architecture for property attestation that resolves these problems. With property attestation, a verifier is securely assured of security properties of the verified platform's execution environment without receiving detailed configuration data. This enhances privacy and scalability since the verifier needs to be aware of its few required security properties instead of an huge number of acceptable configurations.

By: Jonathan Poritz, Matthias Schunter, Els Van Herreweghen, and Michael Waidner

Published in: RZ3548 in 2004

LIMITED DISTRIBUTION NOTICE:

This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.

rz3548.pdf

Questions about this service can be mailed to reports@us.ibm.com .