CN101488176B - A TOCTOU Attack Response Method for TPM Trusted Computing - Google Patents

Info

Publication number
CN101488176B
Authority
CN
China
Prior art keywords
tpm
virtual
device program
specific file
content
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2009100782012A
Other languages
Chinese (zh)
Other versions
CN101488176A (en)
Inventor
常晓林
刘吉强
韩臻
刘博�
何帆
邢彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jiaotong University
Original Assignee
Beijing Jiaotong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jiaotong University filed Critical Beijing Jiaotong University
Priority to CN2009100782012A priority Critical patent/CN101488176B/en
Publication of CN101488176A publication Critical patent/CN101488176A/en
Application granted granted Critical
Publication of CN101488176B publication Critical patent/CN101488176B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to a method for responding to TOCTOU attacks against TPM trusted computing. The components of the method are a function-enhanced virtual TPM device program and a privileged domain proxy module. Like prior methods, the invention responds by updating PCR register information, but the way the update is triggered and executed differs from prior methods, so that TPM commands in the following two situations correctly reflect the current state of the client virtual domain platform: first, TPM commands whose processing result had not yet been sent out of the virtual TPM device program when the TOCTOU attack was detected; second, TPM commands that the virtual TPM device program had not yet received when the TOCTOU attack was detected. Besides security, the invention also takes system performance fully into account: by being event-driven and avoiding additional user-space process scheduling, it preserves the effective utilization of system resources and the scalability of the system.

Description

A TOCTOU Attack Response Method for TPM Trusted Computing
Technical field
The present invention relates to the trusted computing field of computer information security, and in particular to a TOCTOU attack response method for TPM trusted computing. The response method uses Xen virtual machine technology and defends against TOCTOU attacks on TPM trusted computing by updating the platform information stored in the trusted platform module.
Background art
Computer information security problems are difficult to solve with software alone. To address the structural insecurity of the existing PC, the Trusted Computing Platform Alliance TCPA (later renamed TCG) proposed ensuring the security of the whole system by strengthening the security of the existing terminal architecture. The main idea is to introduce, on various terminal hardware platforms, a trusted platform module TPM (also called a trusted chip) with secure storage and encryption functions. The operating system boot process is divided into several relatively independent layers, with the TPM as the root of trust of the trusted computing platform: each lower layer first measures the integrity of the layer above it, stores the measurement result in a platform configuration register (PCR) of the TPM chip, and then hands over control of the system, building a chain of trust layer by layer. After the computer has started, the data in a PCR can only be extended with digest values; it cannot be reset or tampered with. The user can therefore judge from the value of the corresponding PCR whether the current running environment is trusted and whether a security problem has occurred at some link of the chain.
Most current commercial operating systems are designed so that kernel programs (including loadable modules) have superuser privileges and use shared linear memory in order to improve system efficiency. As a result, the TCG architecture, which only verifies software at load time, is vulnerable to TOCTOU (time of check vs. time of use) attacks. Specifically, the attacker exploits the time gap between the moment a program is measured and the moment it is used to tamper with the program's memory, so that the platform information provided by the TPM no longer reflects the actual running state of the platform.
Defending against TOCTOU attacks on TPM trusted computing requires solving two problems: (1) how to detect the TOCTOU attack; (2) how to respond to the attack. One scheme for detecting TOCTOU attacks modifies the memory management unit (MMU) so that memory updates are monitored in real time, but this hardware-based solution scales poorly. Alternatively, the open-source virtualization product Xen can be used to build a pure software solution with the same detection capability. A Xen virtual machine comprises a virtual machine monitor, one privileged virtual computing domain and several client virtual computing domains; see Fig. 1. Each computing domain runs an operating system. The virtual machine monitor sits between the system hardware platform and the operating system software of the virtual computing domains; it is responsible for monitoring the underlying hardware and for abstracting the hardware into entities that can be managed and scheduled for use by the computing domains above it. All memory updates must be confirmed by the virtual machine monitor. A Xen virtual machine must run at least the virtual machine monitor and the privileged domain: after the Xen virtual machine starts, the privileged domain is the operating system that must be entered first, and client virtual domains are then created and started as required. The privileged computing domain has the highest authority and uses the virtual domain management tools to control the client computing domains, including creating them, deleting them and accessing physical devices. Fig. 2 shows a terminal platform security solution that combines virtualization technology with trusted computing technology: by providing a pure software TPM device in the privileged domain for the client virtual domain, the client virtual domain can perform trusted computing.
On the question of how to respond to a detected TOCTOU attack, the authors of (Sergey Bratus, Nihal D'Cunha, Evan Sparks, Sean Smith, TOCTOU, Traps, and Trusted Computing, TRUST 2008) proposed that the captured attack information be reflected promptly, over a secure channel, in the PCR registers of the client virtual domain's TPM device. The flow is shown in Fig. 3: (1) a kernel module in the virtual domain reports to the virtual machine monitor the application memory addresses to be monitored; (2) after receiving the addresses from the virtual domain, the virtual machine monitor monitors any modification to them, and as soon as it detects memory tampering it sends a virtual interrupt to the privileged domain; (3) after the privileged domain kernel receives the interrupt, the vTPM back-end driver forges a TPM command packet that appears to come from the client virtual domain and passes it through the vTPM management tool to the vTPM device program. The command extends the contents of the specified PCR register with a set of random numbers.
Because CPU scheduling is non-deterministic, the above response method has a security flaw in the following situation. Suppose a client on the network wants to perform remote attestation of the virtual domain being monitored. The virtual domain sends a read-PCR request packet through the vTPM front-end driver to the vTPM back-end driver, and this request is placed in the communication pipe between the vTPM back-end driver and the vTPM device management tool. At the same moment, the virtual machine monitor detects that the memory of this virtual domain has been tampered with and notifies the vTPM back-end driver, which immediately generates a PCR update request. This request is also placed in the request queue and may end up behind the earlier read-PCR request packet. The PCR information returned to the virtual domain for remote attestation then does not reflect that memory has been tampered with; that is, it does not reflect the current security state of the client virtual domain platform.
Summary of the invention
The purpose of the present invention is to provide a TOCTOU attack response method for TPM trusted computing that avoids the above deficiency of the prior art. It proposes a method for updating the platform information stored in the TPM. The response method consists of two parts: (1) a function-enhanced vTPM device program; (2) a privileged domain proxy module.
The purpose of the present invention can be achieved by the following measures:
A TOCTOU attack response method for TPM trusted computing, whose components comprise a function-enhanced virtual TPM (vTPM) device program and a privileged domain proxy module. The specific steps of the response method are as follows:
Step 1: after the privileged domain proxy module receives the TOCTOU attack message sent by the virtual machine monitor, it immediately creates a specific flag file under the /proc directory and sets its content to 1, indicating that the virtual domain's memory has been tampered with.
Step 2: when the function-enhanced vTPM device program receives a TPM command from the client virtual domain, it does not process the command right away but first checks whether the specific file exists under the /proc directory. If the file does not exist, or exists but its content is 0, the TPM command is processed normally. Otherwise, the program uses the current system time as a seed to generate a random number, extends the contents of the specified PCR register with this random number, sets the content of the specific file under the /proc directory to 0, and then processes the TPM command.
Step 3: before the function-enhanced vTPM device program sends the result of the TPM command out of the vTPM device program, it again checks whether the specific file exists under the /proc directory. This guards against the case where the client virtual domain is tampered with after it has sent the TPM command. If the file does not exist, or exists but its content is 0, the result is sent out normally. Otherwise, the program uses the current system time as a seed to generate a random number, extends the contents of the specified PCR register with this random number, sets the content of that file under the /proc directory to 0, processes the just-received TPM command once more, and then sends out the result.
Compared with the prior art, the present invention has the following advantages:
1. It defends more effectively against TOCTOU attacks on trusted computing: when a TOCTOU attack is detected, every TPM request not yet handled by the vTPM device program correctly reflects the current state of the client virtual domain platform.
2. It uses an event-driven mode of operation and, compared with the original system, introduces no additional user-space process scheduling, so the method preserves the original system's effective utilization of resources.
3. The method is highly extensible: it can work seamlessly with the various monitoring systems based on the Xen virtual machine to defend against TOCTOU attacks in the TCG architecture.
Description of drawings
Fig. 1 is a schematic diagram of the Xen virtual machine component framework used in the present invention.
Fig. 2 is a schematic diagram of the component framework of a method by which a client virtual domain performs trusted computing based on a virtual TPM.
Fig. 3 is a schematic diagram of the existing method of defending against TOCTOU attacks that is mentioned in the present invention.
Fig. 4 is a schematic diagram of the components of the TOCTOU attack response method designed by the present invention.
Fig. 5 is a workflow diagram of the function-enhanced vTPM device program designed by the present invention.
Embodiment
The present invention assumes that the system of Fig. 2 and the detection system of Fig. 3 have been deployed. The deployment steps of the response method are given below:
Step 1: replace the vTPM device program provided by the method of Fig. 2 with the function-enhanced vTPM device program.
Step 2: load the privileged domain proxy module in the privileged domain.
The workflow of the TOCTOU attack response method designed by the present invention is further described below with reference to Fig. 4 and Fig. 5:
(1) After the privileged domain proxy module receives the TOCTOU attack message sent by the virtual machine monitor, it immediately creates a specific flag file under the /proc directory and sets its content to 1, indicating that the virtual domain's memory has been tampered with.
(2) When the function-enhanced vTPM device program receives a TPM command from the client virtual domain, it does not process the command right away but first checks whether the specific file exists under the /proc directory. If the file does not exist, or exists but its content is 0, the TPM command is processed normally. Otherwise, the program uses the current system time as a seed to generate a random number, extends the contents of the specified PCR register with this random number, sets the content of the specific file under the /proc directory to 0, and then processes the TPM command.
(3) Before the function-enhanced vTPM device program sends the result of the TPM command out of the vTPM device program, it again checks whether the specific file exists under the /proc directory. This guards against the case where the client virtual domain is tampered with after it has sent the TPM command. If the file does not exist, or exists but its content is 0, the result is sent out normally. Otherwise, the program uses the current system time as a seed to generate a random number, extends the contents of the specified PCR register with this random number, sets the content of that file under the /proc directory to 0, processes the just-received TPM command once more, and then sends out the result.
With the above method, TPM commands in the following situations all correctly reflect the current state of the client virtual domain platform: (1) TPM commands whose processing result had not yet been sent out of the virtual TPM device program when the TOCTOU attack was detected; (2) TPM commands that the vTPM device program had not yet received when the TOCTOU attack was detected.
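
The following Python model of workflow steps (1) to (3) is an added example, not code from the patent or from the Xen vTPM. It shows why the second check before sending matters: with that check disabled, a PCR read that was already processed when the attack is reported returns the stale value. Assumptions: the temporary flag file standing in for the specific file under /proc, PCR index 10, all class and function names, and os.urandom used in place of the time-seeded random number.

```python
import hashlib
import os
import tempfile

PCR_LEN = 20  # SHA-1 digest size of a TPM 1.2 PCR


class VTpmModel:
    """Model of the enhanced vTPM device program (all names are assumptions)."""

    def __init__(self, flag_path, alarm_pcr=10, recheck_before_send=True):
        self.flag_path = flag_path      # stand-in for the specific file under /proc
        self.alarm_pcr = alarm_pcr      # the "specified PCR"; index 10 is assumed
        self.recheck_before_send = recheck_before_send
        self.pcrs = [bytes(PCR_LEN) for _ in range(24)]

    def extend(self, index, data):
        # PCR extend: PCR_new = SHA1(PCR_old || SHA1(data)); there is no reset.
        digest = hashlib.sha1(data).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()

    def flag_is_set(self):
        try:
            with open(self.flag_path) as f:
                return f.read().strip() == "1"
        except FileNotFoundError:
            return False                # no file means no attack was reported

    def respond_if_flagged(self):
        if not self.flag_is_set():
            return False
        # os.urandom replaces the time-seeded random number of the patent text.
        self.extend(self.alarm_pcr, os.urandom(PCR_LEN))
        with open(self.flag_path, "w") as f:
            f.write("0")
        return True

    def process(self, command):
        op, index = command
        if op != "pcr_read":
            raise ValueError("only pcr_read is modelled")
        return self.pcrs[index]

    def handle(self, command, tamper_during_processing=None):
        self.respond_if_flagged()                   # step (2): check on receipt
        result = self.process(command)
        if tamper_during_processing:                # hook: attack reported now
            tamper_during_processing()
        if self.recheck_before_send and self.respond_if_flagged():
            result = self.process(command)          # step (3): reprocess
        return result


def report_attack(flag_path):
    """Step (1): the privileged domain proxy module sets the flag to 1."""
    with open(flag_path, "w") as f:
        f.write("1")


def run_scenario(recheck_before_send):
    """Attack is reported after a PCR read was processed, before it is sent."""
    with tempfile.TemporaryDirectory() as d:
        flag = os.path.join(d, "toctou_flag")       # constructed path
        vtpm = VTpmModel(flag, recheck_before_send=recheck_before_send)
        clean = vtpm.handle(("pcr_read", vtpm.alarm_pcr))
        sent = vtpm.handle(("pcr_read", vtpm.alarm_pcr),
                           tamper_during_processing=lambda: report_attack(flag))
        return clean, sent, vtpm.flag_is_set()


if __name__ == "__main__":
    for recheck in (False, True):
        clean, sent, pending = run_scenario(recheck)
        print(recheck, sent != clean, pending)  # recheck, result reflects attack, flag pending
```

With recheck_before_send=False the flag is still pending when the stale result leaves the device program, which is the same window the request-queue ordering opens in the prior method.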

Claims (1)

1. A TOCTOU attack response method for TPM trusted computing, characterized in that the method components comprise a function-enhanced virtual TPM device program and a privileged domain proxy module, and the specific steps of the response method are as follows:
Step 1: when the privileged domain proxy module receives the TOCTOU attack message sent by the virtual machine monitor, it immediately creates a specific file under the /proc directory and sets the content of the specific file to 1, indicating that the virtual domain memory has been tampered with;
Step 2: when the function-enhanced virtual TPM device program receives a TPM command from the client virtual domain, it does not process the TPM command right away but first checks whether the specific file created in step 1 exists under the /proc directory; if the specific file does not exist, or the file exists but its content is 0, the TPM command is processed normally; otherwise the current system time is used as a seed to generate a random number, the contents of the specified PCR register are extended with the random number, the content of the specific file under the /proc directory is set to 0, and the TPM command is then processed;
Step 3: before the function-enhanced virtual TPM device program sends the processing result of the TPM command out of the virtual TPM device program, it must first check whether the specific file created in step 1 exists under the /proc directory; if the specific file does not exist, or the specific file exists but its content is 0, the function-enhanced virtual TPM device program sends the processing result of the TPM command out of the virtual TPM device program; otherwise the function-enhanced virtual TPM device program first uses the current system time as a seed to generate a random number, extends the contents of the specified PCR register with the random number, sets the content of that specific file under the /proc directory to 0, then processes the just-received TPM command once more, and then sends out the result.
CN2009100782012A 2009-02-20 2009-02-20 A TOCTOU Attack Response Method for TPM Trusted Computing Expired - Fee Related CN101488176B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100782012A CN101488176B (en) 2009-02-20 2009-02-20 A TOCTOU Attack Response Method for TPM Trusted Computing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009100782012A CN101488176B (en) 2009-02-20 2009-02-20 A TOCTOU Attack Response Method for TPM Trusted Computing

Publications (2)

Publication Number Publication Date
CN101488176A CN101488176A (en) 2009-07-22
CN101488176B true CN101488176B (en) 2010-06-02

Family

ID=40891062

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009100782012A Expired - Fee Related CN101488176B (en) 2009-02-20 2009-02-20 A TOCTOU Attack Response Method for TPM Trusted Computing

Country Status (1)

Country Link
CN (1) CN101488176B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101950333B (en) * 2010-08-05 2013-04-10 北京交通大学 Method for dependably computing TOCTOU attack responding to Xen client hardware virtual domain
WO2012026939A1 (en) * 2010-08-27 2012-03-01 Hewlett-Packard Development Company, L.P. Virtual hotplug techniques
CN107045605A (en) * 2016-02-05 2017-08-15 中兴通讯股份有限公司 A kind of real-time metrics method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1897006A (en) * 2005-07-12 2007-01-17 国际商业机器公司 Method, apparatus for establishing virtual endorsement
CN101178759A (en) * 2006-11-09 2008-05-14 国际商业机器公司 Trusted device integrate circuit and virtualization method for memory device in the same
US7392403B1 (en) * 2007-12-19 2008-06-24 International Business Machines Corporation Systems, methods and computer program products for high availability enhancements of virtual security module servers

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
孟璟, 徐宁, 罗芳, 周雁舟, 刘雪峰. Construction and application of a Xen-based trusted virtual machine system. 计算机安全, 2008, (11), 2-6. *
薛海峰, 卿斯汉, 张焕国. Analysis of the XEN virtual machine. 系统仿真学报, 2007, 19(23), 5556-5558, 5569. *

Also Published As

Publication number Publication date
CN101488176A (en) 2009-07-22

Similar Documents

Publication Publication Date Title
Ling et al. Secure boot, trusted boot and remote attestation for ARM TrustZone-based IoT Nodes
CN102902909B (en) A kind of system and method preventing file to be tampered
CN103827882B (en) For the system and method for virtual partition monitoring
US8955104B2 (en) Method and system for monitoring system memory integrity
RU2522019C1 (en) System and method of detecting threat in code executed by virtual machine
US7490268B2 (en) Methods and systems for repairing applications
US20070261120A1 (en) Method & system for monitoring integrity of running computer system
US20050132122A1 (en) Method, apparatus and system for monitoring system integrity in a trusted computing environment
CN108027860A (en) For carrying out the hardening event counter of abnormality detection
US20160232354A1 (en) System memory integrity monitoring
CN102436566A (en) Dynamic trusted measurement method and safe embedded system
KR101358815B1 (en) Snoop-based kernel integrity monitoring apparatus and method thereof
CN102930205A (en) A monitoring unit and method
Strackx et al. The Heisenberg defense: Proactively defending SGX enclaves against page-table-based side-channel attacks
CN103218561B (en) Tamper-proof method and device for protecting browser
Viticchié et al. Reactive attestation: Automatic detection and reaction to software tampering attacks
EP3079057B1 (en) Method and device for realizing virtual machine introspection
CN101488176B (en) A TOCTOU Attack Response Method for TPM Trusted Computing
KR101060596B1 (en) Malicious file detection system, malicious file detection device and method
CN101488175B (en) Method for preventing credible client virtual domain starting crash based on polling mechanism
CN109785537B (en) Safety protection method and device for ATM
CN109472147A (en) A security detection method and device for a virtualization platform
Wu et al. A secure and rapid response architecture for virtual machine migration from an untrusted hypervisor to a trusted one
Eresheim et al. On the impact of kernel code vulnerabilities in iot devices
Liu et al. Tzeamm: An efficient and secure active measurement method based on trustzone

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100602

Termination date: 20120220