SoS Newsletter

Trusted Platform Modules (TPMs)

A Trusted Platform Module (TPM) is a computer chip that can securely store artifacts used to authenticate a network or platform. These artifacts can include passwords, certificates, or encryption keys. A TPM can also be used to store platform measurements that help ensure that the platform remains trustworthy. Interest in TPMs is growing due to their potential for solving hard problems in security such as composability and cyber-physical system security and resilience. The works cited here are from 2014.


Akram, R.N.; Markantonakis, K.; Mayes, K., "Trusted Platform Module for Smart Cards," New Technologies, Mobility and Security (NTMS), 2014 6th International Conference on, pp. 1-5, 30 March-2 April 2014. doi: 10.1109/NTMS.2014.6814058 Near Field Communication (NFC)-based mobile phone services offer a lifeline to the under-appreciated multiapplication smart card initiative. The initiative could effectively replace heavy wallets full of smart cards for mundane tasks. However, the issue of the deployment model still lingers on. Possible approaches include, but are not restricted to, the User Centric Smart card Ownership Model (UCOM), GlobalPlatform Consumer Centric Model, and Trusted Service Manager (TSM). In addition, multiapplication smart card architecture can be a GlobalPlatform Trusted Execution Environment (TEE) and/or User Centric Tamper-Resistant Device (UCTD), which provide cross-device security and privacy preservation platforms to their users. In the multiapplication smart card environment, there might not be a prior off-card trusted relationship between a smart card and an application provider. Therefore, as a possible solution to overcome the absence of prior trusted relationships, this paper proposes the concept of Trusted Platform Module (TPM) for smart cards (embedded devices) that can act as a point of reference for establishing the necessary trust between the device and an application provider, and among applications.
Keywords: data privacy; mobile handsets; near-field communication; smart cards; TEE; Trusted Execution Environment; UCOM; UCTD; User Centric Tamper-Resistant Device; application provider; cross-device security; deployment model; embedded devices; global platform consumer centric model; multiapplication smart card initiative; near field communication-based mobile phone services; off-card trusted relationship; privacy preservation platforms; trusted platform module; trusted service manager; user centric smart card ownership model; Computational modeling; Computer architecture; Hardware; Mobile communication; Runtime; Security; Smart cards (ID#: 15-3713)


Das, S.; Wei Zhang; Yang Liu, "Reconfigurable Dynamic Trusted Platform Module for Control Flow Checking," VLSI (ISVLSI), 2014 IEEE Computer Society Annual Symposium on, pp. 166-171, 9-11 July 2014. doi: 10.1109/ISVLSI.2014.84 Trusted Platform Module (TPM) has gained its popularity in computing systems as a hardware security approach. TPM provides the boot time security by verifying the platform integrity including hardware and software. However, once the software is loaded, TPM can no longer protect the software execution. In this work, we propose a dynamic TPM design, which performs control flow checking to protect the program from runtime attacks. The control flow checker is integrated at the commit stage of the processor pipeline. The control flow of the program is verified to defend against attacks such as stack smashing using buffer overflow and code reuse. We implement the proposed dynamic TPM design in FPGA to achieve high performance, low cost and flexibility for easy functionality upgrade based on FPGA. In our design, neither the source code nor the Instruction Set Architecture (ISA) needs to be changed. The benchmark simulations demonstrate less than 1% of performance penalty on the processor, and an effective software protection from the attacks.
Keywords: field programmable gate arrays; formal verification; security of data; trusted computing; FPGA; buffer overflow; code reuse; control flow checking; dynamic TPM design; instruction set architecture; processor pipeline; reconfigurable dynamic trusted platform module; runtime attacks; stack smashing; Benchmark testing; Computer architecture; Field programmable gate arrays; Pipelines; Runtime; Security; Software; Control Flow Checking; Dynamic TPM; Reconfigurable Architecture; Runtime Security (ID#: 15-3714)


Oberle, A.; Larbig, P.; Kuntze, N.; Rudolph, C., "Integrity based relationships and trustworthy communication between network participants," Communications (ICC), 2014 IEEE International Conference on, pp. 610-615, 10-14 June 2014. doi: 10.1109/ICC.2014.6883386 Establishing trust relationships between network participants by having them prove their operating system's integrity via a Trusted Platform Module (TPM) provides interesting approaches for securing local networks at a higher level. In the introduced approach on OSI layer 2, attacks carried out by already authenticated and participating nodes (insider threats) can be detected and prevented. Forbidden activities and manipulations in hard- and software, such as executing unknown binaries, loading additional kernel modules or even inserting unauthorized USB devices, are detected and result in an autonomous reaction of each network participant. The provided trust establishment and authentication protocol operates independently from upper protocol layers and is optimized for resource constrained machines. Well known concepts of backbone architectures can maintain the chain of trust between different kinds of network types. Each endpoint, forwarding and processing unit monitors the internal network independently and reports misbehaviors autonomously to a central instance in or outside of the trusted network.
Keywords: computer network security; cryptographic protocols; trusted computing; OSI layer 2; authenticated node; authentication protocol; insider threat; integrity based relationship; network participants; operating system integrity; participating node; trust establishment; trusted platform module; trustworthy communication; Authentication; Encryption; Payloads; Protocols; Servers; Unicast; Cyber-physical systems; Security; authentication; industrial networks; integrity; protocol design; trust (ID#: 15-3715)


Abd Aziz, N.; Udzir, N.I.; Mahmod, R., "Performance Analysis For Extended TLS With Mutual Attestation For Platform Integrity Assurance," Cyber Technology in Automation, Control, and Intelligent Systems (CYBER), 2014 IEEE 4th Annual International Conference on, pp. 13-18, 4-7 June 2014. doi: 10.1109/CYBER.2014.6917428 A web service is a web-based application connected via the internet. The common web-based applications are deployed using web browsers and web servers. However, the security of Web Services is a major concern since it has not been widely studied and integrated in the design stage of the Web Service standard. They are add-on modules rather than well-defined solutions in standards. So, various web services security solutions have been defined in order to protect interaction over a network. Remote attestation is an authentication technique proposed by the Trusted Computing Group (TCG) which enables the verification of the trusted environment of platforms and assuring the information is accurate. To incorporate this method in the web services framework in order to guarantee the trustworthiness and security of web-based applications, a new framework called TrustWeb is proposed. The TrustWeb framework integrates remote attestation into the SSL/TLS protocol to provide integrity information of the involved endpoint platforms. The framework enhances the TLS protocol with a mutual attestation mechanism which can help to address the weaknesses of transferring sensitive computations, and a practical way to solve the remote trust issue in the client-server environment. In this paper, we describe the work of designing and building a framework prototype in which the attestation mechanism is integrated into the Mozilla Firefox browser and Apache web server. We also present the framework solution to show improvement in the efficiency level.
Keywords: Web services; protocols; trusted computing; Apache Web server; Internet connectivity; Mozilla Firefox browser; SSL-TLS protocol; Web browsers; Web servers; Web service security; Web-based application; client-server environment; endpoint platforms; extended TLS; mutual attestation mechanism; platform integrity assurance; remote attestation; trusted computing group; trustworthiness; Browsers; Principal component analysis; Protocols; Security; Web servers (ID#: 15-3716)


Chen Chen, Himanshu Raj, Stefan Saroiu, Alec Wolman, "cTPM: a Cloud TPM For Cross-Device Trusted Applications," NSDI'14 Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation, April 2014, Pages 187-201. (no doi given) Current Trusted Platform Modules (TPMs) are ill-suited for cross-device scenarios in trusted mobile applications because they hinder the seamless sharing of data across multiple devices. This paper presents cTPM, an extension of the TPM's design that adds an additional root key to the TPM and shares that root key with the cloud. As a result, the cloud can create and share TPM-protected keys and data across multiple devices owned by one user. Further, the additional key lets the cTPM allocate cloud-backed remote storage so that each TPM can benefit from a trusted real-time clock and high-performance, non-volatile storage. This paper shows that cTPM is practical, versatile, and easily applicable to trusted mobile applications. Our simple change to the TPM specification is viable because its fundamental concepts - a primary root key and off-chip, NV storage - are already found in the current specification, TPM 2.0. By avoiding a clean-slate redesign, we sidestep the difficult challenge of re-verifying the security properties of a new TPM design. We demonstrate cTPM's versatility with two case studies: extending Pasture with additional functionality, and reimplementing TrInc without the need for extra hardware.
Keywords:  (not provided) (ID#: 15-3717)


Vijay Varadharajan, Udaya Tupakula, Counteracting Security Attacks In Virtual Machines In The Cloud Using Property Based Attestation, Journal of Network and Computer Applications, Volume 40, April 2014, Pages 31-45. doi: 10.1016/j.jnca.2013.08.002 Cloud computing technologies are receiving a great deal of attention. Furthermore, most of the hardware devices such as PCs and mobile phones are increasingly having a trusted component called Trusted Platform Module embedded in them, which helps to measure the state of the platform and hence reason about its trust. Recently attestation techniques such as binary attestation and property based attestation techniques have been proposed based on the TPM. In this paper, we propose a novel trust enhanced security model for cloud services that helps to detect and prevent security attacks in cloud infrastructures using trusted attestation techniques. We consider a cloud architecture where different services are hosted on virtualized systems on the cloud by multiple cloud customers (multi-tenants). We consider an attacker model and various attack scenarios for such hosted services in the cloud. Our trust enhanced security model enables the cloud service provider to certify certain security properties of the tenant virtual machines and services running on them. These properties are then used to detect and minimise attacks between the cloud tenants running virtual machines on the infrastructure and its customers as well as increase the assurance of the tenant virtual machine transactions. If there is a variation in the behaviour of the tenant virtual machine from the certified properties, the model allows us to dynamically isolate the tenant virtual machine or even terminate the malicious services on a fine granular basis. The paper describes the design and implementation of the proposed model and discusses how it deals with the different attack scenarios. We also show that our model is beneficial for the cloud service providers, cloud customers running tenant virtual machines as well as the customers using the services provided by these tenant virtual machines.
Keywords: Cloud, Malware, Rootkits, TPM attestation, Trusted computing, Virtual machine monitors, Zero day attacks (ID#: 15-3718)


Y. Seifi, S. Suriadi, E. Foo, C. Boyd, Security Properties Analysis In A TPM-Based Protocol, International Journal of Security and Networks, Volume 9 Issue 2, April 2014, Pages 85-103. doi: 10.1504/IJSN.2014.060742 Security protocols are designed in order to provide security property goals. They achieve their goals using cryptographic primitives such as key agreement or hash functions. Security analysis tools are used in order to verify whether a security protocol achieves its goals or not. The properties analysed by specific purpose tools are predefined properties such as secrecy (confidentiality), authentication or non-repudiation. There are security goals that are defined by the user in systems with security requirements. Analysis of these properties is possible with general purpose analysis tools such as coloured Petri nets (CPN). This research analyses two security properties that are defined in a protocol that is based on the trusted platform module (TPM). The analysed protocol is proposed by Delaune to use TPM capabilities and secrets in order to open only one secret from two submitted secrets to a recipient.
Keywords:  (not provided) (ID#: 15-3719)


Danan Thilakanathan, Shiping Chen, Surya Nepal, Rafael A. Calvo, Dongxi Liu, John Zic, CLOUD '14 Proceedings of the 2014 IEEE International Conference on Cloud Computing, June 2014, Pages 224-231. doi: 10.1109/CLOUD.2014.39 The trend towards Cloud computing infrastructure has increased the need for new methods that allow data owners to share their data with others securely, taking into account the needs of multiple stakeholders. The data owner should be able to share confidential data while delegating much of the burden of access control management to the Cloud and trusted enterprises. The lack of such methods to enhance privacy and security may hinder the growth of cloud computing. In particular, there is a growing need to better manage security keys of data shared in the Cloud. BYOD provides a first step to enabling secure and efficient key management; however, the data owner cannot guarantee that the data consumer's device itself is secure. Furthermore, in current methods the data owner cannot revoke a particular data consumer or group efficiently. In this paper, we address these issues by incorporating a hardware-based Trusted Platform Module (TPM) mechanism called the Trusted Extension Device (TED) together with our security model and protocol to allow stronger privacy of data compared to software-based security protocols. We demonstrate the concept of using TED for stronger protection and management of cryptographic keys and how our secure data sharing protocol will allow a data owner (e.g., author) to securely store data via untrusted Cloud services. Our work prevents keys from being stolen by outsiders and/or dishonest authorized consumers, thus making it particularly attractive to be implemented in a real-world scenario.
Keywords: Cloud Computing, Security, Privacy, Data sharing, Access control, TPM, BYOD, Key management (ID#: 15-3720)


Rommel García, Ignacio Algredo-Badillo, Miguel Morales-Sandoval, Claudia Feregrino-Uribe, René Cumplido, A Compact FPGA-Based Processor for the Secure Hash Algorithm SHA-256, Computers and Electrical Engineering, Volume 40 Issue 1, January 2014, Pages 194-202. doi: 10.1016/j.compeleceng.2013.11.014 This work reports an efficient and compact FPGA processor for the SHA-256 algorithm. The novel processor architecture is based on a custom datapath that exploits the reuse of modules, having as main component a 4-input Arithmetic-Logic Unit not previously reported. This ALU is designed as a result of studying the type of operations in the SHA algorithm, their execution sequence and the associated dataflow. The processor hardware architecture was modeled in VHDL and implemented in FPGAs. The results obtained from the implementation in a Virtex5 device demonstrate that the proposed design uses fewer resources achieving higher performance and efficiency, outperforming previous approaches in the literature focused on compact designs, saving around 60% FPGA slices with an increased throughput (Mbps) and efficiency (Mbps/Slice). The proposed SHA processor is well suited for applications like Wi-Fi, TMP (Trusted Mobile Platform), and MTM (Mobile Trusted Module), where the data transfer speed is around 50 Mbps.
Keywords:  (not provided) (ID#: 15-3721)


Bryan Jeffery Parno, Trust Extension as a Mechanism for Secure Code Execution on Commodity Computers, (book) Association for Computing Machinery and Morgan & Claypool, New York, NY, June 2014. ISBN 978-1-62705-477-5 As society rushes to digitize sensitive information and services, it is imperative that we adopt adequate security protections. However, such protections fundamentally conflict with the benefits we expect from commodity computers. In other words, consumers and businesses value commodity computers because they provide good performance and an abundance of features at relatively low costs. Meanwhile, attempts to build secure systems from the ground up typically abandon such goals, and hence are seldom adopted [Karger et al. 1991, Gold et al. 1984, Ames 1981]. In this book, a revised version of my doctoral dissertation, originally written while studying at Carnegie Mellon University, I argue that we can resolve the tension between security and features by leveraging the trust a user has in one device to enable her to securely use another commodity device or service, without sacrificing the performance and features expected of commodity systems. We support this premise over the course of the following chapters.

  • Introduction. This chapter introduces the notion of bootstrapping trust from one device or service to another and gives an overview of how the subsequent chapters fit together.
  • Background and related work. This chapter focuses on existing techniques for bootstrapping trust in commodity computers, specifically by conveying information about a computer's current execution environment to an interested party. This would, for example, enable a user to verify that her computer is free of malware, or that a remote web server will handle her data responsibly.
  • Bootstrapping trust in a commodity computer. At a high level, this chapter develops techniques to allow a user to employ a small, trusted, portable device to securely learn what code is executing on her local computer. While the problem is simply stated, finding a solution that is both secure and usable with existing hardware proves quite difficult.
  • On-demand secure code execution. Rather than entrusting a user's data to the mountain of buggy code likely running on her computer, in this chapter, we construct an on-demand secure execution environment which can perform security sensitive tasks and handle private data in complete isolation from all other software (and most hardware) on the system. Meanwhile, non-security-sensitive software retains the same abundance of features and performance it enjoys today.
  • Using trustworthy host data in the network. Having established an environment for secure code execution on an individual computer, this chapter shows how to extend trust in this environment to network elements in a secure and efficient manner. This allows us to reexamine the design of network protocols and defenses, since we can now execute code on end hosts and trust the results within the network.
  • Secure code execution on untrusted hardware. Lastly, this chapter extends the user's trust one more step to encompass computations performed on a remote host (e.g., in the cloud). We design, analyze, and prove secure a protocol that allows a user to outsource arbitrary computations to commodity computers run by an untrusted remote party (or parties) who may subject the computers to both software and hardware attacks. Our protocol guarantees that the user can both verify that the results returned are indeed the correct results of the specified computations on the inputs provided, and protect the secrecy of both the inputs and outputs of the computations. These guarantees are provided in a non-interactive, asymptotically optimal (with respect to CPU and bandwidth) manner.

Thus, extending a user's trust, via software, hardware, and cryptographic techniques, allows us to provide strong security protections for both local and remote computations on sensitive data, while still preserving the performance and features of commodity computers. (ID#: 15-3722)


Akshay Dua, Nirupama Bulusu, Wu-Chang Feng, Wen Hu, Combating Software and Sybil Attacks to Data Integrity in Crowd-Sourced Embedded Systems, ACM Transactions on Embedded Computing Systems (TECS), Volume 13 Issue 5s, September 2014, Article No. 154. doi: 10.1145/2629338 Crowd-sourced mobile embedded systems allow people to contribute sensor data for critical applications, including transportation, emergency response and eHealth. Data integrity becomes imperative as malicious participants can launch software and Sybil attacks modifying the sensing platform and data. To address these attacks, we develop (1) a Trusted Sensing Peripheral (TSP) enabling collection of high-integrity raw or aggregated data, and participation in applications requiring additional modalities; and (2) a Secure Tasking and Aggregation Protocol (STAP) enabling aggregation of TSP trusted readings by untrusted intermediaries, while efficiently detecting fabricators. Evaluations demonstrate that TSP and STAP are practical and energy-efficient.
Keywords: Trust, critical systems, crowd-sourced sensing, data integrity, embedded systems, mobile computing, security (ID#: 15-3723)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.