LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Hibernation doesn't work?

Hibernation doesn't work?

Posted Sep 14, 2012 19:48 UTC (Fri) by hummassa (subscriber, #307)
In reply to: Hibernation doesn't work? by raven667
Parent article: LSS: Secure Boot

> If there is malware running on the system when it is hibernated then the malware will be written to the hibernate volume and restored with it so the system is no more or less compromised, it all seems like a no-op.

No, because crafting a special restore-image/swapfile and forcing a reboot you can, for instance, boot a whole another OS altogether, totally bypassing the "secure" boot nonsense.

> Even in the case where there is malware running on a system you should still be able to perform a clean boot with verification up to the point where your trust chain stops. Then the problem is post-boot (re)compromise and you can use many tools to combat that, if you can get them into your trusted base.

No, because at that point the "phantom" OS can just behave like the "original" OS with a rootkit, rendering symptoms of infection invisible to the original OS.

Suppose the machine is running Windows8, ok? The malware prepares an image that will run some OS that will run Windows8 in an emulated, censored environment that can make a lot of bad things, invisibly to W8. Everytime W8 tries to reboot, it goes thru the hoops again and boots instead the other OS.

(Log in to post comments)

Hibernation doesn't work?

Posted Sep 14, 2012 20:59 UTC (Fri) by raven667 (subscriber, #5198) [Link]

I don't think your points actually disagree with my points, I think we are actually in agreement on the technical issues.

- Hibernate images are outside the trust boundary because they contain arbitrary code
- The fix is to not restore hibernate images
- The proposed signature checking on hibernate images could protect an un-compromised system on disk from being modified before being restored
- There is no security added for a system booted in a VM
- There is no attestation in Secure Boot, a running system can't tell if it's been compromised or not

I don't think Secure Boot attempts or claims to solve the problems of running arbitrary code it only allows you to build a beachhead, ideally an execution chain all the way until user space starts that can't be modified without throwing alarms. That means that re-compromise of a system needs to happen via the normal startup sequence and tools started before the malware can run can potentially block the malware. Once the malware runs it's Blue Pill all the way, you can't trust anything on the system after that.

Hibernation doesn't work?

Posted Sep 14, 2012 22:56 UTC (Fri) by mjg59 (subscriber, #23239) [Link]

> No, because crafting a special restore-image/swapfile and forcing a reboot you can, for instance, boot a whole another OS altogether, totally bypassing the "secure" boot nonsense.

Yes, and if you can get private information out of the kernel then you can probably also get private information *into* the kernel, and then you can just make the kernel execute your other OS without doing anything with hibernation.

Hibernation doesn't work?

Posted Sep 15, 2012 2:03 UTC (Sat) by raven667 (subscriber, #5198) [Link]

Or run it in a VM, Secure Boot isn't designed to protect from a rogue hypervisor. Secure Boot is a fairly basic tool and only covers a small part of the security process, maybe you were expecting something more?

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds