how we lost the trusted comping base how to regain it
Download
Skip this Video
Download Presentation
How we lost the trusted comping base & how to regain it

Loading in 2 Seconds...

play fullscreen
1 / 40

How we lost the trusted comping base & how to regain it - PowerPoint PPT Presentation


  • 69 Views
  • Uploaded on

How we lost the trusted comping base & how to regain it. [email protected] l [email protected] https://tinyurl.com/thalia2012. Whoami. Agenda. The end of the Trusted Computing Base History of (secure) systems How did it come to be this way? How bad is it?

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' How we lost the trusted comping base & how to regain it' - keiki


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
agenda
Agenda
  • The end of the Trusted Computing Base
  • History of (secure) systems
  • How did it come to be this way?
    • How bad is it?
  • What can we do about it
    • ‘brave’ solutions, weak solution
the trusted computing base
The Trusted Computing Base
  • “The trusted computing base of a computer system is the set of all hardware, firmware, and/or software components that are critical to its security, in the sense that bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system.” - Wikipedia
  • “A small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security.” - Authentication in Distributed Systems: Theory and Practice[2]Lampson et al
  • As a concept, the TCB has been very theoretical for a long time now - it hides behind an untrusted user interface.
the trusted crypto base
The “trusted crypto base”
  • We have a base that consists of (discrete) mathematics, information theory, ‘bit-level encryption operations’ (avalanche criterium, diffusion etc)
  • Built on top of that we have rock solid hashes, symmetric cyphers and asymmetric operations
  • With the technology above, we can build systems that are as secure as we want them to be
  • This is a wonder feeling: a solid base to stand on!
the trusted crypto base1
The “trusted crypto base”
  • However! Even on top of this very good base, people keep messing it up all the time by the wrong application of the primitives
    • Reusing keys, leaking knowledge, insufficient error checking etc
  • In addition, we sort of lose our heavenly status when we involve random generators and actual hardware
  • So solve all this we spend a lot of time discussing crypto architecture, and read (& write!) loads of books about it
  • And the we can build things that stand up really well.
  • Compare this to building solutions out of a stack of MySQL, Windows 2008 and Firefox.
doing secure things on a pc or mac or iphone or android
Doing secure things on a PC (or mac, or iPhone, or Android)
  • For most people: “Forget about it”
    • Or at least, ignore it..
    • Would you sign a real contract online?
  • The numbers are stunning - >5% of corporate desktops (which are the most locked down pcs available) are compromised
    • Not even on purpose, “drive by hacks”
  • We still do it because there is no alternative
so how bad is it
So how bad is it?
  • People do realize there is an issue, nobody wants to install applications anymore! Browser is preferred platform
    • Including for “your mom”
  • But if you do - any program you install can do nearly ‘everything’, including uploading all your private files to pastebin
    • But wait! I need to give permission for network access!
      • Yes, but you will ;-)
  • By now, browser is an OS in its own right..
so how bad is it things no one wants to do
So how bad is it: things no one wants to do
  • A phone that could control your pacemaker, and that reports issues to a specialist
    • This exists, but requires separate hardware to provide security
  • Literally nobody has dared to make an automated & integrated glucose meter & insulin pump (lack of trust)
  • Organizations that deal with ‘life or death’ secrets spawn loads of airgap separated networks, because nobody dares to trust that we can connect them safely
    • And thus put their data on USB sticks..
advertisement
* Advertisement *
  • Are you looking for a job?
    • Internship? Graduate with us?
  • Work with exciting people!
  • Are you good with any or more of: C++, Python, Javascript, (JQuery, Javascript MVC for example), Java, Cryptology?
  • Please contact me! [email protected]
  • (we recommend you finish your studies first!)
so some theory
So, some theory
  • Limited definition of keeping things secure: assuring that the operator of the computer is the only one that controls what the machine does. Attacker gets no screwdrivers, no physical access
  • The broader definition of security is completely out of reach of a normal PC on the internet
    • Tamperproof, emission controls, timing attacks..
classic example internet banking
Classic example: internet banking
  • As a user, I want to control where my money goes
  • Bank agrees with me and makes sure I use two-factor access control: something I know plus something I have
  • For this to work:
    • I must be the only one able to send instructions to the bank once logged in
    • The screen should display exactly the orders I gave the website, so I can authorize them
banking malware
Banking malware
  • Giant business, very sophisticated, whole eco-system revolves around this
    • “Crimeware”, botnets, money-mules etc
  • Revolves around hijacking internet banking sessions
    • Keyloggers, browser injection..
  • In The Netherlands, currently being fought heavily through intensive network & transaction monitoring
  • Firewall, virus scanner etc of (very) limited use in protecting
banking malware in other countries
Banking malware in other countries
  • In some countries, it is mandatory to run client-side software which “locks down” the browser to shield it from malware on the PC
    • “Trusteer Rapport” for example
  • In South Korea, mandatory ActiveX plugins serve the same function (mostly implemented for Windows and IE).
  • I hear similar stories about China
    • “Retrusting the Trusted Computing Base”
    • Also used for some online games!
banking security an ongoing fight
Banking security: an ongoing fight
  • This is an ongoing, and ultimately, unsatisfying battle
    • “Arms race”
  • In the UK, it is well accepted that credit cards stop working after a few days abroad
    • “the scammers have won”
  • Banks are, slowly, working on transferring the risk of crime to the consumer
    • Pin & Chip in the UK
  • Banks indicate that “the desktop is lost”
    • Publicly they say that “SSL protects us”
  • Sucks!
some history
Some history
  • We used to have a solid “trusted computing base” on which to build
  • The transistors were fixed
  • The CPU built from those transistors was fixed
  • The operating system was (relatively) fixed
  • There was a system library, on which we ran our programs
  • These programs delivered messages (‘content’) and not code
slide17

Content

Javascript, macros ;-(

Application

Plugins

C Library

“DLL Hell”

OS

Modules, drivers

BIOS

Flash it! Plus add SMM!

CPU

HW

Update the microcode

& firmware!

Transistor

Reprogram the FPGA

protective measures
Protective measures
  • First all these ‘extensions’ or ‘upgrade possibilities’ were added
    • Hard to say no. However, sometimes you wonder..
  • Later on, more and mode checking & warning was implemented because things got out of and (‘Are you sure you want to..’)
  • A large fraction of the ‘weekly patch cycle’ is about insufficient checking
    • Goes for all operating systems
the virtual stack of vulnerabilities
“The virtual stack of vulnerabilities”
  • In the mind’s eye, a vulnerability comes into existence when it is reported (often with the patch ready)
    • This is not the case
  • All these vulnerabilities were around for ages and ages already!
  • So the correct mental picture is: there are hundreds or thousands of vulnerabilities that STILL NEED patching!
    • A patch takes some away, new software adds new problems..
but did we even start clean
But did we even START clean?
  • We’ve been assuming that the computer ‘out of the box’ was safe
  • It might not be for two reasons:
    • There have been many cases of computers shipping ‘pre-infected’ because the guys that filled the computer with crapware had a virus already (even phones have shipped with Windows viruses on them!)
    • Not everybody writing drivers, modules, plugins, firmwares and microcodes might be your friend..
don t firewalls and virus scanners help
Don’t firewalls and virus scanners help?
  • Firewalls are essentially useless unless they are configured to be painful
    • Most pass port 80 and port 443 unmolested. This does not hinder any malware significantly.
    • Blocking port 80 is not an option
      • Smart firewalls can do http-level filtering though
  • Virus scanners run a losing battle since attackers can hone their stuff until it is perfect
    • Did not stop banking malware
slide22

:-(

it sucks at EVERY level!

some examples of what can happen
Some examples of what can happen
  • The un-wipeable disk. When discarding disks, these are often wiped using bit patterns specifically engineered to remove all magnetic traces of the original data
    • Note that these patterns are mostly for very obsolete disks..
  • Let’s say we modify the firmware of a disk to recognize such linear wiping, and report that the sectors are wiped - but not actually do it!
  • Discarded disk gets new firmware upgrade and all data is back!
    • Including passwords..
some examples of what can happen1
Some examples of what can happen
  • The “Window on your RAM”. Ethernet adaptors on the PCI bus have full view of your memory, and are (by definition!) connected to the network.
  • There is even a helpful standard for sharing RAM over IP: RDMA
  • A firmware upgrade for the ethernet card could add RDMA support
  • Remote parties sending the right packets can read & write all your RAM
    • Thanks!
  • Oh, and did you know most wifi cards run a whole operating system? RDMA over air!
infect the very mother board
Infect the very mother board
  • Mother boards come with a very unhelpful featured called System Management Mode
  • This allows the mother board to take over the CPU, and have it execute code in its behalf
    • For example to manage fans and temperature
  • SMM has full and complete control over all aspects of the computer, and can be triggered at any time
  • Nice trick, update the SMM to ‘reinfect’ a cleaned PC!
    • SMM is “invisible” to virus scanners
kill the crypto
Kill the crypto
  • Cryptography always relies on strong random to generate secure (session) keys
    • "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." - John von Neumann
  • A computer always needs hardware assistance to generate random (would not be a computer otherwise)
  • Modern Intel CPUs offer the RdRand opcode to deliver ‘true hardware random’ at high speeds
  • Upgrade the microcode to turn RdRand into a predictable stream -> break into SSL/RSA because of known (ECDH session) keys!
bend the router
Bend the router
  • Find a customer with a known router/modem - easy to do, pick a large ISP
  • Send email with a piece of javascript that makes the browser log in to the router @192.168.1.1
    • The password might be default, might be cached!
  • Change the DNS settings of the router to malicious servers
  • Reroute select traffic for fun and profit!
the trusted computing base can t be trusted
The trusted computing base.. can’t be trusted

Violence may be required to root out all possible vectors of infection!

so how did this happen
So how did this happen?
  • Hardware basically sucks and is incredibly inflexible (changes take months!)
    • Updating ROM requires physical action and possibly a soldering iron
  • Operating systems and applications are also hard things to change
  • So, everywhere where this is possible, helpful developers have added ways to update the hardware behavior or modules to the application
  • The end result is that we have thousands of fundamental holes in our security!
    • Physical ROM is not even easily available anymore..
what happened to the tcb
What happened to the TCB?
  • The concept of TCB is alive and well. But we did not respect it, and allowed the _data_ that passes through our TCB to redefine our access to it
  • So, the PC might be trustable, but we’ve allowed webpages to take over the operator’s access TO that TCB
    • And is now talking to scripts from Nigeria, which transfer our money that way too
  • “What good is a TCB if you can’t see it”
what is the result
What is the result?
  • Security professionals I know feel really scared about doing internet banking
    • Often have a separate machine for that purpose
    • Banks I speak to have ‘given up on the desktop’
  • This very rich array of holes enable ‘spear phishing’ and many other attacks
  • We now need IDS, IPS, Virus Scanners, Network Access Control, SIEM, Lockdown desktops, Sandboxes and constant monitoring to spot security problems!
what is the result1
What is the result?
  • There are now things that we fear to do with computers (online banking), but we have to
  • There are things we are not considering doing electronically right now, like medical files or voting
some solutions
Some solutions
  • We could make our hardware and software ‘read only’ again.
    • Perhaps using cryptography - history is not promising though
  • However, software is already considered ‘inflexible’. Turning off Javascript in email, disallowing plugins, stopping programs from installing is not overly acceptable.
  • We should still try though. Rop Gonggrijp reminded us of this at GOVCERT 2011 “don’t give up, write secure code”.
reintroduce trusted hardware
Reintroduce trusted hardware
  • On a scale from least trusted to most trusted:
    • Windows PC, Linux PC, Mac PC
    • iPhone / Android
    • Kindle
    • Chromebook
    • Old school “stupid” phones
  • We could envision a limited purpose trusted platform
trusted platform
Trusted platform
  • Might look like a Kindle, with built-in GSM & Wifi for connectivity
  • Heavily restricted hardware platform, non-PC based. All hardware firmware upgrade possibilities are disabled.
  • “Every time you turn it on, it is new”
    • Unattractive target to hack that way
  • Limited internet browser, no Javascript
  • Do authentication via built-in smartcard
shared trusted platform
Shared trusted platform
  • This platform might be expanded to support multiple applications
    • Your bank, taxes, medical files
  • Find signed way of loading different applications
  • Would need very strict control to prevent ‘slide back into generic insecure PC’ territory!
    • “beat people up”
further thoughts
Further thoughts
  • Banks already verify big transactions manually. Issuing ‘high value’ customers with such a dedicated device might save them money from day 0
    • And not just add security
  • iPad and various tables IN THEORY come quite close to this ideal, and have a lot of the cool hardware that makes it possible
  • However, the incentives are all wrong, as is the track record of the devices
other solutions
Other solutions
  • Attackers overcome any security barrier eventually
    • They have unlimited attempts to try it.
    • Also, there are thousands of ways to do so, and this is because of the ‘flexibility push’ described earlier
  • One solution: add barriers they can’t see and can’t try to work around
    • Like the current banking anomaly monitoring
summarizing
Summarizing
  • Generic PC+OS security is riddled with loopholes in the name of flexibility
    • All lower layers can be taken over
  • To the point that is has become a joke to regard a PC (or a Mac) as a trusted platform
    • Makes banking scary..
  • Solutions are:
    • ‘man up’ and fix our computers,
    • move to dedicated devices, or
    • very heavy monitoring
more information
More information
ad