Dynamic Measurement and Protected Execution: Model and Analysis

  • Shiwei Xu
  • Ian Batten
  • Mark Ryan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8358)


Useful security properties arise from sealing data to specific units of code. Modern processors featuring Intel’s TXT and AMD’s SVM achieve this by a process of measured and protected execution. Only code which has the correct measurement can access the data, and this code runs in an environment protected from observation and interference. We present a modelling language with primitives for protected execution, along with its semantics. We characterise an attacker who has access to all the capabilities of the hardware. In order to achieve automatic analysis of systems using protected execution without attempting to search an infinite state space, we define transformations that reduce the number of times the attacker needs to use protected execution to a pre-determined bound. Given reasonable assumptions we prove the soundness of the transformation: no secrecy attacks are lost by applying it. We then describe using the StatVerif extensions to ProVerif to model the bounded invocations of protected execution. We show the analysis of realistic systems, for which we provide case studies.





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. Wuhan Digital Engineering Institute, Wuhan, China
  2. School of Computer Science, University of Birmingham, West Midlands, UK
