Schneier on Security

Clive Robinson • December 29, 2012 3:59 PM

Hmm,

For all those talking about DDR3 memory loosing everything when you turn the power of I would be cautious about making that statment.

The reason is there are several low level ways data is “residualy retained” in memory that is not powered up.

This has been an industry known issue as far as I’m aware since befor the first IBM PC hit the streets by several years (ie back in the 1970’s).

Whilst modern designs of various types have reduced the effects it is still an issue if other technniques have not been employed.

As noted by @Nick P above I have prefered options that make things a little more difficult for attackers, but I would be daft to call them secure. This is partly because the technology is not being used correctly and partly because of the weakest links in the security chain “user convenience” and “efficiency”.

For instance Keying Material (KeyMat) is going to be vulnerable if it’s entered from a single point (ie the computer keyboard) because amongst other things the OS does it’s best to store the data in half a dozen buffers that often get writtten to disk in part or full depending on what the OS is doing and why.

The NSA Inline Media Encryptor (IME) gets around this single channel issue by having a KeyMat only channel via the crypto ignition keys.

A few external HD’s with FDE use a keypad on the devices to enable you to enter a PIN that then selects or builds the KeyMat which is stored in the drive electronics. [Whilst this obviates the keyboard route all these FDE external HD systems I’ve seen todate are security wise very weak, for “user convenience”].

Likewise software based encryption has issues to do with human failings in the weakness of passwords and passphrases. They like the keyboard buffer end up being stored in system memory in some form that an OS could for one reason or another put onto the HD etc.

Thus I’m a firm beliver in seperate channels for KeyMat at each level (PC, IME, Ext FDE HD). I just think the current KeyMat channel solutions are not upto the job for various reasons that are not technical. Thus it is the suppliers that are letting us down for one reason or another…

Clive Robinson • January 1, 2013 3:28 PM

@ Perplexed,

Doesn’t the attack in question require either-access to the encrypted volume while it is mounted or-access to an UNencrypted hibernation file

Not in all cases, the attack is actually about illicitly obtaining / recovering crypto Keying Material (KeyMat) to access the encrypted data on secondary storage.

So if you think about it, all this attack requires is for the Keying Material (KeyMat) to be in accessable system memory (RAM, Registers, HD Electronics, or I/O or other peripheral devices) in some form usable to the attacker.

If you consider what happens when a COTS PC/Server computer system boots up it has neither an OS or other executable code in it’s RAM, nor KeyMat for encrypted secondary storage.

What usually happens on a COTS system when a hardware reset (power up etc) occurs is,

1) A ROM chip is switched in to the system memory map to run from the “reset vector”.

2) Generaly the ROM has a minimal lever loader that copies the image of some kind of Basic Input Output System (BIOS) from the ROM into RAM at some other memory location and then jumps to execute the image in RAM. Almost the first thing the BIOS image does is to switch the ROM out of the system memory map altogether.

3) The BIOS (image in RAM) then performs some Power On System Test (POST) diagnostics and basic hardware setup including copying any “expansion card” ROM into memory and then looks around for “bootable media”. If no bootable media is found early PC’s like the Apple ][ or original IBM PC dropped into the ROM BASIC interactive interpreter, where as more modern PCs display an error message and halt, whilst some server systems drop into a basic shell on the designated console that allows an operator to select a boot devicee or do other activites.

4) If a bootable device is found (or selected) the computer system will use a bootstrap loader to either load an OS or another bootstrap loader into RAM and start executing it….

But if the bootable device is fully encrypted the system cann’t do this last step (4), so it needs to get the KeyMat from somewhere first…

There are three basic ways it can get the KeyMat,

1, Ask the user/operator to type the KeyMat in on the console.
2, Read the KeyMat from the bootable media/device.
3, Read the KeyMat from a “fill device”.

The first requires considerable skill from the user, the second is obviously insecure and the third requires an additiional secure storage device.

In Mil/Gov/Dip systems only option three is generaly considered and for the NSA devices such as the Inline Media Encryptor (IME) they use one or more KeyMat fill devices called “Crypto Ignition Key/Devices”.

In commercial/consumer grade systems they have int the past usually used options one or two or more recently a combination of both such that the user/operator types in a PIN/Password/Passphrase which then unlocks the CPU bus connected HD (or fill device) and the KeyMat gets coppied from it into system RAM.

From this point onwards the KeyMat is vulnerable to this or similar attacks.

Now as we all know “users love simplicity and ease of use” and they don’t want to be typing in multiple AES keys etc. Thus many modern iA86 PC motherboards come with a secure tamper evident KeyMat storage device which is the MS / Intel Trusted Platform Managment (TPM) device. Whilst other PCs and servers use a crypto smart card or even a specialised RS232 or USB device (some even pull it across a secure network connection using a modified form of NetROM).

Now the TPM has the KeyMat in it and depending on how it’s configured defines the way KeyMat gets into system RAM at boot up.

In many cases TPMs or other crypto fill devices can be set up to just load the KeyMat automatically on bootup with either a minimal (weak) PIN/Password/Passphrase or no protection at all on the (incorrect) assumption that an attacker cannot get it out of RAM without having hardwired physical access…

So just turning a computer on can in many cases cause the KeyMat to get pulled into memory even though it might not let you procead to fully boot into the OS without entering a user name and password etc…

Thus it’s quite possible to have a computer system with high entropy KeyMat stored in a secure module inside it that is used for full encryption of the data on the HD. That in reality is realy only protected by a four digit PIN or short guessable username and password/passphrase. That can usually be “guessed” in some way with access to the hardware (If I remember Correctly Apple phones and other smart phones suffer from this problem).

Worse this weak “user input” can usually be collected with a suitably small device such as a keyboard logger or miniture CCTV camera hidden in a ceiling fixture etc etc or just picking the users pocket, or reading the sticky note attached to the screen/keyboard where the user has healpfully written it down as an aid memoir.

It’s problems such as these that makes the use of FDE and other “data at rest” security systems a bit pointless for the majority of users. In some respects the whole FDE marketplace is not actually driven by “real security concerns” but “checkbox audit concerns”.

Clive Robinson • January 2, 2013 4:36 PM

@ Wael,

It sometimes helps to understand what threat the TPM in your description protects against

Yes it does, and the two cases you mention are by and large not related to stealing the keys from memory. I mentioned it because in a significant number of case the TPM is configured badly so it putst the keys in memory with insufficient safe guards…

That is it does not matter how good or bad the basic strength of your safe is, if the user leaves the keys or combination of easy reach of it.

A big problem that is begining to buble up with security is the issue of “Real -v- Audit” as it’s driver.

If the driver is for “real security” then the processes as well as the technology are covered effectivly by policy.

However if the driver is for “audit security” then the technology will match the auditors check boxes but the processes will almost invariably only be there for “lip service” reasons.

Whilst the increased level in security means a larger market and (hopefully) reduced prices for the technology, the “audit” driver means that the technology will almost certainly be lacking in one or more ways. An example of this is a supposadly secure external HD that used 256bit AES to encrypt the data, however the AES key was stored internaly and only protected by a short length PIN. Thus you have AES KeyMat with ~256bits of entropy being protected with a 4 digit PIN giving only 13-14bits of entropy…

Clive Robinson • January 5, 2013 10:00 AM

@ Nick P,

I remember Clive liked the TRESOR scheme. knew it would fall eventually. DMA is a pandora’s box for security issues, it seems

I was not ignoring you but waiting for the thread to die down a bit before replying, as my posts have generaly have some length to them (as this one will 😉

If you view the security stack in computing at the bottom of what you might call the physical layer is quantum effects working up through basic device physics transistors logic gates etc. At the top of the traditional ISO OSI seven layer model you have the apllication layer, but as we know from “layer 8/9/10” conversations it goes all the way up into politics.

If you view this stack you discover some quite unpleasant truths, for instance I remember your conversations with @RobertT over the lack of security in the chip design process and your surprise at just how little security there was.

As for the political process well I guess most of us will never realy understand what goes on in there. The machianations of the various performing arts rights holders is enough of an indication that “Money Talks, and civil rights walk.”.

But what many people don’t realise is the dependance relationships of security that is the application layer security is based not just on the layers beneath but the policy layers above.

That is you can undermine computer security as expected from beneath but also from above via protocols standards and upwards to politics and legislation like CALEA.

The thing is many people don’t realise there is a large gulf of no security below what they consider the physical layer that is above the basic logic gate level but below the CPU level they see in abstract terms through software.

If you think about the hierarchie of an actual computer system we have the CPU as the boundry for software. Thus this is where most code cutting software developers consider the “be all and end all” of their mental map. They don’t consider that there are layers beneath such as the memory and IO that can change behind their back and thus effect what they do and make their mental security models entirely invalid.

DMA is just one such way of manipulating the memory beneath the CPU level there is also the Memory Managment Unit and the I/O mechanisms that rule the roost via the interupt mechanisms that run at what you might consider Ring -1. And these are what you might consider the upper layers of this gulf of insecurity. There are other tricks such as the actual CPU microcode or equivalent in all the other state machines.

Normaly we don’t consider them in the security model both currently and in times past. The obvious question thus arising is why?

Well it is because of the idea of “Physical Access Control” preventing “front panel access”. That is the computer room was an “outer perimeter” that could be much more easily defended by the physical means of bricks, mortar, doors, locks and human security such as guards and 24×7 resident operators than it could by using the hardware and software of the system.

Sadly whilst back in the 1960’s and 70’s they were well aware of these below the CPU problems they did not have the computing hardware resources spare to do anything about it. Thus the prevailing view was you had no choice but to do it by physical access control. And with the very resource limited big iron systems of the time running in “time share” not “resource share” this was not realy much of an issue, you just changed a tape or disk pack and reloded the memory.

But the prevailing view became a mind set and few remembered why it just became “this is the way we do things”. Hence as the switch from “time share” to “resource share” happened the development of security still remained firmly set in “big iron” “physical access control” and the outside the perimeter terminals were dealt with by development along the lines of “trusted path”.

Then back in the 70’s and 80’s the physical access control security model broke down, the first Personal Computer resources started that eventually resulted in the demise of big iron and terminals. But the security model and ideas appeared stuck in the big iron model and incapable of keeping up with the changes. Thus rather than put even rudimentry security in the PC the user simply took out the floppy disks put them in a box and into the fire proof safe. Thus in a perverse way the big iron access control security model lived on.

It was not till the late 80’s and early 90’s when PC’s had HD’s as the norm and business networks started to be not just on LANs inside the physical perimeter of the building walls, to WANs outside the physical access control perimeter that people started to wake up and we got the ideas of Firewalls, DMZs, Bastion Hosts etc. But the “big iron” mentality still remained and thus we now have VPN’s, that still have the underlying assumption of “physical access control” and “trusted paths”…

But now we have to deal with the likes of laptops and smart devices the “physical access control” model is clearly broken and only now are people waking up to the fact that the “big iron” security model of “physical access control” does not apply any more…

The upside is that now unlike back before the 90’s we have the hardware resources to deal with the issue. But the hard won expertise of the 60’s and 70’s is long since retired or deceased and the vital papers are scattered in dust covered boxes in peoples lofts and garages and old archives and dark basements where nobody goes any longer.

Many of the papers were restricted or higher security rating paid for by various Governments who have long since tucked them away in locked archives where they probably won’t see the light of day untill after the ideas have been re-invented.

In many respects our Governments have become like the Holy Roman Church, jealously hiding information and burning heretics who try to get the message out. But history tells us they are fighting a losing battle. Whilst they might be able to control “ideas before their time” these ideas will happen to others when their time comes, and it is obvious there is a problem that needs to be solved.

We can see this actually happening currently but there is still the question of the effect of those Layer 8 and above issues pushing down. We saw in the past Crypto was in effect outlawed (it’s use even carried the death penalty in many countries and still does). As I’ve said before the game has moved on the likes of the NSA et al are playing with protocols and standards that become engrained and difficult to change or replace.

But the likes of the DOD have woken up to the fact that not only has the game changed but the “bat and ball” have been taken away from them.

The Gulf in security I’ve mentioned is now hurting the DOD and they are actually putting their hand in their pocket to get industrial and academic researchers to come up with ways to close it down, if it can (which I don’t think it can in a hard assured way).

COTS technology is here to stay, not just in the private sector but all the public sectors including all areas of the Government and thus military, diplomatic and intelligences services. The old days of government contracts to build secure systems are long gone and won’t come back in the way they once were. This is simply because the Western Nations have let the technology ball drop and those in the Eastern nations have taken it back to play on their home turf.

Thus what to do?

Well what might happen is the development of “key components” on home turf. That is to use what little fabrication is available in Western Nations to develop silicon that sits as guardians in the system controling information by segregating the untrusted parts and how information flows between them.

Will such systems be developed I suspect the answer is yes, simply because trying to extend security down into the memory layer is a difficult task all the current ideas about “tagging” memory also fail to methods that are known to exist in this security gulf. And if you think about it to be of use still DMA has to be able to change those tags…

As I’ve indicated in the past one of the ideas behind “Prisons-v-Castles” is “probablistic security” that is you assume you just won’t be able to close the security gulf with hardware solutions you will need to find some other way to mitigate untrusted hardware.

The question that is arising is, ‘Is the computing industry ready to grab this thorny branch of how to make untrusted components work in a trusted way? or continue to ignore it?’.

I think it can be done and I see from one of your comments on another thread that you are thinking about it. Well I should issue a health warning, that the idea is like a wart, in that not only does it grow on you, the more you scratch it the faster it grows 😉

But all that said I still like the basic idea behind TRESSOR, it does what it says on the tin, the problem is that it is not the basic design of TRESSOR tha is wrong it’s the basic design of the CPU that is at fault. If Intel make minor changes to the CPU design such that they add “write only registers” to the CPU to do the crypto then TRESSOR-Hunt would not work as changing the memory irrespective of how would not alow the KeyMat to be read back out of the CPU. It is not as though such write only registers are unknown in CPU designs.

Also with regards to using TPM for FDE logically it should not push KeyMat back to the CPU, the way it should work is the CPU pushes an identifier and passphrase etc into the TPM. The TPM then sets up it’s internal crypto to use the key coresponding to the identifier. The KeyMat thus stays inside the TPM chip and the CPU funnels data for the HD through the TPM which acts as the guardian sitting on the information flow, which is in effect what the NSA IME does. So neither the CPU or system memory gets to see the KeyMat after it’s loaded into the TPM device.

But can the KeyMat be moved across system buses that could be probed without it mattering?

The simple answer is yes, provided both ends of the communication can generate sufficient entropy then there are known protocols for the two ends to create a shared secret with their inter communication being fully monitored.

Such protocols can and have been built into smart cards, thus designing and making your own IME is possible and attacks on the system CPU and Memory won’t alow access to the KeyMat.

Clive Robinson • January 7, 2013 5:38 AM

@ Nick P,

I know more now than I ever did. Yet, the goal seems more difficult now than ever.

Ah ha, you have passed an important step on the path to enlightenment 😉

There is an old story about the various stages of a designer,

When a problem is described to them they say as a,

Young Designer :- No problem, I’ll get right on it.
Mature Designer :- Hmm I can see some issues, tell me more about your requirments.
Guru :- Hmm I don’t think you understand what you ask, walk with me awhile.

I’ve always found the more I know about the surface (froth) of a subject the more I need to know what is below. I’ts one of the reasons I tend not to try and keep up with trends which are often skipping the surface and frequently based on ill found assumptions. I try instead to get to understand the provable fundementals instead, and then build on those.

Speaking of ill found assumptions you mentioned IOMMUs. Like all MMU’s they can indead offer increased security but only if used correctly and the majority of the time that’s the catch.

The problem with an MMU is two fold, the first is what controls it, the second is the issue of the memory that holds the page translation tables.

With single CPU systems there is no choice, the CPU controls the MMU and it’s control busses form part of the CPU side memory or IO map. Usually to make things easy with virtual memory handling, the MMU is either at a hard CPU side address or put in the IO map at a hard address. Likewise the page translation tables.

Obviously whilst this makes things easier for the system designer and kernel developers it makes a hard target for attackers…

If there is a design flaw in the kernel then an attacker can get either at the MMU control lines or at the page translation tables in memory, at which point it’s game over. As I’ve indicated up this thread there are various ways both above and below the CPU level in the stack by which such attacks are possible.

Unfortunatly this problem often get’s carried over into multiple CPU systems, that for various reasons give kernel level access to any of the CPUs.

My prefered solution is that none of the user side CPU’s or for that matter the main kernel CPU(s) have any access to the MMU control lines or memory holding the page translation tables.

That is the security hypervisor controls all MMUs and the page translation tables are stored in it’s private memory area that is entirely seperate from user/kernel memory. That way an attacker cannot see the MMU or it’s tables let alone make any changes directly. This issolation can be further improved by making the hypervisor a Harvard architecture and ensuring the code base is a simplified state machine (all of which we have discussed in the past).

Providing the hypervisor is correctly designed it takes compleat control of memory provision and memory is provided to each user process based on the hypervisor security criteria. This enables the memory allocatio process to be massivly simplified thus reducing complexity and code and thus bugs and attack vectors. The biggest issue becomes that of priority queing to avoid locks for essential processes which can be done by a simple and robust heap mechanism that recognises not just priority but dependancy.

With regards write only registers they go back to the early days of ALU design pre bit-slice processor, and the micro coded state machines that turned them into usable CPUs [1].

A write only register is in effect a D-Type latch, a read write register is the D-Type latch and a tristate buffer feeding back the latch ouput back to the data bus at the input along with some arbitration logic for read and write opperations.

Obviously there are considerably less gates and metalisation with a write only latch thus they were prefered by the resource limited hardware designers. The problem was with writing code, with a well developed state machine such as used in the CPU state machines the microcode had no reason to readback an address or data latch etc. Not so general computer application level software developers their inability to take responsability for maintaining accurate state information within their programs ment reading back control registers and the like became a requirment [2].

As for TPMs yes Wael is right many are of limited functionality at best, and thus have failings that alow people to get around their supposed functionality.

What we need along with IOMMUs is what you might consider to be IOIMEs that is each IO channel is in effect a stream that has an IME sitting as a guardian astride it. The TPM would work as I described and would logicaly be built within the IME or use an entirely seperate channel to get KeyMat from a fill device such as an appropriat EAL smart card.

As @ RobertT has noted as well as Bruce, whilst we have adiquate crypto alogrithms these days it’s the KeyMat handling that lets us down badly and for some reason it’s another area where there is a large gulf in security.

And before anybody says PKI, it’s ill thought out and thus brings as many if not more problems to the table than it solves. Like code signing and other trusted initiatives PKI is based on a number of assumptions that at best only just hold with a following wind. For instance consider the case of initial pairing of Alice and Bob, how does Alice know she is actually talking to directly to Bob and not just some Man In The Middle bridge device that has it’s own PK Cert that claims it’s Bob which Bob is inadvertantly going through (think issues with certain Governments and Fake certificates to catch disident Facebook user etc). You still end up with the need for an initial trusted path between Alice and Bob to transfer their respective public keys, and further this should preferably be “out of band” signaling.

[1] For those that have never seen the logic design of an ALU look up a 74181 or any of the later 2900 series bitslice processors from AMD, I won’t bother giving ECL parts as they realy are difficult to get data sheets on and can twist your mind trying to understand the whys and wherefors of them.

[2] I suspect that some people will think I’m being a little harsh on code cutters who due to the deficiences of other code cutters to accuratly maintain state, have to go out and find it for themselves, especially when dealing with the likes of exceptions. I’m not, it’s the poor design of the software that is to blaim, if they had to maintain state in the program then the program dessign would be more rubust and in all probability less complex and less bug ridden. For some reason nearly all programers are “optomistic” in that they assume exceptions are not going to happen and thus state does not need to be kept. Thus when an exception happens either or both data is lost and the program crashes, neither of which are good especialy when it’s the brakes of your car the program is controling…