fyi: bear/enforcer open-source TCPA project

Sean Smith sws at cs.dartmouth.edu
Mon Sep 8 17:55:35 EDT 2003


The Bear/Enforcer Project
Dartmouth College

http://enforcer.sourceforge.net
http://www.cs.dartmouth.edu/~sws/abstracts/msmw03.shtml

How can you verify that a remote computer is the "real thing, doing
the right thing?"  High-end secure coprocessors are expensive and
computationally limited; lower-end desktop enhancements like TCPA and
the former Palladium have been mainly limited to Windows and
proprietary development.

In contrast, this code is part of our ongoing effort to use open
source and TCPA to turn ordinary computers into "virtual" secure
coprocessors---more powerful but less secure than their high-assurance
cousins.

Our current alpha release includes the Linux Enforcer Module, a TCPA
enabled LILO, and a user-level TCPA library.  All source is available
from the SourceForge site.

The Linux Enforcer Module is a Linux Security Module designed to help
improve integrity of a computer running Linux.  The Enforcer provides a
subset of Tripwire-like functionality.  It runs continuously and, as
each protected file is opened, its SHA1 is calculated and compared to a
previously stored value.

The Enforcer is designed to integrate with TCPA hardware to provide a
secure boot when booted with a TCPA enabled boot loader.  TCPA
hardware can protect secrets and other sensitive data (for example,
the secrets for an encrypted loopback file system) and bind those
secrets to specific software.

When the Enforcer detects a modified file it can, on a per-file basis,
do any combination of the following: deny access to that file, write an
entry in the system log, panic the system, or lock the TCPA hardware.
If the TCPA hardware is locked then a reboot with an un-hacked system is
required to obtain access to the protected secret.
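The per-file policy described above, modelled in user-space Python as an added illustration (this is not the Enforcer's kernel code; the class names, the two sample files and the "altered binary" scenario are constructed here):

```python
import hashlib, os, tempfile
from enum import Flag, auto

class Action(Flag):  # responses the Enforcer may combine, per file, on a mismatch
    DENY = auto()      # refuse the open()
    LOG = auto()       # write a syslog entry
    PANIC = auto()     # halt the system
    LOCK_TPM = auto()  # lock the TCPA chip until a clean reboot

def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class Enforcer:
    def __init__(self, policy):
        # Baseline taken on a trusted system: path -> (stored SHA1, actions)
        self.db = {p: (sha1_of(p), a) for p, a in policy.items()}
        self.tpm_locked = False  # once set, sealed secrets stay unavailable until reboot
        self.syslog = []

    def open_file(self, path):  # models the file-open hook; True means the open is allowed
        if path not in self.db:
            return True  # unprotected file, nothing to check
        expected, actions = self.db[path]
        if sha1_of(path) == expected:
            return True
        if Action.LOG in actions:
            self.syslog.append(f"enforcer: hash mismatch on {path}")
        if Action.LOCK_TPM in actions:
            self.tpm_locked = True
        if Action.PANIC in actions:
            raise SystemExit(f"enforcer: panic, {path} modified")
        return Action.DENY not in actions

def demo():
    # Constructed scenario: two protected files, one altered after baselining
    d = tempfile.mkdtemp()
    cfg, prog = os.path.join(d, "app.conf"), os.path.join(d, "login")
    for p in (cfg, prog):
        with open(p, "w") as f:
            f.write("trusted contents\n")
    enf = Enforcer({cfg: Action.LOG, prog: Action.DENY | Action.LOG | Action.LOCK_TPM})
    with open(prog, "a") as f:
        f.write("extra bytes\n")  # the protected binary is changed after baselining
    return {"cfg_ok": enf.open_file(cfg), "prog_ok": enf.open_file(prog),
            "tpm_locked": enf.tpm_locked, "log": enf.syslog}
```

Once `tpm_locked` is set, a real deployment cannot clear it in software; only a reboot through the TCPA-enabled loader into an unmodified system restores access to the sealed secret.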

We developed our own TCPA support library concurrently with, but
independently from, IBM's recently announced TCPA library.  Our library
was an initial component of the Enforcer project.  However, our
in-kernel TCPA support and the enforcer-seal tool are derived from
IBM's TCPA code because of its ease of adaptation for in-kernel use.
We plan to use our more complete library for user-level applications.
(IBM's TCPA code and documentation is available from
<http://www.research.ibm.com/gsal/tcpa/>.)

For more information on our project, see Dartmouth College Technical
Report TR2003-471 available from
<http://www.cs.dartmouth.edu/~sws/abstracts/msmw03.shtml>

Or contact Omen Wild at the Dartmouth PKI Lab: 
Omen Wild <Omen.Wild at Dartmouth.EDU>



-- 
Sean W. Smith, Ph.D.                         sws at cs.dartmouth.edu   
http://www.cs.dartmouth.edu/~sws/       (has ssl link to pgp key)
Department of Computer Science, Dartmouth College, Hanover NH USA




---------------------------------------------------------------------
The Cryptography Mailing List