«
»

Notes from George Cox’s Talk

by

Notes on George’s security design talk:

Security as an afterthought, aka add-on, aka “wax job” == fail

The security of a product is a lifecycle consideration (you can’t “fire and forget”); field remediation will be necessary

Secure hardware design requires cross-module thinking

Time to market == time to money

Avoiders focus on cost, security professionals focus on value

Remote reprovisioning functionality  built into computers these days, great for good guys, great for bad guys if done poorly

This entry was posted on April 28, 2010 at 1:00 pm and is filed under Class Notes. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

9 Responses to “Notes from George Cox’s Talk”

  1. David Colvin Says:
    April 28, 2010 at 2:36 pm | Reply

    Does anybody know of any end-user/home-user services that utilize the remote management features embedded in the new Core2?

  2. Michael Qin Says:
    April 29, 2010 at 2:49 pm | Reply

    Can someone explain what remote reprovisioning is? Thanks

  3. diabolicalmdog Says:
    April 29, 2010 at 8:51 pm | Reply

    Tools built into hardware/firmware/bios that allow you to install a new OS remotely without having to boot the OS on the computer (which is infected). Take a look at “network boot” or bootp for some of the older iterations of this idea.

  4. Andrew Muldowney Says:
    April 30, 2010 at 7:31 pm | Reply

    http://www.engadget.com/2010/03/09/1024-bit-rsa-encryption-cracked-by-carefully-starving-cpu-of-ele/

    A bit older but when talking about hardware control I was reminded of this again.

  5. Andrew Muldowney Says:
    April 30, 2010 at 7:53 pm | Reply

    http://www.engadget.com/2010/03/09/1024-bit-rsa-encryption-cracked-by-carefully-starving-cpu-of-ele/

    Talk about the need for hardware security/integrity. If you can force software to what you want at a hardware level, whats the point of software security?

  6. Abhishek Chhikara Says:
    April 30, 2010 at 11:59 pm | Reply

    Found this paper which provides some insight into secure hardware design http://grandideastudio.com/wp-content/uploads/secure_embed_paper.pdf

  7. Antonio Says:
    May 3, 2010 at 2:58 pm | Reply

    What is cross- module thinking?

  8. diabolicalmdog Says:
    May 5, 2010 at 7:06 pm | Reply

    George demonstrated how data may be secure from raw access within a certain hardware or software module, but when it passes to another part of the system it’s readable. By cross-module thinking, I mean security design with the thought in mind that all the hw/sw modules you’re creating for a system have to be integrated into each other such that the whole system is secure, not just being able to say that each module is secure in isolation.

  9. Rohit Sinha Says:
    May 5, 2010 at 8:28 pm | Reply

    The whole cross-module thinking can be related to end user application and a database setup. If there is a authentication module on say a website, if the password and corresponding username is sent over a unsecure channel, then even if the database stores everything encrypted, anyone can capture the data during the transfer. The different hardware modules are like the different computers that are interconnected by a network. So in order to make that authentication module secure, you must either send it over a encrypted channel (SSL) or encrypt the data on the client side (using JS) and then pass the data to the database for checking.

Leave a comment