3.4 Understand security capabilities of information systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)

How can we protect our physical computing devices?  Let’s dig deeper into the hardware details – much of this may not be in the scope of a normal security professional’s knowledge, but having the background is important.

Memory Protection

  • It is very important to protect the memory.  Memory protection must be designed when developing an operating system.

  • We want to make sure that on a computer running multiple applications, no application can access a portion of the memory that is not assigned to it.  That is, every application has access to only the portion of the memory that stores its data.

  • The memory can operate in two modes

    • The operating system has the privileged mode that allows it to execute any command that it requires

    • Each program runs in unprivileged mode.  It can only access the portion of the memory that the operating system dictates.

    • If the program attempts to do something that is not permitted, then the operating system can shut it down

  • Address Space Layout Randomization (ASLR)

    • The operating system should be able to randomly select the portion of memory that each program uses.  That prevents a hacker from knowing what portion of the memory to read when looking for sensitive data.

Secure Cryptoprocessor

  • A secure cryptoprocessor is one with with a limited attack surface

  • It also includes a hardware based random number generator

  • It provides for the secure storage of keys

  • It provides for encryption and decryption through a hardware based cryptographic accelerator

  • Ideally, it will have tamper resistance, and shielding to prevent spying through probes

  • It also includes the hardware root of trust – the cryptoprocessor verifies the digital signature of any software that it runs.  The cryptoprocessor has the public key of any software that it trusts physically burned into its ROM.   

Virtualization

  • When we have multiple virtual computers on the same physical computer, we want to make sure that each operating system can only access resources assigned to it.

  • That means that the operating system (or virtual machine) should not be able to break through the virtualization layer and talk directly to the hardware.

  • Virtualization makes it easy to conserve hardware and to recover from corrupted systems.

Trusted Platform Module (TPM)

  • A chip that stores cryptographic keys for encryption is called a TPM.  The TPM is usually integrated into the system board.

  • We use a TPM to provide full disk encryption among other things – the disk is tied to the TPM.  If we move the disk to a different computer, it can’t be decrypted.

  • A Hardware Security Module or HSM can be used to store digital keys for digital signatures.  A TPM is a type of HSM.  We can use HSMs to provide dedicated hardware needed for the rapid calculation of complicated encryption algorithms.

  • A TPM provides the following features

    • Attestation – we create a hash of the system when we know it is good.  We can rehash the system each time it boots and compare it with the original hash.  If the two match, then we know that the system has not been altered.

    • Binding – we can encrypt the data with a key that is attached to the system.  If the data is moved to another system, it can’t be decrypted.

    • Sealing – the TPM will only decrypt the data when we know that the system is good.  We compare the original hash against the new hash.

  • The Endorsement Key is a key that is burned into the TPM.  We must make sure that the key stays private.

  • Cryptographic Module

    • A cryptographic module is a separate device hardware device used for cryptography

    • It is more difficult for software attacks to compromise the security of a hardware device

    • The module also provides physical security protections

    • The module is more efficient because it is specifically designed for cryptography, and allows the main processor to perform other tasks

Interface

  • A constrained interface is an interface that restricts what a user can do based on their security level.  It can be an interface in a software application. 

  • We can do the following

    • Show all commands, but display commands as greyed out when users don’t have permission to use them.

    • Hide commands from users if they don’t have permission to use them.  This is more

Fault Tolerance

  • A system should be able to continue operating even with an error – we call this fault tolerance.

  • We implement fault tolerance by adding redundancy (multiple identical components).

  • For example, multiple components like RAID or dual power supplies, or multiple servers set to work as a cluster.

  • We want to avoid a single point of failure.