LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Qubes beta 1 released

Qubes beta 1 released

Posted Apr 14, 2011 7:15 UTC (Thu) by cmccabe (guest, #60281)
In reply to: Qubes beta 1 released by jarrett.miller
Parent article: Qubes beta 1 released

Let's say that I'm Random Q. Blackhat. I compromise your system, get root, and install a malicious firmware upgrade on your ethernet device. Something really nasty that sends a copy of every packet you send to blackhat.example.com.

How is TXT going to stop me? The ethernet device is part of the "web of trust," right? You have to trust it.

Another example. FooCorp makes wireless chipsets and wireless drivers. Their wireless driver has a buffer overflow which can be exploited by a certain packet sent by the access point. How is TXT going to stop MyBlackHatAccessPoint from rooting all the passers-by with that chipset?

(Log in to post comments)

Qubes beta 1 released

Posted Apr 14, 2011 10:41 UTC (Thu) by jarrett.miller (guest, #60765) [Link]

I think you have a fundamental misunderstanding about what TXT and/or trusted computing are for. They are not technologies that prevent compromise. There main point of their existence is for you to be able to get a a verifiable list of software on your machine. Nothing more and nothing less. IOW the main point is so that you can reliably tell when you have been rooted not to prevent being rooted.

Now for specific examples. In a TXT enabled hypervisor the ethernet device is not part of the tree of trust. That is the point behind TXT. In classical Trusted Computing (TC) it would have been but TXT was created so that a hypervisor does not have to trust the: BIOS, system firmware, or OS that launched it.

Now for your wireless driver buffer overflow example. In a TXT style system there is going to be a hypervisor and it protects itself from all of the OS's that it is in control of via hardware protections (basically IOMMU with page protection lists). Some OS partition will be where that wireless driver exists. So when someone exploits that flaw and roots that OS partition then the hypervisor should be able to tell (new executable pages come in to existence or the contents of executable pages change). So it has done its job and let you know that said partition is rooted.

I will repeat this to make it crystal clear. TXT is not a mechanism to protect you from software faults. Its just the most basic mechanism to allow you to reliably know what software is running on your machine. You still have to build the rest of your security stack on top of that. Its just trying to lay a sound foundation on which to build better security, It in and of itself is not some silver bullet.

Qubes beta 1 released

Posted Apr 14, 2011 21:07 UTC (Thu) by job (guest, #670) [Link]

Is it common to seek hardware assistance for keeping track of which software you run? I can understand it if you have a locked down environment with whitelisted software, but not for servers.

That trusted software of yours might have holes in it. And when an attacker successfully tricks that software into running his code, it'll be just as trusted as anything else. Just witness all those game consoles out there, they have a lot more elaborate protection than TXT but every single one has been hacked to run unsigned ("homebrew") code.

Qubes beta 1 released

Posted Apr 14, 2011 22:02 UTC (Thu) by cmccabe (guest, #60281) [Link]

Please don't interpret me as "attacking" TXT. I'm just trying to get a sense of what it is and is not.

The truth about the PC platform is that there are a lot of gaping holes in the security model at the hardware level. For example, the PCI bus allows PCI devices to do arbitrary DMA transfers to and from system memory. ACPI bytecode is loaded into the kernel and executed at ring level 0. If TXT allows Intel to work around some of these problems, then it will be a good thing.

However, you can never really completely get away from the need to trust your hardware vendor. That is what I was getting at with the first example, and I think you missed it. Once the data leaves the motherboard and flows to, for example, a separate ethernet card, that card can do whatever it wants. TXT may be able to protect my system memory, but it can't prevent the firmware in my ethernet card from doing something unexpected.

Countries buying military hardware are increasingly concerned about the possibility of "kill switches" being embedded in it. Trusting Intel, an American company, probably isn't something that they're that excited about. Intel, like every other company, has had exploitable bugs in their software in the past. I remember Joanna Rutkowska pointing out an exploitable flaw in an SMM. It would also be relatively easy for them to embed a backdoor into TXT or into the processor itself if they really wanted to.

Of course this whole discussion ignores the many exploitable flaws in the software stack. Until those are fixed, many organizations will quite reasonably regard spending money on implementing TXT as closing a mouse hole, while leaving the barn door open. Chinese hackers only needed to exploit a few vulnerabilities in Adobe (PDF) Reader to steal the secrets of dozens of Fortune 500 companies.

Long story short, TXT is an interesting technology, but it does not allow you to "reliably know what software is running on your machine." That is something that you probably can never do. You can only get closer and closer to certainty, but never reach it.

Qubes beta 1 released

Posted Apr 15, 2011 12:49 UTC (Fri) by jarrett.miller (guest, #60765) [Link]

I am afraid you are just plan wrong on that last statement. Please go read the docs.

As long as you believe that Intel correctly implemented the hardware and correctly implemented the AC module (and here I define correct to mean it implements the semantics of the GETSEC[SENTER] instruction without error) then TXT does indeed allow you to know what is running on your computer reliably.

Heck even classical Trusted Computing lets you do that the problem with the old style of it was that you didn't have to just trust Intel to get the hardware and the AC module right you had to trust the BIOS and all the firmware were not doing anything shady (A bad assumption).

Qubes beta 1 released

Posted Apr 16, 2011 21:29 UTC (Sat) by cmccabe (guest, #60281) [Link]

> As long as you believe that Intel correctly implemented the hardware and
> correctly implemented the AC module (and here I define correct to mean it
> implements the semantics of the GETSEC[SENTER] instruction without error)
> then TXT does indeed allow you to know what is running on your computer
> reliably.

Even if I believe that-- and I already discussed some reasons why I shouldn't-- exploit in another layer of the stack will allow an attacker to run something different on my computer. And even if I magically was able to audit all of that software, it still wouldn't tell me anything about what software is running on, for example, my RAID card, or inside my computer mouse.

You can get closer and closer to certainty, but never reach it.

Qubes beta 1 released

Posted Apr 20, 2011 18:29 UTC (Wed) by PaXTeam (subscriber, #24616) [Link]

> [...] then TXT does indeed allow you to know what is running on your computer reliably.

not exactly. it tells you what was running at the time SENTER executed, it says nothing about the future. in a post somewhere above you tried to dismiss the problem of exploitable bugs by saying this:

> Some OS partition will be where that wireless driver exists. So when
> someone exploits that flaw and roots that OS partition then the
> hypervisor should be able to tell (new executable pages come in to
> existence or the contents of executable pages change). So it has done
> its job and let you know that said partition is rooted.

so this hypervisor wouldn't let guest kernels modify themselves (think of the alternatives mechanism in linux) or load kernel modules? can you name a single widespread (or heck, any) distro which would be able to run on this hypervisor? so you can't do this. but then runtime code generation must be allowed for the guest kernels and that means any kernel exploit is back in business, TXT/hypervisor/etc didn't improve anything, you still don't know what code runs on your box.

Qubes beta 1 released

Posted Apr 15, 2011 1:01 UTC (Fri) by njs (guest, #40338) [Link]

> a hypervisor does not have to trust the: BIOS, system firmware, or OS that launched it.

I think you need to elaborate on what you mean by "trust" here -- it's a notoriously polysemous word. Certainly if some program's correctness depends on its ability to send packets, then it has to trust the ethernet driver to actually do that. Of course, right now the ethernet driver can also go ahead and read any random piece of host memory that it wants to via DMA -- fixing that would certainly improve things.

> In a TXT style system there is going to be a hypervisor and it protects itself from all of the OS's that it is in control of via hardware protections (basically IOMMU with page protection lists).

Not a critical point, but this is exactly how the kernel works now.

> So when someone exploits that flaw and roots that OS partition then the hypervisor should be able to tell (new executable pages come in to existence or the contents of executable pages change).

We already have NX protection, which does essentially the same thing -- prevents buggy programs from creating new executable code. It helps, but it's by no means a guarantee. There are the clever tricks for accomplishing exploits without generating executable code (return-to-libc and all that), and if you can exploit an environment that contains a JIT or dynamic language runtime then you can perform arbitrary actions without triggering the protections.

So I don't really see how TXT makes that much of a difference.

Qubes beta 1 released

Posted Apr 15, 2011 13:00 UTC (Fri) by jarrett.miller (guest, #60765) [Link]

1. Trust in the context of that sentence can be defined as trusting the BIOS, firmware, or spawning OS to not disable (either remove it or prevent it from being scheduled or receiving interrupts that it requires) as well as not tamper with (read,write or over write memory owned by the hypervisor).

2. Why are you brining correctness in to this. I never said that TXT had anything to do with correctness. So don't conflate the argument. All I said is that it allows you to get a reliable list of whats running on your computer.

3. On IOMMU. Are you sure you are correct? Last time I went over the kernel source (maybe 12 months ago) the kernel did not use IOMMU to prevent a DMA device from overwriting portions of kernel memory.

4. As it pertains to your last paragraph. TXT makes a big difference when you are talking about kernel level or firmware root kits and not application level exploits.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds