Notes on George’s security design talk:
Security as an afterthought, aka add-on, aka “wax job” == fail
The security of a product is a lifecycle consideration (you can’t “fire and forget”); field remediation will be necessary
Secure hardware design requires cross-module thinking
Time to market == time to money
Avoiders focus on cost, security professionals focus on value
Remote reprovisioning functionality built into computers these days, great for good guys, great for bad guys if done poorly
April 28, 2010 at 2:36 pm |
Does anybody know of any end-user/home-user services that utilize the remote management features embedded in the new Core2?
April 29, 2010 at 2:49 pm |
Can someone explain what remote reprovisioning is? Thanks
April 29, 2010 at 8:51 pm |
Tools built into hardware/firmware/bios that allow you to install a new OS remotely without having to boot the OS on the computer (which is infected). Take a look at “network boot” or bootp for some of the older iterations of this idea.
April 30, 2010 at 7:31 pm |
http://www.engadget.com/2010/03/09/1024-bit-rsa-encryption-cracked-by-carefully-starving-cpu-of-ele/
A bit older but when talking about hardware control I was reminded of this again.
April 30, 2010 at 7:53 pm |
http://www.engadget.com/2010/03/09/1024-bit-rsa-encryption-cracked-by-carefully-starving-cpu-of-ele/
Talk about the need for hardware security/integrity. If you can force software to what you want at a hardware level, whats the point of software security?
April 30, 2010 at 11:59 pm |
Found this paper which provides some insight into secure hardware design http://grandideastudio.com/wp-content/uploads/secure_embed_paper.pdf
May 3, 2010 at 2:58 pm |
What is cross- module thinking?
May 5, 2010 at 7:06 pm |
George demonstrated how data may be secure from raw access within a certain hardware or software module, but when it passes to another part of the system it’s readable. By cross-module thinking, I mean security design with the thought in mind that all the hw/sw modules you’re creating for a system have to be integrated into each other such that the whole system is secure, not just being able to say that each module is secure in isolation.
May 5, 2010 at 8:28 pm |
The whole cross-module thinking can be related to end user application and a database setup. If there is a authentication module on say a website, if the password and corresponding username is sent over a unsecure channel, then even if the database stores everything encrypted, anyone can capture the data during the transfer. The different hardware modules are like the different computers that are interconnected by a network. So in order to make that authentication module secure, you must either send it over a encrypted channel (SSL) or encrypt the data on the client side (using JS) and then pass the data to the database for checking.