Hardware Security

Tamper Resistance?

How much hardware within a system belongs to the TCB? The industry has gained greatly from the ability to plug PC cards and PCI devices into computers on whim. Most OS software has been so permissive that rogues find subverting the software much easier than than resorting to rogue hardware. We examine some risks with untrusted PC cards and PCI devices. On most current systems these cards are bus masters with the same ability to read and write RAM as the CPU.

The official interface specs are expensive and I have not recently studied them. I do recall, however, that there are several levels of spec:

Level Description Threat Rogue’s investment
Circuit This specifies the voltage and impedance required to communicate with the system bus. It specifies the difference between signal and noise. One man’s noise, however, may be the rogue’s signal. Custom circuit design
Logical signal sequences—Pin Specs These specify when clean signals on the pins to the card belong to the card, and also when it it permissible to assert a signal. The rogue card may read addresses and data that belong to another card, or even the CPU. Custom logic design.
Messages These spell out what messages from the system are meant to convey to the card that the card should concern itself with which areas of RAM. The cardbus spec spells out the semantics of interface signals to the card relating to where the card may read or write. It is up to the card to conform. A rogue card may not. A rogue card may concern itself with other areas of RAM, either reading or writing there. microcode
Card Identification There are protocols for a card to identify itself with a structured name, including identification of the manufacturer. The rogue card can lie. microcode
I omit attacks such as asserting signals impermissibly as these are likely to be observed by either damaging other equipment or at least damaging its operation.

The IOMMU

I think that Sun’s SPARCs introduced the IOMMU which serves as an intermediary between cards and the system bus. It translates RAM addresses for access by the cards, as the MMU (Memory Mapping Unit) translates addresses for programs executed by the CPU. This translation also affords access control.

This allows a secure subsystem to exclude all PC cards or all PCI devices from the TCB except, perhaps, those with rogue custom circuit design or logic design.

It would seem difficult to retrofit an IOMMU to extant OSes not designed with that in mind.

AMD’s IOMMU design addresses most of these issues. (Regarding 2.1 “The IOMMU may optionally include support for remote IOTLBs. A device with IOTLB support can cooperate with the IOMMU to maintain its own cache of address translations.” If “remote IOTLBs” means hardware ‘outside the system’ then we have a problem. Any IOTLB is in the TCB where ever it is.)

Who is the bad guy?

Part of the motivation of TCPA is to protect the user and the threat is that the user unwittingly installs a rogue card. This requires a fancier plan as the installer is not the rogue. Another part of the TCPA thrust is to assure content owners that some particular platforms will do their part in protecting their interests. In this case the owner may be the rogue.

New Proposed Interfaces between Chips

I have looked briefly at RapidIO and HyperTransport. HyperTransport calls for a standard method for accessing RAM but also provides for disabling that ability, which is the power-up default. I don’t know whether it can support legacy drivers with this disabled.

Neither document mentions hot swapping but they leave the impression that such issues are the realm of the legacy bridge to old cards. There is room here for security design bugs, and also an opportunity to solve some of these problems.

PCI-X and PCI Express are two proposals that are not yet open. Their overviews stress legacy OS compatibility. This would not preclude new modes that controlled RAM access by individual units.

Of Microsoft’s Palladium plans, Seth David Schoen says that: Even PCI DMA can’t read or write memory which has been reserved to a nub’s or TA’s use (including the nub’s or TA’s code). This memory is completely inaccessible and can only be accessed indirectly through API calls. The chipset on the motherboard is modified to enforces this sort of restriction. I think that they plan to protect RAM by a per page access bit. DMA to each physical page is controlled by a bit for that page.

Level	Description	Threat	Rogue’s investment
Circuit	This specifies the voltage and impedance required to communicate with the system bus. It specifies the difference between signal and noise.	One man’s noise, however, may be the rogue’s signal.	Custom circuit design
Logical signal sequences—Pin Specs	These specify when clean signals on the pins to the card belong to the card, and also when it it permissible to assert a signal.	The rogue card may read addresses and data that belong to another card, or even the CPU.	Custom logic design.
Messages	These spell out what messages from the system are meant to convey to the card that the card should concern itself with which areas of RAM. The cardbus spec spells out the semantics of interface signals to the card relating to where the card may read or write. It is up to the card to conform. A rogue card may not.	A rogue card may concern itself with other areas of RAM, either reading or writing there.	microcode
Card Identification	There are protocols for a card to identify itself with a structured name, including identification of the manufacturer.	The rogue card can lie.	microcode