Fedora reexamines "trusted boot" [LWN.net]

Fedora reexamines "trusted boot"

Posted Jun 30, 2011 14:33 UTC (Thu) by gmaxwell (subscriber, #30048)
In reply to: Fedora reexamines "trusted boot" by brendan_wright
Parent article: Fedora reexamines "trusted boot"

I thought I was clear enough that my concern was mostly related to the default install.

If it's something someone has to go through an effort to activate it won't be imposed casually by third parties.

Though you seem to be suggesting that it's a useful system security feature. It is not. If your system is compromiseable without trusted boot it will be just as vulnerable with it.

Iff linux and much of the userspace were redesigned you _might_ be able to use it to detect rootkits, but even then its unlikely to help... Attackers already aren't rebooting your systems into new kernels for rootkit purposes: They usually use intentionally exposed features (or bugs) to add code to the kernel without rebooting. ... so TPM would attest to you that it booted your trusted kernel but it wouldn't matter.

(Log in to post comments)

Fedora reexamines "trusted boot"

Posted Jun 30, 2011 16:46 UTC (Thu) by alonz (subscriber, #815) [Link]

You're touching on the most important point here:

trusted boot is not really about security anymore.

Trusted boot has been proven totally ineffective as a security measure, time and time again. It only remaining business case is to enforce lock-in. But many people still believe the old hype about trusted boot as “the security technology that will rid us of those pesky rootkits”, and serve as unknowing shills for the commercial interests behind the technology.

Even the name of the technology hints at its shortcomings: trusted—by whom? boot—not a trusted system, but only the boot process is trusted.

(Full disclosure: I design security products, and my company even sells “trusted boot” solutions.)

Fedora reexamines "trusted boot"

Posted Jul 1, 2011 14:32 UTC (Fri) by geofft (subscriber, #59789) [Link]

I'd like to know more about why you say it's ineffective as a security measure?

I'm thinking (only thinking, no real plans) about deploying it in a large academic environment, where we're able to take kernel updates all the time and in fact have auto-updates, and the local machines are also stateless so we can reinstall them at any time. Trusted boot would let us know whether or not the system was booted normally or e.g. from a CD or in single-user mode, and whether the disk had been tampered with since last time it was trusted-booted. We're fine assuming that we take updates often enough to avoid rootkits (and in fact we have no network login on these machines), and that in case we suspect something we just want to trigger a remote reinstall.

Will trusted boot and remote attestation not work here?

Note that we have no desire to prevent people from rebooting terminals into a live CD. We just want them not to mess with the hard disk when doing so, and we want to know if they _left_ it booted into a live CD.

Fedora reexamines "trusted boot"

Posted Jul 1, 2011 15:01 UTC (Fri) by mjg59 (subscriber, #23239) [Link]

There have been various flaws in Intel chipsets that allow attacks, the most entertaining being an exploit in the BIOS flasher code that would allow you to flash unsigned BIOS images and replace the sinit. I don't believe there are any <em>known</em> flaws in current systems, but http://theinvisiblethings.blogspot.com/search/label/trust... discusses some of the ones that have been found.

So I don't think there's any direct evidence that it's ineffective, merely that history suggests that anything that's never been seriously attacked and which has a track record of holes tends to have more holes that haven't been found yet...

Fedora reexamines "trusted boot"

Posted Jul 3, 2011 12:04 UTC (Sun) by alonz (subscriber, #815) [Link]

OK, I'll qualify my statements above a bit:
Trusted Boot has been shown to be ineffective as a general security measure for open environments.

If your system is managed centrally, and does not permit execution of locally-introduced code, you're likely OK. Also, if the only purpose of your trusted boot solution is access control to centrally-managed systems, your risk is at least controllable.

The issue with trusted boot is that it's often presented as a “magic bullet”—e.g., claiming that trusted boot (from a local disk!) is an effective countermeasure against rootkits.

Fedora reexamines "trusted boot"

Posted Jul 3, 2011 10:57 UTC (Sun) by brendan_wright (subscriber, #7376) [Link]

> Trusted boot has been proven totally ineffective as a security measure, time and time again.

So are you saying that most systems that have fully deployed trusted boot have been and/or can be made to incorrectly attest themselves as secure when they were actually booting compromised code? If so I'm interested to know how, when and why.

If not, in what way has it failed? I get the impression it's seldom fully implemented outside of DoD & Chrome OS and maybe a few others...

Fedora reexamines "trusted boot"

Posted Jul 3, 2011 10:45 UTC (Sun) by brendan_wright (subscriber, #7376) [Link]

> Though you seem to be suggesting that it's a useful system security feature. It is not. If your system is compromiseable without trusted boot it will be just as vulnerable with it.

It may not prevent compromise but the idea is it can reveal it through remote attestation - see: http://lwn.net/Articles/137306/

A successful compromise might still be a denial-of-service attack, but by immediately taking the compromised system offline you can have confidence that your computers aren't really "owned" by a bunch of hackers.

> Iff linux and much of the userspace were redesigned you _might_ be able to use it to detect rootkits, but even then its unlikely to help... Attackers already aren't rebooting your systems into new kernels for rootkit purposes: They usually use intentionally exposed features (or bugs) to add code to the kernel without rebooting. ... so TPM would attest to you that it booted your trusted kernel but it wouldn't matter.

The idea is that the signing process continues after boot and no code is run without first being checked. If you can extend that to all code in the system (which I agree is a lot of work) then you can detect code changes after boot. Presumably NX bits help here too.

Fedora reexamines "trusted boot"

Posted Jul 3, 2011 12:13 UTC (Sun) by alonz (subscriber, #815) [Link]

I'm afraid I have to disagree with you, at least partially…

For example, you write
> It may not prevent compromise but the idea is it can reveal it through remote attestation
Here you are assuming that the main purpose of the system is access to some (single!) remote service, which can perform the attestation often enough to matter. But this isn't the case for most modern uses, especially when even “connected” devices often use cellular (= intermittent) connections.

Likewise,
> The idea is that the signing process continues after boot and no code is run without first being checked
This assumes a completely closed software ecosystem—which, again, is far from the normal case in almost all modern use-cases.

The concepts of “trusted boot” looked OK on paper, in the context of early security research (which dealt with monolithic managed systems, when software distributions were small and organizations were large). But they don't fit most modern use cases.

Fedora reexamines "trusted boot"

Posted Jul 4, 2011 2:31 UTC (Mon) by brendan_wright (subscriber, #7376) [Link]

> Here you are assuming that the main purpose of the system is access to some (single!) remote service, which can perform the attestation often enough to matter. But this isn't the case for most modern uses, especially when even connected devices often use cellular (= intermittent) connections.

If a firewall is setup to check the security of severs or desktops siting behind it, it can take them offline as soon as they fail a trust check. A mobile device like an Android integrates with online systems such as the update system that could in theory perform such checks for you (alerting your by email perhaps). A lot is possible if the software can be sorted properly...

> > The idea is that the signing process continues after boot and no code is run without first being checked

> This assumes a completely closed software ecosystemwhich, again, is far from the normal case in almost all modern use-cases.

Really? Don't many distros and Anrdoid already only download correctly signed code updates by default? Linux is already much more "closed" or at least "centralized" in one sense than Windows in that most software is installed via apt-get or whatever.

It's not hard to imagine extending this framework to include the TPM, so that your system can attest it is running the code as provided by the update servers, not some code compromised in transit or after it was installed on your machine.

Fedora reexamines "trusted boot"

Posted Jul 4, 2011 8:57 UTC (Mon) by etienne (subscriber, #25256) [Link]

> The idea is that the signing process continues after boot and no code is run without first being checked.

How do you check system-wide libraries? They can be loaded at different time and so different addresses on two successive boots (depending on timing issues or randomized loaded), and they are lasy loaded (http://en.wikipedia.org/wiki/Lazy_loading) so they are constantly being modified - if those memory pages are loaded in memory at all.

Fedora reexamines "trusted boot"

Posted Jul 4, 2011 23:12 UTC (Mon) by brendan_wright (subscriber, #7376) [Link]

> How do you check system-wide libraries?

You check the library loading code, and then the library code that is about to be loaded & relocated - if they haven't changed then the output can't have changed (except for addresses), so if they are "secure" then so should the output be.