[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Broken dream of mine :(

From: Sam Mason
Subject: Re: Broken dream of mine :(
Date: Tue, 22 Sep 2009 00:05:04 +0100
User-agent: Mutt/1.5.13 (2006-08-11)

On Tue, Sep 22, 2009 at 12:42:17AM +0200, Michal Suchanek wrote:
> Yes, the trivial attack is to replace the boot medium but that's local
> access attack, not remote attack.  The remote attacker cannot overwrite
> it, and the boot loader and initial environment can enforce any policy
> you wish (get the list of valid checksums from your server using SSL
> for example).

But where does the trust in the boot sequence come from?  That's what
TPM gives you.  Retrieving checksums from servers using SSL does nothing
as far as I can see.

> So decide against which attack you are trying to defend.

I want something upon which to bootstrap my trust in the code that a
server is running.  This is a difficult problem and I'm not aware of
anything outside of TPM that allows me to do this.  I trust the physical
security of the machines, but I'm unsure how far down the stack my trust
in the software goes.  TPM allows me to include the BIOS, but I'm not
sure about CPU microcode.

> > Physical security does nothing about remote/software attacks though.
> Yes, and TPM does no more for remote attacks than a boot CD and a BIOS
> with flash protection.

Hum, fun.  I'll have to think on that.  You obviously can't check the
BIOS, but I'm not sure how much that matters.

> >> You have to rely on the TPM
> >> manufacturer quite a bit because the devices come as blackboxes with
> >> unknown internals.
> >
> > Yes, but they're implementing a public spec and the economic incentives
> > all seem to be pointing the right way with this.  If the manufacturer
> > screws up their implementation they're going to look bad to the people
> > who matter.
> But it will break your system.

No it effing will not and stop being so silly.  You choose whether your
computer is going to run an OS that's going to surrender its authority
to somebody else.  If not then anything we do won't matter anyway.

> >> Then netboot the machines. No need for reimaging and users staring at
> >> broken machines.
> >
> > An attacker can modify the bios so that it points to somewhere it
> > controls.  Again, this isn't for normal PCs.
> Attacker from where? If it's the user you cannot allow users near the
> PC.

Bugs are fact of life.  Confinement allows you to put a reasonable upper
bound on how far its going to go, but if the worst does come to the
worst you need some trusted path to bring it all back up again.

> If it's remote then this can be prevented with and without TPM.

I'm still trying to figure out if you get the same level of assurance
with this.

  Sam  http://samason.me.uk/

reply via email to

[Prev in Thread] Current Thread [Next in Thread]