O Mitigating Modified System Component Attacks

The TPM enables any software running on a Trusted Platform to use strong and robust cryptographic capabilities to protect code and data without any need for specific software other than the TPM device driver. But these mechanisms are rarely used in operating systems because of the critical performance requirement. The performance improvement brought about by the TPM's cryptographic hardware acceleration (though this is greatly reduced by the slow communication on the LPC bus) does not compensate for the complex modifications required in the operating system kernel. On the other hand, these cryptographic capabilities can be used for efficiently encrypting data on the fly, such as filesystems, with the added protection of the encryption keys being inside the TPM.

The authenticated boot process can also be extended to measure the various parts of the operating system. This cannot be performed in the same manner as was done during the boot process because of the significantly higher number of components. Several hundreds of operating system kernel, configuration, and service files may exist and need to be measured. Instead, the operating system kernel must be extended so as to take responsibility for measuring its different components. For example IBM's Integrity Measurement Architecture proposes a simple Linux kernel module to be in charge of managing a list of measured components and the accumulated measurements of these components.

To truly mitigate the modified system component attacks, you must control what operating systems can do and enforce security policies independently from them. Hypervisors are designed for this and are able to operate below the operating system, intercepting all calls to the hardware and ensuring that these calls are legitimate. In addition to the DRTM feature described in the previous section, the new Intel and AMD CPU architectures provide new CPU instructions for facilitating the execution of hypervisors, mostly to reduce the performance overhead introduced by hypervisors (though hypervisors can also sometimes improve operating system performance by reducing the amount of memory accessed—among the slowest operations performed). In addition to strictly confining the operating system to a given memory space, hypervisors control the various system calls and can thus prevent certain software from modifying or accessing unauthorized parts of the memory. This way, rootkits can no longer install themselves in the operating system kernel and Trojans can't open security ports they are not supposed to open.

Was this article helpful?

0 0
The Ultimate Computer Repair Guide

The Ultimate Computer Repair Guide

Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.

Get My Free Ebook

Post a comment