Platform Attack Taxonomy

Trusted Computing is a wide technology that aims to raise the security bar for next-generation computing systems. Indeed, this security paradigm stretches from the hardware to the applications, extending through all the intermediary elements— firmware, boot sequence components, hypervisor, and the operating system. The TCG explicitly states in its specifications that Trusted Computing does not aim at protecting against physical attacks (e.g., an attacker can open your computer and reset the TPM manually or attempt to open it to steal its secrets), but assumes that most physical components will be protected using adequate means. In practice, this means that TPM manufacturers take particular care with the physical security of the TPM chip (some TPMs have up to 80 different internal physical mechanisms to protect the TPM), the user protects his or her own computer, or the company manages the physical security of the computing assets.

Explaining in simple terms the kind of attacks that Trusted Computing helps prevent is difficult because so many possible attack vectors and ways to use the numerous trusted capabilities exist. This chapter does not aim to be exhaustive and acknowledges that the security landscape regularly evolves, changing the shape of threats and security tools. Furthermore, the first concrete applications implementing solutions to these problems have only been released recently, thus limiting the practical experience that will lead to understanding their practical impact on mitigating threats. We will nevertheless aim to give an overview of the typical attacks that Trusted Computing technologies help prevent and offer a description of the associated technical elements where available.

As is usually the case with security, computing system properties threatened by attackers include the following.

Authentication This is the ability to unambiguously and verifiably identify an entity (e.g., a person, a computer, a credit card, etc.) or a piece of data. Entity authentication is illustrated by the example of user authentication in most operating systems via a login that identifies the user and a password that validates the identifier. Authentication typically involves information about what you know (e.g., login and password), what you have (e.g., a USB key), what you are (e.g., biometrics), and/or where you are. Data origin authentication, or message authentication, on the other hand, ensures that the data origin can be identified. You can authenticate anonymous identities, i.e., identities that cannot be directly traced back to the enduser or computer, notably by providing entity certificates where a trusted authority attests to the validity of a given identity (without revealing it).

Authorization This is the process of associating access rights from entities to objects, defining who is allowed to access what and in what manner and verifying (or validating) these rights when access is requested. Authorization controls access at the various entry points to the system and ensures that control points are in place to prevent unauthorized access. While mandatory access control (MAC) generally assumes the access is indicated via a label on the object (e.g., sensitivity) and the control mechanism is robust (i.e., difficult to bypass), discretionary access control (DAC) defines access based on the entity's identity, making it possible to pass permissions. DAC mechanisms are used in most Linux distributions, whereas MAC mechanisms can be found in distributions such as SE Linux.

Integrity A piece of information has integrity if it was not tampered with by unauthorized or unknown means and remains unaltered until its owner modifies it. Information loses its integrity when, for example, a malicious entity modifies it during communication, usually in order to exploit a vulnerability and gain an advantage over the user. This is a property important to many aspects of computing systems, as data needs to have integrity in order to operate properly.

Confidentiality Data must remain private to the entities that use the data. This property applies both in the local and remote environments. There are various levels of confidentiality, from secret (where no one should have access to the information except its owner) to private (where personal information belonging to the user should not be released without his or her knowledge).

Availability is sometimes added to the previous four properties but is of less interest in the case of Trusted Computing, as Trusted Computing does not focus specifically on communication. Nonrepudiation, revocation, and accounting properties are also considered in the TCG specifications, but only on more specific aspects of the technology.

Each of these properties naturally leads to the common threats a trusted system is susceptible to.

Spoofing or Identity Fraud People are usually identified through various layers of the computer's architectures, for example, MAC and IP addresses, operating system version, application identity, and account/login names. By falsifying any of these identifiers, a malicious user can prevent anyone she is interacting with from tracing her back to her computer, or she can even pretend to be someone else. At the lowest level of the architecture, this would be a man-in-the-middle or relay attack, whereas an example at the highest level of the architecture would be ID theft, which is becoming one of the major threats to computing systems, as it is facilitated by the diversity and inconsistency of ID systems and identifiers. Recent years have seen sophisticated attacks of this kind, such as phishing attacks where the user is fooled into believing that he is connecting to his usual bank or e-commerce server (e.g., eBay, Amazon), when, in fact, he is connecting to a fake server that perfectly mimics the appearance of the real one. This threat can automatically lead to the next one, namely unauthorized access, if an attacker changes its identifier to another user's.

Unauthorized Access With the extensive use of multiuser systems such as Linux and the need to represent and satisfy several stakeholders' rights and requirements, access rights violations have become more dangerous and more common. This threat can be seen from two angles, depending on whether the system checks permissions (the usual Access Control List used for Linux file access rights) and prevents anything not permitted, or the various capabilities of requesting entities, thus preventing what is not explicitly permitted. For example, spyware software relies on the leniency of modern operating systems' security principles to data mine user information to better exploit a user's habits and preferences, thus breaching her privacy and trust. Although at the center of political and sociological controversies, Digital Rights Management (DRM) systems are also used to try to enforce access rights, but on objects stored on a platform different from the owner's. This latter aspect should be separated from the notion of "fair use," as the two lead to two different kinds of problems (dominance abuse in the case of using DRM to enforce unfair usage models).

Unauthorized or Hidden Modification of Data or Code Modern malware operates by modifying system and user files in such a way that they can obtain a certain advantage (eavesdrop, access, control) from these modifications. Rootkits modify operating system code in order to execute and hide from the operating system and users. Trojans modify service policies and open network ports to communicate with the controlling hacker, possibly behaving like worms and spreading through the local network. All these malwares rely on the inability of modern operating systems to check the integrity of system files effectively. This can sometimes even lead to user files being corrupted, for example, ransomware (or cryptovirus) programs that encrypt user data (e.g., important documents), send the decryption key back to the hacker, delete the key from the computer, and explain to the user that she will only obtain the key for decrypting her data by sending a ransom to the hacker.

Breach of Confidentiality (Privacy) Recent years have seen a significant increase in the number of security breaches that have led to the disclosure of confidential or private information, such as credit card, health, or customer account information. The case of the U.S. company TJX is very famous, as the company lost millions of customer records because of stolen laptops, and illustrates the scale of the problem very clearly. The issue becomes much more personal with the use of spyware software, which is usually bundled with another piece of software that the user installs, that secretly spies on a user's activities, reporting back server statistics that the user never intended to share.

For many of these threats, cryptography can be used to protect against the attack vectors. But the problem is more general, as software implementing the cryptography executes on top of systems that cannot be fully trusted, if trusted at all. Although the TPM provides robust cryptographic functionalities (usually implemented in hardware and highly resilient to exploits), it is controlled by software running on top of other hardware. In particular, operating systems are a huge source of vulnerabilities nowadays, due to their monolithic architecture that grants them too many privileges and renders their verification, and thus their trustworthiness, almost impossible. This particular technological threat is tackled by hypervisors that attempt to enforce proper memory management and access to peripherals and the corresponding security policies.

A simple taxonomy of the attack vectors of Trusted Platforms mimics the general architecture of these systems:

• Hardware attacks Despite the fact that the TCG explicitly states that preventing these kinds of attacks are not the goal of its standards, you can thwart a few simple ones using appropriate means. This ability is significantly reinforced by new Intel and AMD hardware architectures that implement the changes necessary for Trusted Computing to be used effectively.

• Low-level software attacks These are attacks targeting the firmware and boot components that are run only between the platform hardware startup and the operating system startup and have to initialize the various elements of the platform.

• System software attacks Control software comprises the operating system and possibly the hypervisor, if available. Attacks on this software aim at stealing machine control from the owner or user.

• Applications attacks At the highest level of the execution stack, applications interact directly with the user and attacks on applications are related to the various files used and the information displayed or recorded.

This taxonomy can be seen from examining a Trusted Platform from top (hardware) to bottom (end-user applications). Overall, a complete Trusted Platform should be able to protect against all four categories or attack vectors, but doing this has been extremely difficult because of the concerns regarding traditional separation between the different elements of computing platforms. In the next sections, we'll follow this simple taxonomy in order to detail how Trusted Computing can help detect and prevent these attacks.

Was this article helpful?

0 0
The Ultimate Computer Repair Guide

The Ultimate Computer Repair Guide

Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.

Get My Free Ebook

Post a comment