Weekly Edition
Return to the Front page
| |||||||||||||
Control over our hardware
Security is a much-discussed subject at the moment; it has become clear
that security needs to be improved throughout our community - and, indeed,
in the industry as a whole. But anybody who has lived through the last
decade does not need to be told that many actions carried out in the name
of improving security are, at best, intended to give control to somebody
else. At worst, they can end up reducing security at the same time. A
couple of examples from the hardware world show how "security" often
conflicts with freedom - and with itself.
UEFI secure bootLWN first wrote about the UEFI "secure boot" feature last June. At that point, the potential for trouble was clear, but it was also mostly theoretical. More recently, it has been revealed that Microsoft intends to require the enabling of secure boot for any system running the client version of Windows 8. That makes the problem rather more immediate and concrete. The secure boot technology is not without its value. If an attacker is able to corrupt the system's firmware, bootloader, or kernel image, no amount of good practice or security code will be able to remedy the situation; that system will be owned by the attacker. Secure boot makes such attacks much harder to carry out; the system will detect the corrupted code and refuse to run it. An automated teller machine should almost certainly have this kind of feature enabled, for example. Many LWN readers would likely find that the amount of time they have to put into family technical support would drop considerably if certain family members had their systems protected in this way. Secure boot requires trust in whatever agency applies its signature to the code. A better name for the feature might be "restricted boot," since it restricts the system to booting code that has been signed by a trusted key. The idea is sound enough, except for one little problem: who decides which keys are trusted? Hardware vendors seeking Microsoft certification will create a secure boot implementation that trusts Microsoft's keys. They need not trust any others - not even from other hardware vendors selling Windows-compatible hardware. Secure boot would not be a big problem if users were guaranteed the right to install their own keys or to disable the feature altogether. The owner of a specific computer may well want to restrict the system to booting kernels signed by Red Hat, SUSE, or OpenBSD. They might also want to say that Windows is not a trusted system - but only as long as the driver firmware needed to boot is signed by somebody other than Microsoft. The owners may want to build their own kernels signed with their own keys. Or they may decide that secure boot is a pain that they would rather do without. With this freedom, secure boot could be a beneficial feature indeed. But nobody is guaranteeing that freedom. The ability to disable secure boot, at least, may come standard on traditional "desktop PC" systems, but the role of those systems in the market is declining. Microsoft very much wants to push Windows into tablets, handsets, refrigerators, and other new systems. Such machines do not have a stellar record with regard to enabling owner control even now; it does not seem likely that Microsoft's certification requirements will improve that situation. Just as things seemed to be getting better in that area, we may be about to see them get worse again. That said, loss of control over our systems is not a foregone conclusion. Microsoft will have to be very careful about monopoly concerns in the areas where it is dominant. In the areas where Microsoft has failed to gain dominance, there is no guarantee that it ever will. And, even then, users have been clear enough about their desire for access to their own systems to gain the attention of some big handset manufacturers. Lockdown via secure boot is not a foregone conclusion; in fact, it looks like a battle we should be able to win. But we must certainly keep our eyes on the situation.
Trusted botnetsThe pointer to this paper by Alan Dunn et al [PDF] came via Alan Cox. These investigators have figured out a way to use the trusted platform module (TPM) found in most systems to hide malware from anybody trying to investigate it. In essence, the TPM can be used to create a trusted botnet capable of resisting attempts to determine what the hostile code is actually doing. The TPM provides a number of cryptographic functions along with a set of "platform configuration registers" (PCRs) that can be used to make guarantees about the state of the system. As long as the boot path is trusted, the TPM can sign a message containing PCR values proving that a specific set of software is running on the system. Fears that this "remote attestation" capability would be used to lock down systems from afar have not generally come true - so far. The TPM can also perform encryption and decryption of data, optionally tied to specific PCR values. One other TPM-supported feature is "late launch," a mechanism by which code can be executed in an uninterruptable and unobservable manner. Late launch is used to enable mechanisms like Intel TXT; it is another way of ensuring that only "trusted" code can run on a system. The attack described in the paper requires gaining control of the TPM, an act which may or may not be easy (even after the system itself has been compromised) depending on how the TPM is being used. Once that has been done, the compromised software will be able to attest to a remote controlling node that it is in full control of the system. That node can then send down encrypted code to be run in the late launch mode. This code is limited in what it can do - it cannot call into the host operating system for anything, for example - but it can make important policy decisions controlling how the malware will operate. Understanding - and defeating - malware often depends on the ability to observe it in action and reverse engineer its decision making. If it proves impossible to observe malware in operation or to run it in a virtualized mode, that malware will be harder to stop. The attack is not easy, but experience has shown that the world does not lack for capable, motivated, and well-funded attackers who might just take up the challenge. That would not bode well for the future security of the net as a whole. Needless to say, the protection of botnets seems counter to the objectives that led to the creation of the TPM in the first place. It has always been clear that technology imposed in the name of "security" has the potential to cost us control over our own systems. Now it seems that technology could even hand control over to overtly hostile organizations. That does not seem like a more secure situation, somehow. (Log in to post comments)
Control over our hardware Posted Sep 29, 2011 0:24 UTC (Thu) by geofft (subscriber, #59789) [Link] Hrrm. One can always virtualize the TPM, right?The TPM only means, "Assuming you once trusted the hardware on which you set up the TPM, you can now trust this code." It would be pretty easy to defeat this attack by setting up a virtual TPM and letting that provide services to the malware, while leaving the real TPM untouched. Malware has no way to ever initially trust the hardware. Certainly in the lab, running botnets with vTPMs is easy (and running botnets on VMs is pretty standard, even though botnets tend to try to include VM detection). In practice, if this is a concern, a kernel module that intercepts and virtualizes (or denies) TPM requests should be fairly easy to implement as a generic protection technique.
Control over our hardware Posted Sep 29, 2011 0:43 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]
In general, no you can't virtualize TPM without breaking its trust chain.
If you're willing to replace the trust anchor with your own one, then you certainly can virtualize TPM. But I somehow doubt that Next Generation Microsoft DRM would accept it.
Control over our hardware Posted Sep 29, 2011 1:32 UTC (Thu) by zlynx (subscriber, #2285) [Link]
But the hypothetical botnet has no way to verify the TPM's responses, as it presumably does not have the Microsoft key either.
Control over our hardware Posted Sep 29, 2011 1:38 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]
It surely can because public keys are, well, public. In fact, any sufficiently privileged application should be able to verify that trust chain is unbroken.
Botnet won't be able to impersonate Microsoft, unless there's a hole somewhere that allows it to inject itself into the boot process.
Control over our hardware Posted Sep 29, 2011 16:38 UTC (Thu) by zlynx (subscriber, #2285) [Link]
Hmm.
Yeah, I guess I didn't think that through before I posted it.
Control over our hardware Posted Sep 29, 2011 6:31 UTC (Thu) by njs (guest, #40338) [Link]
> Many LWN readers would likely find that the amount of time they have to put into family technical support would drop considerably if certain family members had their systems protected in this way.
This sounds very strange to me -- I would have guessed that the number of readers that this applies to was actually zero. Do bootloader viruses still exist in real life? Has anyone actually encountered a situation where securing the bootloader would have turned a successful attack into no-technical-support required situation?
My intuition is that "secure boot" is only useful if you also spend significant effort extending the trust chain (the bootloader only loads a signed kernel, then the kernel only runs signed executables, which only load signed data...). And this worries me, because all the discussions here take this tone that well of course this is a *important feature* where we just have to find the right trade-off, but I can't see how this is useful at all unless you're running a fully-locked-down system like a ChromeBook or iPad or something. Can anyone explain how this feature does anything at all for me, as an ordinary Linux user? Is there any reason we should be ceding that rhetorical ground?
Control over our hardware Posted Sep 29, 2011 9:57 UTC (Thu) by Cato (subscriber, #7643) [Link]
MBR-based malware has had a resurgence in recent years - Mebroot is one example: http://en.wikipedia.org/wiki/Mebroot - and here's another: http://karstenjohansson.blogspot.com/2011/06/old-style-mb...
The "best" ones act as a surrogate OS, with remote crash dump reporting and automatic updates to fix bugs. So securing the boot sequence would at least make it harder to write such malware.
Control over our hardware Posted Sep 29, 2011 11:59 UTC (Thu) by etienne (subscriber, #25256) [Link]
And you have the kernel to load only "secured" modules (in initramfs or the main filesystem), each file has a signature dependant on which compiler version is being used.
Moreover, each application shall be fully checked before being run, that basically means no more paged-in executable. And you'd better not use pre-linked libraries because their signature will be changed, randomized loading addresses may also be a problem.
Updating a system (whatever the system is) to fix bugs will not be done unless you are sure you have the right keys...
Control over our hardware Posted Sep 29, 2011 15:44 UTC (Thu) by jmorris42 (subscriber, #2203) [Link]
> ..but I can't see how this is useful at all unless you're running
> a fully-locked-down system like a ChromeBook or iPad or something.
That is the future planned for us. Look at the design of Windows 8, OS X Lion, etc. Signed binaries bought from 'the' App Store.
Truth be told, there are places where I would want to deploy such a thing under Linux. A locked down server where only signed executables ran would remove a lot of entrances for malware. Layer SELinux on top and it would make me sleep better at night. For that matter, no reason you couldn't even sign scripts and check those before running them. Again, none of this is something I'd want on a desktop machine but on a hardened server exposed to the wide wide world of the Internet, oh heck yes.
So long as I remain in control of the keyrings I don't have a problem with any of this stuff. So long as we have a law requiring disclosure of just who controls the keys labeled clearly on the box there will be little down side. Of course that won't happen.
Not that it will actually provide much security when it gets implemented in the real world. Because to be marketable in the real world, Windows must be able to add/remove keys so the whole point is void. Malware owns Windows, adds itself to the keystore, now things are worse than before.
Control over our hardware Posted Sep 29, 2011 10:39 UTC (Thu) by Curan (subscriber, #66186) [Link] The idea is sound enough, except for one little problem: who decides which keys are trusted? This reminded me of a (by now) rather old short film about Trusted Computing.
Control over our hardware Posted Oct 1, 2011 16:06 UTC (Sat) by thoeme (subscriber, #2871) [Link]
Thanks for the link to the little movie, it is really neat.
About trust Posted Oct 7, 2011 13:10 UTC (Fri) by man_ls (subscriber, #15091) [Link] Really cool, yeah. There is a NSFW-ish image almost at the end, but the rest is impeccable.
Control over our hardware Posted Sep 30, 2011 20:32 UTC (Fri) by robbe (guest, #16131) [Link]
> Microsoft very much wants to push Windows into tablets, handsets, refrigerators, and other new systems.
I can't imagine it being much more successful there than it has been before.
MS can certainly cram this secure UEFI rot down the collective throats of PC motherboard and laptop vendors. They wouldn't dare selling their stuff without the necessary seal of approval. But who would look for the "designed for Windows X" sticker when buying their smartfridge?
That said, those of these devices that exist today are often locked down via much the same methods. Many of them "securely" boot a kernel that is part of this publications name. My bet is that jailbreaking considerations are here to stay. Whether Microsoft's efforts will make it necessary on a desktop PC as well does not a world's difference.
I doubt that, though. There's too much downside for the big buyers, businesses. At least MS has to think of better reasons -- the security horse does not draw every cart out of the mud, or Vista, with its much-vaunted security features, would have been a bigger hit.
Control over our hardware Posted Oct 2, 2011 0:40 UTC (Sun) by rikhard (guest, #80562) [Link]
i am just a gnu/linux user, i am not a developer so i might be wrong, but the way i see it, TPM should be used like this, at least with floss OSs like gnu/linux and the BSDs:
1. the bios allows the user to create a master/root key
2. using this key the bios passes that info to the other devices firmware
3. when i install the system for the first time i sign it with that key, i mean all the files, like i would do with OSSEC, AIDE and Samhain or Tripwire.
4. every time i need to compile a kernel, i sign it with the key
i am probably very wrong, but i would like to know if this is achievable
thanks
Control over our hardware Posted Oct 3, 2011 2:01 UTC (Mon) by giraffedata (subscriber, #1954) [Link] 2. using this key the bios passes that info to the other devices firmware Wbat is "that info" and what is "the other devices firmware"? Also, what problem is this system intended to solve?
Control over our hardware Posted Oct 3, 2011 14:38 UTC (Mon) by rikhard (guest, #80562) [Link]
2. using this key the bios passes that info to the other devices firmware
<i>"Wbat is "that info" and what is "the other devices firmware"?
Also, what problem is this system intended to solve?"</i>
* the info is the root key
* by other devices i mean, hd, vga card, sound card etc
* the problem i wish to solve is to give the user freedom to choose/have their own keys
i know that i'm being naive since the real goal is to take away user's freedom, but hey i am just dreaming!
thanks
Control over our hardware Posted Oct 4, 2011 22:42 UTC (Tue) by giraffedata (subscriber, #1954) [Link] what problem is this system intended to solve?the problem i wish to solve is to give the user freedom to choose/have their own keys OK, that's a problem with some existing TPM implementation. I meant what problem in traditional non-TPM systems does this solve? I.e. how is it better than having no keys at all?
Control over our hardware Posted Oct 14, 2011 8:40 UTC (Fri) by ebirdie (subscriber, #512) [Link]
Just wanted to share following tidbits.
Recently ars technica had interesting article about a technology to "control over our hardware".
http://arstechnica.com/business/news/2011/10/researchers-...
Today I grawled to a blog post of another person experiencing same phenomenon of disappearing ethernet network interface as I did a while back.
http://www.corsac.net/?rub=blog&post=1534
The differences I had with the disappearing ethernet interface phenomenon were that the laptop manufacturer had not announced vPro capabilities, the network card was Marvell 88E8055 driven by sky2 module from 2.6.32 and I hit this after enabling WoL and run the system for hours or couple days after a network boot.
Wikipedia article about Intel Advanced Management Technology hints that AMT might be present in a laptop although the laptop manufacturer does not specifically announce it.
I think, what we really need is simplicity and grassroots verifiability in order to trust Intel and other vendors for partnering with us against rogue third parties. Just saying this out although I find this implied in the above article and comments.
|
|||||||||||||