Establishing a root of trust: Trusted computing and Intel-based systems
In the global defense-electronics market there is a growing demand for trusted computing solutions that carry effective protections against cyberattacks. Users want to be confident that when they power up their deployed embedded system, the code that their system is running can be trusted. In this sense,"trusted" means that the system is running only the software code that the system integrator intends it to, and that no other code - malicious or otherwise - has been added to it.
Unfortunately, it takes almost no effort to think of recent examples where corrupted code has caused great harm to computing systems around the world. One potent example is the WannaCry ransomware worm unleashed in May 2017 that wreaked havoc on thousands of computers by encrypting their data. In just one day, WannaCry infected 230,000 systems in 150 countries. According to the FBI, ransomware is the fastest growing malware threat, targeting users of all types – from the home user to the corporate network. On average, says the FBI, more than 4,000 ransomware attacks have occurred daily since January 1, 2016, a 300 percent increase over the approximately 1,000 attacks per day seen in 2015. It only takes one innocent click on a URL link to inadvertently install malicious code into a computer’s BIOS – the malicious code then essentially owns that infected system. The threat is real and demands a proactive response.
Embedded defense systems are also vulnerable to cyberattacks. In 2015, the U.S. Air Force Scientific Advisory Board (SAB) conducted a study on “Cyber Vulnerabilities of Embedded Systems on Air and Space Systems” and concluded that “there is a broad-based set of immediate actions that can significantly mitigate embedded system cyber risk.” Moreover, a 2015 RAND Corp. report on “Cybersecurity of Air Force Weapon Systems” concluded that cyber capabilities “create potential opportunities – and incentives – for adversaries to counter U.S. advantages through cyberattacks.” To counter the cyberthreat in its weapons systems, the U.S. Air Force established the Cyber Resiliency Office for Weapons Systems (CROWS), which has the task of supporting the design, development, and acquisition of weapons systems that are more resilient to cyberattack.
A foundational concept in cybersecurity, and the starting point for the right response, is the hardware root of trust (RoT). Such components establish trusted functions, based on hardware validation of the boot process, that ensure that the device’s operating system is being started up with uncorrupted code; these functions are located in hardware so they can’t be changed. Protecting embedded systems against cyberattacks must start with the very first instruction a processor executes.
There are a variety of approaches available for system designers to select and mix or match to establish a trusted computing environment. Some of these approaches are more secure than others.
For Intel-based embedded hardware, two important weapons in the system designer’s trusted computing arsenal are Intel’s Trusted Execution Technology (TXT) and Boot Guard. With TXT, after the code begins executing, the system inspects and “measures” the executed code, comparing it to what would be expected if every piece of code is as it should be. TXT provides hardware-based security technologies, built into Intel’s silicon and a device called the trusted platform module (TPM), that harden a platform against attacks to the hypervisor, operating system, or BIOS; malicious root kit installations; and other software-based attacks.
Intel TXT creates a cryptographic hash (a “measurement” in Intel terminology) of critical BIOS components and compares them to a known good measurement. TXT provides hardware-based enforcement mechanisms to block the launch of any code that does not match approved code. This trust can then be extended all the way through the boot loader and into the operating system. Any error in the code will be detected and addressed according to the launch control policy (LCP) established by the user. Because TXT provides the system integrator with a launch control policy, a notification of corrupted code can have different consequences. After being informed that the system has been modified and is no longer trusted, the user can choose to either continue to run or to shut down. If the system integrator has established an “open” launch policy, the decision to continue to run is made with the full knowledge that the system is no longer trusted.
Boot Guard works in a complementary fashion to TXT. Intel describes Boot Guard as “hardware-based boot integrity protection that prevents unauthorized software and malware takeover of boot blocks critical to a system’s function.” Boot Guard is a hardware trust system that inspects an initial boot block, which runs prior to the BIOS, and ensures that it is trusted before allowing a boot to occur.
Both TXT and Boot Guard are valuable tools for establishing RoT in Intel-based embedded systems and are important elements of a comprehensive trusted computing solution. Designers of embedded commercial off-the-shelf (COTS) hardware and systems remain informed and knowledgeable about the latest options for protecting their hardware and data from malicious attack or intrusion.
COTS products are now available that include designed-in security features that enable users to quickly and economically implement their protection plans for critical technology and data. Such secure products enable designers and users to begin their system development on standard COTS hardware and software and then move to a secure, 100 percent software- and performance-compatible version of the product when they are ready to implement their program protection requirements. (Figure 1.)
Deployed embedded military systems run applications that may contain critical program information (CPI), which – if compromised – could lead to a loss of competitive advantage to the U.S. military and put the warfighter in danger. Defense electronics designers and users need to know that their application code is secure, and that their valuable software intellectual property (IP), such as algorithms for intelligence, surveillance, and reconnaissance (ISR), can’t be accessed or corrupted by an adversary. Trusted computing techniques should go beyond protecting hardware at the module and chassis level; trusted computing must also provide a comprehensive approach to data protection that enables data to be securely stored, retrieved, and moved in a system while allowing only authorized access. This level of trust may require secure network routers for data in motion solutions as well as secure storage for data at rest, with support for Type I, FIPS 140-2, FIPS-197, AES-256, and AES-128 encryption.
Ensuring that a system is trustworthy begins with the first instruction on trusted hardware. An effective trusted computing strategy for COTS solutions can include antitamper protection that guards against physical hardware intrusion, encryption techniques for critical data at rest, and effective cyberattack protections that ensure that a corrupted BIOS will cause no harm. The first step is to establish the root of trust.