Platform Security Summit 2018
May 23-24, 2018 · Fairfax, VA
“Give me a place to stand on,
and I will move the earth.”
Modern humans stand on hardware, firmware, software, sensors, networks, standards, finance and law. These are powerful levers for owners, defenders and adversaries. When can we trust the integrity of a mutable lever?
PSEC 2018 brings together security researchers and developers from the open-source ecosystems of OpenEmbedded, Xen Project and OpenXT. During the preceding decade, competing stakeholders of these ecosystems created systems that were battle-tested by adversaries and millions of users.
With a focus on hardware-based security and commercially extensible open source, this event is a must for hardware and firmware engineers, VMM and OS developers, security architects, integrators and senior technical staff. Attend and explore how to build better platforms on which to stand.
There will be a single track of presentations, 8:30 am - 5:30 pm on Wed 23rd and Thu 24th of May. To reserve a seat, please register. For background material, see the list of references.
H A R D W A R E
The Trusted Platform Module (TPM) has been the standard in software integrity measurement and reporting for over 15 years. TPM 2.0 became an ISO standard in 2015, a Windows 10 security requirement in 2018 and is integrated into platforms across the enterprise as a discrete part or as firmware in a TEE. Despite the pain and suffering associated with programming in past TCG APIs, TPM architecture has proven sound and useful.
This talk will cover Intel’s collaboration with partners in the TCG TPM2 Software Stack (TSS2) working group to create a set of usable APIs. Design and craftsmanship of APIs with intuitive, predictable behavior can increase developer adoption and the likelihood of critical infrastructure functioning as intended. We have made TPM2 programming architecture and APIs usable for multiple levels of abstraction and varying constraints. We’ll discuss recent successes, including open-source APIs for environments ranging from embedded firmware to desktops and servers.
The TSS2 APIs are however just a means to an end and so this talk will conclude with a discussion of projects that we aim to enable through these APIs. Specifically—richer functionality in the UEFI firmware environment, hybrid approaches for key management in hardware crypto accelerators, integration with distributed key management infrastructure, the impact of recent OSS work on user freedoms and emerging standards like the Device Identifier Composition Engine (DICE).
Tracing the history of firmware security in Dell BIOS, I will discuss the current implementation of security technologies in Dell BIOS, how we got here, motivations for protecting the BIOS the way we do, and new technologies that the OpenXT community should be aware of. I will cover TPM measurements, what we measure and why; UEFI Secure Boot and how to configure in Dell BIOS setup; Intel BootGuard and its role in protecting the BIOS; transitioning technologies in the last two years and what’s changing in the next two, including pre-boot VT-d and Windows 10 SystemGuard.
In today’s degrading threat landscape we are seeing attack trends that are putting a strain on software-only security solutions. Particularly, well-resourced attackers are increasingly focused on lower levels of the compute stack to gain better control and persistence in endpoints ranging from new IoT devices to well-established PC and printing platforms. There is also an increase in destructive attacks on a scale that is new and concerning, with attacks like NotPetya taking devices offline worldwide in a way that was not recoverable with traditional software techniques.
This talk will discuss HP’s investment in security research and innovation for over two decades, advancing the state of the art in hardware-enforced security and resilience, which helps address these emerging threats. We will discuss how today’s HP business devices have security built-in from the hardware-up, to help protect, detect and remediate attacks, with minimal interruption to users, and we will review how we design systems for cyber-resilience of firmware, software, and operating systems.
Two Sigma Investments
Secure firmware is the foundation of secure systems. If we want to build slightly more secure systems they will require open, auditable and measured firmware. If we can’t read and audit the firmware code, we can’t reason about what is going on during the critical phases of the boot process; if we can’t modify and reproducibly build the firmware, we can’t fix vulnerabilities or tailor it to our needs; and if the firmware isn’t measured and attested, we can’t be certain that our system hasn’t been tampered with.
LinuxBoot is a way to achieve all three of these properties and makes it possible to replace closed source, proprietary firmware with modern, well-tested and user-extensible code. In this talk I’ll present an overview of LinuxBoot, the Heads firmware, and how they work with moderately secure operating systems like Qubes to maintain a chain of trust from the reset vector to launching user VMs on laptops and servers.
Host Firmware is an integral ingredient of platforms at Intel. From the early days of proprietary BIOS in the 1980’s and 1990’s, to the world of standards in the 2000’s, to the post-PC world of the last few years, the nature of firmware has changed. This talk will discuss current trends in standards such as UEFI and associated EDKII firmware, other communities like coreboot, and common denominators like the Intel® Firmware Support Package. For the enterprise, open-source server host firmware and the Open Compute Project (OCP) Open System Firmware (OSF) efforts will also be described, including the recent publication of Min Platform. The talk will also touch on emerging solutions, challenges and market opportunities for more seamless enablement of Intel Architecture.
U.S. National Security Agency
We describe our work to demonstrate an enhanced SMI transfer monitor (STM) to provide protected execution services on the x86 platform. An STM is a hypervisor that executes in x86 system management mode (SMM) and functions as a peer to the hypervisor or operating system. The STM constrains the SMI handler, by hosting the handler in a virtual machine (VM). Otherwise, the SMI handler holds unconstrained access to the platform, which could undermine the assurance provided by DRTM or TXT.
Our STM enhancements create a protected execution capability by extending the STM to support additional VMs (PE/VM). These enhancements utilize the existing capabilities of the x86 processor and, thus, require no additional hardware. We modified an existing hypervisor integrity measurement engine to function in a PE/VM. The related discussion explains how the module can be loaded from a guest virtual machine and how page tables are used to restrict the access that the measurement engine is allowed to memory.
Ensuring and verifying that system launch has executed with only the intended system software is widely accepted as a prerequisite for placing trust in the integrity of a computer system. A variety of hardware and software based technologies are available on commodity computing platforms, with different capabilities and similar-sounding names all aiming to address different aspects of this requirement. To provide clarity for discussion of this topic, this presentation will cover the fundamentals of establishing system integrity at boot and review the modern landscape of boot integrity technologies, with definitions for important terms.
In addition, a new software framework, TrenchBoot, will be presented. We will describe TrenchBoot’s place in the early system software stack, how it leverages the the available boot integrity technologies and the cooperation of earlier launch components to provide a stronger footing for launch of the Operating System. TrenchBoot enables fine-grained platform verification in support of advanced security and assurance use cases. We describe the aim to provide a standard measured launch approach, with an extensible, Open Source, reusable implementation suitable for third-party extension and integration.
Assured Information Security
According to the UEFI specification, measurements of boot components and applications are required if the system has a TPM present. These measurements are referred to as Static Root-of-Trust Measurements (SRTMs). The SRTMs only extend to the firmware and the EFI applications it launches. However, modern operating systems have many moving components that are critical to the security and integrity of the system as a whole. In the case of Linux for example, hijacking the initramfs or even just being able to manipulate the boot parameters can prove to be disastrous.
The problem is also present for systems such as Xen, which is the cornerstone of both QubesOS and OpenXT. While Xen can be included in the SRTM measurements, if it is booted directly by the UEFI firmware (ie. without GRUB), none of its critical components —such as the XSM policy, dom0 kernel or the command line arguments — would be measured.
We have extended the shim EFI loader and Xen to allow measurement to be made of these critical components during boot. Using these measurements, it is possible to implement Anti-Evil Maid solutions without the use of Intel TXT, enabling a practical solution for non-Intel hardware. That said, the solution is compatible with TXT, allowing for deployments where the end of the SRTM chain is the start of the DRTM, thus eliminating the traditional “gap” present in DRTM solutions.
Recent years have given rise to varied new hardware security primitives, such as the Trusted Platform Module, AMD SEV, Intel SGX, and Intel Boot Guard. Each of these depends on a silicon root of trust that is controlled by its manufacturer, is tightly integrated with the desired functionality of the system, and is difficult to separate out. By adding a physically distinct chip with an easily understood and controlled root of trust, a design can achieve defense in depth against single-point compromise of boot integrity. This is particularly true if the chip design is open sourced and available for inspection and third party implementation.
We report the success of a project that Google performed as a proof-of-concept for increasing confidence in first-instruction integrity across a variety of server and peripheral environments. We begin by motivating the problem of first-instruction integrity and share the lessons learned from our proof-of-concept implementation. Our goal in sharing this information is to increase industry support and engagement for similar designs. Notable features include a vendor-agnostic capability to interpose on the SPI peripheral bus (from which bootstrap firmware is loaded upon power-on in a wide variety of devices today) without negatively impacting the efficacy of any existing vendor- or device-specific integrity mechanisms, thereby providing additional defense-in-depth.
U.S. National Security Agency
Securing complex systems involves trusting many distinct parts to function correctly and remain correct while the system is running. Modern systems use measurement and signature checks to attempt to ensure that malicious software cannot hijack this process during each step of the boot process. This means that the platform is at its most trusted state early in its boot phase, and potentially becomes less trusted with each unsigned or unmeasured interaction.
The dynamic root of trust provided by TXT/TBOOT restarts this process: once it runs, the current trusted computing base (TCB) of the platform contains only the ACM, STM or SMM, and the OS launched by TBOOT (Xen). This smaller TCB may exclude large parts of the EFI firmware, temporarily mitigating any attacks taking advantage of bugs in that code. However, most platform drivers need to use the information provided by the firmware to be useful - either directly via ACPI tables or by making assumptions about device state. Since those drivers normally run in ring 0 of the Linux kernel in Xen’s dom0, the platform’s TCB quickly re-inflates to its previous size. However, it is possible to create domains before expanding the TCB in this way, and the hardware domain does not need to be the most privileged domain on the system.
This talk will discuss the domain builder and hardware domain split in Xen, its use in securing drivers for the virtual TPM subsystem, and how it can also be used to maintain the smaller TCB for domains created after the platform is fully up and running.
The UEFI Secure Boot protocol is used to verify the authenticity of a Portable Executable (PE) binary before it is loaded and executed. Usually, this is a second stage bootloader, e.g. GRUB2, or an operating system kernel. Fedora’s Shim and Linux Foundation’s PreLoader are extensions to UEFI Secure Boot which make the authentication process more flexible. This presentation will deal with the most important aspects of UEFI Secure Boot and Shim. Additionally, it will discuss how the Xen hypervisor’s boot process can be protected with UEFI Secure Boot and a Shim binary. The presentation will show what is needed to make UEFI Secure Boot and Shim usable when booting Xen with GRUB2.
Portland State University
This talk provides a short overview of EPA-RIMM, an Extensible Performance-Aware Runtime Integrity Measurement Mechanism being developed at Portland State University. EPA-RIMM identifies the presence of hypervisor and operating system-resident rootkits by detecting unexpected changes in system state. The talk will introduce our Xen and Linux-based prototypes, our extensions to open-source UEFI firmware, the achieved performance, and detection capabilities.
EPA-RIMM features a System Management Mode (SMM)-based measurement agent that operates in a de-privileged virtual machine, leveraging a protection policy applied by Intel’s SMI Transfer Monitor (STM). This applies the principle of least privilege to the measurement agent while still accomplishing effective rootkit detection. EPA-RIMM minimizes its impact on the system by decomposing large measurements into sequences of smaller inspections to reduce the time spent in a single SMM session. With its extensible measurement API, EPA-RIMM can dynamically vary the monitored resources on each inspection to complicate an attacker’s ability to derive the measurement target. EPA-RIMM also utilizes its measurement API to avoid building host software contextual information into the measurement agent. These features of EPA-RIMM make SMM-based measurements flexible, more secure, and effective. EPA-RIMM’s results suggest that it can meet production-level performance goals while monitoring key OS and hypervisor data structures for signs of attack.
Wind River Systems
Since 2003, OpenEmbedded (OE) has provided a best-in-class build automation and cross-compilation framework for embedded device operating system images. Since 2011, Linux Foundation’s Yocto Project (YP) has co-developed the OE build system and augmented it into a set of tools and a reference Linux distribution for commercial customization. OE and YP employ layers of BitBake recipe metadata to separate concerns of architecture, applications, distributions, platforms and collaborating vendors.
OE layers enable customization, optionality and fit for diverse use cases, without sacrificing collaboration on common components and tooling. The economics are compelling for commercial use: engineering investment can be focused on the unique aspects of each system, tailored to purpose, while leveraging OE’s curated layers of high-quality supported software. Layer-specific mailing lists are used for coordination.
The meta-virtualization layer includes Xen and virtualization-related technologies such as libvirt, SeaBIOS and Open vSwitch, in addition to LXC, OCI, Moby Project, Kubernetes and Linux KVM. This talk will introduce the layer, its components, contributors and technology. It will discuss Wind River’s use of OE in commercial products that support secured devices. We will present Wind River’s secure boot requirements and the components and layers used to build devices.
U.S. Air Force Research Laboratory
SecureView is an Air Force developed multi-network access solution that provides users with the ability to access multiple environments on a single workstation. It is a low-cost, non-proprietary solution that is based on commodity hardware and open-source virtualization technology. It is a flexible solution to address a wide variety of use cases.
- Windows and Linux guests
- Dynamic support for both thick and thin-client computing models
- Single or multiple wires to desktop
- CSfC Suite-B VPN and DaR
- Consolidated view of multiple security domains
- Keyboard based awareness
- Enterprise scalability
- Desktops, laptops, and tablets
- Reduces footprint, power and cost
U.S. Naval Research Laboratory
We explain how the strong security separation provided by separation VMMs is preserved under enterprise scale use. Enterprise scale use includes multiple separation policies, composite policies on individual hosts, multiple service level agreements addressing different threat models, and support for elasticity. We explain how an enclave abstraction accomplishes this and describe an architecture that uses Xenon’s MSM security module to support the enclave abstraction on local hosts.
Hypervisors have a key role in Platform Security, leveraging a reduced attack surface to provide robust isolation and containment in a way that commodity operating systems have proven too complex to provide. Over the last 17 years, the speaker has been intimately involved with building 4 hypervisors that have been used in a number of applications with extremely demanding security requirements: Xen, XenClient, Bromium vSentry and AX.
Each hypervisor is a product of its time, trying to make best use of the available hardware capabilities to meet product design goals, capabilities and performance, building on our growing knowledge of architectural and implementation strengths and weaknesses. With each new hypervisor, the importance of security as an overriding design goal has grown, and has been the primary driver leading to the different architectural design decisions taken in each case.
This talk will examine the design evolution across the 4 hypervisors, talking about the lessons learned and how those decisions have stood the test of time, through security research and adversary action.
Recent developments in Xen and Linux now provide an environment in which it is possible to effectively limit the privilege of QEMU running as a device emulator in a privileged domain. This talk will discuss how dm (device model) op hypercall, file handle restriction in privcmd, libxentoolcore and the acquire_resources new memory op all contribute to the security of a system using QEMU as device emulator for untrusted guests.
Assured Information Security
Most people think that hypervisors are meant to virtualize servers and provide a means to run Windows on a Mac, but there is a whole field of research where hypervisors are used without guest virtual machines, for introspection, reverse engineering, anti-virus, containerization and diversity.
Bareflank is an open source (LGPL v2.1) lightweight hypervisor that aims to provide all of the scaffolding needed to rapidly prototype new hypervisors via open source or proprietary extensions. Bareflank has support for Linux and Windows on Intel 64-bit CPUs, with planned support for OS X, UEFI, ARM and AMD. Bareflank is written in C++ with support for the C++ STL via libc++. Thanks to inheritance and modular design, Bareflank makes it simple to extend and create your own hypervisor, with step-by-step examples that demonstrate custom extensions.
In addition to Bareflank’s lightweight, modular design, the hypervisor has been written using test driven development. All Bareflank code includes unit tests to validate that the provided code works as expected. This presentation will be an introduction to the Bareflank Hypervisor and our plans for 2018/2019. Topics to be covered include:
- OpenXT research on Bareflank
- Xen PV interface on Bareflank
- OpenXT service VMs on Bareflank
U.S. Air Force Research Lab
Bear is a minimalist operating system design aimed at scalable multiprocessor systems whose primary goal is resilience. The design is expressly targeted toward critical military applications for the purpose of operating through failures, errors, and malicious attacks. Lessons learned from several key proof-of-concept components, implemented as Linux kernel modules, were incorporated into a new from scratch system.
University of California at Irvine
A modern software system is a composition of highly complex parts: operating systems, middleware, libraries, servers, and more. In principle, compositionality of interfaces means we can understand each module independently of the internal workings of other parts. In practice, abstractions are leaky and software systems grow in complexity with every generation. Traditional ways of understanding failure, execution and performance are reaching their limits in the face of emergent behavior, unrepeatability, cross-component execution, software aging, and targeted security attacks.
Deterministic systems analysis has the potential to change the way we analyze and debug software systems. Once recorded, the execution of the system becomes an independent artifact that can be analyzed offline. With complete system state, guaranteed re-execution behavior and no limitation on run-time complexity of analysis, we can perform deep, iterative and automatic exploration of a system’s dynamic properties.
This work creates a foundation for deterministic replay as a ubiquitous system analysis tool. We define design and engineering principles for building fast and practical replay machines, to capture operating system execution with an overhead of several percent, on a realistic workload, with minimal installation cost. We implement an intuitive interface for replay analysis. Our VM introspection layer allows analysis algorithms to be programmed against the state of the recorded system through familiar source-level variable and type names. For performance analysis, the replay engine provides a faithful performance model of the original execution.
High-reliability and mission assurance for critical systems, especially in embedded or non-enterprise use cases, require engineers to make mindful decisions at every layer of the software and hardware stack. Star Lab’s Crucible Security Suite, powered by the Xen Project hypervisor, provides the tools and techniques to confront these challenges by combining mature open-source technologies with years of domain-specific expertise.
This talk will cover why and how Star Lab leverages OpenEmbedded, Yocto Project, tboot, and Xen to provide a secure embedded virtualization platform, with particular focus on processing determinism, resource isolation, and runtime integrity. The audience will see how the tailored use of Xen provides the flexibility of virtualization to operational technology (OT) domains, where performance and security are paramount concerns for every deployment.
This presentation introduces Magrana Server, a high-security server virtualization platform built upon open-source XenServer. Magrana Server disaggregates services that share resources into separate VMs, called service virtual machines (SVMs). Each enclave has a separate set of SVMs which support the hosted operational VMs within each enclave. This design isolates enclaves, preventing information from flowing between enclaves. Magrana Server further protects each enclave through a variety of techniques, including a comprehensive mandatory access control policy and end-to-end encryption for both data-in-transit and data-at-rest.
The technologies provided by VMMs for communication between VMs have a critical impact on VM isolation properties, on the confidence components can have in the delivery of data and in the integrity of the data that is received. This talk will identify aspects of inter-VM communication system architecture that support important properties that are valuable for building secure systems.
We will introduce terminology to enable classification of the existing body of art and survey relevant communication technologies in modern hypervisor, OS and microkernel systems. We will also present an example, an inter-VM communication mechanism developed for the Xen hypervisor, and how it is distinguished from other available communication channels on the Xen platform and elsewhere.
David A. Wheeler
The Institute for Defense Analyses
This talk will discuss open source software (OSS) and the US Department of Defense (DoD). It will discuss current policies, including the NDAA 2018 section on OSS. It will explain that open source software is commercial software – and why that is so important. It will also cover the key legal requirements for releasing software as OSS when it’s developed using DoD funds.
The Xen Project is unique in its breadth of adoption and diverse contributions. Many vendors in the ecosystem are not directly competing, enabling collaboration which otherwise would not be possible. While hypervisors were once seen as purely cloud and server technologies, they are now used in many market segments to add compartmentalization and layers of security. This has led to renewed focus on older technologies, such as L4Re/seL4 and new technologies such as zircon, ACRN and others.
Meanwhile, the Xen Project has been trailblazing in adopting virtualization in new market segments and continues to innovate and set the direction for the industry. This has enabled downstream Xen developers to build viable businesses and products in areas such as security and embedded. This talk will cover Xen feature changes that are driven by security needs, and the challenges of safety certification within the context of open source projects and Xen Project in particular.
Ad fraud yields a higher lifetime value per infection than anything else you can do with a botnet. As a result, top tier operators have gone to extraordinary lengths to make bots as lifelike as possible to evade detection. In this talk, we will review:
- The state of the art in bot behavior, evasion, and anti-forensics. Hint: the adversary can use machine learning, too, and they have lots of real people to clone, emulate, or train off of
- Why even well-studied malware families like Kovter are still alive and kicking
- Breakthrough techniques in running an arms race against an adversary you must model as at least as smart as you and almost certainly better resourced than you
- Deception and strategic indeterminacy: Getting inside the OODA loop of an adaptive adversary by denying immediate success/fail feedback
- Corollary: put security through obscurity back in your playbook
- Cui bono? Playable moves when you can detect an adversary, they can’t tell they’ve been detected, and you can see which bank accounts benefit from what they attempted
How do norms, rules and trust help shape future behavior and decisions of human agents? This presentation will describe how the study and synthesis of legal, as well as broader normative theories can lead to a better understanding of agent trust and decisions made under uncertainty.
It will describe a model of authority found in common law agency, specifically the delegation of actual authority from a principal to a human agent. Other important agency concepts will also be discussed including interpretation, information asymmetry and agent autonomy.
Further refinement of such a model could have important applications in the area of machine autonomy. For example, by confining a non-human, autonomous agent to those actions that are deemed reasonable under a theory of agency, a greater degree of assurance and trust might be gained in the agent. Other potential applications of the proposed model include risk management, decision support and automated policy design.
Platform owners can use open source to Commoditize Your Complement (CYC). While early commoditizers can reap benefits, the long-term result can be an economic race to the bottom if more players employ CYC strategies and ecosystem margins shrink.
This talk will present a model for a platform ecosystem of complementors to compete with vertically integrated single-vendor platforms.