
A Hijacker’s Guide to the LPC Bus

  • Conference paper
Public Key Infrastructures, Services and Applications (EuroPKI 2011)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7163)

Abstract

In this paper, we analyze the communication mechanism of trusted platform modules via the low-pin-count (LPC) bus. While the trusted platform module (TPM) is considered to be tamper resistant, the communication channel between this module and the rest of the trusted platform turns out to be comparatively insecure. It has been shown that passive attacks can be mounted on the TPM and its bus communication with fairly inexpensive equipment; however, similar active attacks have not yet been reported. We tackle this problem and show how the communication on the LPC bus can be actively manipulated with simple and inexpensive equipment. Moreover, we show how our manipulation can be used to circumvent the chain of trust provided by trusted platforms.




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Winter, J., Dietrich, K. (2012). A Hijacker’s Guide to the LPC Bus. In: Petkova-Nikova, S., Pashalidis, A., Pernul, G. (eds) Public Key Infrastructures, Services and Applications. EuroPKI 2011. Lecture Notes in Computer Science, vol 7163. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29804-2_12

  • DOI: https://doi.org/10.1007/978-3-642-29804-2_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29803-5

  • Online ISBN: 978-3-642-29804-2

  • eBook Packages: Computer Science, Computer Science (R0)
