PSU CSE 543 - PRIMA

This preview shows page 1-2-3-4-5 out of 15 pages.


PRIMA
Paper By: Trent Jaeger, Reiner Sailer, and Umesh Shankar
Presented By: Wyatt Lloyd, Robert Melervy

Overview
• How PRIMA meets the 6 requirements
– Trusted Subjects
– Trusted Code/Data
– Information Flow
– Initial Verification
– Filtering Interfaces
– Filtering Subjects
• Verification of CW-Lite Formally
– High Integrity Code Loaded in Trusted Subjects
– CW-Lite Information Flow Requirements
– Initial Verification
– Filtering Interface Correctness

Trusted Subjects
The set of trusted subjects in the MAC policy must be trusted by the remote party.
Add trusted subjects to the measurement list, and their hashes to the hash chain.
H(X_{i+1}) = H(X_i || H(T))
M_{i+1} = M_i || m_T
Remote party verifies that it trusts all subjects on the measurement list, and that the hashes check.

Trusted Code/Data
All code and static data loaded for any trusted subject must correspond to hashes known and trusted by the remote party.
Measure code/data, subject and role (optional) if the subject is trusted.
m_d = (d || s || r)
H(X_{i+1}) = H(X_i || H(m_d))
M_{i+1} = M_i || m_d
Remote party verifies that code/data, subject, and role (optional) are all of high integrity.

Information Flow
All information flows to a trusted subject must come from another trusted subject.
MAC policy => information flow, so PRIMA measures information flow by measuring MAC policy.
H(X_{i+1}) = H(X_i || H(p))
M_{i+1} = M_i || m_P
Remote party uses hashes to verify the measurement list, then uses MAC policy => information flow, then verifies all flows to trusted subjects are from trusted subjects.

Initial Verification
The initial verification procedure code must be of high integrity and the verification must be successful.
No new measurements are needed to capture the IVP!
IVP subject and IVP code are covered by the code/data measurement; IVP code then measures the result of the IVP test.

Filtering Interfaces
Any claim that a particular interface discards or upgrades all low integrity inputs must be verifiable.
Part of trusted subjects, so its code is already measured!

Filtering Subjects
The permission to receive low integrity inputs must only be available to filtering subjects, and these subjects must only run within the context of a filtering interface.
Extend m_T to include whether the subject has an associated filtering subject.
This allows the remote party to verify the filtering interfaces.

Review of Measurements
– Code and static data
– MAC Policy*
– Trusted Subjects*
– Code-Subject Mapping*
* means new measurement

Verification of CW-Lite Formally
This is what the remote party must do to trust you.

High Integrity Code Loaded in Trusted Subjects
Requirement: Remote party must verify the code/data digest is known and of high integrity. Must verify the role as well if it is specified.
What PRIMA does: PRIMA measures all code loaded into trusted subjects, and the code/subject mapping.

CW-Lite Information Flow Requirements
Requirement: For every trusted subject, all directly connected information flows must be from trusted subjects. For filtering and untrusted subjects there are no requirements.
What PRIMA does: PRIMA measures the MAC policy => information flow so we can verify all trusted subjects only have inputs from trusted subjects.

Initial Verification
Requirement: The IVP subject must pass the regular “High Integrity Code Loaded in Trusted Subjects” requirements. It also must be trusted to do integrity verification, and the integrity verification must succeed.
What PRIMA does: The IVP is a trusted subject, so its code is measured. The IVP can then run with trusted results.

Filtering Interface Correctness and Use
Requirement: Any trusted subject with an associated filtering subject must pass the “High Integrity Code Loaded into Trusted Subjects” requirement and be trusted to only activate filtering subjects within filtering interfaces.
What PRIMA does: Filtering interface code is measured, and its existence is indicated in the trusted subject list. The remote party must check that filtering subjects are only used at filtering interfaces, and that the filtering interfaces are trusted to discard or upgrade low integrity data.

PRIMA’s Big Advantages
1) Captures information flow and allows upgrading of low integrity inputs!
2) Doesn’t measure untrusted
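
The remote party's checks from the Trusted Subjects, Trusted Code/Data and Information Flow slides, as an added example that is not code from the paper or the presentation. The `T|`, `D|`, `P|` entry encoding, the SHA-1 digest, the all-zero initial chain value and every subject name and digest are assumptions made for illustration.

```python
import hashlib

def H(b: bytes) -> bytes:
    return hashlib.sha1(b).digest()  # digest choice is an assumption

def aggregate(mlist):
    """Replay H(X_{i+1}) = H(X_i || H(m)) over the measurement list M."""
    x = bytes(20)  # assumed initial value X_0
    for m in mlist:
        x = H(x + H(m))
    return x

def verify(mlist, reported, ok_subjects, ok_digests):
    """Remote party's checks; returns a list of failures (empty = accept)."""
    if aggregate(mlist) != reported:
        return ["measurement list does not match hash chain"]
    errors, trusted, flows = [], set(), []
    for m in mlist:
        kind, *f = m.decode().split("|")
        if kind == "T":    # m_T: trusted subject, optional filtering subject
            trusted.add(f[0])
            if f[0] not in ok_subjects:
                errors.append(f"untrusted subject on list: {f[0]}")
        elif kind == "D":  # m_d = (d || s || r)
            if f[0] not in ok_digests:
                errors.append(f"unknown code/data digest loaded in {f[1]}")
        elif kind == "P":  # m_P: MAC policy, reduced here to src>dst flows
            flows = [tuple(e.split(">")) for e in f[0].split(",")]
    # Every flow into a trusted subject must originate from a trusted subject;
    # filtering and untrusted subjects carry no requirement.
    for src, dst in flows:
        if dst in trusted and src not in trusted:
            errors.append(f"low-integrity flow {src} -> {dst}")
    return errors

# Constructed sample attestation (subject names and digests are made up).
GOOD = [b"T|init_t|", b"T|sshd_t|sshd_filter_t", b"D|aa11|sshd_t|system_r",
        b"P|init_t>sshd_t,user_t>sshd_filter_t"]
BAD_POLICY = GOOD[:3] + [b"P|init_t>sshd_t,user_t>sshd_t"]
OK_SUBJECTS, OK_DIGESTS = {"init_t", "sshd_t"}, {"aa11"}

if __name__ == "__main__":
    print(verify(GOOD, aggregate(GOOD), OK_SUBJECTS, OK_DIGESTS))
    print(verify(BAD_POLICY, aggregate(BAD_POLICY), OK_SUBJECTS, OK_DIGESTS))
```

In a deployment the reported aggregate would come from a signed quote rather than being recomputed by the caller; the example passes it in directly to keep the chain check visible.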

