Mitigating Boot Process Attacks

Trusted Computing does not prevent the boot process attack but makes it detectable by performing an authenticated boot. The authenticated boot extends the normal boot process by leveraging the Trusted Computing functionalities in order to keep track of the platform state. The authenticated boot is rooted in the same fundamental component as the boot process, i.e., the BIOS that contains the CRTM. The BIOS must be TPM-aware and, therefore, capable of talking to the TPM on the LPC bus. Bear in mind that the CRTM is a root of trust and has to be robust, which is usually the case, as it is not as faulty as other software and is stored in a nonmodifiable part of memory. The authenticated boot process builds the chain of trust by ensuring that each component measures the next component in the boot chain and stores the measurement in a PCR inside the TPM before control is passed to that component. Each component of the authenticated boot must be Trusted Computing-compliant, i.e., able to measure a program (directly or by invoking a component already started) using the SHA-1 hash function mandated by the current TCG specifications.

If a boot process attack is performed, the measurement stored in the PCR will not match the measurement of the actual component, thus revealing the attack. Furthermore, all secrets that have been sealed to the platform configuration cannot be unsealed until the platform has been restored to the expected platform state.

A typical authenticated boot follows the sequence of execution described here and shown in Figure 12-3:

1. PCR[0] to PCR[15] are reset, i.e., their content is set to zero.

2. The CRTM measures the BIOS firmware and its associated data (hardware configuration), stores the measurements in PCR[0] and PCR[1], respectively, and then starts the rest of the BIOS firmware.

3. The BIOS firmware measures the option ROMs and their configuration data and stores the measurements in PCR[2] and PCR[3], respectively.

4. Similarly, the Master Boot Record (MBR) code portion and the partition table measurements are stored, respectively, in PCR[4] and PCR[5].

5. The MBR then starts by determining the active boot partition, searches for and loads the BOOTMGR boot manager, measures it, and stores the measurement in PCR[9].

6. Several auxiliary pieces of information can then be measured and their measurement stored in PCR[11], for example, the current boot status, operating system secrets, and the full-disk encryption key.

7. BOOTMGR measures the operating system loader (possibly after the user selected which operating system to boot), stores the measurement in PCR[10], and finally transfers control to the operating system loader for the specified partition. The operating system loader is at that moment in charge of measuring the integrity of all components to be started before transferring control to the operating system. The operating system can then, in turn, ensure the integrity of system files (hibernation, swap, crash) and all executables loaded, up to an authenticated logon.

Figure 12-3 Chain of trust during an authenticated boot (figure not reproduced; its legend distinguishes "Measures and then executes" arrows from "Measurement is stored in" arrows)
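The measure-then-store sequence of steps 1 to 7, as an added example that is not from the original text: it models storing a measurement as the TPM 1.2 extend operation, PCR_new = SHA-1(PCR_old || measurement), and shows a modified MBR changing PCR[4] and blocking the unsealing of a secret. The component images, the `SEAL_SELECTION` set and all function names are constructed for illustration.

```python
import hashlib

PCR_COUNT = 16  # step 1: PCR[0]..PCR[15] start at zero

# (component, PCR index) in the order of steps 2-7 above.
BOOT_CHAIN = [
    ("BIOS firmware", 0), ("hardware configuration", 1),
    ("option ROMs", 2), ("option ROM configuration", 3),
    ("MBR code", 4), ("partition table", 5),
    ("BOOTMGR", 9), ("auxiliary boot data", 11), ("OS loader", 10),
]
# Assumption: the secret is sealed to every PCR the chain writes.
SEAL_SELECTION = tuple(sorted(index for _, index in BOOT_CHAIN))


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || SHA-1(component))."""
    measurement = hashlib.sha1(component).digest()
    return hashlib.sha1(pcr + measurement).digest()


def authenticated_boot(images: dict) -> list:
    """Measure each component into its PCR before it would be executed."""
    pcrs = [bytes(20)] * PCR_COUNT
    for name, index in BOOT_CHAIN:
        pcrs[index] = extend(pcrs[index], images[name])
    return pcrs


def mismatched_pcrs(expected: list, actual: list) -> list:
    """Indices of PCRs whose value differs from the known-good state."""
    return [i for i in range(PCR_COUNT) if expected[i] != actual[i]]


def unseal(secret: bytes, sealed_to: list, current: list):
    """Model of sealing: release the secret only in the sealed-to state."""
    if any(sealed_to[i] != current[i] for i in SEAL_SELECTION):
        return None
    return secret


# Constructed sample images; real measurements cover the actual code and data.
GOOD = {name: f"known-good {name}".encode() for name, _ in BOOT_CHAIN}
TAMPERED = dict(GOOD, **{"MBR code": b"modified MBR code (constructed)"})

if __name__ == "__main__":
    good, bad = authenticated_boot(GOOD), authenticated_boot(TAMPERED)
    print("PCRs that differ:", mismatched_pcrs(good, bad))
    print("unseal, good state:", unseal(b"disk-key", good, good))
    print("unseal, tampered state:", unseal(b"disk-key", good, bad))
```

Because a PCR can only be extended, never written directly, software running after the modified component cannot put PCR[4] back to its known-good value without a platform reset.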

Another innovative way to mitigate the threat of the boot process attack is to remove the dependency on the boot process. You can do this on recent systems via a particular Root of Trust for Measurement (RTM) called the Dynamic RTM (DRTM), which is used to start a hypervisor in a trustworthy manner. The DRTM is totally independent from the traditional boot process, ensuring the hardware platform is in a well-known state after its execution and that the hypervisor runs with the appropriate privileges in order to control the operating systems that it executes in isolated compartments. The DRTM is used for measuring the hypervisor program that will be executed and is implemented as a new CPU instruction, GETSEC[SENTER] for Intel CPUs and SKINIT for AMD CPUs.

Even if the boot components were modified, the hypervisor is not affected as a new chain of trust is started when the DRTM is executed. This chain of trust dedicated to the DRTM is new and independent from the one rooted in the BIOS because the TCG specification requires that the software executing before the DRTM cannot compromise the process of starting the DRTM. The new Intel and AMD CPU instructions implementing the DRTM are part of new security functionalities codenamed Trusted Execution Technology (TXT) for Intel and AMD-V for AMD, which we will not discuss here. The interested reader can find more at http://www.intel.com/technology/security/ and in the article "Trusted Computing Using AMD 'Pacifica' and 'Presidio' Secure Virtual Machine Technology" by Geoffrey Strongin.
