CIS 4360 Secure Computer Systems Secured System Boot

Similar documents
Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

Deploying Secure Boot: Key Creation and Management

CIS 4360 Secure Computer Systems SGX

Unicorn: Two- Factor Attestation for Data Security

TUX : Trust Update on Linux Kernel

Advanced x86: BIOS and System Management Mode Internals UEFI SecureBoot. Xeno Kovah && Corey Kallenberg LegbaCore, LLC

CIS 4360 Secure Computer Systems. Trusted Platform Module

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

GSE/Belux Enterprise Systems Security Meeting

I Don't Want to Sleep Tonight:

CIS 4360 Secure Computer Systems. Trusted Platform Module

Flicker: An Execution Infrastructure for TCB Minimization

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Windows 8 BIOS Boot settings

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

From TPM 1.2 to 2.0 and some more. Federico Mancini AFSecurity Seminar,

INF3510 Information Security Spring Lecture 4 Computer Security. University of Oslo Audun Jøsang

OVAL + The Trusted Platform Module

Windows 8 Uefi Bios Update Step By Step Guide Msi Usa

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2007

Microsoft UEFI Certification Authority

Strengthening the Chain of Trust. Kevin Lane HP Jeff Bobzin Insyde Software

BIOS Setup. User s Guide. (For Skylake-W Platform) Rev.1.1

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2009

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

How to create a trust anchor with coreboot.

TRUSTED COMPUTING TRUSTED COMPUTING. Overview. Why trusted computing?

Systems View -- Current. Trustworthy Computing. TC Advantages. Systems View -- Target. Bootstrapping a typical PC. Boot Guarantees

Attacking and Defending the Platform

INF3510 Information Security. Lecture 6: Computer Security. Universitetet i Oslo Audun Jøsang

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

TPM v.s. Embedded Board. James Y

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Platform Configuration Registers

OS Security IV: Virtualization and Trusted Computing

Trusted Computing and O/S Security

Lecture Embedded System Security Trusted Platform Module

EXTERNALLY VERIFIABLE CODE EXECUTION

The Future of Security is in Open Silicon Linux Security Summit 2018

Defeating Invisible Enemies: Firmware Based Security in OpenPOWER Systems. Linux Security Summit George Wilson IBM Linux Technology Center

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Jonathan M. McCune. Carnegie Mellon University. March 27, Bryan Parno, Arvind Seshadri Adrian Perrig, Michael Reiter

An Introduction to Platform Security

AMD Security and Server innovation

Implementing Secure Boot: A Refresher on Key & Database Configuration

UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies

Manufacturing Tools in the UEFI Secure Boot Environment

Big and Bright - Security

Software Vulnerability Assessment & Secure Storage

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

Trusted Computing and O/S Security. Aggelos Kiayias Justin Neumann

TERRA. Boneh. A virtual machine-based platform for trusted computing. Presented by: David Rager November 10, 2004

Trusted computing. Aurélien Francillon Secappdev 24/02/2015

One-Stop Intel TXT Activation Guide

Old, New, Borrowed, Blue: A Perspective on the Evolution of Mobile Platform Security Architectures

Lecture 3 MOBILE PLATFORM SECURITY

Android Bootloader and Verified Boot

An Introduction to Trusted Platform Technology

Windows IoT Security. Jackie Chang Sr. Program Manager

UEFI 2.1 Features. Added protocols. New member functions or equivalent

ARM Security Solutions and Numonyx Authenticated Flash

CSPN Security Target. HP Sure Start HW Root of Trust NPCE586HA0. December 2016 Reference: HPSSHW v1.3 Version : 1.3

Intelligent Terminal System Based on Trusted Platform Module

Expert Reference Series of White Papers. BitLocker: Is It Really Secure? COURSES.

UEFI Secure Boot with Dell PowerEdge 14G with VMware ESXi 6.5

EFI Secure Boot, shim and Xen Current Status and Developments

TCG TPM2 Software Stack & Embedded Linux. Philip Tricca

Hitachi Virtual Storage Platform (VSP) Encryption Board. FIPS Non-Proprietary Cryptographic Module Security Policy

One-Stop Intel TXT Activation Guide

The Early System Start-Up Process. Group Presentation by: Tianyuan Liu, Caiwei He, Krishna Parasuram Srinivasan, Wenbin Xu

Industrial IoT Security Attacks & Countermeasures

Protecting your system from the scum of the universe

Mobile Platform Security Architectures A perspective on their evolution

Provisioning secure Identity for Microcontroller based IoT Devices

UEFI Secure Boot and DRI. Kalyan Kumar N

WHERE THE GUARDIANS OF THE BIOS ARE FAILING

TRUSTED SUPPLY CHAIN & REMOTE PROVISIONING WITH THE TRUSTED PLATFORM MODULE

Sirrix AG security technologies. TPM Laboratory I. Marcel Selhorst etiss 2007 Bochum Sirrix AG

Security Fundamentals

Atmel Trusted Platform Module June, 2014

MU2b Authentication, Authorization and Accounting Questions Set 2

SSN Lab Assignment: UEFI Secure Boot

Hacking the Extensible Firmware Interface. John Heasman, Director of Research

Certifying Program Execution with Secure Processors. Benjie Chen Robert Morris Laboratory for Computer Science Massachusetts Institute of Technology

Technical Brief Distributed Trusted Computing

Windows Devices. Device Capabilities. Premium. Entry

Trusted Disk Loading in the Emulab Network Testbed. Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci

Embedded System Security Mobile Hardware Platform Security

Embedded System Security Mobile Hardware Platform Security

THE CHAIN OF TRUST. Keeping Computing Systems More Secure. Authors: Richard Wilkins, Ph.D. Phoenix Technologies, Ltd.

The Phantom Menace: Intel ME Manufacturing Mode. Mark Ermolov & Maxim Goryachy

Operating system hardening

Trusted Platform for Mobile Devices: Challenges and Solutions

Cisco Secure Boot and Trust Anchor Module Differentiation

Trusted Computing. William A. Arbaugh Department of Computer Science University of Maryland cs.umd.edu

SecureDoc Disk Encryption Cryptographic Engine

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

Project Cerberus Hardware Security

Transcription:

CIS 4360 Secure Computer Systems Secured System Boot Professor Qiang Zeng Spring 2017

Previous Class Attacks against System Boot Bootkit Evil Maid Attack Bios-kit Attacks against RAM DMA Attack Cold Boot Attack CIS 4360 Secure Computer Systems 2

Outline UEFI Secure Boot Windows s Trusted Boot Intel s Trusted Boot CIS 4360 Secure Computer Systems 3

UEFI Secure Boot Part of UEFI Spec. UEFI Version 2.3.1, Errata C, 2012 Secure Boot is a technology where the System Firmware checks that all other pre-os code is signed with an authorized key and prevents the execution of unsigned code A type of Boot Path Validation technologies Pre-OS code: f/w drivers, option ROMs, UEFI drivers on disk, UEFI applications, or UEFI boot loaders PKI is at the core of the security for Secure Boot CIS 4360 Secure Computer Systems 4

Question Does UEFI Secure Boot rely on TPM? No, UEFI Secure Boot does not rely on TPM. It makes use of several public keys stored in non- voladle memory and these keys are protected against remote agacks CIS 4360 Secure Computer Systems 5

Keys in UEFI Secure Boot Platform Key (PK) Allows modification of KEK Initialized by the h/w vendor Key Exchange Key (KEK) Allows modification of db and dbx Can be multiple Authorized Database (db) Legal CAs, signatures and hashes Forbidden Database (dbx) Illegal CAs, signatures and hashes CIS 4360 Secure Computer Systems 6

Authorized Code Only If Secure Boot is enabled, it will only execute binaries which has a sha-256 hash in db and not in dbx or has a signature and that signature is in db but not in dbx or has a signature signed by either a key in KEK or db and the key does not appear in dbx CIS 4360 Secure Computer Systems 7

Question Examine Bios- kits and Bootkits under Secure Boot Neither Bios- kits nor Bootkits will succeed under Secure Boot, as the System Firmware will nodce that the firmware or boot loader code is unauthorized. CIS 4360 Secure Computer Systems 8

Question What should you do if you want your system to execute a custom boot loader You can (1) add a hash value to db, or (2) add a key to db and use that key - to sign your binary, or (3) add a KEK key and use that key - to sign your binary CIS 4360 Secure Computer Systems 9

Two Modes In Setup Mode, all the keys can be altered arbitrarily and Secure Boot is off in this mode In User Mode, all key changes are authorized E.g., an update of KEK should be singed by PK - E.g., a change of db should be signed by a key in KEK Only firmware administrator can enter the Setup mode; remote attackers cannot enter this mode CIS 4360 Secure Computer Systems 10

How Secure is Secure Boot Secure Boot is indeed very effective for fighting firmware rootkits and bootkits. But how secure is it? The integrity of System Firmware is obviously critical. It relies on an Authenticated BIOS Update mechanism NIST 800-147 (a well-written document; highly recommended!) A public key is contained and protected as part of the firmware The firmware on the system flash checks the signature of the new firmware to be installed. So this is not a problem nowadays. How about the Firmware Administrator Password (recall that the admin can disable Secure Boot or change the keys)? It is largely a joke, as most vendors allow you to use the jumper trick to clear Firmware Passwords easily. A physical lock may be needed to provide some But Mac is an exception. Since 2011, it uses a dedicated chip (Atmel) to store and protect firmware passwords CIS 4360 Secure Computer Systems 11

How to Clear Firmware Passwords (on most modern computers) Dell, as an example, gives detailed instructions on its website about how to reset Firmware Passwords CIS 4360 Secure Computer Systems 12

Question How will you agack your roomate s PCs? Install a Hardware- based Keylogger DMA AGack Cold Boot AGack Evil Maid AGack CIS 4360 Secure Computer Systems 13

Question How to launch the Evil Maid AGack against a computer protected by Secure Boot? If you simply overwrite the disk with a malicious boot loader, due to Secure Boot, the System Firmware will simply refuse to execute the malicious boot loader. So you need to (1) Clear the firmware password and enter the Setup Mode of Secure Boot (2) Add a hash of the malicious boot loader to db (3) Enter the User Mode of Secure Boot CIS 4360 Secure Computer Systems 14

Outline UEFI Secure Boot Windows s Trusted Boot Intel s Trusted Boot CIS 4360 Secure Computer Systems 15

With Secure Boot, Firmware and Boot Loaders now can be trusted (at least against remote agacks), but how about drivers in the kernel mode? CIS 4360 Secure Computer Systems 16

Windows 8 Boot Process It is secured in three phases Secure Boot: it ensures only authorized firmware and boot loaders can be executed Trusted Boot: the boot loader loads a trusted Windows 8 OS loader, which loads a trusted kernel, and the kernel in turn loads authenticated Windows components including the ELAM drive ELAM (Early Launch Anti Malware): before any third-party driver is loaded, a trusted kernel-mode anti-malware program is loaded and runs first; it checks all non-microsoft boots drivers Starting with Windows 10, version 1607, Windows will not load any new kernel mode drivers which are not signed by Microsoft Windows 8 also supports Measured Boot and Remote Attestation CIS 4360 Secure Computer Systems 17

Firmware Signing Flash-based UEFI components are verified only during the update process when the whole BIOS image has its signature verified http://c7zero.info/stuff/windows8secureboot_bulygin-furtak-bazhniuk_bhusa2013.pdf 18

UEFI Secure Boot DXE verifies non-embedded XROMs, DXE drivers, UEFI applications and boot loader(s) This is the UEFI Secure Boot process http://c7zero.info/stuff/windows8secureboot_bulygin-furtak-bazhniuk_bhusa2013.pdf 19

Windows 8 Secure Boot Microsoft Windows 8 adds to the UEFI secure boot process Establishes a chain of verification UEFI Boot Loader -> OS Loader -> OS Kernel -> OS Drivers http://c7zero.info/stuff/windows8secureboot_bulygin-furtak-bazhniuk_bhusa2013.pdf 20

CIS 4360 Secure Computer Systems 21

All X-86 PCs with Windows Logo They must have Secure Boot enabled by default They must trust Microsoft s certificate (and thus any bootloader Microsoft has signed). They must allow the user to configure Secure Boot to trust other bootloaders. They must allow the user to completely disable Secure Boot Windows RT devices based on ARM cannot disable Secure Boot, though CIS 4360 Secure Computer Systems 22

Keys in Windows Certified PCs Key/db Name Variable Owner Notes PKpub Microso_ CorporaDon KEK CA 2011 Microso_ Windows ProducDon CA 2011 Microso_ UEFI driver signing CA PK (pla]orm key) KEK (Key Exchange Key) OEM Microso_ Allows updates to db and dbx: db Microso_ This CA in the Signature Database (db) allows Windows to boot: db Microso_ Microso_ signer for 3rd party UEFI drivers and Apps signed through the DevCenter program CIS 4360 Secure Computer Systems 23

Sadly, for Linux Boot Loaders On the other hand, nowadays almost all PCs contain Microsoft s keys The PCs would simply refuse to boot Linux if its boot loader is not accepted by Microsoft s key Although the UEFI spec. allows users to add/delete keys in PK/KEK/db, it is unrealistic to expect all users to have the skills So what the Linux distros do is to request Microsoft (its DevCenter program) to sign their boot loaders Sigh CIS 4360 Secure Computer Systems 24

Outline UEFI Secure Boot Windows s Trusted Boot Intel s Trusted Boot CIS 4360 Secure Computer Systems 25

Recall TPM Passive I/O device Special Registers: PCR Operations supported: Seal/Unseal Remote Attestation (Quote) Primitive crypto services: RSA, HMAC, PRNG CIS 4360 Secure Computer Systems 26

Static Root of Trust Measurement (SRTM) It refers to the measurement upon reboot BIOS ROM BIOS FLASH BOOT LOADER OS kernel PCI ROMs PCR Usage (convention) 0 BIOS ROM & FLASH 1 Chipset config 2 PCI ROMs 3 PCI config 4 bootloader 5 bootloader config 6... 7... PCR0 PCR1 PCR2 PCR3 PCR4... 8 e.g. OS kernel TPM CIS 4360 Secure Computer Systems 27

Applications and Limitations of SRTM Example Applications: BitLocker Remote Attestation Limitations of SRTM It only measures until the kernel. It does not measure code that is running after the boot It requires reboot The measurement is not stable due to any change in the boot path CIS 4360 Secure Computer Systems 28

Dynamic Root of Trust Measurement (DRTM) It starts when a special security instruction is invoked It first resets PCRs 17-22 and then measures the code and configuration data according to the predefined policy It does not require reboot Designed to launch VMM with the confidence of the execution environment and the code integrity of VMM CIS 4360 Secure Computer Systems 29

DRTM The dynamic PCRs contain measurement of: PCR17 DRTM and launch control policy PCR18 Trusted OS start-up code (MLE) PCR19 Trusted OS (for example OS configuration) PCR20 Trusted OS (for example OS Kernel and other code) PCR21 as defined by the Trusted OS PCR22 as defined by the Trusted OS CIS 4360 Secure Computer Systems 30

DRTM Implementations Intel s Trusted Execution Technology (TXT) Formally known as LaGrande A set of h/w extensions and primitives Measurement upon SENTER instruction Root of trust: the processor microcode first verifies the SINIT ACM (Authenticated Code Module) AMD s Secure Virtual Machine (SVM) SKINIT (Secure Kernel Initialization) instruction Chipset extensions and support CIS 4360 Secure Computer Systems 31

How TXT works CIS 4360 Secure Computer Systems 32

Trusted Boot (tboot) An open source project by Intel Trusted Boot (boot) is the name of an open source, pre-kernel/vmm module for Linux, that uses Intel TXT to perform a measured and verified launch of an OS kernel/vmm Intel TXT provides a hardware-based root of trust to ensure that a platform boots with a known good configuration of firmware, BIOS, virtual machine monitor, and operating system. CIS 4360 Secure Computer Systems 33

Summary UEFI Secure Boot: firmware and boot loader Windows s Trusted Boot: kernel and drivers Intel s Trusted Boot: measure the boot and enforce policies upon good/bad boot CIS 4360 Secure Computer Systems 34

References UEFI Secure Boot in Windows 8.1 https://answers.microsoft.com/en-us/windows/forum/windows8_1-security/ uefi-secure-boot-in-windows-81 Secure the Windows 8.1 boot process https://technet.microsoft.com/en-us/windows/dn168167.aspx Advanced x86: BIOS and System Management Mode Internals. UEFI SecureBoot Attacking Intel TXT http://invisiblethingslab.com/resources/bh09dc/attacking%20intel%20txt %20-%20slides.pdf Intel TXT https://en.wikipedia.org/wiki/trusted_execution_technology https://www.kernel.org/doc/documentation/intel_txt.txt https://www.slideshare.net/slkevin/txt-introduction Comparison between secure boot, trusted boot, and tboot https://firmwaresecurity.com/tag/verified-boot/ CIS 4360 Secure Computer Systems 35

Backup Is BitLocker + TPM vulnerable to Evil Maid AGack? No! When disk is protected by BitLocker with TPM, the key is sealed by TPM, and TPM releases the key only when it finds the boot path (including the firmware and boot loader) is intact But people have described agacks that exploit some implementadon flaws: hgp://theinvisiblethings.blogspot.com/2009/10/evil- maid- goes- a_er- truecrypt.html Another agack is the Fake Prompt agack described in next slide CIS 4360 Secure Computer Systems 36

How will you agack your roomate s PC whose disk is protected by BitLocker+TPM? Question BitLocker + TPM means that if there is any change in the boot path, including the firmware and boot loader for BitLocker, TPM will not release the key sealed by TPM But the trick is that you can install a modified BitLocker loader, which fools your roommate by showing a fake password input prompt Later, when your roommate inputs the password the malware can log it. Although your roommate will no9ce that her computer refuse to boot (since TPM refuse to release the key) So a_er logging the password, the malware should clear itself and reboot hgp://theinvisiblethings.blogspot.com/2009/10/evil- maid- goes- a_er- truecrypt.html CIS 4360 Secure Computer Systems 37

Backup How about BitLocker + TPM + Secure Boot The agacker has to disable Secure Boot first (e.g., by reseeng the firmware password and then change the firmware seeng). Otherwise, I do not think the agacker would have any chance, as the system would refuse to execute malicious firmware/boot code CIS 4360 Secure Computer Systems 38

CIS 4360 Secure Computer Systems 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback