Comment by nickpsecurity

7 years ago

Nice article. A few comments:

“Rings 1 & 2 - Device Drivers: drivers for devices, the name pretty much describes itself.”

STOP and GEMSOS did use four rings. The evaluators griped that UNIX’s didn’t. Microkernel proponents kept pushing mainstream OS’s to move drivers from kernel mode to another mode. Maybe my memory is off again but arent the drivers for Nix’s and most monolithic kernels in kernel mode (Ring 0)? Maybe Xen does something different with its use of protected mode. Then, some things in user-mode later on like FUSE.

“Each of these kernels have their own networking stacks and web servers. The code can also modify itself and persist across power cycles and re-installs. We have very little visibility into what the code in these rings is actually doing”

Which is why I put money down that the backdoors NSA paid for in direct money and/or defense contracts would be in management systems. That we’d definitely find services with 0-days in there. Sure enough…

“Linux is already quite vetted and has a lot of eyes on it since it is used quite extensively.”

That’s total nonsense. Empirical evidence below that’s been consistent over long periods of time. If anything, using Linux is guaranteeing you vulnerabilities if they can call anything in the kernel. If a subset or just one function, maybe OK. Careful analysis case by case on that. We’d be better off with something clean-slate for this purpose that can reuse Linux drivers where necessary. Then, we’d check the drivers and the interfaces.

https://events.linuxfoundation.org/wp-content/uploads/2017/1...

It is true that it’s better than the closed-source stuff they’re using, has better tooling, folks understand it better, and so on. All true.

“We need open source firmware for the network interface controller (NIC), solid state drives (SSD), and base management controller (BMC).”

The problem with this and Intel/AMD internals are that they’re secretive partly to avoid patent suits and new competition. You’re not getting this stuff opened. Not easily at least. Might be better to literally do a closed-source product for them vetted by multiple parties. Otherwise, get the actual specs under NDA to build the open-source code against in a way that doesn’t leak the specs a lot. Alternatively, gotta build your own hardware doing this yourself with whatever the I.P. vendors give you. I mean, good luck on the reverse engineering efforts but these are usually lagging behind.

“We need to have all open source firmware to have all the visibility into the stack but also to actually verify the state of software on a machine.”

You actually need open, secure hardware for that since attackers are now hitting hardware. I kept telling people this would happen. Just wait till they do analog and RF more. What she’s actually saying here is “verify the state of the machine if the hardware works and is honest and doesn’t do anything malicious between verifications.”

“ is the same code running on hardware for all the various places we have firmware. We could then verify that a machine was in a correct state without a doubt of it being vulnerable or with a backdoor.”

Case in point: I put a secret coprocessor on the machine for “diagnostic purposes,” it can read state of system, it can leak over RF or network, and we leak stuff out of that signed, crypto code. Good thing no major vendors are including hidden or undocumented coprocessors on their chips. ;)

“Chromebooks are a great example of this, as well as Purism computers. You can ask your providers what they are doing for open source firmware or ensuring hardware security with roots of trust.”

End with some good advice: buy stuff that’s more open and secure to get more of it. Market demand incentivizing suppliers. That could solve a lot of these problems if enough people do it.

8 comments

nickpsecurity

Reply
monocasa  7 years ago

Rings 1&2 are basically useless on x86_64 because they give you the same access to memory as the kernel, they just don't let you execute privileged instructions directly.

On 32-bit x86, ring 1 at least got used for hypervisors (VMWare, Virtual box, and Xen off the top of my head). I half remember that OS/2 used the middle rings too.

I think the protection model of four rings was just copied from VAX, being the closest thing to big iron that x86 protected mode was inspired from.

  • nickpsecurity  7 years ago

    re 1&2. Ok, that's what I was thinking. Thanks for the refresher.

    re protection model. Nah, it was MULTICS from a Saltzer and Shroeder paper. They're among the pioneers of INFOSEC in high-assurance security which I'm often talking about here. They describe their reasoning about that here [1]. It, segments, and an IOMMU were in SCOMP, the first system certified to high security. Early promoter Roger Schell got an ex-Burroughs guy that Intel hired to add the rings and segments to their chips so high-assurance, security kernels could use them. The one he backed and got certified, GEMSOS, did leverage about every security feature on Intel CPU's. STOP used all the rings. GEMSOS had a hybrid scheme. BAE was selling STOP with Aesec still selling GEMSOS. Threw in a link on security kernels if you want to check that out. Today's state of the art moved on to secure hardware/software architectures using a mix of formal verification and language-level security on top of other QA activities. The competition used type enforcement [3] and capability security [4].

    [1] https://www.multicians.org/protection.html https://www.multicians.org/exec-env.html

    [2] http://www.cse.psu.edu/~trj1/cse443-s12/docs/ch6.pdf

    [3] https://cryptosmith.com/mls/lock/

    [4] https://web.archive.org/web/20160304223007/https://www.cis.u...

    • monocasa  7 years ago

      The four rings and their purpose was copied from VAX and VMS. It was specifically added by Intel trying to convince DEC to port VMS.

      The GE-645 had 16 protection rings in hardware IIRC, and was designed so that unprivileged software would see essientially an unlimited number of rings. It's a very different model in practice (and way better IMO).

      IMO we're probably going to have to migrate back to a hardware model to describe the memory regions to hardware to protect against the cache based Spectre variants the same way we protect against Meltdown.

      1 reply →

gnufx  7 years ago

Actually, at least a bit of it does exist. There are two different "OpenBMC"s. The IBM/Rackspace one is used for POWER9, as in the Summit and Sierra supercomputers.

Another effort in the free space -- a different part from Talos -- is EOMA68 https://www.crowdsupply.com/eoma68 with a parallel effort for RISC-V.

  • nickpsecurity  7 years ago

    It's a nice exception to the rule. IBM has enough patents to crush anyone that messes with them. So, they're not as worried. Don't forget older PPC and SPARC boxes with Open Firmware, too. I have one at the house from 2003 that can run Youtube vids.

    https://en.m.wikipedia.org/wiki/Open_Firmware

    Gaisler had a GPL'd SPARC core to go with it, too. Oracle's T1 and T2 were open, too.

    • gnufx  7 years ago

      I haven't forgotten Openboot, but as far as I know, ALOM wasn't part of it, and I doubt anything current comes with a free version. The two OpenBMCs aren't purely IBM, and that's more than one example apart from RISC-V possibilities. BMC is particularly important, because remote access is critical for large-scale management, typically implemented with a lot of problems, and often exposed highly insecurely. There's obviously a very real problem, but POWER9 seems to be an encouraging example that deserves support, and even Talos has some non-free firmware, as far as I remember (apart from add-on graphics).

      1 reply →