ISU CPRE 681 - A Practical Property-based Bootstrap Architecture
A Practical Property-based Bootstrap Architecture

René [email protected] · [email protected] · Stü[email protected] · Jing Zhan∗ [email protected]

1 Görtz Institute for IT-Security, Ruhr-University Bochum, Germany
2 Sirrix AG security technologies, Germany
3 Computer School, Wuhan University, China

ABSTRACT

Binary attestation, as proposed by the Trusted Computing Group (TCG), is a pragmatic approach for software integrity protection and verification. However, it also has various shortcomings that cause problems for practical deployment, such as scalability, manageability and privacy: on the one hand, data bound to binary values remain inaccessible after a software update, and the verifier of an attestation result has to manage a huge number of binary versions. On the other hand, the binary values reveal information on the platform configuration that may be exploited maliciously.

In this paper we focus on property-based bootstrap architectures with an enhanced boot loader. Our proposal improves the previous work in a way that allows a practical and efficient integration into existing IT infrastructures. We propose a solution to the version rollback problem that, in contrast to the existing approaches, is secure even if the TPM owner of the attested platform is untrusted, without requiring an interaction with a trusted third party.

Finally, we show how our architecture can be applied to secure boot mechanisms of Mobile Trusted Modules (MTM) to realize a "Property-Based Secure Boot". This is especially important for human users, since with secure boot, users can rely on the fact that a loaded system is also in a trustworthy state.

Categories and Subject Descriptors
D.4.6 [Operating Systems]: Security and Protection

General Terms
Security

Keywords
Trusted Computing (TC), Property-based Attestation, Secure Boot, Mobile Trusted Module (MTM)

∗ Jing Zhan is a PhD student at Wuhan University in China. She is currently doing research at Ruhr-University Bochum in Germany under the support of the China Scholarship Council (CSC) Scholarship Program.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
STC'09, November 13, 2009, Chicago, Illinois, USA.
Copyright 2009 ACM 978-1-60558-788-2/09/11 ...$10.00.

1. INTRODUCTION

Binary attestation, as proposed by the Trusted Computing Group (TCG) based on the Trusted Platform Module (TPM) [22, 23, 24], is a pragmatic approach to software integrity protection. Especially in the context of centrally managed IT infrastructures, as is common in medium-sized and large enterprises, binary attestation and binary sealing can help enforce security policies by authenticating both hardware platforms and software configurations.

However, as already pointed out by previous work (e.g., [17, 9]), the use of binary measurements (hash values over binary code) has several disadvantages. For instance, they render sealed data inaccessible after software updates and leak platform configuration information, allowing remote attackers to optimize their attacks.

In order to solve these problems, the concept of property-based attestation and sealing was introduced [17, 12]. The main idea is to use software properties instead of binary measurements for attestation and sealing, which ensures that sealed data is available after a software update as long as the new software provides the same properties. Several concrete schemes have been proposed based on different trust models and assumptions. While some solutions require changes to the current TPM, others (such as [12]) present a property-based attestation and sealing architecture that can be instantiated on existing TCG-compliant hardware using an extended bootstrap architecture.

Contribution. In this paper we put forward the work on a property-based bootstrap architecture of [12] by presenting a design and a prototype implementation of a Property-Based Boot Loader (PBBL) including efficiency measurements. We extend the concepts defined in the previous work to allow a realization based on a common PKI (Public Key Infrastructure). In addition, we solve the version rollback problem of [12] in such a way that it is secure even if the TPM owner of the client is untrusted. In contrast to the solution of [12], our proposal does not require an interactive protocol between the boot loader and a trusted third party (TTP) during the installation phase of the boot loader.

Moreover, we show how such a property-based bootstrap architecture can be integrated into typical centralized IT infrastructures of enterprises such that software updates can efficiently be distributed in this environment without affecting security or accessibility.

Finally, we show how our concept can be applied to the secure boot mechanisms as defined in the Mobile Trusted Module (MTM) specification to realize a "Property-based Secure Boot". This feature is particularly important, since with secure boot, end-users can rely on the fact that a loaded system is also in a trustworthy state.

Outline. Section 2 is devoted to related work while giving an overview of important concepts necessary for property-based attestation. Section 3 introduces the general concepts of property-based bootstrap architectures and Section 4 presents the underlying model of our proposal by presenting an extended application environment, detailed design decisions, and implementation details including a performance and security evaluation. We also provide an application with MTM in Section 5. Section 6 concludes with a short summary and future work.

2. RELATED WORK

There have been several proposals in the literature for protecting and proving the integrity of computing platforms based on cryptographic techniques and trusted components. Known aspects in this context are secure and authenticated (or trusted) booting: the former means that a system can measure its own integrity and terminates the boot process in case the integrity check fails, whereas the latter aims at proving the platform integrity to a (remote) verifier using binary attestation [3, 7, 18, 20, 26].

A more general and flexible extension to the binary attestation is
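The contrast the Introduction draws between binary sealing and property-based sealing, as an added Python illustration that is not the paper's PBBL implementation: each boot extends a simulated PCR with either the binary hash or, as a property-based boot loader would, a property vouched for by a certificate, a secret is sealed to that PCR, and after a software update the binary-sealed secret becomes inaccessible while the property-sealed one stays available. The issuer key, the HMAC-tagged certificate format standing in for a real signature, and the binaries are constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo of the binary-vs-property sealing contrast. Added illustration,
# not the paper's PBBL code; the issuer key, binaries and secret are made up.
ISSUER_KEY = b"constructed-property-issuer-key"   # stands in for the issuer's signing key
PCR_INIT = "00" * 32                               # fresh SHA-256 sized PCR

def measure(blob: bytes) -> str:
    """Binary measurement: hash over the code about to be loaded."""
    return hashlib.sha256(blob).hexdigest()

def extend(pcr: str, value: str) -> str:
    """TPM-style extend: PCR <- H(PCR || value)."""
    return hashlib.sha256(bytes.fromhex(pcr) + bytes.fromhex(value)).hexdigest()

def _cert_tag(digest: str, prop: str) -> str:
    return hmac.new(ISSUER_KEY, f"{digest}:{prop}".encode(), "sha256").hexdigest()

def issue_property_cert(binary: bytes, prop: str) -> dict:
    """Property certificate: the issuer vouches that this binary provides `prop`."""
    digest = measure(binary)
    return {"hash": digest, "property": prop, "tag": _cert_tag(digest, prop)}

def property_measurement(binary: bytes, certs: list) -> str:
    """Property-based boot step: accept only a certificate that maps this binary's
    hash to a property, then report (a hash of) the property instead of the hash."""
    digest = measure(binary)
    for c in certs:
        if c["hash"] == digest and hmac.compare_digest(c["tag"], _cert_tag(digest, c["property"])):
            return hashlib.sha256(c["property"].encode()).hexdigest()
    raise ValueError("no valid property certificate for this binary")

def unseal(sealed: dict, pcr: str) -> bytes:
    """Sealed data {'pcr', 'secret'} is released only while the PCR matches."""
    if not hmac.compare_digest(sealed["pcr"], pcr):
        raise PermissionError("PCR mismatch: sealed data inaccessible")
    return sealed["secret"]

def survives_update(old: bytes, new: bytes, certs: list, by_property: bool) -> bool:
    """Seal a secret under the old binary, then try to unseal after an update to `new`."""
    def boot(binary: bytes) -> str:
        value = property_measurement(binary, certs) if by_property else measure(binary)
        return extend(PCR_INIT, value)
    sealed = {"pcr": boot(old), "secret": b"disk-encryption-key"}   # seal to the boot-time PCR
    try:
        return unseal(sealed, boot(new)) == b"disk-encryption-key"
    except PermissionError:
        return False
```

A binary without any certificate makes `property_measurement` raise, which is the loader refusing to map an unknown binary to a property at all.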