I recently learned about Intel's P-MAPS research project which provides an alternative way of using TPM+TXT to provide attestations and sealing in the context of a standard OS. Here is a link to the Intel Research blog post:

http://blogs.intel.com/research/2009/04/p-maps_an_on-demand_hardware-r.php

and here is an article in Dr Dobbs Journal which goes into more detail:

http://www.ddj.com/mobile/218401423

The goal is to allow applications running in a standard OS like Linux or Windows to be able to gain hardware protection from corruption by other processes or by the OS. This is a hard problem to solve due to the complexity of modern OSes.

P-MAPS bypasses the OS by loading a Measured Virtual Machine Monitor (MVMM) which runs the OS as a VM. Then a P-MAPS-aware application can make special VM calls directly into P-MAPS, going around the OS, to request protection. P-MAPS monitors and virtualizes the OS's page tables and is able to protect all of the application's pages from rogue access, either from the OS or from other processes.

Because P-MAPS mostly confines its attention to memory management, it can be relatively small for a VMM. It doesn't have to worry about virtualizing devices or networks or I/O, or about having to load lots of different drivers. It mostly just manages page tables. This means that the OS is removed from the Trusted Computing Base (TCB), which greatly reduces the amount of code which has to be correct in order to achieve security.

P-MAPS is also able to perform attestation ("Quote") and sealing on behalf of protected applications, allowing apps to protect secrets from other applications and from the OS, and to attest to outside parties that their data is safe.

Among other nice features, P-MAPS uses smart loading, such that when no applications are currently requesting P-MAPS services, it unloads itself completely and switches the OS from being in a VM back to being in a normal, non-virtualized mode. Then when a process requests P-MAPS protection, it re-virtualizes the OS, including doing a TXT launch of the P-MAPS MVMM.
All in all this sounds like an amazing range of functionality, a real tour de force to get all of these technologies (TPM, TXT, VM) working together successfully. But the net result is a tremendously useful package that neatly bypasses the dilemma of security vs. complexity. Most solutions today either provide potentially high security with relatively limited functionality, like Jon McCune's Flicker, or provide a much wider set of functions, like TBOOT+XEN, at the expense of a large TCB which inherently undercuts security goals. P-MAPS appears to be the first solution I've seen that could provide high security via a small TCB, while retaining the functionality provided by a standard OS.

Unfortunately, as a research project it does not sound like something which is likely to be made available to experimenters any time soon. I hope Intel will find a way to make the code available as it has done with TBOOT. P-MAPS is IMO even better suited as a framework for providing meaningful TXT-based protections to today's application developers.

Hal Finney

_______________________________________________
tboot-devel mailing list
https://lists.sourceforge.net/lists/listinfo/tboot-devel
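The sealing and quote steps the post refers to, reduced to a runnable model of the underlying TPM 1.2 primitives (PCR extend, seal-to-PCR, quote). This is an added illustration and not code from P-MAPS, tboot or Intel: the TPM is simulated with hashlib/hmac, the SRK and AIK are constructed byte strings, the quote "signature" is an HMAC stand-in for the AIK's RSA signature, the two MVMM images are constructed stand-ins, and the measurement is extended into PCR 17, the register a TXT launch uses for the measured launch environment. What it shows is the property the post relies on: a secret sealed while the good MVMM was measured cannot be unsealed after a launch of a modified MVMM, and a verifier rejects the modified launch's quote and a replayed old one.

```python
"""Toy TPM 1.2 model: PCR extend, sealing to PCRs, and quotes. Added example,
not project code; keys, images and the HMAC 'signature' are constructed stand-ins."""
import hashlib
import hmac
import os

PCR_SIZE = 20  # TPM 1.2 PCRs are 20-byte SHA-1 registers


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


class ToyTPM:
    """Simulated chip: 24 PCRs, a storage key for sealing, an identity key for quotes."""

    def __init__(self, srk: bytes, aik: bytes):
        self.pcrs = [b"\x00" * PCR_SIZE for _ in range(24)]
        self._srk = srk  # stand-in for the Storage Root Key (never leaves the chip)
        self._aik = aik  # stand-in for the Attestation Identity Key

    def extend(self, idx: int, data: bytes) -> bytes:
        # PCR[idx] <- SHA1(PCR[idx] || SHA1(data)): order-dependent, cannot be reset to a chosen value
        self.pcrs[idx] = sha1(self.pcrs[idx] + sha1(data))
        return self.pcrs[idx]

    def composite(self, idxs) -> bytes:
        # digest over the selected PCRs; this is what seal and quote bind to
        return sha1(b"".join(self.pcrs[i] for i in sorted(idxs)))

    @staticmethod
    def _keystream(key: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        return out[:n]

    def seal(self, idxs, secret: bytes) -> dict:
        # wrapping key is derived from the SRK and the *current* PCR composite
        comp = self.composite(idxs)
        key = hmac.new(self._srk, b"seal" + comp, hashlib.sha256).digest()
        ks = self._keystream(key, len(secret))
        return {"pcrs": sorted(idxs), "composite": comp,
                "ct": bytes(a ^ b for a, b in zip(secret, ks))}

    def unseal(self, blob: dict):
        # refuses unless the PCRs now hold exactly what they held at seal time
        if self.composite(blob["pcrs"]) != blob["composite"]:
            return None
        key = hmac.new(self._srk, b"seal" + blob["composite"], hashlib.sha256).digest()
        ks = self._keystream(key, len(blob["ct"]))
        return bytes(a ^ b for a, b in zip(blob["ct"], ks))

    def quote(self, idxs, nonce: bytes) -> dict:
        # signed report of PCR values; the verifier's nonce defeats replay of an old quote
        idxs = sorted(idxs)
        vals = {i: self.pcrs[i] for i in idxs}
        comp = sha1(b"".join(vals[i] for i in idxs))
        sig = hmac.new(self._aik, b"quote" + comp + nonce, hashlib.sha256).digest()
        return {"pcrs": vals, "nonce": nonce, "sig": sig}


def verify_quote(aik_pub: bytes, q: dict, nonce: bytes, expected: dict) -> bool:
    """Remote verifier: check the signature, the freshness nonce, and known-good PCR values."""
    idxs = sorted(q["pcrs"])
    comp = sha1(b"".join(q["pcrs"][i] for i in idxs))
    good = hmac.new(aik_pub, b"quote" + comp + q["nonce"], hashlib.sha256).digest()
    if not hmac.compare_digest(good, q["sig"]) or q["nonce"] != nonce:
        return False
    return all(q["pcrs"].get(i) == v for i, v in expected.items())


# Constructed stand-ins for the MVMM image measured by the TXT launch, and toy keys.
GOOD_MVMM = b"mvmm-image-v1"
BAD_MVMM = b"mvmm-image-v1 with a patched page-table hook"
SRK, AIK = b"srk-secret", b"aik-secret"
APP_SECRET = b"app-private-key-material"


def boot_and_seal():
    """Measured launch of the good MVMM into PCR 17, then the app seals its secret to it."""
    tpm = ToyTPM(SRK, AIK)
    tpm.extend(17, GOOD_MVMM)
    return tpm, tpm.seal([17], APP_SECRET)


def run_demo() -> dict:
    tpm, blob = boot_and_seal()
    known_good = {17: tpm.pcrs[17]}  # the verifier's golden value for the MVMM
    nonce = os.urandom(16)
    q = tpm.quote([17], nonce)
    results = {"unseal_same_mvmm": tpm.unseal(blob),
               "quote_same_mvmm": verify_quote(AIK, q, nonce, known_good)}
    # Reboot into a tampered MVMM: fresh PCRs, a different measurement lands in PCR 17.
    evil = ToyTPM(SRK, AIK)
    evil.extend(17, BAD_MVMM)
    results["unseal_tampered_mvmm"] = evil.unseal(blob)
    results["quote_tampered_mvmm"] = verify_quote(AIK, evil.quote([17], nonce), nonce, known_good)
    # An old quote presented against a new challenge nonce is rejected as a replay.
    results["quote_replayed"] = verify_quote(AIK, q, os.urandom(16), known_good)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v!r}")
```

The point to carry back to the post: the OS is out of the TCB only because nothing it does can move PCR 17 back to the good MVMM's value once a different MVMM has been measured; a real TPM enforces the same binding inside the chip, with an RSA AIK signature where this toy uses an HMAC.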
