Schneier on Security

Nick P • November 17, 2013 1:55 PM

Ok, now back to the chip discussions. 😉

@ Wael

“Assemble your own system, and build your own BIOS from open source such as http://www.coreboot.org/Welcome_to_coreboot then add some TPM functionality to measure things you care about, which includes option ROM’s (which is actually already done, but you may want to tweak it). After that, disable BIOS updates. Stick this system in a tiered network that suits your needs, or air gap it. Also use open source OS’s. My preference is FreeBSD. Build all your binaries from source (make world). And use different partitions (or drives) for components that you want to keep immutable, make that partition read only. Then encrypt your confidential stuff with a key that’s saved off a token. And protect that key in transit, in usage and at rest. The purpose of this setup? Generic usage ;)”

Good advice. Of course, following my timeline analysis & obscurity mantra, I’m using a RISC machine from a vendor that’s not blindly cooperative. I’m chancing it with the time period but I have almost no luxury spending budget right now. Time to turn a preferrable machine into a secure system is a also a luxury for me so I picked one with plenty BSD/Linux software available. Most of the security will come from keeping dangerous IO away from it and use of up-to-date NIX LiveOS. The next set of systems will be the really strong ones with this as an interim.

Oh btw, we’ve seen no evidence so far that the Chinese processor was compromised by NSA. They have a chip, open firmware, and open source OS platforms. I just think odds that US govt is a risk to such a system, esp if semi or partly airgapped, is pretty low. It also has x86 emulation. wink

@ Winter

It actually is similar to that. The problem is larger than that, though, due to extensive supply chain poisoning by NSA. So, to make it easy, we could do the bootstrap in a way similar to my previous proposal on verified (for correctness) software.

1. Use an extremely simple, yet useful, language for the initial work.
2. Produce certified compilation to object code. Might be formal or informal, but must be believably correct with proof of no subversion being pretty obvious.
3. Several different groups write the compiler using different programming languages, OS’s, instruction sets and supplier locations.
4. Resulting object code and test runs are compared to ensure correctness.

5. Compiler and basic OS are written that way, compiled with that toolchain and verified by all.

6. These resulting diverse binaries are used by each group to (a) run jobs each must trust and (b) improve the trusted tools themselves.

7. The systems are all air gapped with physical security and personnel each group trusts with audits of different compilations regularly done.

That’s just for the software. Hardware might take high level code, low level stuff such as netlists/macros, complex tools that do the conversions, and then it has to run on FPGA or custom chip. I’d say security of all that is still an open issue. Seems easiest to use the diversified, mutually-suspicious compilation strategy on a common typesafe platform and toolset portable to arbitrary hardware. Then, one can simply use a bunch of old hardware. Yes, I cheat to take the easy route whereever possible. 😉

Note: Wael’s suggested LLVM. I was looking at it too as there’s already typesafe languages, including Haskell, on it with a number of backends. One team is also producing a formal semantics of it. If I used it, I’d ensure a careful choice of optimizations that couldn’t make security defeating alterations.

@ Bryan

ARM is a decent choice for the mobile architecture so long as it doesn’t have a bunch of inherent security weaknesses like Intel did. I mean, if it’s complexity lets system security be bypassed easily then what’s the point? So, I’d start with an open core that’s ARM compatible then make some security enhancing modifications. Trusted boot and hardware accelerated compartmentalization of native code alone would greatly improve the robustness of the phone, esp against baseband stacks as entry way. There’s existing and in-development tech to do the compartmentalization quickly with minimal silicon. Various tradeoffs.

My point about legacy-compatible security enhancements is that, if one is gonna drop millions on a processor, might as well put in some enhancements so we aren’t cloning the same hard-to-protect crap that already exists. I want “ARM+1” at a minimum.

@ RobertT

“I suspect the project will go absolutely nowhere without reliable and verifiable answers to these two questions.

Third thing to consider: Legacy software considerations will basically force the chip to be an ARM or i86 compatible device. Is it possible that given this starting point your security goal is already impossible?”

I suspect you’re right. It’s why Bell said the changes will require “selfless acts of security” and why I say developing the secure platform will be a financial loss due to tiny market. A government, big company or private investor is literally going to throw away money to make this happen if it happens. Now, there is certainly money being thrown at stuff like this albeit often at ineffective stuff. So, it’s possible. Just seems less probable stateside all the time due to US govts incentives. However, foreign countries or multinationals might build something to protect their own secrets.

@ Stanislav

Funny you mention that as I was just reading through the Scheme48/W7 work to see the easiest way to apply such concepts to hardware I can build/acquire or a custom core design on FPGA-type hardware. Thing is that the core system was very simple, yet extremely powerful for isolation & development. I like that combo.

“C and Unix ought to be considered backdoors in their own right”

Or a sick joke on the world perhaps: http://mariusbancila.ro/blog/2007/04/04/creators-admit-c-unix-were-hoax/

@ Mike the goat

” I would feel safest with early 90s hardware – the Internet wasn’t ubiquitous and most people had dialup and patchy connectivity anyway so remote backdoors are unlikely. ”

Consistent with my timeline and analysis. And the stuff is pretty cheap on ebay these days.

@ Clive Robinson

Good luck on your recovery. My brain was too stressed to work past few weeks but past 24 hours brain cells were firing so I said “time to hit the blog!” Got a bunch of other stuff done too. Odd enough, happens mainly when I drink a particular relative’s coffee. Gotta figure out what she’s been spiking it with.

Nick P • November 18, 2013 12:48 PM

@ Petrobas

” Just forget them in the initial project.”

I decided to forget them in all my projects quite a while ago. Theo de Raadt inspired it. He didn’t cater to requirements from people who didn’t give a shit enough to make tough tradeoffs. Made his job easier.

“It does not need to be dirt cheap. It may have the same price as the main processor. ”

No, it (the microcontroller) really does need to be very cheap. There are many, many cost-sensitive uses of such chips. A chip that’s reasonably functional, enhances security, and is still cheap will see more use in embedded systems and hobbyist work. Such sales also fund further development. Plus, if it’s cheap enough, someone might be able to try to decompose an entire system onto such chips with a chip dedicated to each function. Currently, this requires a NUMA machine that nobody can afford/trust or a large cluster of cheap boards not designed for that.

“We also need to specify ram-based chips. Or store only encrypted content with shuffling in the RAM.”

It’s not strictly necessary. There’s several options here.

1. Build a trusted RAM interface, incorporate IOMMU, and use memory safe software, then wipe RAM upon shutdown.
2. Use a device in the middle to encrypt RAM or IO for applications that need it. (see HAVEN virtualization project)
3. Use a chip that’s designed not to trust RAM or other hardware. This is more similar to what you’ve mentioned. Examples are Aegis processor, SecureCore/SP, and SecureME.

“It will be difficult to hide a backdoor in 30000 transistors that can be checked easily and totally by anyone motivated enough.”

A chip meeting all your requirements including RAM protection will probably be a lot larger than that. Fortunately, many projects producing safer variants of general purpose processors have been able to use the low end FPGA’s for prototypes. That might indicate the finished chip will be relatively low complexity. Maybe. I still don’t think it will be visually validated or anything like that.

My previous advice was to make at least one chip that could be made at even low end fabs so we have many to choose from. Then, maybe get fabs in several different countries producing the same chip.

“The armrace between NSA and people using air-gapped backdoored systems is in favor of NSA. We need a safe base.”

It’s actually in favor of nobody. The people attacking air gaps are getting pretty clever. However, nobody that’s been compromised was following good air gap advice a la what govt recommends. They use dedicated machines from sources they trust in rooms that block out sound and signals. Any connections to those computers often involve high assurance guards or media encrypters. The trick here is that one must get a PC that isn’t backdoored, use it in a very isolated environment, and ensure any communication happens in a trustworthy way.

@ Wael

“Just having a system not subverted or back-doored is not sufficient to label it as secure, although a good thing to have. ”

Good point. My goal in such systems is finding old hardware that won’t have a clever backdoor in it. They should be very easy to use securely if the only point is air gap use case for content reading or signed message origination. (Mike and I’s main use case.) As for one directly connected, that’s a different situation entirely. My requirements for protecting such a system are sufficiently painful that I switched a long time ago to two system schemes where only one was Internet enabled. It acts as a front end for the other sending the information in a simple way over more trustworthy comms scheme.

@ RobertT

“As has been noticed elsewhere the NSA’s favors attacks on protocols and functional definitions, and often seeds the market with subtlety flawed implementations. I’d expect a project such as your’s to be no exception. ”

If we got working hardware, then it would be worth it. We could fix the implementations later. Matter of fact, there’s already plenty of open implementations of almost everything we might need. The fixes can be incremental. The hardware, though, absolutely must work as advertised for the system to be trustworthy. Ideally, it must also make writing secure software/systems easier as well with its on-chip capabilities.

@ Winter

re Wheeler

I’m aware of his work. I’ve posted his SCM page here a few times as it’s excellent. A real system would certainly consider or include his DDC concept to some degree.

“But you still would need a way to ascertain that the hardware you get is secure. The same as with the compiler binaries in the Trusted Trust attack.”

Which is why I keep saying we need to make the systems portable across architectures, then deploy on a mix of older systems and newer ones from various suppliers. I also prefer keeping the host properties hidden so attacker must guess and possibly give themself away. That trick has worked in the past.

Re secure communication and handhelds

I covered a high security solution here. I posted a mobile version of it once that stretched the meaning of mobile. Think small briefcase rather than phone. 😉 It was necessary, though, as it had to use trustworthy chips and the mobile SOC’s have so much crap in them I couldn’t begin to know their actual attack surface. RobertT’s many posts just made me more sure of that over time.

The cool thing about my design is that it’s simple enough for many IT people to manage and each component can be customized. Makes attackers’ job harder so long as individual components are strong.

@ Bryan

” I’d bet more than a 100,000 secure phones could be sold in the first year to governments and corporations needing security. ”

Ask Cryptophone in Germany (or ask Frank Rieger). They sell premium devices with encryption, hardening, usability, and a few grand price tag. I think their volume might give an idea of what ballpark your solution’s sales would be in. Might be more or less than you think.

Re your device

That’s interesting. I have no comments about it right now. Just make sure you watch the squid forums for my next paper release as it addresses secure SOC’s and bottom-up trust in systems. Reading esp your MMU needs, I’m sure one or two papers have something for you to integrate.

re GCC

The simple route is to just not use GCC. There’s LLVM and simpler portable C compilers. There’s also CompCert whose backend should be getting extended for all sorts of things. The middle end showed itself to be perfect in testing. We have a verified compiler and people aren’t using it for code addressing subversion? Blasphemy! 😉

@ Garfield

The neo900 is interesting. I hope they succeed. However, it seems they have a weakness in privacy as the graphics and baseband stacks are still closed. They say they will restrict the baseband stack somehow. Sounds like they plan to use software to restrict highly integrated and untrustworthy hardware. I’m not in any hurry to buy into this one until I see how they do that. It’s one of the biggest risk factors in any phone and still exists in neo900.

Nick P • November 18, 2013 10:46 PM

@ figureitout and others wanting small all-in-one solution

If the goal is a safe system easily understood through and through, then I can think of at least three pieces of inspiration:

1. Niklaus Wirth’s Lilith project
2. LISP machines
3. JOP Java Processor

Lilith get’s No 1 because it’s exactly the kind of project you refer to: a processor, language/compiler, operating system, and apps that were all both simple and integrated. It was one of the only systems where the hardware was written to comply with the language’s needs rather than vice versa. The various systems were used for real work at ETH Zurich for a long time and extended by students. Active Oberon and Bluebottle A2 are most recent versions of this work that I know of.

Lilith Quick Overview with Pictures
http://www.ethistory.ethz.ch/rueckblicke/departemente/dinfk/forschung/weitere_seiten/lilith/index_EN/popupfriendly/

Full Technical Paper (it’s scanned so it looks ancient haha)
http://www.cfbsoftware.com/modula2/Lilith.pdf

Btw, OS’s such as Bluebottle written in type-safe, higher level code are nearly ideal bootstrap for whatever open CPU that gets designed. Only the few cpu/board specific codes and the backend of a compiler must be ported. Then, any apps are immediately usable and new one’s benefit from language-based security via type system on top of other methods.

LISP machines

The reason I bring them up is you can build anything with LISP. It’s ugly but it’s the most powerful language ever designed far as I know. So flexible that everything from OOP to theorem proving to concurrency was as easy as writing a library, then the language had it. The problem with any interpreted language, though, is the native code underneath and interactions with unsafe features. Unlike LISP interpreters, the LISP machines had processors that processed it natively. I could imagine building in some basic integrity or security features to a LISP processor, then putting something like the Scheme security kernel and/or VLISP on it.

K-machine chip description:
http://fare.tunes.org/tmp/emergent/kmachine.htm

(“IGOR” is a modern prototype LISP chip available on open core site)

Heck, most programming environments still don’t match all of LISP Machine’s features:
http://www.symbolics-dks.com/Genera-why-1.htm

Java Processor

Java processor makes for a good goal due to abundance of Java software and developers. The easy way is to use the safe subset of Java either without native code or with a chip that isolates that. HISC is best way to do the latter. However, it’s patented so designs like JOP are a nice place to start. Their site has many more educational links. Combine JOP processor, JX OS, SpecialJ compiler, external IO handling chip and cryptocoprocessor for a nice solution.

Nick P • November 19, 2013 9:12 AM

@ Clive Robinson

I did consider including ColorForth and Forth chips. They’re in my bookmarks from some prior conversation, maybe with you. Nice pieces of work with ridiculously small code sizes. I specifically excluded it from the list, though.

The reason is that Forth is untyped. I recall from my quick reading of the tutorials that Forth programmers don’t worry about such things. They just compose stack operations basically. I think this makes it easier for them to shoot themselves in the foot. I think it makes it conceptually harder for lower grade programmers, as well. In comparison, Java, Oberon and Scheme have all been used to teach programming languages for years.

So, not being a Forth programmer, I can’t say for sure if it’s an unsafe language or if one must use a lot of care to avoid problems. It just seemed that way from my reading.

Nick P • November 20, 2013 1:00 PM

@ Petrobas

Here a bunch of them
http://www.ultratechnology.com/chips.htm

They certainly can be implemented with few resources and old technology. The point I made to Clive which is VERY IMPORTANT for you to understand is that they are not safe compared to some other designs. The language, if used carefully by smart people, can let you make a working system with minimal code on old chips. The problem is that people developing systems software shoot themselves in the foot regularly with existing languages. I can only imagine how they’d use a low level, stack oriented, typeless language like Forth.

That’s why I promoted chips that have safety built in. The Modula/Oberon projects show particularly that you can use a safer, readable language with good performance & usability. The Vega chips are doing that with enterprise Java, while designs like JOP and SHARP do it in embedded Java. Point is, there’s options for both old and new chips to be safe ground up without using an unsafe language.

(Of course, we should keep Forth chips/environments in the back of our head just in case there’s a situation where the preferred options can’t be used, but it can with some benefit. I’m not prejudiced against it. I just think we have safer options for many use cases.)

Nick P • November 22, 2013 10:32 AM

@ Bryan

” The system can be designed so that only processes of a specific permission set can do certain operations on hardware.”

You’re really just describing a hardware capability system with a specific permission setup. I recommend you look at older one’s as they will have explored some tradeoffs. I’ve thought about reimplementing one of them myself.

There’s been software (eg. EROS) and hardware capability systems. The hardware systems ended up being a lot slower and more expensive as Moore’s Law didn’t benefit them much. There’s some decent modern designs and even FPGA prototypes out there. None of the modern one’s are in production. I’ve always encouraged projects leveraging capability hardware or OS’s as they’ve proven to be quite robust foundations for security.

” It is a possibility on how to have encrypted external RAM and FLASH memory. ”

Already been done from design to implementation. Look at the Aegis secure processor, SP/SecureCore architecture, CODESEAL, and SecureME. Best to not reinvent the wheel as IT industry wastes insane amounts of manpower doing that already. Look at those, look at the problems/solutions they uncovered, and pick what fits your use case. Then, do your own implementation of it if there’s a copyright issue. 😉

“For the internal RAM, an emergency switch could be put across it’s VCC that disconnects it from external VCC, and grounds the internal ram’s VCC to ground. That will kill the data stored quickly. The only allowed reset for the switch should be a full power off reset. A sufficiently large capacitor could be used to keep the memory bank grounded so it would take a few minutes of total power off before a restart could happen.”

The cool thing about having all RAM encrypted like in the projects I described means that only the key and a tiny on-chip memory must be wiped. Either way, destroying the key is measured in cycles and wipes vast majority of data. The rest of memory will be gone in a fraction of a fraction of a second. It can all be done with software after it detects a switch flipping or it’s a routine built into the chip itself. Either way, very simple.

(Note: any peripheral cards or devices often have their own memory and so will have state in them. They can be designed perhaps to wipe their own state on shutdown.)

“If the chip has a dedicated read and write pins for the FLASH memory, the write one could have a jumper installed on it.”

I’m a big fan of hardware write protect. It’s a good idea. If possible, it should also be actual hardware that prevents the write rather than software that merely says no after seeing a switch.

“I’m basing my hardware ideas on a hardware design that can be connected to the net and have a good chance of staying secure. Also if it doesn’t stay secure, on being able to be fully restored to a secure state.”

It’s a good requirement. I think you’re focusing too much on the memory wipe stuff, though. The real focus areas here are:

1. Non-volatile memory with trusted state or boot must be non-volatile.
2. System should have methods to prevent malicious attacks on any privileged software. This is because a system that’s getting compromised repeatedly is usually not so useful if work requires confidentiality.
3. Recovery mechanism must be highly assured to work despite actions of sophisticated, well-funded adversaries who will target it as well.

Because of (1), you’re better off using two BIOS type memories rather than one. The first is a ROM that can’t be changed once written. The second is flash that can be changed with write protect switch. The ROM has an extremely robust initial loader that performs most basic tests (“does MMU work? do crypto instructions work?”), loads the flash into some kind of memory, verifies it, and then passes control to it. This ensures that at least the initial loader always runs during startup and can be guaranteed to perform certain checks.

The next security feature I devised was a different image for updates and production. Do the update of firmware/drivers/coreOS in an entirely different running mode. The updates are downloaded in production mode, checked, an update flag is marked, and system reboots. Upon reboot, after ROM, an update software is loaded and verified from flash. It can access the filesystem although does it with extremely safe, minimalist code with all checks on. Everything about this system is full of safety/security checks. It only temporarily creates a filesystem service, pulls the update into memory, checks its hash/signature, and then destroys filesystem service/privileges. It then prepares for flash write, ensure write protect switch is off and writes it. It then loads it back up, checks integrity to ensure write happened correctly, and then tells user to turn on write protect switch. It then reboots whereby new flash loads into production.

Orange Book guidelines suspended all applications before opening a trusted path for user into security kernel. I took this further in my trusted boot or update designs to say nothing should be running when these happen except the trusted software itself. They should also be developed with the highest assurance techniques we have as they’re the most important parts of the software.

I’m off to work now so I’ll try to address other aspects of your posts later.

Nick P • December 17, 2013 8:44 AM

@ Petrobras

Why thank ya! That might come in handy at some point. 🙂

Nick P • December 18, 2013 4:44 PM

@ Petrobras

Nice that you mention Inmos Transputer chip. Their design, esp use of Occam, was quite radical. Good that your mind is open enough to catch such a radical possibility. 🙂

With regard to your process node choices, it’s all interesting but our specialist here has dimmed my hope of such stuff working.

Of course, the coversations also pointed toward certain specialized or embedded chips likely being safe because there’s no reason to exploit them. There’s the chips designed to be cheap as can be, the DSP’s Clive mentioned, the boatload of uncommon chips I mentioned, adn RobertT even cleverly suggested GPU’s. I decided to disregard GPU’s at the time, but remember it for later. Now, there’s crypto, general purpose, and security type code going on extremely powerful GPU systems. It’s time to reconsider all of these as components of a secure system.

Fab problem: an endrun around production?

So, this leads me to a shortcut with fabs. Both new and existing ventures have a decent risk of being compromised. As I’ve outlined, there are many useful types of chips that are probably not compromised. These chips specs, logic, masks, etc have already been made. So, a shortcut occurred to me to simply evaluate (under NDA) an existing design, work with (or pay off) fab personnel to validate that it’s the design that’s been in production, and just keep using (and replacing) those same cells/masks.

Our conversations, along with my looking at older systems, show that many current chips can be combined in interesting ways to make secure [enough] systems. Many types. So, they can continue to sell for their existing use cases (with new safety/security benefits) and be used in ventures that need subversion resistance. Such a plan based on reuse of inherently marketable and existing designs might shave off tons of cost compared to other options. Not to mention I’m not thinking inspection based routes are viable anyway…

@ RobertT

Back on topic of chip validation, studying how the chips are made gave me an idea. The design process eventually produces hardware like masks that’s used to put the logic on silicon. I’m wondering if a similar process can be used to produce a layer of hardware that can verify chip functionality instead. Regular reversing would strip layers off of audited chips to get them down to silicon. Then, they’d be put on this material or process to show a probabilistic match. If the production was changed at some point, the patterns on the chip would start to change.

Think of it as a checksum for hardware. Rather than inspecting every bit, a function is run across many points to come up with a number than can perform the probabilistic check. The algorithm might be trained on the first batch of chips. Then it’s used for the rest. This is for process node tech that’s not super tiny. You’ve showed us how difficult such stuff is to work with.

Nick P • March 13, 2014 10:30 AM

Backdoor found in Samsung Galaxy devices.

http://www.phoronix.com/scan.php?page=news_item&px=MTYyODE