tag:blogger.com,1999:blog-24586388.post2606319367477937236..comments2023-11-24T09:52:43.963+01:00Comments on The Invisible Things Lab's blog: Trusting HardwareJoanna Rutkowskahttp://www.blogger.com/profile/07657268181166351141noreply@blogger.comBlogger33125tag:blogger.com,1999:blog-24586388.post-41888917414742996252009-05-31T19:04:58.910+02:002009-05-31T19:04:58.910+02:00Hi Joanna,
Take a look at
http://www.springerlin...Hi Joanna,<br /><br />Take a look at<br /><br />http://www.springerlink.com/content/jp07870p24560678/<br /><br />Questions:<br />1-Do you think there are some way to avoid this problem with some sort of "defensive" software design?<br /><br />2-Do you think "open hardware" CPUs do help to avoid CPU's backdoors? (ps: I think that open hardware CPUs are so "obscure" as any other CPU.<br /><br />Cheers,<br /><br />Hyperluzhyperluzhttps://www.blogger.com/profile/01033084749179389645noreply@blogger.comtag:blogger.com,1999:blog-24586388.post-47347823374775171862009-05-30T12:39:52.929+02:002009-05-30T12:39:52.929+02:00@Ebrahim:
The actual defense against backdoors in ...@Ebrahim:<br />The actual defense against backdoors in the infrastructure (e.g. CISCO routers) are good crypto protocols, e.g. SSL. Of course, sometimes SSL implementation might be buggy (e.g. Debian), or the way we use it might be wrong (think sslstrip), but still CISCO would have to count on some bug somewhere. In practice we can effectively protect ourselves against evil network infrastructure (in fact most of the research in computer security over the past few decades was focused just on this problem).<br /><br />On the other hand we have simply no single mean of how to protect ourselves against potential backdoors in CPUs (besides building our own processor design & production factory). We can protect against backdoors in all the other hardware components though VT-d/IOMMU, but not against backdoors in processors.Joanna Rutkowskahttps://www.blogger.com/profile/07657268181166351141noreply@blogger.comtag:blogger.com,1999:blog-24586388.post-25048634808792965452009-05-30T10:12:23.011+02:002009-05-30T10:12:23.011+02:00Well, in answer to your question, why should we tr...Well, in answer to your question, why should we trust Intel / AMD, guess the answer is that people don't! I mean, that would have to be one of the main reasons China is building the Loongson processor.<br /><br />(Failing to login with OpenID because blogger can't handle the URL length in the login redirect!)Bennohttp://benno.id.aunoreply@blogger.comtag:blogger.com,1999:blog-24586388.post-30676607229309265062009-05-30T03:12:56.859+02:002009-05-30T03:12:56.859+02:00It's acutally worse than you think. A CPU is too ...It's acutally worse than you think. A CPU is too complex for a human to design on the physical level, so we have to rely on software to do the design. This software could be compromised without the knowledge of an honest engineer. Security is an illusion.Anonymoushttps://www.blogger.com/profile/04823026599075797295noreply@blogger.comtag:blogger.com,1999:blog-24586388.post-30024403108495019032009-05-30T01:53:10.845+02:002009-05-30T01:53:10.845+02:00Another story: Internet runs on Cisco routers, tho...Another story: Internet runs on Cisco routers, those closed-everything beasts. Cisco simply rules the Internet!Ebrahimnoreply@blogger.comtag:blogger.com,1999:blog-24586388.post-86854065560028008552009-05-18T15:30:00.000+02:002009-05-18T15:30:00.000+02:00IT'S IN YOUR FACE!!!
Britain Lets Police Hack PCs ...IT'S IN YOUR FACE!!!<br />Britain Lets Police Hack PCs Without Warrants<br /><br />http://www.foxnews.com/story/0,2933,476904,00.html<br /><br />http://www.youtube.com/watch?v=wlj7u3tOQ9s<br /><br />WE NEED OPEN HARDWARE!!!Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-24586388.post-32597683968219261702009-05-07T01:34:00.000+02:002009-05-07T01:34:00.000+02:00Things are getting a little hot around here with a...Things are getting a little hot around here with all your talk of having a built-in backdoor into your network card micro-controller.<br /><br />I'd thought we'd agreed this was our little secret ?<br /><br />:)Big_Galootnoreply@blogger.comtag:blogger.com,1999:blog-24586388.post-21066612394643272072009-05-04T20:16:00.000+02:002009-05-04T20:16:00.000+02:00this is exactly what Loic Duflot discussed in SSTI...<I>this is exactly what Loic Duflot discussed in SSTIC 2008[...]</I>Well, no, it doesn't seem to be even closely the same. While I don't know French, I know how to grep through the PDF ;) And the document you quoted do not contain terms, such as VT-d or IOMMU, that are key elements of my post here.Joanna Rutkowskahttps://www.blogger.com/profile/07657268181166351141noreply@blogger.comtag:blogger.com,1999:blog-24586388.post-9659174366159149632009-05-04T17:50:00.000+02:002009-05-04T17:50:00.000+02:00this is exactly what Loic Duflot discussed in SSTI...this is exactly what Loic Duflot discussed in SSTIC 2008 : http://actes.sstic.org/SSTIC08/Bogues_Piegeages_Processeurs_Consequences_Securite/<br /><br />you have to understand French...<br /><br />LaurentAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-24586388.post-34909694105413506532009-04-29T16:44:00.000+02:002009-04-29T16:44:00.000+02:00Great article! I'll just trust now in pencils and ...Great article! I'll just trust now in pencils and papers... rsrsrsUnknownhttps://www.blogger.com/profile/14961251598823861644noreply@blogger.comtag:blogger.com,1999:blog-24586388.post-78755597549824259712009-04-28T19:23:00.000+02:002009-04-28T19:23:00.000+02:00In addition to the King and Agrawal papers cited a...In addition to the King and Agrawal papers cited above, there was a nicely written article about the US government's take on "trusting hardware" (<A HREF="http://www.spectrum.ieee.org/may08/6171" REL="nofollow">http://www.spectrum.ieee.org/may08/6171</A>). The idea is that even if chips are designed properly, they are manufactured somewhere that may not be trustworthy. This is even worse than backdoors inserted at chip design, because randomly modified chips are unlikely to be detected by random inspection. And who has the time or resources to verify each and every chip they use?<br /><br />There's also a workshop that addresses these kinds of problems, including threats from design through chip fabrication: <A HREF="http://www.engr.uconn.edu/HOST/" REL="nofollow"> http://www.engr.uconn.edu/HOST/</A>Gedarehttp://home.gwu.edu/~gedare/noreply@blogger.comtag:blogger.com,1999:blog-24586388.post-75507576221976480292009-04-26T22:02:00.000+02:002009-04-26T22:02:00.000+02:00it may be trivial to build a backdoor, it might be...it may be trivial to build a backdoor, it might be less trivial to bring home the 'win'. in general, i cannot advise this parnoia - it just doesn't add up to make practical sense. open hardware makes sense, but i'd give other reasons, economic reasons. open source makes sense: you can't read source that is not there. i indeed believe, that every line of code get's monitored over time. errors get published. that's exactly the reason, the concept of trust is better developed in open environments: you must not lose it! the others _will_ get you before you reach critical distribution. in general, i have to trust 'the others', the press, and maybe these wireshark authors;), but not my hardware as long as it does it's job. if keyloggers don't scale then cpu-bugs scale even less. in case of blade and/or virtual systems, i have to trust you.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-24586388.post-5504156242335829322009-04-20T13:10:00.000+02:002009-04-20T13:10:00.000+02:00Is hardware security measurable? Is there any secu...Is hardware security measurable? Is there any security standards that should be followed by chip-set and processor designers? or it is just like this, let's add a key-logger circuits and it is all fine!!!Othman Esoulhttps://www.blogger.com/profile/04216236009164917793noreply@blogger.comtag:blogger.com,1999:blog-24586388.post-66452581356829608962009-04-16T14:53:00.000+02:002009-04-16T14:53:00.000+02:00@yet-another-anon:
Comparing to a few additional ...@yet-another-anon:<br /><br />Comparing to a few additional gates in a 45nm processor (that already has 700 millions of them) an additional keylogger can be much easier spotted by others (e.g. reversing enthusiasts). And the vendor would risk going bankrupt once this keylogger is found. And the keylogging unit is definitely not something that the vendor might try to excuse as an "accidental bug".Joanna Rutkowskahttps://www.blogger.com/profile/07657268181166351141noreply@blogger.comtag:blogger.com,1999:blog-24586388.post-1257763696989306322009-04-16T14:35:00.000+02:002009-04-16T14:35:00.000+02:00Interesting Post :) However personally I'm more sc...Interesting Post :) However personally I'm more scared of something much simpler. Vendor X sells all laptops/keyboards with a built-in keylogger.<br /><br />Nowadays it's just too easy/cheap to include a keylogger which is so small that you won't notice it and that it can record everything you type.<br /><br />The only solution I can think of is an on screen keyboard, which is quite annoying to use.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-24586388.post-20326911076747835842009-04-16T02:33:00.000+02:002009-04-16T02:33:00.000+02:00@joanna from the-old-fashioned-anon:
I do note th...@joanna from the-old-fashioned-anon:<br /><br />I do note the distinction between a rootkit and a backdoor as used in a popular culture but I don't agree with your clarification :) I believe that rootkit doesn't necessary imply the "active" part - we sort of got used to rootkits that need to be executed on the system and then must be actively running to hide themselves, but what about passive rootkits?<br />if we agree that the role of the rootkit is to be invisible (and to be invisible _only_), then hiding a code in a slack space or sectors at the end of the physical disk is a very good (passive) rootkit functionality<br />it is pretty close to your backdoor defintion<br /><br />interesting observation about "all over"; I agree and the mysterious bug is a tempting idea... a scenario where the passive backdoor of some sort triggers in a printer/scanner when a specific document is being processed and activates some sort of an easter egg - it can be just preserving all the documents scanned after a specific event triggered and then after collecting enough information signal a critical fault which requires a specialist's help to repair it (it's Mr. backdoor data collector in fact) <br /><br />hmm when you think of it... modern scanners have such sort-of-backdoors to prevent scanning money - do they store the information about detecting such events anywhere? :)<br /><br />if we assume we actually have the infected processors in place, what could trigger them to do what they are supposed to do? time? specific value of registers/memory content? how could such an event could be delivered though? if we look for similarities in a software world... for botnets, hard to control the target; for targeted attacks, we don't use universal approach... hard to believe someone would go with such a massive investment in an an area where so many things can go wrong... but of course, it's possible<br /><br />a very interesting idea ... perhaps it's time to start working on CPU-fuzzers :)<br /><br />regarding BTW <br />I know you didn't mean your country; I think you meant... well, if you want to continue this topic offline, I would be happy to elaborate... i don't want to pollute your blog with off topics :)Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-24586388.post-719618004830680392009-04-16T00:06:00.000+02:002009-04-16T00:06:00.000+02:00@the-old-fashioned-anon:
Please note the distincti...@the-old-fashioned-anon:<br />Please note the distinction between a rootkit, which is something that "lives", is active, vs. a backdoor -- something that could be waiting passively for ages, not doing anything by itself. E.g. some additional "if" clause, that normally is never taken (here "if" == some additional logic gates).<br /><br />You are right, however, that once somebody decided to *use* the backdoor, then it is all over (well, in the ideal world at least -- in our world the vendor might just say it was an accidental bug...).<br /><br />But I see this as some form of an ultimate weapon that could be used e.g. in case of a war or terrorist attack, etc. Again, just building the backdoors into processors seem like totally safe for Intel and AMD. *Using* them might be not safe, but having them in place, just in case, seems like a reasonable move.<br /><br />BTW, Of course I didn't mind Poland when I said "not-fully-democratic country" -- Poland is part of EU and NATO and it really is democratic. Also there are no computer hardware vendors based in Poland AFAIK.Joanna Rutkowskahttps://www.blogger.com/profile/07657268181166351141noreply@blogger.comtag:blogger.com,1999:blog-24586388.post-87115033479957849162009-04-15T23:37:00.000+02:002009-04-15T23:37:00.000+02:00call me old-fashioned, but I don't buy the paranoi...call me old-fashioned, but I don't buy the paranoia related to hardware backdoors; it is still much easier to buy or blackmail humanware than trying to attempt to hide the backdoor in the hardware; all best software rootkits are finally discovered, and it is not because somebody spends hours trying to find them, but they somehow manifest their presence at some stage; so will hardware rootkits, because they need to either communicate what they intercepted or must be fetched by somebody via a psychical contact; and if that somebody who find it happens to be Russinovich-like, it is more than certain that the media will pick up the story and the rootkiting company stock and image will be ruined forever; the strength is not in preventing rootkits in hardware, software but in people; sorry for such a cliche, but we live in a world that is very much working just because we trust somebody; you take the plane, you eat bread, you breathe - are you sure you can check all the variables on the way?<br />check this one out - http://www.youtube.com/watch?v=1Xhdy9zBEws<br /><br />with your proposed approach to giving blueprints to governments, or taking it even further - to masses, who will be able to understand them anyway? masses will rely on opinions of experts and experts are not independent as long as they work for somebody or can be bought/blackmailed/etc.<br /><br />not-fully-democratic country... as a matter of fact, living in a post communistic country you are experiencing more freedom than Western Europe, US, or Australia... they actually believe they are free... the ultimate slavery<br /><br />you can't trust any single word in my post :)Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-24586388.post-42115990723808969322009-04-15T22:48:00.000+02:002009-04-15T22:48:00.000+02:00BajoYo : It seems you missed the point about FOSS....BajoYo : It seems you missed the point about FOSS. The main asset of FOSS over closed-source is you can (or hire some to) fix it if it is broken. How many closed source software remains unpatched for a loooong period ?<br /><br />Patching hardware is a real problem anyway... :)Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-24586388.post-24724661124632560452009-04-13T21:07:00.000+02:002009-04-13T21:07:00.000+02:00Be happy paranoiac. :)Be happy paranoiac. :)Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-24586388.post-2387968459040644942009-04-09T04:28:00.000+02:002009-04-09T04:28:00.000+02:00It was a pleasure to read this post, and will cont...It was a pleasure to read this post, and will continue reading the rest of the blog, really clear the way you explain some things that are away from casual language.<BR/><BR/>As you say (I must confess that I preferr open and free software but use also commercial software) commercial software it is not less secure or dangerous than open and free software.<BR/><BR/>A pleasure to find your blog!:: BajoYo ::https://www.blogger.com/profile/10724682132889309010noreply@blogger.comtag:blogger.com,1999:blog-24586388.post-79774261324103541662009-04-05T22:16:00.000+02:002009-04-05T22:16:00.000+02:00Your readers are well aware! :-)But this post also...Your readers are well aware! :-)<BR/><BR/>But this post also reminded of the presentation of the Kris Kaspersky HITB 2009.<BR/><BR/>http://conference.hitb.org/hitbsecconf2008kl/?page_id=214<BR/><BR/>"Intel Core 2 has 128 confirmed bugs. Intel Itanium (designed for critical systems) looks more “promising”, carrying over 230 bugs. They have all been confirmed by Intel and described in errata section of their specification updates. Some bugs “just” crash the system (under quite rare conditions) while the others give the attackers full control over the machine."<BR/><BR/>Anyway, something you drew the attention is something that comment to years, the fact that the software be closed doesn´t mean that its more insecure.<BR/><BR/>[]´s<BR/><BR/>Alberto FabianoTechbert0https://www.blogger.com/profile/07290501598697178871noreply@blogger.comtag:blogger.com,1999:blog-24586388.post-5796609047895780252009-03-30T00:17:00.000+02:002009-03-30T00:17:00.000+02:00Back in 1984 Ken Thompson gave a Turing Award Lect...Back in 1984 Ken Thompson gave a Turing Award Lecture "Reflections on Trusting Trust" of which this is a familiar echo.<BR/>http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdfAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-24586388.post-14912862004092921522009-03-28T12:39:00.000+01:002009-03-28T12:39:00.000+01:00Take a look at this: Trojan Detection using IC F...Take a look at this: Trojan Detection using IC Fingerprinting<BR/>http://ieeexplore.ieee.org/search/wrapper.jsp?arnumber=4223234Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-24586388.post-86095078719780013262009-03-27T02:57:00.000+01:002009-03-27T02:57:00.000+01:00Oh,What you said is very terrible!Ha~,but thanks f...Oh,What you said is very terrible!Ha~,but thanks for sharing all this.Anonymousnoreply@blogger.com