How we lost the trusted computing base & how to regain it

bert.hubert@netherlabs.nl

Agenda

  • The end of the Trusted Computing Base

  • History of (secure) systems

  • How did it come to be this way?

    • How bad is it?

  • What can we do about it

    • ‘brave’ solutions, weak solutions

The Trusted Computing Base

  • “The trusted computing base of a computer system is the set of all hardware, firmware, and/or software components that are critical to its security, in the sense that bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system.” - Wikipedia

  • “A small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security.” - Authentication in Distributed Systems: Theory and Practice, Lampson et al.

  • As a concept, the TCB has been very theoretical for a long time now - it hides behind an untrusted user interface.

The “trusted crypto base”

  • We have a base that consists of (discrete) mathematics, information theory and ‘bit-level encryption operations’ (avalanche criterion, diffusion etc.)

  • Built on top of that we have rock solid hashes, symmetric ciphers and asymmetric operations

  • With the technology above, we can build systems that are as secure as we want them to be

  • This is a wonder feeling: a solid base to stand on!

The “trusted crypto base”

  • However! Even on top of this very good base, people keep messing it up all the time by the wrong application of the primitives

    • Reusing keys, leaking knowledge, insufficient error checking etc.

  • In addition, we sort of lose our heavenly status when we involve random generators and actual hardware

  • To solve all this we spend a lot of time discussing crypto architecture, and read (& write!) loads of books about it

  • And then we can build things that stand up really well.

  • Compare this to building solutions out of a stack of MySQL, Windows 2008 and Firefox.
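The “wrong application of the primitives” point, made concrete. This is an added example written for this page, not code from the talk: a counter-mode stream cipher built from HMAC-SHA256 (a stand-in for AES-CTR or ChaCha20, chosen so the block runs on the Python standard library alone) is perfectly sound, yet reusing the nonce under one key reuses the keystream, and anyone who knows one plaintext can then read the other without ever touching the key. The key, nonce and payment orders are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed demo values; a real key would come from a KDF or key exchange.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")
REUSED_NONCE = b"static-nonce"        # the mistake: one nonce for every message


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = HMAC(key, nonce || i). The security argument
    only holds if (nonce, i) never repeats under the same key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # Truncates to the shorter input, which is all the attack below needs.
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR is its own inverse


def recover_second_plaintext(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """Nonce reuse: ct1 ^ ct2 == pt1 ^ pt2 because the shared keystream
    cancels. Knowing (or guessing) pt1 therefore reveals pt2, no key needed."""
    return xor_bytes(xor_bytes(ct1, ct2), known_pt1)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Correct usage: a fresh random 96-bit nonce per message, sent in clear."""
    nonce = secrets.token_bytes(12)
    return nonce + encrypt(key, nonce, plaintext)


def open_(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    return decrypt(key, nonce, ct)


def demo_reuse() -> bytes:
    """Two payment orders encrypted under the same (key, nonce). The attacker
    knows the first one (say, their own order) and reads the second."""
    pt1 = b"PAY 0010 EUR TO ACCOUNT NL01 ATTACKER"
    pt2 = b"PAY 9000 EUR TO ACCOUNT NL99 VICTIM-X"
    ct1 = encrypt(KEY, REUSED_NONCE, pt1)
    ct2 = encrypt(KEY, REUSED_NONCE, pt2)
    return recover_second_plaintext(ct1, ct2, pt1)


if __name__ == "__main__":
    print(demo_reuse())                       # the second order, in the clear
    blob_a, blob_b = seal(KEY, b"same text"), seal(KEY, b"same text")
    print(blob_a != blob_b, open_(KEY, blob_a) == b"same text")
```

The primitive is never the problem here; the contract around it is. The same failure class applies to AES-CTR, AES-GCM and ChaCha20-Poly1305 in real deployments, and the “insufficient error checking” item on the slide is the next step of the same story: a stream cipher without an authentication tag lets the attacker flip plaintext bits at will, which is why production code should reach for an AEAD mode rather than a bare stream cipher.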

Doing secure things on a PC (or mac, or iPhone, or Android)

  • For most people: “Forget about it”

    • Or at least, ignore it..

    • Would you sign a real contract online?

  • The numbers are stunning - >5% of corporate desktops (which are the most locked-down PCs available) are compromised

    • Not even on purpose, “drive by hacks”

  • We still do it because there is no alternative

So how bad is it?

  • People do realize there is an issue: nobody wants to install applications anymore! The browser is the preferred platform

    • Including for “your mom”

  • But if you do, any program you install can do nearly ‘everything’, including uploading all your private files to pastebin

    • But wait! I need to give permission for network access!

      • Yes, but you will ;-)

  • By now, the browser is an OS in its own right..

So how bad is it: things no one wants to do

  • A phone that could control your pacemaker, and that reports issues to a specialist

    • This exists, but requires separate hardware to provide security

  • Literally nobody has dared to make an automated & integrated glucose meter & insulin pump (lack of trust)

  • Organizations that deal with ‘life or death’ secrets spawn loads of airgap separated networks, because nobody dares to trust that we can connect them safely

    • And thus put their data on USB sticks..

* Advertisement *

  • Are you looking for a job?

    • Internship? Graduate with us?

  • Work with exciting people!

  • Are you good with any of: C++, Python, Javascript (JQuery, Javascript MVC for example), Java, Cryptology?

  • Please contact me!

  • (we recommend you finish your studies first!)

So, some theory

  • Limited definition of keeping things secure: ensuring that the operator of the computer is the only one that controls what the machine does. The attacker gets no screwdrivers, no physical access

  • The broader definition of security is completely out of reach of a normal PC on the internet

    • Tamperproof, emission controls, timing attacks..

Classic example: internet banking

  • As a user, I want to control where my money goes

  • Bank agrees with me and makes sure I use two-factor access control: something I know plus something I have

  • For this to work:

    • I must be the only one able to send instructions to the bank once logged in

    • The screen should display exactly the orders I gave the website, so I can authorize them

Banking malware

  • Giant business, very sophisticated, whole eco-system revolves around this

    • “Crimeware”, botnets, money-mules etc

  • Revolves around hijacking internet banking sessions

    • Keyloggers, browser injection..

  • In The Netherlands, currently being fought heavily through intensive network & transaction monitoring

  • Firewall, virus scanner etc of (very) limited use in protecting
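The two requirements from the internet banking slide, and the browser-injection attack that defeats a login-only second factor, can be modelled in a few lines. This is an added example for this page, not code from the talk or from any bank: a toy “something I have” token shares a key with the bank and computes short codes. A code bound only to the login session proves possession but says nothing about the order, so malware that rewrites the form after the login still gets its money; a code bound to the amount and payee that the user confirmed on the token’s own display does not. The secret, the orders and the mule account are constructed.

```python
import hashlib
import hmac

# Constructed demo secret, shared between token and bank at issuance.
TOKEN_SECRET = bytes.fromhex("5eed5eed5eed5eed5eed5eed5eed5eed5eed5eed")


def _code(secret: bytes, message: bytes) -> str:
    # Truncated HMAC: the kind of short code a user can type over by hand.
    return hmac.new(secret, message, hashlib.sha256).hexdigest()[:8]


class HardwareToken:
    """The 'something I have'. It has its own display and keypad, so whatever
    it signs is what its owner saw and typed, not what the PC's screen shows."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def login_code(self, challenge: bytes) -> str:
        # Proves possession of the token; says nothing about any transaction.
        return _code(self._secret, b"login|" + challenge)

    def transaction_code(self, amount_cents: int, payee: str) -> str:
        # The token shows amount and payee on its own screen before signing,
        # so the user authorises exactly this order and no other.
        return _code(self._secret, f"pay|{amount_cents}|{payee}".encode())


class Bank:
    def __init__(self, secret: bytes):
        self._secret = secret
        self.ledger = []                      # executed (amount, payee) orders

    def pay_session_bound(self, challenge: bytes, code: str, amount_cents: int, payee: str) -> bool:
        """Login OTP only: once the session is open, any order in it is executed."""
        if hmac.compare_digest(_code(self._secret, b"login|" + challenge), code):
            self.ledger.append((amount_cents, payee))
            return True
        return False

    def pay_transaction_bound(self, code: str, amount_cents: int, payee: str) -> bool:
        """The order must carry a code over the very amount and payee executed."""
        expected = _code(self._secret, f"pay|{amount_cents}|{payee}".encode())
        if hmac.compare_digest(expected, code):
            self.ledger.append((amount_cents, payee))
            return True
        return False


def man_in_the_browser(amount_cents: int, payee: str):
    """Browser injection: the page the user sees is untouched; the form that
    actually leaves the PC is rewritten. Constructed mule account."""
    return 250000, "NL99 MULE 0000 0000 01"


INTENDED = (5000, "NL01 LANDLORD 1234")     # what the user actually wants to pay


def run_session_bound(malware: bool) -> list:
    bank, token = Bank(TOKEN_SECRET), HardwareToken(TOKEN_SECRET)
    challenge = b"bank-challenge-0001"
    code = token.login_code(challenge)       # user types the login OTP
    amount, payee = INTENDED
    if malware:
        amount, payee = man_in_the_browser(amount, payee)
    bank.pay_session_bound(challenge, code, amount, payee)
    return bank.ledger


def run_transaction_bound(malware: bool) -> list:
    bank, token = Bank(TOKEN_SECRET), HardwareToken(TOKEN_SECRET)
    amount, payee = INTENDED
    code = token.transaction_code(amount, payee)   # confirmed on the token's display
    if malware:
        amount, payee = man_in_the_browser(amount, payee)
    bank.pay_transaction_bound(code, amount, payee)
    return bank.ledger


if __name__ == "__main__":
    print("session-bound, infected PC:    ", run_session_bound(True))
    print("transaction-bound, infected PC:", run_transaction_bound(True))
    print("transaction-bound, clean PC:   ", run_transaction_bound(False))
```

Two caveats a practitioner would add. The code has to cover every field the attacker profits from changing (amount and payee at minimum), or the malware simply edits the uncovered field. And the token’s display must be independent of the PC: a token that signs whatever the PC pushes to it over USB, with no screen of its own, is back to session-bound security, because the user can no longer tell what they are authorising.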

Banking malware in other countries

  • In some countries, it is mandatory to run client-side software which “locks down” the browser to shield it from malware on the PC

    • “Trusteer Rapport” for example

  • In South Korea, mandatory ActiveX plugins serve the same function (mostly implemented for Windows and IE).

  • I hear similar stories about China

    • “Retrusting the Trusted Computing Base”

    • Also used for some online games!

Banking security: an ongoing fight

  • This is an ongoing, and ultimately, unsatisfying battle

    • “Arms race”

  • In the UK, it is well accepted that credit cards stop working after a few days abroad

    • “the scammers have won”

  • Banks are, slowly, working on transferring the risk of crime to the consumer

    • Chip and PIN in the UK

  • Banks indicate that “the desktop is lost”

    • Publicly they say that “SSL protects us”

  • Sucks!

Some history

  • We used to have a solid “trusted computing base” on which to build

  • The transistors were fixed

  • The CPU built from those transistors was fixed

  • The operating system was (relatively) fixed

  • There was a system library, on which we ran our programs

  • These programs delivered messages (‘content’) and not code


[Diagram on the slide: the same stack, with the ‘flexibility’ that made each layer rewritable; callouts reconstructed from the extracted text]

  • Transistors: “Reprogram the FPGA”

  • CPU: “Update the microcode & firmware!”

  • Motherboard / BIOS: “Flash it! Plus add SMM!”

  • Operating system: “Modules, drivers”

  • System library: “C Library”, “DLL Hell”

  • Programs & content: “Javascript, macros ;-(”

Protective measures

  • First all these ‘extensions’ or ‘upgrade possibilities’ were added

    • Hard to say no. However, sometimes you wonder..

  • Later on, more and more checking & warning was implemented because things got out of hand (‘Are you sure you want to..’)

  • A large fraction of the ‘weekly patch cycle’ is about insufficient checking

    • Goes for all operating systems

“The virtual stack of vulnerabilities”

  • In the mind’s eye, a vulnerability comes into existence when it is reported (often with the patch ready)

    • This is not the case

  • All these vulnerabilities were around for ages and ages already!

  • So the correct mental picture is: there are hundreds or thousands of vulnerabilities that STILL NEED patching!

    • A patch takes some away, new software adds new problems..

But did we even START clean?

  • We’ve been assuming that the computer ‘out of the box’ was safe

  • It might not be for two reasons:

    • There have been many cases of computers shipping ‘pre-infected’ because the guys that filled the computer with crapware had a virus already (even phones have shipped with Windows viruses on them!)

    • Not everybody writing drivers, modules, plugins, firmwares and microcodes might be your friend..

Don’t firewalls and virus scanners help?

  • Firewalls are essentially useless unless they are configured to be painful

    • Most pass port 80 and port 443 unmolested. This does not hinder any malware significantly.

    • Blocking port 80 is not an option

      • Smart firewalls can do http-level filtering though

  • Virus scanners run a losing battle since attackers can hone their stuff until it is perfect

    • Did not stop banking malware


it sucks at EVERY level!

Some examples of what can happen

  • The un-wipeable disk. When discarding disks, these are often wiped using bit patterns specifically engineered to remove all magnetic traces of the original data

    • Note that these patterns are mostly for very obsolete disks..

  • Let’s say we modify the firmware of a disk to recognize such linear wiping, and report that the sectors are wiped - but not actually do it!

  • Discarded disk gets new firmware upgrade and all data is back!

    • Including passwords..
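A check a practitioner would want for the un-wipeable disk, as an added example (a model written for this page, not code from the talk). The drive is simulated with firmware that recognises the fixed-pattern overwrites and merely marks the sectors as wiped, exactly as described above, while the verifier writes unpredictable data and reads it back. The pattern wipe passes the usual “reads back as zeros” check and the old data returns after a firmware downgrade; the random-data wipe cannot be faked, because firmware that only claims to write would have to produce data it never stored. Sector size, wipe patterns and the secret sector are constructed.

```python
import secrets

SECTOR = 512
WIPE_PATTERNS = {bytes([b]) * SECTOR for b in (0x00, 0xFF, 0x55, 0xAA)}


class Disk:
    """Honest drive: every write lands on the platter."""

    def __init__(self, nsectors: int):
        self.platter = [bytes(SECTOR) for _ in range(nsectors)]

    def write(self, lba: int, data: bytes) -> None:
        self.platter[lba] = data

    def read(self, lba: int) -> bytes:
        return self.platter[lba]


class BackdooredDisk(Disk):
    """The firmware from the slide (a model): a write that looks like a wipe
    pattern is acknowledged and the sector marked 'wiped', but the platter
    is left untouched. Reads honour the mark, so a naive check passes."""

    def __init__(self, nsectors: int):
        super().__init__(nsectors)
        self.fake_wiped = set()

    def write(self, lba: int, data: bytes) -> None:
        if data in WIPE_PATTERNS:
            self.fake_wiped.add(lba)          # lie: report it, don't do it
        else:
            self.fake_wiped.discard(lba)      # arbitrary data cannot be faked
            self.platter[lba] = data

    def read(self, lba: int) -> bytes:
        return bytes(SECTOR) if lba in self.fake_wiped else self.platter[lba]

    def firmware_downgrade(self) -> None:
        """Honest firmware goes back on the discarded drive: data reappears."""
        self.fake_wiped.clear()


def pattern_wipe_and_check(disk: Disk, nsectors: int) -> bool:
    """Classic multi-pass pattern wipe, then the usual 'reads back as zeros' check."""
    for fill in (0x00, 0xFF, 0x55, 0xAA, 0x00):
        for lba in range(nsectors):
            disk.write(lba, bytes([fill]) * SECTOR)
    return all(disk.read(lba) == bytes(SECTOR) for lba in range(nsectors))


def random_wipe_and_verify(disk: Disk, nsectors: int) -> bool:
    """Overwrite with data the firmware can neither predict nor compress away,
    then read it back. Firmware that only claims to write must now really
    write, or fail the verification."""
    expected = []
    for lba in range(nsectors):
        blob = secrets.token_bytes(SECTOR)
        expected.append(blob)
        disk.write(lba, blob)
    return all(disk.read(lba) == expected[lba] for lba in range(nsectors))


SECRET_SECTOR = b"password=hunter2;" + bytes(SECTOR - 17)   # constructed sensitive data


def demo(wipe) -> tuple:
    """Returns (wipe reported success, secret still readable after downgrade)."""
    disk = BackdooredDisk(4)
    disk.write(0, SECRET_SECTOR)
    reported_ok = wipe(disk, 4)
    disk.firmware_downgrade()
    return reported_ok, disk.read(0) == SECRET_SECTOR


if __name__ == "__main__":
    print("pattern wipe:", demo(pattern_wipe_and_check))    # (True, True): passed, data back
    print("random wipe: ", demo(random_wipe_and_verify))    # (True, False): passed, data gone
```

The random-readback check defeats the specific trick on the slide, firmware that recognises a pattern and skips the write. It does not defeat firmware with enough spare capacity to keep a copy of the old data elsewhere (SSDs have exactly such reserved areas), nor sectors the host is never allowed to address. For data that must not survive the disk, the answer is full-disk encryption from day one with the key destroyed at disposal, or physical destruction, not trusting the drive to report on itself.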

Some examples of what can happen

  • The “Window on your RAM”. Ethernet adaptors on the PCI bus have full view of your memory (absent an IOMMU restricting them), and are (by definition!) connected to the network.

  • There is even a helpful standard for sharing RAM over IP: RDMA

  • A firmware upgrade for the ethernet card could add RDMA support

  • Remote parties sending the right packets can read & write all your RAM

    • Thanks!

  • Oh, and did you know most wifi cards run a whole operating system? RDMA over air!

Infect the very mother board

  • Motherboards come with a very unhelpful feature called System Management Mode

  • This allows the motherboard to take over the CPU, and have it execute code on its behalf

    • For example to manage fans and temperature

  • SMM has full and complete control over all aspects of the computer, and can be triggered at any time

  • Nice trick, update the SMM to ‘reinfect’ a cleaned PC!

    • SMM is “invisible” to virus scanners

Kill the crypto

  • Cryptography always relies on strong random to generate secure (session) keys

    • "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." - John von Neumann

  • A computer always needs hardware assistance to generate randomness (it would not be a computer otherwise)

  • Modern Intel CPUs offer the RDRAND instruction to deliver ‘true hardware random’ at high speeds

  • Upgrade the microcode to turn RDRAND into a predictable stream -> break into SSL, because the (ECDH) session keys derived from it are now known!
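An added example for this page (not code from the talk) of the defensive pattern that limits the attack above: never let one hardware source be the sole input to key generation. The backdoored RDRAND is modelled as a keyed counter that the party who planted the key can replay; a session key taken straight from it is reproduced exactly by that party, while a key that hashes the hardware output together with an entropy pool the attacker does not hold is not. The planted key, the pool and the attacker’s guesses are constructed.

```python
import hashlib
import hmac
import itertools
import secrets


class BackdooredRdrand:
    """Model of the slide's microcode-patched RDRAND: a keyed counter. Output
    passes statistical tests, but whoever holds the key can replay it."""

    def __init__(self, planted_key: bytes):
        self._key = planted_key
        self._counter = itertools.count()

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            block = next(self._counter).to_bytes(8, "big")
            out += hmac.new(self._key, block, hashlib.sha256).digest()
        return out[:n]


PLANTED_KEY = b"constructed-microcode-secret"   # known only to whoever shipped the patch


def session_key_rdrand_only(rdrand: BackdooredRdrand) -> bytes:
    # What the slide attacks: the session key is whatever the instruction returns.
    return hashlib.sha256(b"session|" + rdrand.read(32)).digest()


def session_key_mixed(rdrand: BackdooredRdrand, pool: bytes) -> bytes:
    # Mix the hardware output with other entropy (interrupt timing, disk
    # seeks, a seed file...). This is roughly how the Linux random driver
    # treats RDRAND by default: one input to the pool, not the sole source.
    return hashlib.sha256(b"session|" + rdrand.read(32) + b"|pool|" + pool).digest()


def looks_random(rdrand: BackdooredRdrand, n: int = 4096) -> bool:
    """The naive test a victim might run: byte values well spread out.
    The backdoor passes it; statistics cannot see a keyed PRF."""
    sample = rdrand.read(n)
    return len(set(sample)) > 240


def attacker_recovers_key_rdrand_only() -> bool:
    victim_key = session_key_rdrand_only(BackdooredRdrand(PLANTED_KEY))
    # Attacker replays the generator from the same state (e.g. a fresh boot).
    return session_key_rdrand_only(BackdooredRdrand(PLANTED_KEY)) == victim_key


def attacker_recovers_key_mixed() -> bool:
    victim_pool = secrets.token_bytes(32)          # the part the attacker lacks
    victim_key = session_key_mixed(BackdooredRdrand(PLANTED_KEY), victim_pool)
    # Attacker still replays RDRAND, but must also guess the pool contents.
    guesses = (bytes(32), b"\xff" * 32, hashlib.sha256(b"default-seed").digest())
    return any(session_key_mixed(BackdooredRdrand(PLANTED_KEY), g) == victim_key
               for g in guesses)


if __name__ == "__main__":
    print("backdoor passes naive randomness test:", looks_random(BackdooredRdrand(PLANTED_KEY)))
    print("RDRAND-only key recovered by attacker:", attacker_recovers_key_rdrand_only())
    print("mixed key recovered by attacker:      ", attacker_recovers_key_mixed())
```

Mixing only helps as long as the other sources are unpredictable to the attacker and the mixing itself runs on hardware the attacker does not control; hostile microcode could in principle tamper with the hash as well. What it changes is the attack’s profile: a passive, undetectable key leak becomes active interference with the whole CPU, which is the slide’s larger point about the TCB restated in the attacker’s cost.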

Bend the router

  • Find a customer with a known router/modem - easy to do, pick a large ISP

  • Send email with a piece of javascript that makes the browser log in to the router @

    • The password might be default, might be cached!

  • Change the DNS settings of the router to malicious servers

  • Reroute select traffic for fun and profit!

The trusted computing base.. can’t be trusted

Violence may be required to root out all possible vectors of infection!

So how did this happen?

  • Hardware basically sucks and is incredibly inflexible (changes take months!)

    • Updating ROM requires physical action and possibly a soldering iron

  • Operating systems and applications are also hard things to change

  • So, everywhere this was possible, helpful developers have added ways to update the hardware’s behaviour, or to add modules to the application

  • The end result is that we have thousands of fundamental holes in our security!

    • Physical ROM is not even easily available anymore..

What happened to the TCB?

  • The concept of TCB is alive and well. But we did not respect it, and allowed the _data_ that passes through our TCB to redefine our access to it

  • So, the PC might be trustable, but we’ve allowed webpages to take over the operator’s access TO that TCB

    • And it is now talking to scripts from Nigeria, which transfer our money that way too

  • “What good is a TCB if you can’t see it”

What is the result?

  • Security professionals I know feel really scared about doing internet banking

    • Often have a separate machine for that purpose

    • Banks I speak to have ‘given up on the desktop’

  • This very rich array of holes enables ‘spear phishing’ and many other attacks

  • We now need IDS, IPS, Virus Scanners, Network Access Control, SIEM, Lockdown desktops, Sandboxes and constant monitoring to spot security problems!

What is the result?

  • There are now things that we fear to do with computers (online banking), but we have to

  • There are things we are not considering doing electronically right now, like medical files or voting

Some solutions

  • We could make our hardware and software ‘read only’ again.

    • Perhaps using cryptography - history is not promising though

  • However, software is already considered ‘inflexible’. Turning off Javascript in email, disallowing plugins, stopping programs from installing is not overly acceptable.

  • We should still try though. Rop Gonggrijp reminded us of this at GOVCERT 2011 “don’t give up, write secure code”.

Reintroduce trusted hardware

  • On a scale from least trusted to most trusted:

    • Windows PC, Linux PC, Mac PC

    • iPhone / Android

    • Kindle

    • Chromebook

    • Old school “stupid” phones

  • We could envision a limited purpose trusted platform

Trusted platform

  • Might look like a Kindle, with built-in GSM & Wifi for connectivity

  • Heavily restricted hardware platform, non-PC based. All hardware firmware upgrade possibilities are disabled.

  • “Every time you turn it on, it is new”

    • Unattractive target to hack that way

  • Limited internet browser, no Javascript

  • Do authentication via built-in smartcard

Shared trusted platform

  • This platform might be expanded to support multiple applications

    • Your bank, taxes, medical files

  • Find signed way of loading different applications

  • Would need very strict control to prevent ‘slide back into generic insecure PC’ territory!

    • “beat people up”

Further thoughts

  • Banks already verify big transactions manually. Issuing ‘high value’ customers with such a dedicated device might save them money from day 0

    • And not just add security

  • iPad and various tablets IN THEORY come quite close to this ideal, and have a lot of the cool hardware that makes it possible

  • However, the incentives are all wrong, as is the track record of the devices

Other solutions

  • Attackers overcome any security barrier eventually

    • They have unlimited attempts to try it.

    • Also, there are thousands of ways to do so, and this is because of the ‘flexibility push’ described earlier

  • One solution: add barriers they can’t see and can’t try to work around

    • Like the current banking anomaly monitoring


  • Generic PC+OS security is riddled with loopholes in the name of flexibility

    • All lower layers can be taken over

  • To the point that it has become a joke to regard a PC (or a Mac) as a trusted platform

    • Makes banking scary..

  • Solutions are:

    • ‘man up’ and fix our computers,

    • move to dedicated devices, or

    • very heavy monitoring

More information

  • Cybersecurity:


  • +31-6-22440095