Thursday, February 19, 2009

Attacking Intel TXT: paper and slides

The new press release covering the basic details about our TXT attack is here.

The paper is here.

The slides converted to a PDF format are here. There is also an original version of slides in the Keynote format here for the Mac people. And for all the other people who don't use Mac, but still value the aesthetics (?!), I have also generated a QuickTime clickable movie out from the Keynote slides -- it can be found here, but it weighs 80MB.



Hal Finney said...

Very nice work!

As far as the STM, I agree that it would be good for this to come out ASAP. In fact it's not 100% clear to me whether it has to be customized to the individual PC or whether a fully generic STM might be possible that could run on all systems.

The situation is not unlike the SINIT module, which you did not mention. This is what gets involved in the "late launch" and organizes the transition into secure mode. Eventually this is supposed to be part of the BIOS, but right now Intel is providing it for download as part of the tboot project. Apparently a generic SINIT module works fine.

The same issues you raise with respect to possibly buggy STM apply to SINIT as well. We have to trust that the implementors are doing it right.

One potential saving feature is that the STM (and SINIT) modules do get measured during launch, hence an implementation can prove that it is protected by an STM. The existence of buggy systems without STMs does not have to cast doubt on attestations produced by good systems, once they exist.

xyz said...

First of all, excuse my English...I don't know too much about this issue, but it moves me to study it a bit harder, and it's really interesting. Many possibilities, and a lot of work in front of Intel...