Hardware Assurance

  • Malware for hardware? Of course!

  • Supply chain assessments

    • Trust off-the-shelf (COTS) products? Unknown provenance of every component, from chips to firmware

    • Vendor Assessment

      • Risk management

      • Support

      • Forensic assistance

      • Historical reliability

    • Second-hand / grey market

    • Trusted Foundry – accredited fabrication where design, manufacturing and packaging of the chip are verified end to end

  • Hardware Root of Trust (RoT) or Trust Anchor

    • Secure subsystem providing attestation

    • RoT implemented as a Trusted Platform Module (TPM) chip

      • Cryptographic processor plus protected storage for keys

      • Endorsement key (EK): unique key pair burned in at manufacture; identifies the chip and anchors attestation

      • Tamper-resistant. Crypto-shredding: destroying the key inside the TPM makes everything encrypted under it unrecoverable

      • PUF – Physical Unclonable Function: derives a per-chip secret from manufacturing variation instead of stored key material

      • tpm.msc – Windows TPM management console (status, ownership, clear)

    • Hardware Security Modules (HSM)

      • Alternative to the on-board TPM for storing and using keys at scale (servers, CAs, payment systems)

      • Removable, appliance or PCI card

      • Entrust

      • Thales

      • Enabled for cloud services as well

      • Cryptographic key storage offered as a cloud service is called a vault (e.g., Azure Key Vault), which may be backed by HSMs

    • Trusted firmware

      • Firmware runs with the highest privileges, below the OS, so firmware compromise persists across reinstalls and is invisible to OS-level controls

      • BIOS (legacy; does not verify the bootloader's signature)

      • UEFI

        • Secure Boot: the firmware only executes bootloaders and drivers whose signatures chain to a certificate in its trusted database (db); anything else is refused

        • Measured Boot and attestation: each boot component is hashed into TPM PCRs before it runs; the TPM signs the PCR values so a remote verifier (e.g., a NAC system) can check the boot state before granting network access
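As an added example (not code from the original notes), the following Go program simulates Measured Boot and remote attestation end to end: each boot component is hashed and extended into a PCR, the TPM signs the PCR value together with a verifier-supplied nonce using an attestation key, and the verifier (the NAC side) checks the signature, the nonce and the PCR against a golden value. The boot chain, the single-PCR layout, the nonce and the key names are constructed assumptions for illustration; the extend rule SHA-256(old PCR || measurement) is the real TPM operation.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed stand-in for the boot chain a UEFI firmware measures, in order.
// Which PCR holds which component is defined by the TCG PC Client spec;
// here one PCR is used for the whole chain to keep the example short.
var bootChain = [][]byte{
	[]byte("UEFI firmware volume"),
	[]byte("bootloader shim.efi"),
	[]byte("OS kernel vmlinuz"),
}

// pcrExtend implements the TPM extend operation: a PCR never takes a value
// directly; it only moves to SHA-256(old PCR || new measurement), so the
// final value depends on every component and on their order.
func pcrExtend(pcr [32]byte, component []byte) [32]byte {
	measurement := sha256.Sum256(component)
	return sha256.Sum256(append(pcr[:], measurement[:]...))
}

// measureBoot replays a boot chain from the reset value (all zeros) and
// returns the resulting PCR value.
func measureBoot(chain [][]byte) [32]byte {
	var pcr [32]byte // PCRs start at zero on reset
	for _, c := range chain {
		pcr = pcrExtend(pcr, c)
	}
	return pcr
}

// quote is what the TPM hands to a remote verifier: the PCR value, the
// verifier's nonce (prevents replay of an old quote) and a signature over
// both made with the attestation key that lives inside the TPM.
type quote struct {
	PCR   [32]byte
	Nonce []byte
	Sig   []byte
}

func makeQuote(ak *ecdsa.PrivateKey, pcr [32]byte, nonce []byte) (quote, error) {
	digest := sha256.Sum256(append(pcr[:], nonce...))
	sig, err := ecdsa.SignASN1(rand.Reader, ak, digest[:])
	return quote{PCR: pcr, Nonce: nonce, Sig: sig}, err
}

// verifyQuote is the NAC / attestation-server side: check the nonce, check
// the signature with the TPM's public attestation key, then compare the PCR
// to the golden value recorded for a known-good build.
func verifyQuote(akPub *ecdsa.PublicKey, q quote, nonce []byte, golden [32]byte) bool {
	if !bytes.Equal(q.Nonce, nonce) {
		return false
	}
	digest := sha256.Sum256(append(q.PCR[:], q.Nonce...))
	if !ecdsa.VerifyASN1(akPub, digest[:], q.Sig) {
		return false
	}
	return q.PCR == golden
}

func main() {
	ak, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // attestation key
	golden := measureBoot(bootChain)                           // recorded from a known-good boot
	nonce := []byte("verifier-nonce-1")                        // constructed nonce

	// Healthy boot: measurements match the golden value.
	q, _ := makeQuote(ak, measureBoot(bootChain), nonce)
	fmt.Println("golden PCR:", hex.EncodeToString(golden[:]))
	fmt.Println("trusted boot admitted:", verifyQuote(&ak.PublicKey, q, nonce, golden))

	// Tampered kernel: a few bytes changed, the PCR changes completely.
	tampered := [][]byte{bootChain[0], bootChain[1], []byte("OS kernel vmlinuz (bootkit)")}
	q2, _ := makeQuote(ak, measureBoot(tampered), nonce)
	fmt.Println("tampered boot admitted:", verifyQuote(&ak.PublicKey, q2, nonce, golden))
}
```

The nonce is what turns a signed PCR value into attestation: without it an attacker who captured one good quote could replay it forever, which is why a NAC server must generate a fresh nonce per connection attempt.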

      • Trusted firmware updates

        • Whose digital signatures do you trust? An update is only as trustworthy as the signing key and the trust list it is checked against

        • Intel Boot Guard: the CPU verifies the initial boot block against a key hash fused into the platform before executing any firmware

      • eFuse

        • One-time programmable fuse bits; a blown fuse can never be reset

        • A firmware update can blow one fuse, so the fuse count works as a monotonic version counter

        • Firmware older than the fuse count is refused (anti-rollback); a fuse count that does not match the expected version signals tampering
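The two checks above (whose signature do we trust, and is this image newer than what the fuses already commit us to) as one added Go example; this is illustrative code, not the notes' or any vendor's implementation. The image format, the signer identifiers and the "one fuse per version step" rule are constructed assumptions; the signature check itself is ordinary ECDSA over SHA-256 of the version header plus payload.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// firmwareImage is a constructed stand-in for an update capsule: a version
// number in the header, the payload, a signature over both, and a hint of
// which key signed it. The hint is never trusted on its own.
type firmwareImage struct {
	Version  uint32
	Payload  []byte
	Sig      []byte
	SignerID string
}

// signedBody is the exact byte sequence the vendor signs. The version is
// bound into the signature so an old image cannot be relabelled as new.
func signedBody(version uint32, payload []byte) []byte {
	b := []byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)}
	return append(b, payload...)
}

func signImage(key *ecdsa.PrivateKey, signerID string, version uint32, payload []byte) (firmwareImage, error) {
	d := sha256.Sum256(signedBody(version, payload))
	sig, err := ecdsa.SignASN1(rand.Reader, key, d[:])
	return firmwareImage{Version: version, Payload: payload, Sig: sig, SignerID: signerID}, err
}

// rootOfTrust models the immutable part of the platform: the signer keys it
// trusts (e.g. a key hash fused in for Boot Guard) and a monotonic version
// counter implemented as a count of blown eFuses.
type rootOfTrust struct {
	trustedKeys map[string]*ecdsa.PublicKey
	blownFuses  uint32
}

var (
	errUntrustedSigner = errors.New("signer not in trust list")
	errBadSignature    = errors.New("signature does not verify")
	errRollback        = errors.New("image version older than fuse count")
)

// verifyAndInstall performs the checks in order: is the signer trusted, does
// the signature verify, is the version at least the fuse count. On success
// the fuse counter is advanced to the new version; fuses only ever blow.
func (r *rootOfTrust) verifyAndInstall(img firmwareImage) error {
	pub, ok := r.trustedKeys[img.SignerID]
	if !ok {
		return errUntrustedSigner
	}
	d := sha256.Sum256(signedBody(img.Version, img.Payload))
	if !ecdsa.VerifyASN1(pub, d[:], img.Sig) {
		return errBadSignature
	}
	if img.Version < r.blownFuses {
		return errRollback
	}
	for r.blownFuses < img.Version {
		r.blownFuses++ // one fuse per version step, irreversible
	}
	return nil
}

func main() {
	vendor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rt := &rootOfTrust{trustedKeys: map[string]*ecdsa.PublicKey{"vendor": &vendor.PublicKey}}

	v3, _ := signImage(vendor, "vendor", 3, []byte("firmware v3"))
	fmt.Println("install v3:", rt.verifyAndInstall(v3), "fuses blown:", rt.blownFuses)

	v2, _ := signImage(vendor, "vendor", 2, []byte("firmware v2 (known bug)"))
	fmt.Println("install v2 (rollback):", rt.verifyAndInstall(v2))

	forged, _ := signImage(attacker, "vendor", 4, []byte("implant"))
	fmt.Println("install forged v4:", rt.verifyAndInstall(forged))

	v3.Payload = []byte("firmware v3 modified in transit")
	fmt.Println("install modified v3:", rt.verifyAndInstall(v3))
}
```

Note the ordering: the signature is checked before the version, so an attacker cannot burn fuses (a denial-of-service against future legitimate updates) by presenting an unsigned image with a huge version number.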

      • Self-Encrypting Drives (SEDs)

        • Offload crypto operations to the drive controller; data is always encrypted at rest with no host CPU cost

        • Media Encryption Key (MEK): random key that encrypts the platter/NAND contents; never leaves the drive

        • Key Encryption Key (KEK): derived from the user's credential and used to wrap the MEK; changing the password only re-wraps the MEK, and erasing the MEK is an instant crypto-shred

        • TPM vs password: the KEK can be unlocked by a pre-boot password or released by the TPM only when the boot measurements match
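The MEK/KEK hierarchy and crypto-shredding (the TPM bullet above and the SED bullets here) as an added Go example, not code from the original notes or any drive vendor. It assumes the KEK is derived from a password with an iterated HMAC-SHA256 loop standing in for PBKDF2, AES-256-GCM for both wrapping the MEK and encrypting the media, and a constructed in-memory "drive"; a TPM-backed unlock would supply the same secret only after a successful measured boot.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const kdfIterations = 10000 // slows password guessing against a stolen drive

var (
	errWrongSecret = errors.New("unlock secret does not unwrap the MEK")
	errShredded    = errors.New("drive has been crypto-shredded; no MEK exists")
)

// deriveKEK turns the unlock secret (password, or a value released by the
// TPM) into a 256-bit key encryption key. Iterated HMAC-SHA256 is used here
// as a stand-in for PBKDF2.
func deriveKEK(secret, salt []byte) []byte {
	out := salt
	for i := 0; i < kdfIterations; i++ {
		m := hmac.New(sha256.New, secret)
		m.Write(out)
		out = m.Sum(nil)
	}
	return out // 32 bytes, usable directly as an AES-256 key
}

// seal encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key fails authentication rather than
// returning garbage.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// sed is a constructed in-memory drive: the wrapped MEK is the only copy of
// the MEK at rest, and the media is only ever stored encrypted under it.
type sed struct {
	salt       []byte
	wrappedMEK []byte
	media      []byte
}

// provision generates a fresh MEK, wraps it under the KEK and writes data.
func provision(secret, data []byte) (*sed, error) {
	mek := make([]byte, 32)
	salt := make([]byte, 16)
	if _, err := rand.Read(mek); err != nil {
		return nil, err
	}
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	wrapped, err := seal(deriveKEK(secret, salt), mek)
	if err != nil {
		return nil, err
	}
	media, err := seal(mek, data)
	if err != nil {
		return nil, err
	}
	return &sed{salt: salt, wrappedMEK: wrapped, media: media}, nil
}

// unlock unwraps the MEK with the KEK and decrypts the media.
func (d *sed) unlock(secret []byte) ([]byte, error) {
	if d.wrappedMEK == nil {
		return nil, errShredded
	}
	mek, err := open(deriveKEK(secret, d.salt), d.wrappedMEK)
	if err != nil {
		return nil, errWrongSecret
	}
	return open(mek, d.media)
}

// changeSecret re-wraps the MEK under a new KEK; the media is untouched.
func (d *sed) changeSecret(oldSecret, newSecret []byte) error {
	if d.wrappedMEK == nil {
		return errShredded
	}
	mek, err := open(deriveKEK(oldSecret, d.salt), d.wrappedMEK)
	if err != nil {
		return errWrongSecret
	}
	wrapped, err := seal(deriveKEK(newSecret, d.salt), mek)
	if err != nil {
		return err
	}
	d.wrappedMEK = wrapped
	return nil
}

// cryptoShred erases the wrapped MEK: the media stays on the drive but
// nothing can ever decrypt it again.
func (d *sed) cryptoShred() { d.wrappedMEK = nil }

func main() {
	d, _ := provision([]byte("pre-boot password"), []byte("constructed user data"))
	got, err := d.unlock([]byte("pre-boot password"))
	fmt.Printf("unlock: %q err=%v\n", got, err)
	d.cryptoShred()
	_, err = d.unlock([]byte("pre-boot password"))
	fmt.Println("after shred:", err, "media bytes still present:", len(d.media))
}
```

The design point is the size asymmetry: a password change or a secure erase touches only the 32-byte MEK wrapper, while the terabytes of media never need to be rewritten.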

      • Secure Processing

        • Trusted execution – the TPM / measured boot validates the OS kernel before it runs

        • Secure enclave – isolated memory region holding a process's keys and sensitive code; not readable by other processes, the OS or the hypervisor

        • Processor Security Extensions – low-level instructions that implement these protections

          • SME (AMD) – Secure Memory Encryption

          • TXT (Intel) – Trusted Execution Technology

          • SGX (Intel) – Software Guard Extensions (enclaves)

        • Atomic execution – an operation that cannot be interrupted part-way, so a check and the action that depends on it happen as one step; protects against race conditions

          • TOC/TOU – time-of-check / time-of-use: the state that was checked is changed before it is used

        • Bus encryption – protects data in transit between components on the hardware bus (e.g., CPU to memory or CPU to TPM), so probing the bus yields only ciphertext
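The TOC/TOU race and the atomic fix, as an added Go example that is not part of the original notes. The scenario (a balance check followed by a withdrawal, run from many goroutines) is constructed; the hardware mapping is compare-and-swap, which is the atomic instruction that lets the check and the update succeed or fail as one indivisible step.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// account keeps its balance in a single machine word so it can be updated
// with hardware atomic instructions.
type account struct {
	balance int64
}

// withdrawRacy is the TOC/TOU pattern: the balance is read and checked
// (time of check), then decremented in a separate step (time of use).
// Another goroutine can withdraw between the two steps, so both pass the
// check and the balance can go negative. Each individual access is atomic;
// the flaw is that the check and the use are not one atomic operation.
func (a *account) withdrawRacy(amount int64) bool {
	if atomic.LoadInt64(&a.balance) >= amount { // time of check
		atomic.AddInt64(&a.balance, -amount) // time of use
		return true
	}
	return false
}

// withdrawAtomic makes check and use indivisible: CompareAndSwap only
// writes if the balance is still the value we checked; otherwise the state
// changed under us and we re-check.
func (a *account) withdrawAtomic(amount int64) bool {
	for {
		cur := atomic.LoadInt64(&a.balance)
		if cur < amount {
			return false
		}
		if atomic.CompareAndSwapInt64(&a.balance, cur, cur-amount) {
			return true
		}
		// lost the race to another withdrawal; loop and re-check
	}
}

// run fires n concurrent withdrawals of amount against a fresh account and
// returns (number of successful withdrawals, final balance).
func run(start int64, n int, amount int64, withdraw func(*account, int64) bool) (int64, int64) {
	a := &account{balance: start}
	var ok int64
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if withdraw(a, amount) {
				atomic.AddInt64(&ok, 1)
			}
		}()
	}
	wg.Wait()
	return ok, atomic.LoadInt64(&a.balance)
}

func main() {
	ok, bal := run(100, 1000, 10, (*account).withdrawRacy)
	fmt.Printf("racy:   %d withdrawals succeeded, final balance %d\n", ok, bal)
	ok, bal = run(100, 1000, 10, (*account).withdrawAtomic)
	fmt.Printf("atomic: %d withdrawals succeeded, final balance %d\n", ok, bal)
}
```

The racy version may report more than 10 successes and a negative balance depending on scheduling; the atomic version always reports exactly 10 and a balance of 0. The same pattern appears in the kernel with stat-then-open on a path an attacker can swap, and the fix is the same: do the check and the use in one operation the attacker cannot interleave.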
