Re: CSI 2008 Redux

[Matthijs Koot <matthijs () koot biz>]

Hi RB,

RB wrote:
> Leaving the trust issue alone, I find it entirely regrettable that so
> many seem to have blindly swallowed the "Right to Read" hype and
> simply assume TPM chips are evil insilicate.  I detest DRM & Big
> Brother as much as your garden-variety Libertarian, but while trying
> to solve the very difficult physical presence security problem a
> couple of years ago, I decided to try to examine them for what they
> are.  Needless to say, I was surprised: although TPM chips certainly
> could provide the building blocks to do what we all fear, they're
> generally quite benign, more analogous to an integrated smartcard than
> an evil overlord's rootkit.

You mention that you were looking at TPM "while trying to solve the
(...) physical presence security problem". Although you didn't claim
that TPMs provide any solution there, I'd like to emphasize (for other
readers) that according to the TCG-specs, TPM is not designed to protect
itself against non-"simple" hardware attacks:

"The commands that the trusted process sends to the TPM are the normal
TPM commands with a modifier that indicates that the trusted process
initiated the command. The TPM accepts the command as coming from the
trusted process merely due to the fact that the modifier is set. The TPM
itself is not responsible how the signal is asserted; only that it
honors the assertions. The TPM cannot verify the validity of the
modifier. (...) The assumption is that to spoof the modifier to the TPM
requires more than just a simple hardware attack but would require
expertise and possibly special hardware."
(source: page 86 of the "Design Principles", TCG TPM Specification
Version 1.2 Revision 103)

So 1) being able to manipulate the (locality) modifier is bad, and
2) TPM only provides modest protection against attacker's with physical
access. The TCG-people confirm this: TPM is intended to protect against
software-based threats (which it may not do very effectively, as
Joanna's post suggested, as long as integrity checks can only be done at
boot/load-time).

> association.  It is _just_ a [presumed] secure cryptography facility
> that supports a wide variety of functionality.

Although you didn't claim the opposite, it may be useful to mention that
the TPM does not directly expose an interface to its encryption
capabilities: TPM does not (yet?) give us general-purpose
hardware-accelerated encryption. I'm not sure about hashing and signing.

Btw, it is interesting to see TPM being discussed so gentle and
reasonable on this list. Perhaps everyone's anticipating TPM to become a
new fun target for pentesting :)

The book "A Practical Guide to Trusted Computing" (David Challener et
al., 2008) makes a nice read.

Regards,
Matthijs
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave