Hardware, and Trust Security: Explain it like I’m 5!
1. Hardware, and Trust Security: Explain it like I’m 5!
…or maybe 15, 27, 55??
Teddy Reed
teddy.reed@gmail.com
Nicholas Anderson
nanderson7@gmail.com
2. DEFCON 0x17=23 Hardware and Trust Security
Objectives
To simplify some otherwise complex explanations of hardware security
Provide an overview of obscure protocols, technologies, features
Satisfy our burning desire for Lego & Pokémon references
Highlight previously controversial uses of hardware security
Inspire hardware security and trust enthusiasm
3. DEFCON 0x17=23 Hardware and Trust Security
Outline
1. Designer and administrator goals
2. Hardware security building blocks
3. Components; technologies, protocols, features
4. Failures, uses, and use cases
5. DEFCON 0x17=23 Hardware and Trust Security
Outline
1. Designer and administrator goals
We want to protect processes and code the same way we protect machines on a network
Authentication, confidentiality, trust relationships
Isolate, reduce attack surface, audit
Use:
to protect:
9. DEFCON 0x17=23 Hardware and Trust Security
[Figure: privilege levels: 3 (unprivileged, user), 0 (privileged, root), -1 (most privileged)]
11. DEFCON 0x17=23 Hardware and Trust Security
Crossing a protection domain
defined by the architecture, not the operating system
this is NOT checking capabilities, comparing integers or consulting a bitmask mode of permissions
API defined by instruction set architecture
operating system implements both domains
some instructions [rdmsr] limited to privileged
concept should apply to all forms of memory*
*virtual address translation logic within MMU
12. DEFCON 0x17=23 Hardware and Trust Security
Crossing a protection domain
defined by the architecture, not the operating system
[Figure: kernel (0) and user (3)]
there are LOTs of ways to cross
‘most’ cause a context switch
rippling effects on performance of the process and the system in general!
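13. DEFCON 0x17=23 Hardware and Trust Security
Measure context switch impact
by Benoit Sigoure @github.com/tsuna/contextswitch

    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/syscall.h>
    #include <time.h>
    #include <unistd.h>

    /* Read the wall clock and return it as nanoseconds. */
    static inline long long unsigned time_ns(struct timespec* const ts) {
      if (clock_gettime(CLOCK_REALTIME, ts)) {
        exit(1);
      }
      return ((long long unsigned) ts->tv_sec) * 1000000000LLU
        + (long long unsigned) ts->tv_nsec;
    }

    int main(void) {
      const int iterations = 10000000;
      struct timespec ts;
      const long long unsigned start_ns = time_ns(&ts);
      /* Each gettid system call crosses from user mode into the kernel and back. */
      for (int i = 0; i < iterations; i++) {
        if (syscall(SYS_gettid) <= 1) {
          exit(2);
        }
      }
      const long long unsigned delta = time_ns(&ts) - start_ns;
      /* Report the average cost of one crossing. */
      printf("%i system calls in %lluns (%.1fns/syscall)\n",
             iterations, delta, (delta / (float) iterations));
      return 0;
    }
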
14. DEFCON 0x17=23 Hardware and Trust Security
Measure context switch impact
Various cache invalidations, and look-aside buffer trampling, scheduling on different hardware threads (affinity)
17. DEFCON 0x17=23 Hardware and Trust Security
Crossing a ‘protection’ domain
[Figure labels: process, net, TCP/443, your PC, LAN]
You defined a protocol to handle/serve requests that separates two trust domains
API defined by protocol and RFC*
operating system implements both domains
lots of capability limited to service*
concept should apply to all forms of memory
18. DEFCON 0x17=23 Hardware and Trust Security
Hardware and trust security
The operating system (software) provides primitives that help us build and secure network services
…hardware provides primitives to build and secure operating systems and software
Begins at primitives, then forms features and technology, often encapsulated into a security-focused capability
19. DEFCON 0x17=23 Hardware and Trust Security
Hardware and trust stack
primitives
features and specifications
technologies
capability
23. DEFCON 0x17=23 Hardware and Trust Security
primitives
features and specifications
technologies
capability or implementation
25. DEFCON 0x17=23 Hardware and Trust Security
Outline
2. Hardware security building blocks
Consider building the perfect Pokémon team
…pretty much always on our minds
26. DEFCON 0x17=23 Hardware and Trust Security
Psychic:
Poison, Fighting
Water/Ice Hybrid:
Fire, Grass, Dragon, Rock, Ground, Flying
Grass, Electric
Electric:
Water, Flying vs. Ground, Grass
Dragon:
Dragon vs. Ice
Fire:
Grass, Bug, Ice
Rock, Ground, Water
Normal, or Fighting:
Creativity
The lineup is well understood, based on a series of attributes
each lineup attribute is a primitive
28. DEFCON 0x17=23 Hardware and Trust Security
Pro tip: Information security
Like balancing your Pokémon team
eventually you’ll get beat by a 12 y/o
suck it up and always hold grudges
29. DEFCON 0x17=23 Hardware and Trust Security
Reminder
1. Designer and administrator goals
2. Hardware security building blocks
3. Components; technologies, protocols, features
4. Failures, uses, and use cases
36. DEFCON 0x17=23 Hardware and Trust Security
Building blocks
dedicated storage
[Figure: DRAM addressed from 0x0 to 0x7FFFFFFFFFFF…; NVRAM addressed from 0x0 to 0x800000 (memory sizes not to scale); steps (1), (2), (3): open, inw, outw; byte transfer over bus]
37. DEFCON 0x17=23 Hardware and Trust Security
Building blocks
dedicated storage
providing a policy enforcement point or limiting transformation
[Figure: picture equation labelled "means … plus …"]
40. DEFCON 0x17=23 Hardware and Trust Security
Building blocks
dedicated storage
providing a policy enforcement point or limiting transformation
[Figure: picture equation labelled "… plus … equals …", captioned "MISTY CANT USE ASH’S POKEMON"]
41. DEFCON 0x17=23 Hardware and Trust Security
Building blocks
dedicated storage
providing a policy enforcement point or limiting transformation
magic
42. DEFCON 0x17=23 Hardware and Trust Security
Building blocks
algorithm implementations
read/write
44. DEFCON 0x17=23 Hardware and Trust Security
Building blocks
algorithm implementations
sign, encrypt/decrypt
provide the algorithm as a hardware fast path
caller provides all data, including keying materials
61. DEFCON 0x17=23 Hardware and Trust Security
Secure Boot
Secure Boot: Enabled
Misty runs Linux & used MOKutil!
62. DEFCON 0x17=23 Hardware and Trust Security
Boot “trust”
Secure Boot: Verify that the firmware has been digitally signed
…or the user has manually approved the boot loader’s digital signature
Trusted Boot: Verify the digital signature of the Windows 8.1 Kernel
…including boot drivers, startup files and ELAM
Measured Boot: Check measurements against TPM
63. DEFCON 0x17=23 Hardware and Trust Security
Boot “trust”
fetch code and size
compute hash and extend: H(V1) || H(V0)
apply signature check using certificate store and blacklist
allow signing of extended hashes
make decision
64. DEFCON 0x17=23 Hardware and Trust Security
Boot “trust”
…the leg firmware is connected to the… ______ firmware
…the ______ firmware is connected to the… boot-loader
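The "compute hash and extend" step and the Measured Boot check against the TPM, worked through as an added example (not code from the talk). It assumes the TPM-style extend rule, new = SHA-256(old || SHA-256(component)), as the meaning of the slide's "H(V1) || H(V0)"; the stage names and images are constructed.

```python
import hashlib

ZERO = bytes(32)  # assumption: the measurement register resets to all zeros


def extend(register: bytes, digest: bytes) -> bytes:
    """Fold one measurement into the register: new = H(old || digest)."""
    return hashlib.sha256(register + digest).digest()


def measure_chain(stages):
    """Measure (name, image) stages in boot order; return (register, event_log)."""
    register, log = ZERO, []
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest.hex()))
        register = extend(register, digest)
    return register, log


def replay(log):
    """Recompute the register value that an event log claims to explain."""
    register = ZERO
    for _name, digest_hex in log:
        register = extend(register, bytes.fromhex(digest_hex))
    return register


def verify(log, reported_register, known_good):
    """Return a list of problems; an empty list means the boot chain checks out."""
    problems = []
    # 1. The log must reproduce the value held in hardware, so it cannot be edited.
    if replay(log) != reported_register:
        problems.append("event log does not reproduce the register value")
    # 2. Every logged measurement must match the expected digest for that stage.
    for name, digest_hex in log:
        if known_good.get(name) != digest_hex:
            problems.append(f"unexpected measurement for {name}")
    return problems


# Constructed sample boot chain: each stage is measured before it runs.
STAGES = [("firmware", b"constructed firmware image"),
          ("boot-loader", b"constructed boot-loader image"),
          ("kernel", b"constructed kernel image")]

if __name__ == "__main__":
    register, log = measure_chain(STAGES)
    print(register.hex(), verify(log, register, dict(log)))
```

Because each value folds in the previous one, a changed or reordered stage changes every later register value, which is why the chain on the slide has to be unbroken from firmware to boot-loader.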
65. DEFCON 0x17=23 Hardware and Trust Security
Reminder
1. Designer and administrator goals
2. Hardware security building blocks
3. Components; technologies, protocols, features
4. Failures, uses, and use cases
66. DEFCON 0x17=23 Hardware and Trust Security
TrustZone
Highly configurable hardware and software specifications for SoC on ARM
ARM Cortex-A57
ARM Cortex-A53
ARM Cortex-A17
ARM Cortex-A15
ARM Cortex-A9
ARM Cortex-A8
ARM Cortex-A7
ARM Cortex-A5
ARM1176
[Figure labels: Hardware layer, Software layer]
67. DEFCON 0x17=23 Hardware and Trust Security
TrustZone
A privilege domain providing an execution environment (TEE)
Applications (TA) run in a secure world protected by memory controllers and interrupts
dedicated storage
algorithm implementations
tamper resilience
extendable trust
isolated execution
monitoring & auditing
state maintenance
dedicated I/O
69. DEFCON 0x17=23 Hardware and Trust Security
Isolated Execution
TrustZone
Guarantee Confidentiality and Integrity, while also providing standard execution functionality
75. DEFCON 0x17=23 Hardware and Trust Security
TrustZone & SecureCore
[Figure label: privileged (0)]
Qualcomm’s SecureMSM
Implements custom Secure Boot and TrustZone application API
76. DEFCON 0x17=23 Hardware and Trust Security
TXT, IOMMU
[Figure label: privileged (0)]
Isolate devices on MMU
Measure specific executions, then isolate by CPU & memory
Oracle for attestation
78. DEFCON 0x17=23 Hardware and Trust Security
Hardware & Trust enabled auditing
[Figure labels: privileged; exec; OS X kauth sysent[exec](); Good idea? (y/n); Audit event; Log sent]
79. DEFCON 0x17=23 Hardware and Trust Security
Hardware & Trust enabled auditing
[Figure labels: privileged; exec; OS X kauth sysent[exec](); Good idea? (y/n); Audit event to OOB; Log sent]
80. DEFCON 0x17=23 Hardware and Trust Security
Hardware & Trust enabled auditing
[Figure labels: Audit event to OOB; Log sent]
API defined by hardware features
no software trapping required (fast)
privileged mode not needed, but helpful
signing, buffering, compression supported