CMU LTI 11731 - Design and Implementation of a TCG-Based Integrity Measurement Architecture
RC23064 (W0401-082) January 16, 2004
Computer Science

IBM Research Report

Design and Implementation of a TCG-Based Integrity Measurement Architecture

Reiner Sailer, Xiaolan Zhang, Trent Jaeger, Leendert Van Doorn
IBM Research Division
Thomas J. Watson Research Center
P.O. Box 704
Yorktown Heights, NY 10598

Research Division
Almaden - Austin - Beijing - Haifa - India - T. J. Watson - Tokyo - Zurich

LIMITED DISTRIBUTION NOTICE: This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). Copies may be requested from IBM T. J. Watson Research Center, P.O. Box 218, Yorktown Heights, NY 10598 USA (email: [email protected]). Some reports are available on the internet at http://domino.watson.ibm.com/library/CyberDig.nsf/home .

Design and Implementation of a TCG-based Integrity Measurement Architecture

Reiner Sailer and Xiaolan Zhang and Trent Jaeger and Leendert van Doorn
IBM T. J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
{sailer,cxzhang,jaegert,leendert}@watson.ibm.com

Abstract

We present the design and implementation of a secure integrity measurement system for Linux. All executable content that is loaded onto the Linux system is measured before execution and these measurements are protected by the Trusted Platform Module (TPM) that is part of the Trusted Computing Group (TCG) standards. Our system is the first to extend the TCG trust concepts to dynamic executable content from the BIOS all the way up into the application layer. In effect, we show that many of the Microsoft NGSCB guarantees can be obtained on today's hardware and today's software and that these guarantees do not require a new CPU mode or operating system but merely depend on the availability of an independent trusted entity, a TPM for example. We apply the measurement architecture to a web server application where we show how our system can detect undesirable invocations, such as rootkit programs, and that measurement is practical in terms of the number of measurements taken and the performance impact of making them.

1 Introduction

With the introduction of autonomic computing, grid computing and on demand computing there is an increasing need to be able to securely identify the software stack that is running on remote systems. For autonomic computing, you want to determine that the correct patches have been installed on a given system. For grid computing, you are concerned that the services advertised really exist and that the system is not compromised. For on demand computing, you may be concerned that your outsourcing partner is providing the software facilities and performance that have been stipulated in the service level agreement. Yet another scenario is where you are interacting with your home banking or bookselling web services application and you want to make sure it has not been tampered with.

The problem with the scenarios above is, who do you trust to give you that answer? It cannot be the program itself because it could be modified to give you wrong answers. For the same reason we cannot trust the kernel or the BIOS on which these programs are running since they may be tampered with too. Instead we need to go back to an immutable root to provide that answer. This is essentially the secure boot problem [1], although for our scenarios we are interested in an integrity statement of the software stack rather than ensuring compliance with respect to a digital signature.

The Trusted Computing Group (TCG) has defined a set of standards [2] that describe how to take integrity measurements of a system and store the result in a separate trusted coprocessor (Trusted Platform Module) whose state cannot be compromised by a potentially malicious host system. This mechanism is called trusted boot. Unlike secure boot, this system only takes measurements and leaves it up to the remote party to determine the system's trustworthiness. The way this works is that when the system is powered on it transfers control to an immutable base. This base will measure the next part of the BIOS by computing a SHA1 secure hash over its contents and protect the result by using the TPM. This procedure is then applied recursively to the next portion of code until the OS has been bootstrapped.

The TCG trusted boot process is composed of a set of ordered sequential steps and is only defined up to the bootstrap loader. Conceptually, we would like to maintain the chain of trust measurements up to the application layer, but unlike the bootstrap process, an operating system handles a large variety of executable content (kernel, kernel modules, binaries, shared libraries, scripts, plugins, etc.) and the order in which the content is loaded is seemingly random. Furthermore, an operating system almost continuously loads executable content and measuring the content at each load time incurs a considerable performance overhead.

The system that we describe in this paper addresses these concerns. We have modified the Linux kernel and the runtime system to take integrity measurements as soon as executable content is loaded into the system, but before it is executed. We keep an ordered list of measurements inside the kernel. We change the role of the TPM slightly and use it to protect the integrity of the in-kernel list rather than holding measurements directly. To prove to a remote party what software stack is loaded, the system needs to present the TPM state using the TCG attestation mechanisms and this ordered list. The remote party can then determine whether the ordered list has been tampered with and, once the list is validated, what kind of trust it associates with the measurements. To minimize the performance overhead, we cache the measurement results and eliminate future measurement computations as long as the executable content has not been altered. The amount of modification we made to the Linux system was minimal, about 1000 lines of code.

Our enhancement keeps track of all the software components that are executed by a system. The number of unique components is surprisingly small and the system quickly settles
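The following Python model is an added illustration, not code from the paper or from the authors' kernel patch. It ties together the two mechanisms the introduction describes: the trusted-boot style chain in which each measurement is hashed and extended into a TPM register (the TPM 1.2 extend rule, PCR_new = SHA1(PCR_old || measurement), is real; the single register and the in-memory list here are simplifications), and the remote party's check that replays the ordered in-kernel list and compares it with the attested register value before judging individual entries. It also models the cache that skips re-hashing unchanged content. The class and function names, the file paths and the file contents are constructed placeholders; the PCR value is handed to the verifier directly, standing in for a TPM quote received through the TCG attestation mechanisms.

```python
import hashlib
from typing import Dict, List, Set, Tuple

PCR_RESET = bytes(20)  # a TPM 1.2 PCR is 20 bytes and reads all-zero after power-on


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA1(PCR_old || measurement).
    Software can only extend a PCR, never write it, so the final value
    commits to every measurement and to the order they were taken in."""
    return sha1(pcr + measurement)


class MeasuringKernel:
    """Measuring side (stands in for the modified Linux kernel; constructed
    model). Keeps the ordered measurement list in memory and extends each new
    digest into one PCR; a cache skips re-hashing content that has not changed."""

    def __init__(self) -> None:
        self.log: List[Tuple[str, bytes]] = []   # (name, SHA-1 of content)
        self.pcr: bytes = PCR_RESET
        self._cache: Dict[str, bytes] = {}
        self.hash_ops = 0                        # how many SHA-1s were computed

    def load(self, name: str, content: bytes, modified: bool = False) -> bytes:
        """Called before executable content runs. `modified` stands in for the
        kernel observing that the file was written since it was last measured."""
        digest = self._cache.get(name)
        if digest is None or modified:
            digest = sha1(content)
            self.hash_ops += 1
            self._cache[name] = digest
        # The same unchanged file loaded again is already in the list; only a
        # new (name, digest) pair is appended and extended into the PCR.
        if (name, digest) not in self.log:
            self.log.append((name, digest))
            self.pcr = pcr_extend(self.pcr, digest)
        return digest


def verify_attestation(log: List[Tuple[str, bytes]], quoted_pcr: bytes,
                       known_good: Set[bytes]) -> Tuple[bool, List[str]]:
    """Remote-party side. Replays the list through pcr_extend and compares the
    result with the PCR value the TPM attested to. Any edit, deletion,
    insertion or reordering of the list changes the replayed value. Only an
    intact list is then judged entry by entry against trusted digests.
    Returns (list_intact, names_of_unknown_components)."""
    replayed = PCR_RESET
    for _, digest in log:
        replayed = pcr_extend(replayed, digest)
    if replayed != quoted_pcr:
        return False, []
    return True, [name for name, digest in log if digest not in known_good]


def demo() -> Dict[str, object]:
    """Honest case, a rootkit load, and three attempts by a compromised host
    to hide the rootkit from the verifier. All file contents are constructed
    placeholders, not real binaries."""
    files = {
        "/boot/vmlinuz": b"kernel image",
        "/sbin/init": b"init binary",
        "/usr/sbin/httpd": b"web server binary",
        "/lib/libc.so.6": b"c library",
    }
    rootkit = ("/tmp/rootkit.ko", b"kernel module that hides processes")
    known_good = {sha1(c) for c in files.values()}   # verifier's trusted digests
    k = MeasuringKernel()
    for name, content in files.items():
        k.load(name, content)
    k.load("/usr/sbin/httpd", files["/usr/sbin/httpd"])   # restart: cache hit, no new entry
    out: Dict[str, object] = {"hash_ops_after_restart": k.hash_ops}
    out["honest"] = verify_attestation(k.log, k.pcr, known_good)
    k.load(*rootkit)
    out["rootkit_reported"] = verify_attestation(k.log, k.pcr, known_good)
    # The host can alter the list it sends, but not the PCR the TPM quotes.
    out["entry_dropped"] = verify_attestation(k.log[:-1], k.pcr, known_good)
    forged = k.log[:-1] + [(rootkit[0], sha1(files["/sbin/init"]))]
    out["entry_forged"] = verify_attestation(forged, k.pcr, known_good)
    out["reordered"] = verify_attestation(k.log[::-1], k.pcr, known_good)
    # A patched httpd is re-hashed and appended as a new entry; the old one stays.
    k.load("/usr/sbin/httpd", b"patched web server binary", modified=True)
    out["hash_ops_after_patch"] = k.hash_ops
    out["log_len_after_patch"] = len(k.log)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the split in verify_attestation is the one the paper draws: the TPM does not need to hold the measurements themselves, only a value that commits to the list, so the host is free to send the list over an ordinary channel and the verifier decides what to trust after it has confirmed the list is the one the TPM saw. In the model the verifier trusts the PCR value it is handed; on real hardware that trust comes from the TPM signing the quote with a key the verifier can check, which this example does not implement.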