Forgot your password?
typodupeerror
Intel Security Technology Hardware

Intel Patches Flaws In Trusted Execution Tech 84

Posted by kdawson
from the trusting-trust dept.
An anonymous reader writes "Joanna Rutkowska's company Invisible Things Lab has issued the results of their research into flaws in Intel's Trusted Execution Technology (TXT), whose function is to provide a mechanism for safe loading of system software and to protect sensitive files. ITL describes how flaws in TXT can be used to compromise the integrity of a software loaded via an Intel TXT-based loader in a generic way, fully circumventing any protection TXT is supposed to provide. The attack exploits an implementation error in the so-called SINIT Authenticated Code modules and that could potentially allow a malicious attacker to elevate their privileges. Intel has released a patch for the affected chipsets, which include the Q35, GM45, PM45 Express, Q45, and Q43 Express." Here are ITL's press release (PDF) and Intel's advisory.
This discussion has been archived. No new comments can be posted.

Intel Patches Flaws In Trusted Execution Tech

Comments Filter:
  • by Anonymous Coward

    oh my gawd! Now I can't even use plain TXT documents!! oh wait... nevermind...

  • by girlintraining (1395911) on Tuesday December 22, 2009 @10:55PM (#30532400)

    It was true fifty years ago, and it's still true today: If I have access to the hardware, you're screwed. And thus far, there have been precious few non-trivial applications that have been unexploitable remotely at some point. Systems are amazingly complex and full of flaws because almost all modern software was built with security as an after-thought. The only difference these days between a "secure" system and an insecure one is that the secure system hasn't had its flaws discovered yet.

    • by ameline (771895)

      > If I have access to the hardware, you're screwed

      Or more precisely; If Joanna has access to the hardware they are screwed. :-)

      Finding and exploiting these flaws is not a widely held skill. Unfortunately for the ones (futilely)* attempting to secure these things, all it takes is for *one* smart and enterprising person to crack it, and then the jig is up.

      * And given that it is inevitable for the hardware to get into the hands of Joanna and other likewise bright and curious people, it *is* both a futile an

      • Or more precisely; If Joanna has access to the hardware they are screwed. :-)

        Hey, be nice, she's a lady.
      • Exactly. It's the same problem as with DRM and audio/video - your software can kick ass, but all it takes is one person to break it and everybody has a copy.

    • by pclminion (145572) on Tuesday December 22, 2009 @11:23PM (#30532556)

      It was true fifty years ago, and it's still true today: If I have access to the hardware, you're screwed.

      Hardware safety is like thread safety. It originates at the lowest levels and percolates upward. In thread safety, the lowest levels are primitives like interlocked exchange. On top of this, we build spin-locks. On top of those we build critical sections. Etc. Hardware can be made secure by making it tamper-resistant. Cryptographic ICs can be rigged to self-destruct when somebody opens the package. Given a secure cryptographic chip, hardware security can be assembled on top of it. I'm not willing to go out on a limb and say that we have TRULY secure cryptographic chips, but if and when we do, we can built unconditionally secure hardware on top of them just like we build thread safety out of interlocked exchanges.

      • Cryptographic ICs can be rigged to self-destruct when somebody opens the package. Given a secure cryptographic chip, hardware security can be assembled on top of it. I'm not willing

        Cost? :P

        That might just be a factor in security being tacked on as an afterthought. Since people are incredibly shortsighted about everything, the cost here and now is what matters.

        So if eating healthy might keep me alive 40 years longer... screw it, cheeseburger! I'll die happy at 65!

        And if I have a chance to reduce pollution created at a power plant, so people have reduced medical costs and no environmental cleanup is needed later... screw it, money! $$$

        And if face the possibility of getting a girl pregna

        • by pclminion (145572)

          Cost? :P

          True -- at first glance there are serious challenges to building a hardware security primitive. But if a cheap device was ever created, it would be a very, very bad day. Control over all the hardware would be in the hands of the key-holders alone...

      • by Rich0 (548339)

        The only way I can see hardware security reaching true theoretical unbreakability is if we get to the level where the uncertainty principle prevents observing the hardware in action, but I'm not sure if it will be feasible to have the hardware even run reliably under those conditions.

        You can certainly make the hardware hard to crack, but ultimately it is physical in nature and it can be taken apart physically. It is almost impossible to make it theoretically secure, although in practice you can do pretty w

        • The only way I can see hardware security reaching true theoretical unbreakability is if we get to the level where the uncertainty principle prevents observing the hardware in action, but I'm not sure if it will be feasible to have the hardware even run reliably under those conditions.

          Well, this idea is pretty much the basis for quantum cryptography: if anyone observes the transmission, it gets corrupted. So it's evidently possible for some things.

          • by Rich0 (548339)

            Absolutely, and I had this in mind. However, right now quantum cryptography only protects the transmission, not the end-nodes. You'd need a computer where every byte of data in transit, in processing, or in memory associated with the authentication mechanism is protected all the time.

            Even that won't really protect you completely since you can do a MITM at any time. The processing circuitry presumably needs to read the data to do work on it. So, you can remove the existing circuitry and replace it with c

      • Re: (Score:3, Insightful)

        by dpilot (134227)

        The issue isn't to build perfectly secure hardware/software, it's to build *sufficiently* secure hardware/software. There really are self-destructing crypto-chips, but those are usually installed in critical hardware where the data involved is sufficiently concentrated and/or valuable that it's worth spending the extra money to protect.

        Let's take a simple testcase... Assume that you want to use crypto-stuff to theft-proof your laptop by turning it into a brick for anyone who doesn't have the secret passwo

        • by pclminion (145572)

          So while we may talk about how anything can be broken with physical access, most of the time, especially for Slashdotter's systems, it's just not worth the effort. What we can get off the shelf, TPM or TXT, etc, is probably good enough, probably even overkill.

          What you're missing is the other application of truly secure hardware -- absolutely, totally, brutally locked down DRM mechanisms. To massive IP companies, it's probably worth it to pour a few hundred million into figuring out how to cheaply build a

          • by dpilot (134227)

            Hopefully it'll never come to that. Don't forget, every DRM doodad added to software and hardware hurts their respective makers. Part of the giant black eye that Microsoft took over Vista was because of the reliability implications of all of that "trusted path" and "degradation" garbage. Stuff that doesn't do spit to increase the value of the hardware or software to the customer, and it boosts the costs to the developer/manufacturer without any extra revenue, it just placates the MafiAA. So at this poin

      • Hardware can be made secure by making it tamper-resistant. Cryptographic ICs can be rigged to self-destruct when somebody opens the package.

        Sometimes you don't even need to expose the silicon to mess with the guts of a chip. You can still connect to the pins or solder pads of an IC and monitor signals passively, or introduce overvoltage/undervoltage/weird signal patterns from outside.

    • It was true fifty years ago, and it's still true today: If I have access to the hardware, you're screwed.

      But will that still be the case when computers consist of isolated atoms embedded in a diamond lattice? The equipment required for hacking will certainly be different.

      • by peragrin (659227)

        The tools change yes, but you will still have inputs and outputs. as long as you have those hacks are still possible. just a lot smaller.

    • by jamesh (87723)

      It's funny isn't it... It took 10 years for someone to read the boot rom of the Super Game Boy (and similar time for the Game Boy?), but the XBox was hacked in a similar fashion much faster.

      I think if it takes 10 years for someone to break it then it could be deemed secure... the trouble with that is that it's only true retrospectively :)

    • Systems are amazingly complex and full of flaws because almost all modern software was built with security as an after-thought.

      Please note that Unix was designed from the ground up to be secure, and there've been exploits, root kits and vulnerabilities in it over the years. Not many, compared to some other systems, but enough to show that making a secure system and keeping it that way is a non-trivial exercise.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Systems are amazingly complex and full of flaws because almost all modern software was built with security as an after-thought.

        Please note that Unix was designed from the ground up to be secure,

        No it wasn't - it was built to be open, used by mutually-trusting users.

        You're thinking of Multics.

        • Re: (Score:1, Funny)

          by Anonymous Coward

          NT was designed from the ground up to be secure

          Just Microsoft botched the implemementation of that

  • Do I have to weld it on or something?

  • Readme.TXT (Score:5, Insightful)

    by marciot (598356) on Tuesday December 22, 2009 @11:42PM (#30532638)

    User: Oh, look, someone sent me a text file
    User: *double-click*
    Computer: Launching trusted executable...
    Trojan: Got ya, sucker.

    Seriously Intel, TXT? What were you thinking?

    • Re:Readme.TXT (Score:5, Insightful)

      by mirix (1649853) on Wednesday December 23, 2009 @12:01AM (#30532704)
      Yeah really. Some dude in his Intel office:
      "Hey Jim, you know what computing needs? more ambiguous acronyms. That would be just grand."
      • Exactly. And people wonder how viruses spread so fast... Really, OSes need to check the file type and then auto-assign a unique file extension for file browsers, at least on those easily exploitable (Windows and perhaps OS X). So even though the file may be called song.mp3 , but the actual file type is an .exe, it would be called song.exe in the file browser. Things with multiple extensions would also be changed in the browser for example song.mp3.txt that is really a .exe file would be called songmp3.exe i
        • Re: (Score:1, Interesting)

          by Anonymous Coward

          What about not executing what isent set +x.. and save by default new file as -x.
          Oh that right, it already the case except on flawed OS.

          • Re: (Score:1, Troll)

            by Darkness404 (1287218)
            Well, we can't expect Windows to ever implement anything better than half-baked security now can we? ;)
        • by spathi-wa (575009)

          I don't agree that this will solve anything. People who are likely to double click on cute_cat.jpg.exe are just as likely to not know the difference between song.mp3.exe and songmp3.exe.

          "it says mp3 right there in the file name"

        • Re: (Score:3, Informative)

          by Tycho (11893)

          The classic MacOS had a feature similar to this, but it was abandoned by MacOS X. One type of metadata present for each file in the classic MacOS had a four character creator code and another four character file type code. The FourCC codes used currently in audio and video files were originally derived from this system. At any rate, unless the file type was "APPL" or "CNTL" it wasn't going to execute from the Finder unless the file type code was changed, a nontrivial, but not an impossible task for a use

          • And oh, dear me, that resource/fork mess was unstable. They inevitably fell out of sync during hardware issues or during software problems, and completely ruined MacOS filesystems and components. Re-implementing that mess would be like bringing back punch cards. Sure, they have some advantages in stability, but the mostly useless overhead of handling them is unacceptable.

            • by Tycho (11893)

              Actually, the most common problem with standard HFS drives had nothing to do with file forks. There was no backup of the structures necessary for the integrity of the filesystem in standard HFS. With the not at all uncommon hard lock ups and reboots in MacOS 7.5* to 8.1 one structure is bound to get corrupted, especially if the caching policy for the write cache on the hard drive is set to write-back.

              At any rate, the type of problems present in standard HFS are no longer a factor, backup superblocks and b

      • by zaft (597194)
        Duh, people at Intel don't have offices, you clod.
  • The technology is even less trusted than it already was by end users.
  • by Anonymous Coward on Wednesday December 23, 2009 @05:08AM (#30533834)

    TXT is not about trusting you the user, its about not trusting you. You cannot be trusted not to copy that DVD or BluRay, so Intel and the media companies are arranging to take over your computer. With TXT installed you will not be allowed to do certain operations, and there will be no way around it even with administrator privileges. TXT is about taking away control of your computer and giving it to the big corporations. Only signed software can be installed, so there will be no way around the DRM. The trusted path from media to screen will be enforced by the hardware, and it will refuse to run if anything has been tampered with.

    There is no reason why a user would ever want to have TXT installed on their machine, that cannot already be done with public key based security. The primary difference between traditional public key certificates and TXT, is that in TXT you are not trusted to have access to your own private certificate.

    • by Nursie (632944)

      I had been wondering about that. It seemed to me that it describes a system in which you don't have control of your system and couldn't poke around in the process to find out what it was doing.

      I'll stick with the broken version, thanks.

    • by eallanjr (1069538)
      TXT doesn't HAVE to be about DRM and selling your computer's soul to the big corporations. TrouSerS [sourceforge.net] is a FOSS implementation of the trusted software stack. There are legitimate uses for trusted computing aside from DRM enforcement.

      But I agree that there is probably is very little need for a typical user to be running TXT on their machine; I definitely don't trust MS/MPAA/etc not to abuse the technology
    • by dpilot (134227)

      Let's leave the MafiAA out of this for a moment. Sometimes it seems to me that most users really can't be trusted with their computers.

      Click this link!!!
      Open thie attachment!!!

      The littany goes on and on, and no matter how many times they're warned, they still click that link and open that attachment.

      For that matter, none of us fully trusts ourselves, in all circumstances. After all, we all say, "Never do normal operations as root, only use root as necessary." That's been considered the first line of secu

    • You're talking garbage and have no idea what TXT is or how it works.
    • The problem is that it's not a fundamentally bad idea. Just like you want people to be able to verify the places they're connecting to in a reliable fashion, ensuring that only trusted software can run is on the surface a very good idea -- for example this behavior on the blackberry platform is (IMO) a good part of the reason why you don't hear of much malware for Blackberry. Without access to the Blackberry-specific components, you're very limited in the damage you can do. And without a signed key from R
    • Only signed software can be installed, so there will be no way around the DRM.

      Can the computer industry really go along with this? There are bajillions of software packages that have never been signed.

  • /me wonders when we can expect updated BIOS from Asus and others?

    • Easy, Ship it back to your vendor or reseller. You'll get your system back in a couple of weeks. What? Too long? You have two choices then, 1) Buy a temporary desktop or a laptop (yay free market at work! [/sarcasm]), or 2) buy new BIOS chip to plug in, from your vendor (of course). The chip will have an updated TPM/TXT signature on it. I'm sure that's what Hollywood would want you to do. Don't expect the chip to be cheap or anything though. On second thought, scratch that. Hard drive manufacturers don
  • Sounds like Intel needs to move to the Systematic Hardware Integrated Trust standard...

That does not compute.

Working...