Dan Kaminsky wrote:
TCPA eliminates external checks and balances, such as antivirus. As the user, I'm not trusted to audit operations within a TCPA-established sandbox. Antivirus is essentially a user system auditing tool, and TCPA-based systems have these big black boxes AV isn't allowed to analyze.
Actually, as the owner of the Trusted Platform Module (TPM), you have complete control over the use of your TPM. This means you can prevent applications from using certain functions of the TPM, including creating and using keys. In addition, the TCG specifications may in fact enhance the AV experience by allowing AV programs to ensure audit log integrity using the Platform Configuration Registers (PCR's, 20-byte registers that store chained SHA-1 hashes) in conjunction with a stored measurement log. These PCR's may then be exported in a signed log (signed by the TPM endorsement key), ensuring that a rogue application has not tampered with the results of the AV scan.

Imagine a sandbox that parses input code signed to an API-derivable public key. Imagine an exploit encrypted to that. Can AV decrypt the payload and prevent execution? No, of course not. Only the TCPA sandbox can. But since AV can't get inside of the TCPA sandbox, whatever content is "protected" in there is quite conspicuously unprotected.
The TCPA (now TCG) does not define a sandbox in which Windows/*nix applications execute. It simply defines the TPM and the software that is responsible for ferrying messages back and forth from the TPM in the appropriate format (TSS - TCG Software Stack). You may be confusing the work of the TCG with work being done by both Microsoft (NGSCB/Palladium) and Intel (LaGrande). While MS may use the TPM to bootstrap an OS capable of executing sandboxed applications, this is not the result of work done by the TCG, which is a consortium of many companies (including MS, Intel, HP, IBM, Sun, AMD, etc.) with varying goals.

So, in your example above, once the exploit code is decrypted, it is *outside* the TPM, and thus subject to all normal system inspection software. So yes, the AV program could in fact prevent execution of an exploit encrypted to a key contained within the TPM trust boundary*. However, a LaGrande/NGSCB system may be subject to the attack you describe.

*I say boundary because the TPM does not in fact store public/private keypairs internally. Rather it encrypts all keypairs using the Storage Root Key (SRK) - a 2048-bit RSA keypair - and then exports the key for storage on the local storage device (most commonly the hard disk). Another noteworthy aspect of all TPM devices on the market today (version 1.1 of the TCG specifications) is that they do NOT perform symmetric encryption, only asymmetric encryption and hashing (RSA and SHA-1, respectively, as required by the standard).


Regards, Mike


--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to