Intel Patches Flaws In Trusted Execution Tech 84

An anonymous reader writes "Joanna Rutkowska's company Invisible Things Lab has issued the results of their research into flaws in Intel's Trusted Execution Technology (TXT), whose function is to provide a mechanism for safe loading of system software and to protect sensitive files. ITL describes how flaws in TXT can be used to compromise the integrity of software loaded via an Intel TXT-based loader in a generic way, fully circumventing any protection TXT is supposed to provide. The attack exploits an implementation error in the so-called SINIT Authenticated Code modules that could potentially allow a malicious attacker to elevate their privileges. Intel has released a patch for the affected chipsets, which include the Q35, GM45, PM45 Express, Q45, and Q43 Express." Here are ITL's press release (PDF) and Intel's advisory.
  • Readme.TXT (Score:5, Insightful)

    by marciot ( 598356 ) on Wednesday December 23, 2009 @12:42AM (#30532638)

    User: Oh, look, someone sent me a text file
    User: *double-click*
    Computer: Launching trusted executable...
    Trojan: Got ya, sucker.

    Seriously Intel, TXT? What were you thinking?

  • Re:Readme.TXT (Score:5, Insightful)

    by mirix ( 1649853 ) on Wednesday December 23, 2009 @01:01AM (#30532704)
    Yeah really. Some dude in his Intel office:
    "Hey Jim, you know what computing needs? more ambiguous acronyms. That would be just grand."
  • by dpilot ( 134227 ) on Wednesday December 23, 2009 @10:39AM (#30535014)

    The issue isn't to build perfectly secure hardware/software, it's to build *sufficiently* secure hardware/software. There really are self-destructing crypto-chips, but those are usually installed in critical hardware where the data involved is sufficiently concentrated and/or valuable that it's worth spending the extra money to protect.

    Let's take a simple testcase... Assume that you want to use crypto-stuff to theft-proof your laptop by turning it into a brick for anyone who doesn't have the secret password/token. In bygone days, that might have been the BIOS password, but it's really simple to remove the battery, etc. That's a simple, cheap way to work around the protection. Many systems have a hard drive password, so let's pretend that it's secure. So the "cost" to steal one of those is a new 2.5" hard drive. Now as the protection becomes more sophisticated, presumably the cost to work around it rises as well. At some point, you're better off buying a new laptop, instead of breaking the protection on a stolen one.

    Similarly with the value of the data. Most of my data is only valuable to me, not to anyone else. So for the most part, it's not worth much to someone else to crack my data protection. It's worth investing some money/resource to protect my data, but why would anyone bother working really hard to get at it? On the other hand, the previously mentioned mainframe may well have hundreds of thousands of credit card or account numbers, or it may have account numbers for lines of credit worth millions of dollars, etc. It's worth much more to crack the mainframe than it is my piddly system.

    So while we may talk about how anything can be broken with physical access, most of the time, especially for Slashdotters' systems, it's just not worth the effort. What we can get off the shelf, TPM or TXT, etc, is probably good enough, probably even overkill.

  • by Proteus Child ( 535173 ) on Wednesday December 23, 2009 @10:40AM (#30535028)

    ...and how many people in the security community started out in the hacker community and took great pains to conceal their real names back then? More to the point, how many people in the security community go to great lengths to dissociate their all-grown-up-now professional lives from their days in the hacker scene because it would call unfavorable attention upon their employers, plus put certain of their expensive certifications in jeopardy?

    Some people spend years hacking around in their basements and don't feel a need to tell anyone about their work. Others "suddenly appear" because they finally feel like publishing something, the work they publish is brilliant, and thus they gain respect for it.
