2009 International Conference on Computer Technology and Development

Secure Virtual Application Distribution

Wira Zanoramy A. Zakaria, Mohd Azuddin Parman, Zharfan Hamdan, Mohd Saufy Rohmad and Mohd Anuar Mat Isa
Information Security Cluster, MIMOS Berhad, Technology Park Malaysia, 57000 Bukit Jalil, Kuala Lumpur, Malaysia
e-mail: {zanoramy.ansiry, azuddin.parman, zharfan.hamdan, msaufy.rohmad, anuar.isa}@mimos.my

Abstract—This paper describes a framework for the secure delivery of virtual applications from a server to clients. The server is a gateway to many applications, which a client obtains by requesting them from the server through the client's interface. Communication in this system is based on trust, with the Trusted Platform Module playing the main role in the communication part of the framework. The client machine uses virtualization technology to run the virtual application downloaded from the server.



Keywords-virtual machine; virtualization; trusted platform module; on-demand systems; platform configuration registers

I. INTRODUCTION

Nowadays, most IT departments face huge challenges in maintaining, deploying and protecting organizational computer operations and data processing. The primary task of the IT department is to provide well-functioning computers and applications to all staff in the organization, so as to promote an efficient working infrastructure and to produce quality deliverables on time. The IT department is responsible for all computing equipment and applications; this includes (but is not limited to) configuring network access, setting up and changing existing workstations, and assigning access rights at various levels. Because many new computing devices have been introduced to improve the quality of work, the IT department faces a complex problem: it must maintain, deploy and protect computer operations and data processing across all of them. The major challenges for the IT department are:

• Diversity of computing platforms: the IT department has to support multiple operating systems (Windows, UNIX, Mac OS, Linux, BSD, etc.) and multiple hardware architectures, for example RISC and x86 processors.

• System and application dependence: each application depends on a specific operating system and libraries in order to operate. For example, Apple's office suite, iWork, only works on Mac OS, while Microsoft's office suite has two versions, one for Windows and one for Mac OS.

• Computing platforms are open to attack, especially attacks on software vulnerabilities: operating systems and application software are exposed to viruses, worms, spam, e-mail bombs, exploits, bugs and information leakage (e.g. corporate espionage). Proprietary software is a popular target of these attacks.

One established approach to central management is Microsoft's Group Policy, which is implemented through Active Directory-based domains and Windows-based operating systems. With it, all of the client machines in the organization can be centrally controlled and maintained by the IT department. Once a user is connected to the network domain of his organization, his machine automatically obeys the preconfigured software policy of that domain. Every member of that particular domain receives the same software with the same configuration.

978-0-7695-3892-1/09 $26.00 © 2009 IEEE DOI 10.1109/ICCTD.2009.56

II. SYSTEM DESIGN

The system consists of two parts: the Application Server and the clients. The Application Server holds a list of applications and a database of legitimate users and their information. The clients are computing platforms on which a virtual machine monitor, or hypervisor, is installed (refer to Fig. 1). As usual, the clients communicate with the server through a web browser. The Application Server listens for requests and offers the requested application to the client's platform; it also monitors the activities of the connected client. When a client requests a particular application, the server first authenticates the client. If the client is authenticated correctly, the server provides it with a list of available applications. The client selects one, and the server offers it to the client's platform. The application is transferred to the client over a secure channel using TLS/SSL. After the application is fully downloaded, it runs on the client's platform, on top of the preinstalled hypervisor.

To start using the binaries on the Application Server, the user only needs to start an Internet browser, for example Microsoft Internet Explorer or Mozilla Firefox, point it at the server's website and key in some identity information. The client platform must first authenticate itself to the Application Server, to ensure that the client is allowed to request the applications hosted on the organization's Application Server. After that authentication is completed, the client is allowed a communication session with the Application Server. At this stage the user only needs to provide the server with his username and password. The username and password of each registered client are stored in a user identity database on the Application Server. After the user has been verified, the server lists the available applications according to the user's authorization level. For example, lower-ranked executives can only access certain applications, while higher-ranked executives can access the important data processing applications. The applications are listed and offered according to the type of task the user will carry out; the scope of tasks and the privileges of each user are recorded in the user identity database. For example, a human resources staff member can only access the payroll and staffing applications, while a finance manager can access the company auditing applications.

The client selects the particular application from the list, and the server pushes the application to the client's machine. Once the transfer to the client's machine is complete, the application is executed locally, and the user proceeds to carry out his task with it. After the user saves his work and chooses to quit the running application, the application is shut down and deleted from the client's machine.

To ensure that communication between the clients and the Application Server is secure against Internet attacks, the system uses the Trusted Platform Module (TPM). The TPM is a secure crypto-processor designed to store protected information; it is sometimes also called the Fritz chip or TPM Security Device. The design and operation of the chip are based on the specification published by the Trusted Computing Group (TCG). The latest version of this specification is 1.2 Revision 103, published on 9 July 2007; the specification is open to everyone and is available on the TCG's official website [1]. The TPM is a single-chip security subsystem that protects the end user's privacy by providing tamper-resistant storage and management of the user's identity, passwords and encryption keys. In other words, this small chip is responsible for verifying the trustworthiness of a computing platform.

Before the user and his client platform are allowed to obtain applications from the Application Server, the platform must first register with the server. During registration, the server challenges the client with some security policies. This process requires attestation, to ensure that the service is only provided to trusted clients. Attestation is a verification method introduced by the TCG [12]: a way of verifying that the remote platform we are communicating with is the platform we expect it to be, and thereby of establishing the trustworthiness of the remote platform [12]. At the beginning, clients register with the Application Server by providing appropriate information, such as credentials that prove the validity of their identity. In addition, the certificate authority inside the Application Server issues an attestation identity key (AIK) credential to the client [2]. During this process the client uses the trusted software stack (TSS) and the TPM to gather the information required to generate the AIK [3]. The AIK credential contains descriptions of the TPM and the platform root of trust, but it does not disclose privacy-sensitive information [2]. The AIK is commonly used to sign data [3, 11], including the information sent as part of the attestation process between the client and the Application Server. We use the AIK to sign the integrity measurement values of the applications and to sign the keys that protect the applications while they are transported across the network.

After the client has successfully completed its handshake with the Application Server, the remaining issue is how to secure the communication by means of a trusted and secure environment. We therefore chose to implement the present solution on the basis of the Trusted Network Connect (TNC) specification (refer to Fig. 2) [4]. For this system, we implement a simple attestation process between the client and the server through platform authentication and endpoint policy compliance (authorization). Platform authentication is the process of verifying the network access requestor (the client) by means of a proof of identity of the client platform, which the integrity verifier then checks [4]. Endpoint policy compliance is the process of ensuring that the client machine runs in a trusted state, at a level acceptable for its operation, with its integrity preserved in the original state [4]. According to these classifications, we impose a policy on the Application Server to run the following tasks:

• Challenge the client machine to provide integrity measurements. For example, the client signs its PCR values using its AIK certificate and sends them to the integrity verifiers (on the Application Server). The integrity verifiers verify the measurement and send the result to the Application Server.

• The Application Server checks the policy and configuration and decides whether or not to allow this client to use the applications it provides.

Figure 1. The standard structure of a virtualization platform: user application space on top of the virtualization software, which runs on the host operating system, which runs on the computer hardware. This figure depicts the architecture of our client computers.

Figure 2. Simplified architecture of Trusted Network Connect [4]. On the client side: Integrity Measurement Collectors, TNC Client and Network Access Requestor, backed by the TPM. On the server side: Integrity Measurement Verifiers, TNC Server and Network Access Authority, backed by the TPM. The two sides communicate over the Internet.

After the client has been successfully challenged by the Application Server, the server allows the client to proceed with its requests. Originally, the only parties involved were the client and the VM server, which grants the client permission to download. With trusted computing technology, however, any party can measure the client's platform configuration register (PCR) values to verify the client's integrity before granting access to download the VM. The Integrity Server measures the client's PCR values and stores them in a specific table of the integrity database. The integrity database is also accessed by the VM server to check the client's integrity status and session flags. Before the whole process starts, the client must register its PCR values with the Integrity Server, which updates the integrity database. After registration is done and the values are stored in the database, the client must attest itself every time it wants to obtain a VM from the VM server. The process starts with the client sending its platform ID to the Integrity Server; the server replies with a nonce. The nonce is a random value generated by the server and sent to the client in order to prevent replay attacks: a response recorded from an earlier session will not match a fresh nonce. The client then concatenates its PCR value with the nonce, hashes the result to produce the integrity measurement, and sends it to the server. The value the server compares is therefore either the direct PCR value or the hash of the PCR value and the nonce it sent. Note that the nonce only guarantees freshness; binding the response to the particular TPM that produced it is the role of the AIK signature described above. This formula is the standard basic calculation for an application measurement value [1]:

Measured value = SHA1(PCR | Nonce)

The comparison is direct and simple compared with other implementations of attestation protocols. We tried to produce a simple, working prototype for integrity measurement, which we plan to enhance in the near future; in that enhancement, this value will change according to our new analysis and the design of a new attestation protocol. The client platform needs a TPM chip to enable PCR reading. PCR values [5, 6] are defined by the Trusted Computing Group as platform configuration registers that store the platform's strategic binary hash values. The client reads the PCR values through the trusted software stack interface defined by the TCG. This software stack is called TrouSerS [7]; it functions as a mediator between the TPM hardware and user applications and multiplexes all calls from applications to the TPM hardware.

This implementation also integrates what we define as a virtual disk. The virtual disk is actually a network file system [8] that is configured on the VM server and accessed accordingly by the client. Clients can choose the disk to be attached to the kernel virtual machine images, which lets a client reuse the same data and store personal data in his personal storage location. After the VM server grants the client access to execute execvm(), the client mounts the remote directory and then downloads the VM image. The client attaches the VM image as the first hard disk and the remote disk as the second. After finishing with the VM, the client removes the VM and the connection with the server is closed.

The Integrity Server is the interface between the integrity database and the client. It establishes socket communication with the client and accepts multiple connections from many clients. It processes all client requests accordingly and checks the database against the integrity value sent by the client. When a particular client is in an attestation session, the client flag is set to one. If the flag is set to one, a notification allowing the client to execute execvm() is sent to the client from the attestation server.
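The registration, challenge and verification exchange described above, modelled end to end as an added example; this is not the paper's code, and the names IntegrityServer, register(), challenge(), verify() and may_execvm(), the 20-byte nonce, and the two sample PCR values are assumptions made for the example. The measured value itself is the paper's SHA1(PCR | Nonce). The example also shows two checks the prose only implies: a nonce is consumed on first use, so a replayed response is refused, and a client whose PCR no longer matches its registered value never gets the session flag.

```python
"""Nonce-based PCR attestation between a client and the Integrity Server.

Added example in Python (hashlib + secrets only). The names and the sample
PCR values are assumptions; the formula SHA1(PCR | Nonce) is from the paper.
"""
import hashlib
import secrets

# Constructed sample PCR values (20-byte digests, the size of a TPM 1.2 PCR).
GOOD_PCR = bytes.fromhex("3f786850e387550fdab836ed7e6dc881de23001b")
TAMPERED_PCR = bytes.fromhex("89e6c98d92887913cadf06b2adb97f26cde4849b")


def measured_value(pcr: bytes, nonce: bytes) -> bytes:
    """The paper's formula: Measured value = SHA1(PCR | Nonce)."""
    return hashlib.sha1(pcr + nonce).digest()


class IntegrityServer:
    """Integrity database: registered PCR per platform id, the nonce issued
    for the current attestation, and the per-client session flag."""

    def __init__(self) -> None:
        self.registered: dict[str, bytes] = {}   # platform_id -> PCR stored at registration
        self.pending: dict[str, bytes] = {}      # platform_id -> nonce awaiting a response
        self.session_flag: dict[str, int] = {}   # platform_id -> 1 while attested, else 0

    def register(self, platform_id: str, pcr: bytes) -> None:
        """Registration step: the client's PCR value is stored before any session."""
        self.registered[platform_id] = pcr
        self.session_flag[platform_id] = 0

    def challenge(self, platform_id: str) -> bytes:
        """Client sends its platform id; server answers with a fresh random nonce."""
        if platform_id not in self.registered:
            raise KeyError("unknown platform id")
        nonce = secrets.token_bytes(20)
        self.pending[platform_id] = nonce
        return nonce

    def verify(self, platform_id: str, response: bytes) -> bool:
        """Recompute SHA1(registered PCR | nonce) and compare in constant time.
        The nonce is popped, so the same response cannot be accepted twice."""
        nonce = self.pending.pop(platform_id, None)
        if nonce is None:
            return False
        expected = measured_value(self.registered[platform_id], nonce)
        ok = secrets.compare_digest(expected, response)
        self.session_flag[platform_id] = 1 if ok else 0
        return ok

    def may_execvm(self, platform_id: str) -> bool:
        """The VM server consults the session flag before allowing execvm()."""
        return self.session_flag.get(platform_id, 0) == 1


def client_response(pcr: bytes, nonce: bytes) -> bytes:
    """Client side: concatenate its current PCR with the nonce and hash."""
    return measured_value(pcr, nonce)


def run_scenario() -> dict:
    """Three sessions: a clean client, a replay of its response, and a tampered client."""
    server = IntegrityServer()
    server.register("client-01", GOOD_PCR)
    server.register("client-02", GOOD_PCR)   # registered clean, tampered later

    nonce1 = server.challenge("client-01")
    response1 = client_response(GOOD_PCR, nonce1)
    good = server.verify("client-01", response1)
    flag_after_good = server.may_execvm("client-01")
    replay = server.verify("client-01", response1)      # no fresh nonce: refused

    nonce2 = server.challenge("client-02")
    tampered = server.verify("client-02", client_response(TAMPERED_PCR, nonce2))
    flag_tampered = server.may_execvm("client-02")

    return {
        "good": good,
        "flag_after_good": flag_after_good,
        "replay": replay,
        "tampered": tampered,
        "flag_tampered": flag_tampered,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Because PCR values are not secret, anyone who knows the registered value can compute a correct SHA1(PCR | Nonce); the hash alone therefore proves freshness, not origin. In a deployment the response must also carry the AIK signature over the quote, as the paper's policy bullet specifies, so that the server can tell the answer came from the registered TPM.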

III. IMPLEMENTATION

We simulate the application services with minimal components: a server machine, a client machine, an application, an operating system (Windows PE), a Trusted Platform Module (TPM) and an application services manager. The Windows Preinstallation Environment (Windows PE) is designed to help end users and corporate IT professionals deploy operating systems onto new hardware or perform system recovery [9]. In this part we cover a basic deployment scenario using Windows PE to simulate a running operating system with trusted computing elements that protect users from phishing. We chose to run Windows XP PE in the compartment (virtual machine), but there are other options such as Bart PE (Windows), Knoppix or another customized Linux kernel. First, a customized Windows XP PE image has to be prepared: following the Intel configuration and deployment utilities, drivers and our customized software are embedded into Windows PE [2]. We used WinBuilder [10] to build a script that customizes the Windows components, compiles them and produces a bootable ISO image.

The system is basically an integrated and customizable web browser, hosted by the Apache web server inside the Application Server. On the client side, the interface runs inside a web browser and provides some information about the client, his platform and his applications: the client operating system, the platform's available memory, the client username and his authorization. On the server side, it shows the server dashboard, which monitors client activity, and an administration control panel that allows the administrator to manage users and the virtual machine or application images.

The first window that runs on the client is the authentication program. This window shows the status of the platform attestation between the client and the attestation server. During this process, the client platform sends some of its PCR measurements to the attestation server, which compares the measurements stored in its database with the current PCR values to determine whether the platform has been tampered with. It only proceeds to the main window when the platform has not been tampered with. The main window is a web browser, which launches the default welcome page, where the user logs in with his username and password for authentication and authorization. After this is completed, the server lists all the services that the client is authorized to use, based on the client profile; the higher the rank, the more services the client can use. When the client selects a service he needs, the server attests the selected service and pushes the attested service to the client. After the download is completed, the client can use the service and save his work if necessary. All applications downloaded to the client's hard disk are deleted after the client closes the application.

On the server side, the server administrator must key in his unique username and password to run the administrative application, which is the manager for the Application Server. Its main window has three sections: the server monitoring dashboard, the administration control panel and the server information panel. The server monitoring dashboard allows the administrator to monitor client activity at run time: it displays the clients accessing this web server, together with client information such as IP address and location. The administration control panel allows the administrator to store an application or service image on the server; it also provides an interface to register clients (username, password, name and position have to be filled in to register a new client) and to delete existing clients from the database. The server information panel displays the server specification: the server operating system, server name and IP address, together with the run-time physical memory used by the server, so that the administrator can monitor the server's performance.

This application was developed with Microsoft Visual Basic Express 2008, which can be downloaded free of charge from the Microsoft website. The tool was chosen for its capabilities and ease of use. Visual Basic Express 2008 comes with the Windows Vista user interface, which allows a more presentable user interface to be created, and it supports code snippets, which can be used for simple expansions of common programming structures. The code snippets are formatted to include the references they require automatically, and contain replacement fields for easy customization, so the application is not very hard to code.
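The client-side lifecycle of a pushed application, from Sections II and III, as an added example that is not the paper's own code: the downloaded image is checked against the measurement value the server supplied for it before it is started, it is attached as the first disk with the virtual disk as the second, and it is deleted from the client's hard disk when the session ends, whether or not the check passed. The hypervisor command line (qemu-system-x86_64 with KVM), the SHA-1 measurement of the image file, the `runner` hook and the function names are assumptions; the paper only says the images are kernel virtual machine images and that the client attaches the VM image as the first disk and the remote disk as the second.

```python
"""Verify, run and delete a pushed VM image on the client.

Added example in Python. qemu-system-x86_64/KVM as the hypervisor, the SHA-1
file measurement and all function names are assumptions, not the paper's code.
"""
import hashlib
import hmac
import os
import subprocess
import tempfile


def sha1_file(path: str) -> str:
    """Measurement of the downloaded image, compared with the server-supplied value."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_vm_command(image_path: str, remote_disk: str, memory_mb: int = 512) -> list:
    """VM image as disk 0, the NFS-backed virtual disk as disk 1 (assumed KVM command)."""
    return [
        "qemu-system-x86_64", "-enable-kvm", "-m", str(memory_mb),
        "-drive", f"file={image_path},index=0,media=disk",
        "-drive", f"file={remote_disk},index=1,media=disk",
    ]


def run_pushed_application(image_path: str, expected_sha1: str, remote_disk: str,
                           runner=subprocess.run) -> list:
    """Refuse to start an image whose measurement differs from the server's value;
    run it otherwise; always delete the image afterwards. Returns the command run."""
    try:
        actual = sha1_file(image_path)
        if not hmac.compare_digest(actual, expected_sha1):
            raise ValueError(f"image measurement mismatch: expected {expected_sha1}, got {actual}")
        cmd = build_vm_command(image_path, remote_disk)
        runner(cmd, check=True)
        return cmd
    finally:
        # the application is deleted from the client's hard disk once it closes
        if os.path.exists(image_path):
            os.remove(image_path)


def demo() -> dict:
    """Two downloads with a constructed image: one matching, one mismatching measurement.
    The hypervisor is not actually launched; a dry-run runner records the command."""
    results = {}
    recorded = []

    def dry_run(cmd, check=True):
        recorded.append(cmd)

    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "payroll.img")          # stands in for a pushed VM image
        remote = os.path.join(tmp, "vdisk.img")           # stands in for the mounted virtual disk
        payload = b"constructed sample image bytes"        # constructed, not a real image

        with open(image, "wb") as f:
            f.write(payload)
        good_digest = sha1_file(image)                    # what the server would have signed
        results["command"] = run_pushed_application(image, good_digest, remote, runner=dry_run)
        results["deleted_after_good"] = not os.path.exists(image)

        with open(image, "wb") as f:                      # second download, wrong measurement
            f.write(payload)
        try:
            run_pushed_application(image, "0" * 40, remote, runner=dry_run)
            results["mismatch_rejected"] = False
        except ValueError:
            results["mismatch_rejected"] = True
        results["deleted_after_mismatch"] = not os.path.exists(image)
        results["runs"] = len(recorded)
    return results


if __name__ == "__main__":
    print(demo())
```

The expected measurement should come from the value the server signed with its AIK for that application, not from a hash the client computes for itself; the `finally` branch is what makes the paper's "deleted after the client closes the application" hold even when the image is rejected or the hypervisor fails to start.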

REFERENCES

[1] Trusted Computing Group, www.trustedcomputinggroup.org/specs/TPM/
[2] Intel Server Utilities Deployment Procedure for Windows Pre-installation Environment, Intel Website (2009), Revision 2.0, pp. 6, 19 April 2008. Available: http://download.intel.com/support/motherboards/server/sb/whitepaperintelserverutilitiesprocedureforwinpe.pdf
[3] Kuntze, N., Schmidt, A.U., "Employing Trusted Computing for the forward pricing of pseudonyms in reputation systems", Workshop Virtual Goods at the Conference AXMEDIS 2006, Leeds, UK, 13-15 December 2006.
[4] TCG Trusted Network Connect TNC Architecture for Interoperability, Specification Version 1.3, Revision 6, pp. 838, 28 April 2008.
[5] Sadeghi, A. R., "Trusted Computing: Special Aspects and Challenges", Lecture Notes in Computer Science (LNCS).
[6] TPM How-to, TPM Laboratory 1, European Trusted Infrastructure Summer School 2007. Available: www.selhorst.net/data/Sirrix_TPM_LAB_SummerSchool_Bochum_2007.pdf
[7] TSPI Manual, http://trousers.sourceforge.net/
[8] Network File System, http://en.wikipedia.org/wiki/Network_file_system


[9] Windows Pre-installation Environment Technical Overview, Microsoft Website (2009), pp. 7. [Online]. Available: http://download.microsoft.com/download/d/6/d/d6d8c772-2588-4ea4-9187-98bec8cd2e49/Technical_Overview_sul_beneficio_WINPE_ing.pdf
[10] Nuno Brito (2008). WinBuilder website. Available: http://winbuilder.net/
[11] TCG Credential Profiles, Specification Version 1.1, Revision 1.014 for TPM Family 1.2, Level 2, pp. 10-20, May 2007.
[12] Trusted Computing: TCG Proposals, http://www.cs.bham.ac.uk/~mdr/teaching/modules/security/lectures/TrustedComputingTCG.html
