Remote Attestation with Constrained Disclosure

Trusted Platform Modules (TPMs) are used for remote attestation to ensure the authenticity and integrity of software running on a computer system. However, measuring software executed as containers or virtual machines can be challenging as it is measured concurrently, resulting in a jumbled measurement log that is difficult to disentangle. Moreover, disclosing the entire measurement log in traditional binary remote attestation raises privacy and intellectual property concerns. To address these issues, we propose a remote attestation method with constrained disclosure, allowing for selective disclosure of entries in the measurement log using a non-interactive zero-knowledge (NIZK) proof with Schnorr signatures. Our approach is evaluated for security and privacy and proven to be correct, sound, and satisfies the properties of a NIZK proof. Formal verification of our solution with ProVerif also supports our claims. Furthermore, the performance evaluation of our proof-of-concept implementation shows that our contribution is feasible, and the overhead introduced is negligible.


Remote Attestation
• Involved Entities/Roles: • RACD preserves integrity and authenticity of TPM Quote (digital signature over the TPM's internal state) and event log (R1).
• Partial verifiers aren't allowed to communicate with each other (R6). •

Limitations
•Nonce (as a salt or freshness key) might seem simpler and more elegant compared to our NIZK method, it comes with limitations.For instance, all verifiers must be online during the (measured) boot process to supply the nonce.
•Our NIZK approach offers the advantage of transferability, eliminating the need for verifiers to be online during boot-up.
•NIZK also securely proves the validity of the data without disclosing the underlying secret and allows for the verification of the obfuscated hash.
• The computational burden associated with using NIZK for information security and limited disclosure is acknowledged.We also concur that increasing the volume of log entries would proportionally elevate the processing time.

DAA and EPID
•Our RACD approach targets the secrecy of binary measurements during remote attestation.There exists the Direct Anonymous Attestation (DAA) protocol to keep the identity of a TPM secret.
•However, DAA, Enhanced Privacy ID (EPID), etc., are orthogonal to our approach and can be used in conjunction with it.

•ooo
Attester Produces evidence to be appraised by the verifier • Verifier o Appraises the validity of evidence from the attester and produces attestation results • Relying Party o Consumes attestation results from the verifier 39th Annual Computer Security Applications Conference (ACSAC 2023) -4Digitally signed claims about the platform configuration, including measurements of software binaries and files • Reference Values o Verifier uses as a whitelist of known good measurements of software binaries and files to appraise evidence • Attestation Result o Produced by the verifier and that includes information about the trustworthiness of the attester Use Case: Containerized Edge Node 39th Annual Computer Security Applications Conference (ACSAC 2023) -4-8 December 2023 Source : https://www.alibabacloud.com/knowledge/what-is-edge-Following the exact steps of the protocol • Dishonest Partial Verifier o Passively listening • Objective: o Obtain information about the software (versions) running on the attester's system o Query CVE database to identify and exploit vulnerable software 39th Annual Computer Security Applications Conference (ACSAC 2023) -4-8 December 2023 Requirements 39th Annual Computer Security Applications Conference (ACSAC 2023) -4-8 December 2023 • Integrity and authenticity (R1) o The TPM-anchored event log (with all loaded software) must be maintained • Secure communication (R2) o Confidential communication must be established between attester and (partial) verifier • Mutual authentication (R3) • Suitable elliptic curve (R4) • Securely disclose any subset of event log entries (R5) • Partial verifiers must not collude with each other (R6) Software Measurement Process 39th Annual Computer Security Applications Conference (ACSAC 2023) -4-8 December 2023 9 Remote Attestation Process 39th Annual Computer Security Applications Conference (ACSAC 2023) -4-8 December 2023 Security Considerations 39th Annual Computer Security Applications Conference (ACSAC 2023) -4-8 December 2023 Verification results of ProVerif on the RACD protocol Evaluation 39th Annual Computer Security Applications Conference (ACSAC 2023) -4-8 December 2023 • Proof-of-Concept implementation on a Raspberry Pi 3 Model B V1.2 running Raspberry Pi OS lite "bullseye" • LetsTrust TPM featuring an Infineon Optiga SLB 9670 TPM 2.0 attached to the GPIO ports • Measurements taken from two Raspberry PIs: one attester system and one verifier Performance Assessment 39th Annual Computer Security Applications Conference (ACSAC 2023) -4-8 December 2023 Remote Attestation between Attester and Partial Verifier Conclusions and Future Work • Extended existing remote attestation architecture to include constrained disclosure • Leveraged non-interactive zero-knowledge proof (NIZK) for selective disclosure • RACD verification took ~180 ms longer than traditional remote attestation • Future Work o Deeply investigate RACD in the context of VMs and software containers o Investigate alternative selective disclosure techniques o Integrate RACD into Linux kernel 39th Annual Computer Security Applications Conference (ACSAC 2023) -4-8 December 2023 39th Annual Computer Security Applications Conference (ACSAC 2023) -4