Secure hardware again, Re: cyber-"terrorism"?

Matthew Astley lists-ukcrypto at fruitcake.demon.co.uk
Sun, 22 Sep 2002 19:50:29 +0100


On Sat, Sep 21, 2002 at 02:37:24PM +0200, Casper Dik wrote:

> >IMHO dumb hardware is the easiest and safest solution. You can
> >secure-boot a BBC B just by knowing that the expansion slots are
> >clean, and I'd be impressed if you could trojan the HDC. 8-)
> 
> You really need some hardware support: the firmware must be able to
> verify that the program just loaded from disk is indeed a valid boot
> image.

OK, the 6502 has no memory protection. You need hardware support
there. Hardware for key management would be handy, but not essential.
Is this what you meant?

If you define "valid boot image" as "signed by the user[1]", then the
kernel or root filesystem loaded from disk can be checked against a
public key stored in that read-only BIOS. This could be done now, I
think, on any x86 box. "It's just software", as they say.

Provided you can ensure there is no interference from other devices on
the bus, the system appears to be secure until the first
exploitable bug in the trusted (signed) software loaded from disk.
This is what Brian wants, and it's a sane thing to want.


I don't see how hardware would help until the user needs to get hold
of the secret key to replace the boot image.

If the disk system's contents are signed, and checked when they are
loaded, the worst the disk can do is a DoS attack - either by
supplying modified (and therefore unsigned) binaries or simply not
returning anything.

Protection against random DoS attacks (hardware failures) comes from
redundancy in the normal way. Protection against malicious DoS from
the disk system sounds like a story for another day.


I can see that the average user is going to think it odd to reflash
the BIOS with a public key, but if the default BIOS doesn't check the
signature then only the paranoid need to bother.

The only reason to take this stuff and hide it in the processor is to
keep out the people with the expensive crocodile clips. This is only
needed if you want to lock the user out of the system.


Matthew  #8-)
-- 
[1] By user I mean The Bloke In Charge. The one who locked the machine
    in the server room with only UPS and ethernet for company.
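As an added illustration of the check described in the message above (a boot image signed by the user's secret key, verified by firmware that carries only the matching public key), here is a small Go model that is not part of the original thread or of any real BIOS. The `Firmware` type, the image layout, and the function names are assumptions made for this example; Ed25519 from Go's standard library stands in for whatever signature scheme a real firmware would use. It also demonstrates the "worst the disk can do" point: a modified image fails verification and the firmware refuses to run it, and a disk that returns nothing can only stop the boot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Firmware models the read-only BIOS from the message: the only thing it
// carries is the user's public key, flashed in once by the person in charge.
// No secret key ever lives in the firmware. (Assumed type for this example.)
type Firmware struct {
	PubKey ed25519.PublicKey
}

// Constructed image layout for this example:
//   "BOOT" | payload length (uint32, big-endian) | payload | Ed25519 signature (64 bytes)
// The signature covers everything before it, so the magic and length are protected too.
const (
	magic  = "BOOT"
	hdrLen = 8
)

var (
	ErrBadFormat = errors.New("boot image: malformed or truncated")
	ErrBadSig    = errors.New("boot image: signature does not verify")
)

// SignImage is run offline by the user who holds the secret key when the
// boot image is replaced; the firmware never needs it.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	img := make([]byte, hdrLen, hdrLen+len(payload)+ed25519.SignatureSize)
	copy(img, magic)
	binary.BigEndian.PutUint32(img[4:], uint32(len(payload)))
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyImage is the check the firmware performs on whatever the disk returned.
// It hands back the payload only if every byte is covered by a valid signature.
func (fw Firmware) VerifyImage(img []byte) ([]byte, error) {
	if len(img) < hdrLen+ed25519.SignatureSize || string(img[:4]) != magic {
		return nil, ErrBadFormat
	}
	n := uint64(binary.BigEndian.Uint32(img[4:hdrLen]))
	if uint64(len(img)) != hdrLen+n+ed25519.SignatureSize {
		return nil, ErrBadFormat
	}
	body, sig := img[:hdrLen+n], img[hdrLen+n:]
	if !ed25519.Verify(fw.PubKey, body, sig) {
		return nil, ErrBadSig
	}
	return body[hdrLen:], nil
}

// Boot models the firmware's decision. A disk that hands back nothing, or a
// modified (hence unsigned) image, can only stop the machine; it cannot get
// code run. readDisk is a stand-in for the real disk read.
func (fw Firmware) Boot(readDisk func() ([]byte, error)) ([]byte, error) {
	img, err := readDisk()
	if err != nil {
		return nil, fmt.Errorf("disk returned nothing: %w", err)
	}
	return fw.VerifyImage(img)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	fw := Firmware{PubKey: pub}
	good := SignImage(priv, []byte("kernel v1 (constructed payload)"))

	if _, err := fw.VerifyImage(good); err != nil {
		panic(err)
	}
	fmt.Println("signed image accepted")

	tampered := append([]byte(nil), good...)
	tampered[hdrLen] ^= 0x01 // flip one bit of the payload on "disk"
	_, err = fw.VerifyImage(tampered)
	fmt.Println("tampered image:", err)

	_, err = fw.Boot(func() ([]byte, error) { return nil, errors.New("no response") })
	fmt.Println("dead disk:", err)
}
```

The length field is checked before the signature only to reject obviously malformed input cheaply; because the signature covers the header as well, a disk that rewrites the length to point at different bytes still fails the signature check rather than being accepted.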