• Wednesday, January 29, 2020

Elements of secure computing

Discussion in 'Pakistan Defence & Industry' started by CriticalThought, Jan 11, 2020.

  1. CriticalThought

    CriticalThought SENIOR MEMBER

    Country:
    Pakistan
    Location:
    Australia
    This is a very quick guide to help Pakistani entities devise secure computing policies. It has been put together in haste because of other engagements the author must honor. I invite fellow Pakistanis to contribute to this thread.

    In devising a secure computing platform, the first order of business is the selection of a secure hardware platform. Commercial off-the-shelf (COTS) hardware platforms such as the Intel platform have been known to have flaws that allow programs to access information they are not intended to access. The interested reader should look up side-channel attacks, especially the recent 'Meltdown', 'Spectre', and 'Foreshadow' attacks. Similarly, there are instances where the exact same binary BIOS code run on two different computers produced different results. The problem turned out to be hidden logic in the BIOS of one of the systems. In order to guard against such attacks, a secure computing hardware architecture must be designed and built within the country.

    The next piece of the puzzle might surprise many readers. It is important to write an indigenous compiler to ensure secure computing. One of the most insidious hacks (apart from hidden logic in hardware) is malware within the compiler itself that adds extra code to the binary program being produced by the compiler. It is important to realize that a compiler doesn't need to be written from the ground up. Rather, people need to be trained in a high-performance, open-source compiler such as GCC. GCC is a collection of compilers, hence a set of languages must be selected. The team of specialists should start with a current version of the GCC compiler and understand every single line of GCC that is relevant for the selected languages. This understanding must be enshrined in a set of test cases that prove the relevant pieces of code actually perform the tasks which the specialists think they do. Once this mastery has been achieved, they can then start modifying the code to suit their own needs. As new features are released in the open-source compiler, they must pass a similarly stringent regime of review and validation before being integrated into the indigenous solution.

    The next step is the production of an operating system. The methodology is the same as the one described above for the compiler. This author recommends starting with Linux as a base.

    I wish to see our armed forces adopting a unified approach to secure computing, because they will benefit from the resulting collaboration, and a uniform level of security can be assured across the forces. I end with the prayer: may Allah make this a source of strength for Islam and Muslims in the whole world. Aameen.
     
  2. Vortex

    Vortex SENIOR MEMBER

    Deserves a positive rating.
     
  3. BringHarmony

    BringHarmony BANNED

    Country:
    Canada
    Location:
    Canada
    A few corrections: Meltdown and Spectre were design flaws that hit not only Intel but AMD and ARM processors as well. It seems almost everyone who designed a branch predictor made similar mistakes. If one looked hard enough, architectures like SPARC would also have similar issues. So it's a cross-cutting issue, not just limited to a single company.
    Here is another fun thing: designing a processor is a daunting task. Designing a secure processor is super daunting. Designing a performant processor with modern features and yet keeping it really secure is almost impossible. It is quite likely you will end up making mistakes, some old and some new.

    Your narrative should also include the fact that the processor by itself is not enough. You will need to have a secure chipset as well. That means devices like the interrupt controller, buses, memory controller, bridges, and DMA controller. Add to it that you will also need to maintain compliance with standards to be able to work across commonly available devices and peripherals. And lastly, you will need to secure all the devices too, like storage, network, etc. If any one of them is broken, you are broken.

    It is enough to say that it is impossible to do in your own country unless you are the size of the USA, China or the USSR. So you will be trusting one vendor over another. Choose your poison.

    Modern languages are already implemented around open-source compiler backends like LLVM (which has replaced GCC almost everywhere), so rest assured the compiler is not likely to be compromised so long as you bootstrap the compiler yourself or take known-good builds and check them using PGP.

    I will be more worried about the runtime, though, and the language design itself. Languages like C and C++ are inherently unsafe. Unfortunately, almost ALL system software is written in these two languages, including the avionics for the JF-17, for some reason.

    The best you can do is to develop an in-house team of really good auditors to audit the open-source software you are using. That is the biggest advice this piece is missing. Oh, by the way, while it's great to write test cases, the nature of security issues is such that you won't optimally cover them with all the test cases in the world. The first line of defence can be running the most audited system software.

    Using the Linux kernel is a decent choice. Again, I will be more worried about the system libraries than the OS. The Linux kernel has been widely audited, and so have a number of the kernel modules included.

    That said, the author has left a 1000-pound gorilla in the room: the device drivers. These are the weakest links. They are often closed source, or comprise huge binary blobs or unauditable spaghetti code. This is where most of the bugs reside, and this is the best place to inject any hijacking malware. I do not know any way in which you can practically make an open system while keeping it secure, so you are likely to be broken, one way or another.
     
  4. Paul2

    Paul2 FULL MEMBER

    Country:
    China
    Location:
    China
    You seem to know quite a bit, are you working in the sector?

    I myself think that the effort is futile, and the root of the issue is that the industry wants untrusted code to be executable.

    Writing a secure programming language is by far easier than making a practical secure CPU

    I will challenge that. C is by far the easiest language to do formal verification on, where you verify not the language primitives, but the underlying machine code.

    The lion's share of the most exposed code in the world (static web servers, email servers, encryption libraries, and such) has been written in C, and it performs remarkably well.

    Yes, languages that don't let people do raw memory access can let first-year CS students work out things that can't be hacked in 5 minutes, but that doesn't change the fact that those people will still adopt bad, hackable software designs.

    The vast majority of hackable software is written by people who shouldn't have been let close to a computer to begin with, and they will write inherently insecure software no matter what tool you give them.
     
  5. Indos

    Indos PDF THINK TANK: ANALYST

    Country:
    Indonesia
    Location:
    Indonesia
    Already got one from me.
     
  6. Sine Nomine

    Sine Nomine ELITE MEMBER

    Country:
    Pakistan
    Location:
    Pakistan
    The best bet is keeping tabs on packets and radio transmissions around a network you want to secure.
    No matter how hard one tries to keep a safe hardware or driver set, in this world of ever-developing ICs and sets of code you are bound to fail.
    At the state level there is no defence against cyber attacks, thefts and hacks other than having a team which is capable of matching your foe toe to toe.
     
  7. CriticalThought

    CriticalThought SENIOR MEMBER

    Country:
    Pakistan
    Location:
    Australia
    Following up from the OP, I would like readers to notice the very latest development in the Linux kernel: the introduction of the KUnit testing framework. The release became available on Jan 26, 2020.

    https://kernelnewbies.org/Linux_5.5#KUnit.2C_an_unit_testing_framework_for_the_kernel
    This should make it obvious that unit testing is on the minds of even the core Linux development group. I also need to correct misinformation regarding unit tests having no bearing upon security. Using tools such as Valgrind and compiler options such as 'Address Sanitizer', bugs such as buffer overflows can be detected easily if proper unit tests have been written. Thus, properly written unit tests become the first line of defence against certain types of security issues. Whether these tools work with KUnit, I am not sure, because I haven't looked into the matter. But there is no reason why a state-sponsored team of experts shouldn't be able to make it work if it doesn't already.

    Finally, I need to address further misinformation that has been spread on the thread regarding the very necessity of an indigenous computing platform. If Pakistan wants to solve its unique security problems through innovative solutions, then custom solutions will necessarily be needed. Let us look at a concrete example to understand the issue better.

    If an indigenous anti-hypersonic cruise missile system is developed, reaction times will be of utmost importance. The ability of the system to react quickly will be fundamentally tied to the clock frequency of its processor. And if the system is to work against many hypersonic cruise missiles, it will need many processors working in parallel. Unfortunately, the trend in commercial off-the-shelf (COTS) hardware is that you can either overclock a few computational cores to frequencies of 4-5 GHz, or you can have many cores each working at a frequency of approximately 2.5 GHz. Worse, due to energy management features, these modern CPUs provide no guarantees of consistent execution on a single core. Thus, system designers necessarily need to consider a custom solution that may throw away unnecessary complexity such as virtual memory, large cache sizes, cache coherence, etc. By reducing such advanced features, more cores can be packed into a single processor where each core runs at a higher frequency. The elements of secure computing noted in the OP would be extremely relevant to any such custom solution.
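
    Editor's added example for the point in post 7 about unit tests plus Address Sanitizer. It is not CriticalThought's code and not from the Linux or KUnit projects: a small fixed-size record parser is written once with an unbounded copy and once with a bounds check, and unit-test style functions feed both a fitting and an oversized input. The struct, function names and input strings are constructed for the example. Built with `-fsanitize=address -DTRIGGER_OVERFLOW`, the oversized input to the unsafe parser makes ASan abort with a stack-buffer-overflow report; the same input to the bounded parser is simply refused.

```c
/* Added example: an unbounded vs. a bounds-checked copy into a fixed-size
 * struct, and the unit-test style checks that would expose the difference
 * under Address Sanitizer. Names and inputs are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define CALLSIGN_LEN 8          /* 7 characters plus the terminating NUL */

struct track {
    char callsign[CALLSIGN_LEN];
    unsigned speed_mps;
};

/* Vulnerable: strcpy does not know how large t->callsign is, so any name
 * of 8 or more characters writes past the array. */
int parse_track_unsafe(struct track *t, const char *name, unsigned speed)
{
    strcpy(t->callsign, name);
    t->speed_mps = speed;
    return 0;
}

/* Hardened: look for the NUL within the buffer size only; refuse anything
 * that does not fit, leaving the record untouched, then copy a known length. */
int parse_track_safe(struct track *t, const char *name, unsigned speed)
{
    const char *end = memchr(name, '\0', CALLSIGN_LEN);
    if (end == NULL)
        return -1;              /* name has >= CALLSIGN_LEN chars: would overflow */
    memcpy(t->callsign, name, (size_t)(end - name) + 1);
    t->speed_mps = speed;
    return 0;
}

/* Unit test: a name that fits is stored verbatim by either parser.
 * Returns 1 on pass, 0 on failure. */
int test_fits(int (*parse)(struct track *, const char *, unsigned))
{
    struct track t;
    if (parse(&t, "HAWK1", 340) != 0)
        return 0;
    return strcmp(t.callsign, "HAWK1") == 0 && t.speed_mps == 340;
}

/* Unit test: a 12-character name must be rejected by the safe parser and the
 * zeroed record must remain unchanged. Returns 1 on pass, 0 on failure. */
int test_oversized_rejected(void)
{
    struct track t;
    memset(&t, 0, sizeof t);
    return parse_track_safe(&t, "HAWK1-EXTRA1", 340) == -1
        && t.speed_mps == 0 && t.callsign[0] == '\0';
}

int main(void)
{
    printf("safe parser, fitting name:     %s\n", test_fits(parse_track_safe) ? "ok" : "FAIL");
    printf("unsafe parser, fitting name:   %s\n", test_fits(parse_track_unsafe) ? "ok" : "FAIL");
    printf("safe parser, oversized name:   %s\n", test_oversized_rejected() ? "rejected" : "FAIL");
#ifdef TRIGGER_OVERFLOW
    /* cc -g -fsanitize=address -DTRIGGER_OVERFLOW example.c && ./a.out
     * The same oversized name now reaches strcpy: ASan reports a
     * stack-buffer-overflow at the strcpy and aborts the test run. */
    struct track t;
    parse_track_unsafe(&t, "HAWK1-EXTRA1", 340);
#endif
    return 0;
}
```

    The point the example makes is the one post 7 argues: the test case on its own only documents intent, but the same test compiled with `-fsanitize=address` (or run under Valgrind) turns the latent overflow into a hard failure, which is what makes ordinary unit tests a first line of defence for this class of bug.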
     
  8. BHarwana

    BHarwana ELITE MEMBER

    Country:
    Pakistan
    Location:
    Pakistan
    No computing system in the world is secure.