O Preventing Common Application Attacks

Authentication can be provided by using certified strong identities that combine cryptographic keys with corresponding certificates and platform configurations. This way, the user can create a range of identities, some being anonymous if necessary, so as to authenticate and be authenticated to his applications. This authentication can work both ways, as the identity of the application can be known from measuring its executable and configuration files. Doing this extends the traditional login/password paradigm, but necessitates new ways of managing this information.

Authorization is directly implemented in the operating system and is robust thanks to the policy enforcement facilitated by Trusted Computing. This relies on reversing the chain of trust with regards to the property at hand: Applications cannot corrupt the operating system without the modification being noticed; the operating system cannot bypass the security policies specified by the hypervisor; the hypervisor is started in a trustworthy manner on top of hardware components, which are possibly certified to attest for their robustness. This chain of trust ensures that if an attack is performed, you can detect it and thus take appropriate actions, such as notifying system administrators or trying to recover the attacked components. The operating system must decide on the kind of policy to enforce, so bad design and programming can still lead to the same attack vectors being open.

Integrity is a central property to Trusted Computing via the notion of measurement and all the facilities built around it. Trusted Computing, in effect, enables you to verify the integrity of any file and prevent any unauthorized modifications. Nevertheless, application integrity can be a more complicated matter than the integrity of underlying system software, because each application can have very different definitions of what files need to have integrity, including system files such as libraries, and the system would then have to verify the integrity of an extremely large number of files.

Confidentiality can be ensured by binding or sealing data, depending on the application requirements. Full-disk encryption can also be used transparently, if provided by the operating system, thus reducing application complexity. Privacy can also greatly benefit from Trusted Computing as several features are built in: Attestation Identity Keys (AIKs) can be created by the TPM using its Endorsement Key (EK) and certified by Privacy-CAs that are the only entities able to trace the AIK back to its creating EK; the DAA protocols implement a similar mechanism but replace the use of the EK to prove TPM validity with the use of more complicated cryptographic mechanisms (e.g., zero-knowledge proof) to ensure stronger TPM and user anonymity.

Was this article helpful?

0 0
The Ultimate Computer Repair Guide

The Ultimate Computer Repair Guide

Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.

Get My Free Ebook

Post a comment