Hardware Assurance

Malware for hardware? Of course!
Supply chain assessments
- Trust off the shelf products?
- Vendor Assessment
  - Risk management
  - Support
  - Forensic assistance
  - Historical reliability
- Second-hand / grey market
- Trusted Foundry
Hardware Root of Trust (RoT) or Trust Anchor
- Secure subsystem providing attestation
- RoT implemented as a Trusted Platform Module (TPM) chip
  - Crytpographic processor and storage
  - Endorsement key
  - Tamper proof. Crypto shredding
  - PUF – Physical Unclonable Function
  - Tpm.msc
- Hardware Security Modules (HSM)
  - Alternative to TPM
  - Removable, appliance or PCI card
  - Entrust
  - Thales
  - Enabled for cloud services as well
  - Cryptographic storage in the cloud is called a vault
- Trusted firmware
  - Firmware runs with highest privileges
  - BIOS
  - UEFI
    Secure boot (digital certs)
    Measured boot and attestation (for NAC systems)
  - Trusted Frimware updates
    Whose digital signatures do you trust?
    Intel Boot Guard
  - eFuse
    Each firmware update blows one fuse
    Number of blown fuses => number of updates/tampering
  - Self encrypting Drives (SEDs)
    Offload crypto operations to the drive itself
    Media Encryption Key (MEK)
    Key Encryption Key (KEK)
    TPM vs password
  - Secure Processing
    Trusted execution – TPM validates OS kernel
    Secure enclave – Secure area by a process for crytopgraphic keys
    Processor Security Extension – Low level instructions
    SME (AMD)
    TXT (Intel)
    SGE (Intel)
    Atomic execution – Protects against race conditions and buffer overflows
    TOC/TOU
    Bus encryption – Secure data in transit in the hardware.

PreviousEndpoint Security and Behavior Analysis NextBlackholes and Sinkholes

Last updated 2 years ago

Hardware Assurance

Malware for hardware? Of course!
Supply chain assessments
- Trust off the shelf products?
- Vendor Assessment
  - Risk management
  - Support
  - Forensic assistance
  - Historical reliability
- Second-hand / grey market
- Trusted Foundry
Hardware Root of Trust (RoT) or Trust Anchor
- Secure subsystem providing attestation
- RoT implemented as a Trusted Platform Module (TPM) chip
  - Crytpographic processor and storage
  - Endorsement key
  - Tamper proof. Crypto shredding
  - PUF – Physical Unclonable Function
  - Tpm.msc
- Hardware Security Modules (HSM)
  - Alternative to TPM
  - Removable, appliance or PCI card
  - Entrust
  - Thales
  - Enabled for cloud services as well
  - Cryptographic storage in the cloud is called a vault
- Trusted firmware
  - Firmware runs with highest privileges
  - BIOS
  - UEFI
    Secure boot (digital certs)
    Measured boot and attestation (for NAC systems)
  - Trusted Frimware updates
    Whose digital signatures do you trust?
    Intel Boot Guard
  - eFuse
    Each firmware update blows one fuse
    Number of blown fuses => number of updates/tampering
  - Self encrypting Drives (SEDs)
    Offload crypto operations to the drive itself
    Media Encryption Key (MEK)
    Key Encryption Key (KEK)
    TPM vs password
  - Secure Processing
    Trusted execution – TPM validates OS kernel
    Secure enclave – Secure area by a process for crytopgraphic keys
    Processor Security Extension – Low level instructions
    SME (AMD)
    TXT (Intel)
    SGE (Intel)
    Atomic execution – Protects against race conditions and buffer overflows
    TOC/TOU
    Bus encryption – Secure data in transit in the hardware.

PreviousEndpoint Security and Behavior Analysis NextBlackholes and Sinkholes

Last updated 2 years ago