Physically Securing Information
CS 463/480 Lecture, Dr. Lawlor
If I have physical access to a computer, I can very rapidly
permanently root it by:
- Booting the computer from my own USB stick or DVD running
reset tools (such as pogostick).
Countermeasures: BIOS lock, USB ports desoldered or filled with
epoxy.
- Reading any data I want directly from the hard drive.
Countermeasure: whole-disk encryption.
- Adding software backdoors like secret network servers, kernel
modules, etc. Countermeasures: filesystem and rootkit
audits.
- Adding hardware backdoors like a keylogger
installed in the keyboard itself, or a black
box attached to the ATM. Countermeasures: physical
tampering audits.
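The filesystem audit named in the list above, as an added Python example (not code from the lecture): hash every file into a baseline, authenticate the baseline with an HMAC so an intruder with root cannot quietly rewrite it, and later report what changed. The file names and key are constructed, and the example assumes the key and baseline are stored off the audited machine and that the audit runs from trusted boot media.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Map every file under root (relative path) to the SHA-256 of its contents."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for path in (os.path.join(folder, name) for name in files):
            rel = os.path.relpath(path, root)
            if os.path.islink(path):  # record the target, do not follow it
                digests[rel] = "symlink:" + os.readlink(path)
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests

def seal(manifest, key):
    """HMAC-SHA256 over a canonical encoding, so an edited baseline is detected."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def audit(root, manifest, tag, key):
    """Authenticate the baseline, then list added, removed and modified files."""
    if not hmac.compare_digest(seal(manifest, key), tag):
        raise ValueError("baseline manifest failed authentication")
    now = snapshot(root)
    return {"added": sorted(now.keys() - manifest.keys()),
            "removed": sorted(manifest.keys() - now.keys()),
            "modified": sorted(p for p in now if manifest.get(p, now[p]) != now[p])}

def demo():  # constructed tree: baseline it, then change one file and plant another
    key = b"constructed key, stored off the audited machine"
    with tempfile.TemporaryDirectory() as root:
        Path(root, "login").write_bytes(b"v1")
        manifest = snapshot(root)
        tag = seal(manifest, key)
        Path(root, "login").write_bytes(b"v1 + hook")
        Path(root, "netsrv.ko").write_bytes(b"new module")
        return audit(root, manifest, tag, key)

if __name__ == "__main__":
    print(demo())
```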
There are some very powerful physical attacks possible, like
replacing selected USB cables with an externally identical tiny
radio-controlled USB keyboard, or chilling and pulling the DRAM
modules to grab everything in RAM (a "cold boot attack"), or using a
magnetic force microscope to recover overwritten blocks from
magnetic disks.
Slowing down big dumb attackers
The classic big dumb attacks are:
- Denial of service, by burning down or blowing up the entire
building.
- Intrusion by drilling, melting, burning through, or blowing up
the door or locks protecting your data.
The classic countermeasures against big dumb attacks are adding big
dumb materials:
- Dirt is under $10/ton but it's very low strength. Put dirt in
bags or boxes, like the HESCO
gabion units at US operating bases, and you can stop a
truck bomb at very low cost.
- Concrete is $100/ton delivered, but it's brittle and difficult
to modify once cast. This can be an advantage, because
quartz-heavy concrete is very slow to drill even with a diamond
cutter, although a thermic lance can still melt through it.
- Steel is $1000/ton or more, but it's much stronger, and can be
welded and formed. The biggest downside of steel is it is
incredibly dense. Another downside of steel is a jet of pure
oxygen from a cutting torch can rapidly cut steel even several
inches thick, so often a concrete layer is added to prevent
thermal attacks.
These things often get combined: a safe is a steel box, but there's
often a masonry inner liner. A vault or bunker uses reinforced
concrete, which includes steel rebar to gain some of the strength of
steel, while maintaining a cost more like concrete.
You can also defeat big dumb attacks like drilling using reactive
cleverness, like a sheet of tempered glass designed to break when
you drill it, that permanently "relocks" the safe's bolts.
Modern "explosive reactive armor" or "active countermeasures" on
tanks defeat explosive warheads by ...
exploding them. Having a really big facility, several miles
across, helps to dissipate blast and keep attackers from escaping
with your loot, although it also increases the perimeter you need to
defend.
Classic blended attack example: "The Score (2001)",
where the attacker (Robert De Niro) sneaks into a secure room, uses
an oxygen lance to slowly cut a small hole in a safe, fills it with
water (an incompressible fluid), and detonates a small explosive charge
that detaches the whole door, including the glass relockers. Mythbusters
tried this, and the explosive part worked great, but lancing
the safe wall torched everything inside the safe (not so good for
computer parts or cash), and the safe is designed to not hold water.
The nice part about big dumb attacks is they're obvious--you're not
going to keep using the server if it's been torched or blasted open.
Detecting slow sneaky attackers
Slow sneaky attackers are a much harder problem, because you might
not even realize they've been there.
- Ninjas. In "Mission: Impossible (1996)", the attacker (Tom Cruise) makes it
into a secure machine room with a pressure-sensitive floor by
rappelling down from an air vent. (Countermeasure: air
vents are 6" across, and have lasers.)
- Lock picking ranges from laughably easy to incredibly
difficult, depending on the lock. The theory behind a
pin-tumbler lock is that the key operates like a secret key, raising
each pin tumbler by the amount it needs in order for the
cylinder to turn. A lock snap gun or bump key can defeat some
locks by momentarily pushing the tumblers up out of the
cylinder. In 2004, it was revealed that many round bicycle
locks could be opened with a pen tube.
- It's usually the stuff you don't think about, like the
under-the-door tool.
Countermeasures are primarily detection:
- Alarm systems are designed to allow rapid active response to
an intrusion, which is great, but they need to be able to
reliably detect intrusions, which is hard in general--a door
opening sensor is easy and can be made reliable, but what if
they didn't use the door? Mythbusters has done several tests
of detection systems, and there are countermeasures for
nearly everything.
- Tamper-resistant seals, like glitter
nail polish [Michaud and Lackey, 2013]: you paint the
server's screws with glitter nail polish, and photograph the
random orientation of glitter flakes.
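The verification step for a glitter seal, as an added Python example (not code from the lecture or from Michaud and Lackey): compare a later photo against the reference photo, searching over small camera shifts so that a moved camera does not raise a false alarm while a repainted seal still does. The 24x24 grayscale "photos", the noise model and the 0.8 threshold are constructed assumptions.

```python
import math
import random

SIZE = 24  # constructed "photo": SIZE x SIZE grayscale pixels

def paint_seal(rng):
    """Constructed model of a fresh coat: every flake lands with random brightness."""
    return [[rng.randrange(256) for _ in range(SIZE)] for _ in range(SIZE)]

def photograph(seal, rng, dx=0, dy=0, noise=20):
    """Photo of a seal taken with the camera offset by (dx, dy), plus sensor noise."""
    def pixel(x, y):
        # Outside the painted area the camera sees plain mid-gray (assumption).
        value = seal[y][x] if 0 <= x < SIZE and 0 <= y < SIZE else 128
        return min(255, max(0, value + rng.randint(-noise, noise)))
    return [[pixel(x + dx, y + dy) for x in range(SIZE)] for y in range(SIZE)]

def correlation(ref, cur, dx=0, dy=0):
    """Pearson correlation between cur and ref shifted by (dx, dy), overlap only."""
    pairs = [(ref[y + dy][x + dx], cur[y][x])
             for y in range(SIZE) for x in range(SIZE)
             if 0 <= x + dx < SIZE and 0 <= y + dy < SIZE]
    mean_r = sum(r for r, _ in pairs) / len(pairs)
    mean_c = sum(c for _, c in pairs) / len(pairs)
    cov = sum((r - mean_r) * (c - mean_c) for r, c in pairs)
    var_r = sum((r - mean_r) ** 2 for r, _ in pairs)
    var_c = sum((c - mean_c) ** 2 for _, c in pairs)
    return cov / math.sqrt(var_r * var_c) if var_r and var_c else 0.0

def seal_intact(ref, cur, max_shift=3, threshold=0.8):
    """True if some small camera shift makes cur match the reference photo."""
    shifts = range(-max_shift, max_shift + 1)
    best = max(correlation(ref, cur, dx, dy) for dx in shifts for dy in shifts)
    return best >= threshold

def demo(seed=2013):
    rng = random.Random(seed)
    original = paint_seal(rng)
    reference = photograph(original, rng)             # taken when the seal is applied
    recheck = photograph(original, rng, dx=2, dy=-1)  # same seal, camera moved
    repainted = photograph(paint_seal(rng), rng)      # screw removed, polish redone
    return {
        "naive_recheck": round(correlation(reference, recheck), 2),
        "recheck_intact": seal_intact(reference, recheck),
        "repainted_intact": seal_intact(reference, repainted),
    }

if __name__ == "__main__":
    print(demo())
```

The unaligned comparison (`naive_recheck`) scores near zero even for the untouched seal, which is why the shift search is needed before a mismatch is treated as tampering.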