Flicker: Minimal TCB Code Execution

Flicker is a technique leveraging new features of CPUs from AMD and Intel, including support for dynamic root of trust, to execute application-specific code with an extremely small TCB, while maintaining compatibility with a legacy operating system.

Minimal TCB Code Execution

We propose an architecture that allows a Piece of Application Logic (PAL) to execute in complete isolation from other software while trusting only a tiny software base that is orders of magnitude smaller than even minimalist virtual machine monitors. Our technique also enables more meaningful attestation than previous proposals, since only measurements of the security-sensitive portions of an application need to be included. We achieve these guarantees by leveraging hardware support provided by commodity processors from AMD and Intel that are shipping today.

Prerequisites

Hardware

To use Flicker, a PC platform supporting dynamic root of trust is needed. AMD and Intel have implemented this differently. A v1.2 TPM is also required (and it must be enabled and activated in the BIOS).

The AMD version of Flicker requires a processor supporting the SKINIT instruction, a v1.2 TPM, and a chipset which provides memory protection for the Flicker code. The SKINIT instruction is available with newer AMD64 processors. Look for 'svm' in /proc/cpuinfo. In the BIOS, you must enable hardware virtualization support.

The Intel version of Flicker requires a processor supporting the GETSEC[SENTER] instruction, a v1.2 TPM, and a chipset which provides memory protection for the Flicker code. These features are available on vPro-branded systems supporting Intel Trusted eXecution Technology (TXT). Look for 'smx' and 'vmx' in /proc/cpuinfo. In BIOS, you must enable hardware virtualization support (VT), Trusted eXecution Technology (TXT), and VT-d. There are known-bad (really bad; you could RUIN YOUR MOTHERBOARD) BIOSes out there for TXT. Upgrade your BIOS to the newest available version.

To verify that your system has a v1.2 TPM, run (as root; force=1 makes tpm_tis probe the standard TIS address range even when the BIOS does not advertise the TPM via ACPI, and interrupts=0 makes the driver poll instead of relying on a TPM interrupt line that some BIOSes misreport):
$ modprobe tpm_tis force=1 interrupts=0
$ cat `find /sys -name pcrs`

You should have 24 PCRs listed (0-23). If only 16 PCRs (0-15) are listed, you have a v1.1b TPM and Flicker won't work: a dynamic root of trust records its measurements in the resettable PCRs 17-23, which exist only in v1.2 TPMs.
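The CPU-flag checks from the AMD and Intel prerequisites above and the PCR-count check can be combined into one pre-flight script. The script below is an added example, not part of the Flicker release; the function names and the argument convention are ours. It assumes the standard /proc/cpuinfo layout (a "flags" line per processor) and the Linux TPM driver's pcrs layout (one "PCR-NN: ..." line per register), and it expects tpm_tis to have been loaded already as shown above. File paths can be passed as arguments so the checks can be exercised on captured files from another machine.

```shell
#!/bin/sh
# flicker_check.sh (added example, not Flicker's own code): pre-flight check
# for the Flicker hardware prerequisites described on this page.
#
# Usage:  sh flicker_check.sh             # checks the live system
#         . ./flicker_check.sh            # only defines the functions
# Load the TPM driver first, as root:  modprobe tpm_tis force=1 interrupts=0

# Print "amd", "intel" or "none" according to the DRTM-relevant CPU flags.
# Argument: a /proc/cpuinfo-style file (defaults to the live one).
drtm_vendor() {
    cpuinfo="${1:-/proc/cpuinfo}"
    # First "flags" line; the value starts after ": ".
    flags=$(awk -F': *' '/^flags/ { print $2; exit }' "$cpuinfo")
    case " $flags " in
        *" svm "*) echo amd ;;                  # AMD-V, implies SKINIT
        *" smx "*)
            # Intel TXT needs both SMX (GETSEC) and VMX; SMX alone is not enough.
            case " $flags " in
                *" vmx "*) echo intel ;;
                *)         echo none ;;
            esac ;;
        *) echo none ;;
    esac
}

# Count the PCRs listed in a pcrs sysfs file ("PCR-00: ..." lines).
# Argument: path to the pcrs file (defaults to the first one under /sys).
pcr_count() {
    pcrs="${1:-$(find /sys -name pcrs 2>/dev/null | head -n 1)}"
    [ -n "$pcrs" ] && [ -r "$pcrs" ] || { echo 0; return; }
    grep -c '^PCR-' "$pcrs" || true     # grep -c exits 1 when the count is 0
}

# Map the PCR count to the TPM generation: 24 -> v1.2, 16 -> v1.1b.
tpm_version() {
    case "$(pcr_count "$1")" in
        24) echo 1.2 ;;
        16) echo 1.1b ;;
        0)  echo none ;;       # driver not loaded, or no TPM
        *)  echo unknown ;;
    esac
}

# Overall verdict: exit 0 only if the CPU has DRTM support and the TPM is v1.2.
# Arguments: optional cpuinfo path, optional pcrs path.
flicker_check() {
    vendor=$(drtm_vendor "$1")
    tpm=$(tpm_version "$2")
    echo "CPU DRTM support: $vendor"
    echo "TPM version:      $tpm"
    [ "$vendor" != none ] && [ "$tpm" = 1.2 ]
}

# Run against the live system only when executed as flicker_check.sh.
if [ "$(basename -- "$0")" = "flicker_check.sh" ]; then
    flicker_check
fi
```

A passing run still does not prove that the chipset provides the memory protection Flicker needs or that the BIOS settings listed above are enabled; those can only be confirmed by attempting a launch.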

Software

You must use a specific Linux kernel. This release supports v2.6.24 on AMD systems, and v2.6.30 on Intel systems. A kernel config file is included with this release. It is assumed that you know how to build and install a kernel using that config file. Enabling additional drivers for, e.g., storage and networking, should not cause a problem.

Intel requires a chipset-specific SINIT (aka Authenticated Code) module, which can be obtained from the tboot project's web page.

Frequently Asked Questions (FAQ)

  • Q: Which Intel systems will support Flicker?
    The same ones that support Intel's Trusted Boot project (i.e., systems for which Intel has released SINIT AC Modules). Our early prototype runs on systems that include the Intel Q35 chipset (e.g., the Dell Optiplex 755, Lenovo M57p, and HP dc7800). Newer systems (e.g., those with GM45, PM45, and GS45 chipsets) supporting Intel vPro should also have the necessary hardware support, but the Linux TPM device driver is not yet updated.
  • Q: Will Flicker run on my machine?
    If it meets the Prerequisites above, Flicker _should_ run. However, it has only been tested on the machines that we have.
  • Q: I don't have a Flicker-capable machine. Can I still develop a Flicker module?
    Yes, AMD's SimNow supports the _skinit_ instruction. However, there will be no TPM support included. In fact, we have encountered machines in the wild that will execute _skinit_ but do not include a TPM. These can be useful for developing application-specific functionality without requiring a reboot during a debug cycle.
  • Q: I want to buy a machine to run Flicker. What should I buy?
    The AMD version has been tested on:
    Dell PowerEdge T105 server
    Dell Optiplex 740 workstation
    HP dc5750 workstation - runs but buggy - not recommended

    The Intel version has been tested on:
    HP dc7800 workstation
    Dell Optiplex 755 workstation
    Lenovo T400 laptop
    HP 8530p laptop
  • Q: Is Flicker bug-free?
    Certainly not in this version. However, its extremely small size suggests that a bug-free implementation may be attainable by buggy human beings. :) Known problems include excessive I/O permissions granted to ring 3 PAL code, and excessive memory access granted by the PAL segment descriptors, both due to the need to access the TPM from ring 3 without system calls.

Revision History

  • 2009.10.13. Initial public release of Version 0.2. Adds Intel TXT support and an Intel-specific "hellopal" with printf support.
  • 2008.04.15. Initial public release of Version 0.1. Contains Flicker kernel module, barebones PAL with 250-line TCB, and "Hello, world" PAL with debug code. Please send email to Jonathan McCune to request the code.


Papers

McCune, Jonathan M., Bryan Parno, Adrian Perrig, Michael K. Reiter, and Arvind Seshadri. "Minimal TCB Code Execution (Extended Abstract)." In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, California, May 2007. [ PDF ]

McCune, Jonathan M., Bryan Parno, Adrian Perrig, Michael K. Reiter, and Arvind Seshadri. "How Low Can You Go? Recommendations for Hardware-Supported Minimal TCB Code Execution." In Proceedings of the ACM Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS'08), Seattle, Washington, March 1 - 5, 2008. [ PDF ]

McCune, Jonathan M., Bryan Parno, Adrian Perrig, Michael K. Reiter, and Hiroshi Isozaki. "Flicker: An Execution Infrastructure for TCB Minimization". In Proceedings of the ACM European Conference on Computer Systems (EuroSys'08), Glasgow, Scotland, March 31 - April 4, 2008. [ PDF ]

Presentation Slides

IEEE S&P 2007 [ PPT ]

ASPLOS 2008 [ PPT ]

EuroSys 2008 [ PPT ]

Extended version [ PPT ]

Source Code

Version 0.2 [ please email Jon ]
