The Research And Implementation Of Trusted Execution Environment Based On Trusted Computing Platform

Posted on: 2007-10-11
Degree: Master
Type: Thesis
Country: China
Candidate: N Xu
Full Text: PDF
GTID: 2178360185454132
Subject: Computer application technology

Abstract/Summary:
Network security is based on the security of the computer system. The essence of information security is the management of security risks. Absolute security doesn't exist. We expect to devise a trusted computer platform whose behavior is predictable under almost any operating condition. Working in such a controllable way, the computer will be highly resistant to subversion by various risks and remain in a secure state. Trusted Computing technology is making great efforts to make the computer trustworthy. Trusted Computing is based on both hardware and software technology. It provides the root of trust for the running system, and it also provides an assisting mechanism for collecting, storing and attesting the system integrity information. Based on the root of trust, by inserting control points before OS loading and application execution, we can collect integrity information, perform attestation and provide restoration if attestation fails. In this way the root of trust can be transferred to the OS and applications. So establishing the complete chain of trust in the computer system is one objective of the thesis.

Motivated by economic interests, malware authors are more likely to use highly stealthy technology to cover their traces. The recent rapid spread of rootkit technology has proved that. More attackers have moved their code from user mode to kernel mode to gain privileges. With full system privileges they can modify critical data areas in kernel memory to hide themselves and change system functions to work as they want. Once malware embedded with rootkits has been executed, the system can no longer be trusted. Because of their stealth and advantage, current defensive technology seems useless against them. So the other objective of the thesis is to make the computer remain trustworthy, protecting the integrity of critical memory space and finding out the stealthy behavior. This is critical for maintaining the trust relationship and indispensable for the whole chain of trust.

For the two objectives described above, the research work is supported by the national "863 project" (2005AA142030). Based on the ideas of trusted computing, the thesis studies the establishment of the remainder of the chain of trust and the maintenance of the trust quality by detecting kernel rootkits. It sets up an authenticated execution environment to establish the whole chain of trust by protecting the file system with integrity attestation; it is also able to maintain the trust quality by protecting critical kernel space with behavioral analysis. So the system is able to run in a trusted state and the computer security can be guaranteed.

The thesis includes five parts:

1. It analyzed current security technology and the requirements for its development from both the defensive and offensive points of view. It pointed out the direction for solving the problems of computer system security.
2. It introduced the concept, composition, and research situation of the trusted computing platform. It also introduced the development and implementation of rootkit technology.
3. It brought forward an architecture to establish the chain of trust based on the TCG specification and build an authenticated execution environment. Based on this architecture, the thesis put emphasis on the protection of the file system, the third phase of establishing the chain of trust, including the hierarchy, function and interface.
4. Under the guidance of proactive defense, using behavioral analysis, the thesis compared four current detection methods, then brought forward a more robust cross-view based method to find hidden processes; meanwhile it used a heuristic method to check for malicious modification of the System Service Dispatch Table. Implementing those methods in the memory protection module can detect rootkits and maintain the trust quality of the system.
5. It put the trusted system into a practical environment and tested it against viruses and rootkits. Compared with other related security products, the results demonstrated that the system possesses the trust quality, having the ability to build an authenticated environment and protect the critical memory space, which gives it an advantage over current security products.
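The measure, attest and restore sequence that the abstract describes for extending the root of trust to the OS and applications can be sketched as follows. This is an added example, not code from the thesis; the stage names, the SHA-256 digest, the `run_chain` interface and the sample images are assumptions made for illustration.

```python
import hashlib

def measure(image: bytes) -> bytes:
    """Integrity measurement of a component: here, its SHA-256 digest."""
    return hashlib.sha256(image).digest()

def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the register can only be folded forward, never set."""
    return hashlib.sha256(register + measurement).digest()

def run_chain(stages, reference, backups):
    """Measure each stage before it runs; restore or halt on a mismatch.

    stages:    ordered (name, image) pairs, e.g. OS loader, kernel, application
    reference: name -> known-good digest (assumed to be integrity-protected)
    backups:   name -> known-good image kept for restoration (assumed)
    Returns (final register, per-stage log, trusted flag).
    """
    register, log = bytes(32), []
    for name, image in stages:
        digest, status = measure(image), "ok"
        if digest != reference[name]:            # attestation failed
            good = backups.get(name)
            if good is None or measure(good) != reference[name]:
                log.append((name, "halted"))     # nothing trustworthy to run
                return register, log, False
            digest, status = reference[name], "restored"
        register = extend(register, digest)      # record what actually runs
        log.append((name, status))
    return register, log, True

def expected_register(order, reference):
    """Value a verifier expects after an untampered boot."""
    register = bytes(32)
    for name in order:
        register = extend(register, reference[name])
    return register

# Constructed sample data: three stages, with the kernel image tampered.
GOOD = {"os_loader": b"loader v1", "kernel": b"kernel v1", "app": b"app v1"}
ORDER = ["os_loader", "kernel", "app"]
REFERENCE = {name: measure(img) for name, img in GOOD.items()}
TAMPERED = [(n, GOOD[n] if n != "kernel" else b"kernel v1 + rootkit") for n in ORDER]

if __name__ == "__main__":
    reg, log, trusted = run_chain(TAMPERED, REFERENCE, GOOD)
    print(log, trusted, reg == expected_register(ORDER, REFERENCE))
```

Because each register value depends on every earlier measurement, a stage that fails attestation and cannot be restored stops the chain before any later stage is measured or run.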
Keywords/Search Tags: Trusted Platform Module (TPM), chain of trust, integrity attestation, highly stealthy technology, rootkit, behavioral analysis, cross view based method