[Cryptography Team] Protecting Image
Matthew S. Hamrick
mhamrick at cryptonomicon.net
Wed Jan 11 17:45:41 CET 2006
Hey Ron...
I think you've hit upon a fundamental issue here. Let me tell you
what we're currently investigating in Spoon.
First off... yes, it's a very valid concern. Some of the fundamental
security objectives we're working towards in Spoon are:
1. Sensitive data is to remain sensitive.
2. Operations on data that are sensitive, are to be reserved to
privileged entities.
3. Requests to perform sensitive operations are to honored only if
there is a high degree of assurance in the request's origin (and the
originating entity is privileged to make the request.)
All of these objectives are affected if the image isn't protected
somehow. There are a couple of different ways to protect the image
from malicious modification (or to protect the project or even class
files and changesets.)
An attacker might want to replace data or code in an image file to
complete his nefarious plans. One way to protect against this is for
a trusted source to create image files for distribution on the
Squeak.Org site. I don't know whose job it is to do this right now,
but it's a simple thing to have them generate a key pair used to sign
and verify the complete image. The VM would include code to verify
the image at load time, generating a failure if signature
verification didn't work out.
But the moment the user modifies something in the image and saves it,
you've invalidated the signature. So signing and verifying the whole
image probably won't work.
The approach we're experimenting with in Spoon is to define a set of
classes that define "the core" of the language. These classes are
then signed by a trusted third party (like the person who builds the
image). That person's public key is included in the VM (or if you
want to get fancy, you can add a collection of trusted root
certificates from which the trusted third party's certificate was
issued.) At boot time, the integrity of these classes are checked by
the VM. So you now have a situation where users can modify any non-
core class without invalidating the signature on the core part of the
image. As long as you put sensitive things (like network and file
access and crypto implementation) inside the "core," you can be
assured that it hasn't been modified to do bad things.
There are drawbacks here, of course. One of the things that some
people really love about Smalltalk is the ability to modify anything
and everything, including core classes. The system should be flexible
enough to allow an end user to generate a key pair and have their
public key certified as being allowed to modify core classes _FOR
THEIR INSTANCE_. In other words, you'll want to set it up so that
there is... well... I don't want to use the word PKI or CA... let's
just say an image signing authority. Someone in the Squeak project
who's responsible for identifying which members of the community can
create images that are distributed on Squeak.Org. This person
maintains a certificate signing key and the certificate including the
public key associated with that signing key is distributed along with
the VM. If a user wants to modify core classes, they can do this, but
they have to spin a key pair, generate a self signed cert, and put
the cert in the list of trusted core signers.
There are several implementation challenges here, not the least of
which is how to verify all these classes in a tractable amount of
time. And you still have the problem that people who want to
distribute classes that depend on changes they've made to the core
are going to have to get the people they distribute to to install
their own key pair so that when they modify their core classes, they
don't break the signature check. And if everyone does this without
examining code changes that come their way from anonymous sources on
the internet, what's the point of signing things in the first place?
One of the things we're exploring in Spoon is the idea of
attestation. If you create a class whose instances require changes in
'the core', you can tell the system something to the effect of...
"allow such and such a class, signed by some person to make a call to
this core class, but disallow everyone else." The idea here is that
if you have a sensitive operation in the core, it might be nice to
limit who can perform it. This way, you could distribute signed code
that may have elevated privileges based on the identity of the
signer. End users would then be able to say things like, "Oh... I
trust Ian P. and Dan I. (and hopefully Matt H.) but I don't trust
this random guy over here...)"
I'm working on a Security overview for Spoon that will hopefully come
out sometime before the RSA Conference this year, more info and
analysis should be available then.
But here are a few things to think about:
1. You're probably going to want to have some kind of Image
authentication in the VM. If you depend on code in the image to
authenticate code in the image, then yes, as you pointed out there's
nothing to stop a malicious attacker from modifying the image to not
actually perform the authentication. One of the objectives of
"trusted computing" ( if you can ignore all the DRM and spyware the
big guys are trying to enable under this name ) is to provide
authentication, access control and privacy mechanisms by trusting and
reviewing a small code core where code outside the core depends on
features inside the core to work properly. This is why that Java VM
verifies signatures on JAR files and why the Windoze OS authenticates
authenticode signatures applied to executables and why the NGSCB guys
at MS are trying to get the computing hardware to authenticate
signatures on the OS. The idea is if you get it right in the
hardware, you can use the trust provided by the hardware to
authenticate the OS which then authenticates the VM which then
authenticates code in the Image which then makes decisions about
access control, authentication of entities involved in application
layer protocols and privacy.
2. You probably want to have a flexible code authentication system.
In other words, you don't want to hardwire a verification key inside
the image or inside the VM. Whit Diffie has a quote that I love... "A
secret that is hard to change is a vulnerability." I think the idea
here is that if your system depends on the obscurity of the location
of a key for security, when attackers learn where that key lives,
they'll be able to access it which will obviate the trust given to
that key. If your admin staff or your users can't easily change that
key, then you've locked them into using a version of your software
that the attackers know how to hack.
So what's the practical guidance I'm going for here? Browsers and
OSes that have lists of trusted root keys, generally allow admins to
add or remove root keys and modify the trust of root keys in the root
key database. The guidance is... use a key database that allows
privileged users to add, remove or edit trust settings for
verification keys. Implementing such a database as a simple file is
probably do-able as long as the file is protected from illicit access
by the underlying operating system. If the underlying operating
system doesn't provide file access protections, then you've got all
sorts of other things to worry about.
3. You probably want the VM authentication capabilities to be a
subset of those available to the runtime. The idea here is you might
at some point want to use tools in the image to produce the core
trusted root database. As an example, MacOS X uses a "keychain"
format and splits keys between three primary classes of keychains:
the X.509 root database, system global verification keys, and user-
specific keys.
Okay.. I think there's "more to it," but I've run out of time... So
I'd be interested to hear anyone else's comments?
-Cheers!
-Matt H.
On Jan 11, 2006, at 7:24 AM, Ron Teitelbaum wrote:
> All,
>
>
>
> I’ve been thinking though some of the problems with cryptography.
> I have a question. How do we protect the image? It seems to me
> that the easiest way to circumvent the cryptography features of a
> system would be to change the code to send off plain text after it
> was decrypted. So the question is how do we protect the image from
> being tampered with? Is this even a valid concern, or do we assume
> that once someone has access to the machine, and therefore the
> image, that the system is compromised in general?
>
>
>
> Ron
>
> _______________________________________________
> Cryptography mailing list
> Cryptography at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> cryptography
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://liststest.squeakfoundation.org/pipermail/cryptography/attachments/20060111/09a6d2ea/attachment.html
More information about the Cryptography
mailing list