Physically Securing Information
CS 463/480 Lecture, Dr. Lawlor
If I have physical access to a computer, I can very rapidly and permanently root it by:
- Booting the computer from my own USB stick or DVD running reset tools (such as pogostick). Countermeasures: BIOS lock, USB ports desoldered or filled with epoxy (but then how do I do maintenance when a disk dies?).
- Reading any data I want directly from the hard drive. Countermeasure: whole-disk encryption.
- Adding software backdoors like secret network servers, kernel modules, etc. Countermeasures: filesystem and rootkit audits.
- Adding hardware backdoors like a keylogger installed in the keyboard itself, a re-flashed hard drive controller, or a black box attached to an ATM. (Snowden leaked the NSA catalog of hardware implants; you can buy the home versions from Hak5.) Countermeasures: physical tampering audits, component X-rays.
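As an added example (not part of the lecture), here is the simplest form of the "filesystem audit" countermeasure listed above: hash every file while the machine is still trusted, then compare a fresh manifest against that baseline and report what was added, removed or changed. The directory layout, file names and contents in demo() are constructed for the demo.

```python
import hashlib
import os
import tempfile

def hash_file(path: str) -> str:
    """SHA-256 of one file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: str) -> dict:
    """Map every regular file under root (path relative to root) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # the link target is hashed where it really lives
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest

def audit(baseline: dict, current: dict) -> dict:
    """Compare a trusted baseline with a fresh manifest; any non-empty
    list is a finding that a human has to explain."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a small trusted tree, then plant a
    kernel module and weaken a config file, as an attacker with physical
    access might, and check whether the audit catches both."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lib", "modules"))
    with open(os.path.join(root, "sshd_config"), "w") as f:
        f.write("PermitRootLogin no\n")
    with open(os.path.join(root, "lib", "modules", "net.ko"), "wb") as f:
        f.write(b"\x7fELF legitimate module (constructed bytes)")
    baseline = build_manifest(root)  # recorded while the machine is trusted
    with open(os.path.join(root, "sshd_config"), "w") as f:
        f.write("PermitRootLogin yes\n")  # config silently weakened
    with open(os.path.join(root, "lib", "modules", "evil.ko"), "wb") as f:
        f.write(b"\x7fELF planted backdoor module (constructed bytes)")
    return audit(baseline, build_manifest(root))
```

The baseline has to live somewhere the attacker cannot rewrite (offline media or a remote host), and a kernel-level rootkit can lie to the process doing the hashing, which is why the lecture pairs filesystem audits with rootkit audits.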
There are some very powerful physical attacks possible, like replacing selected USB cables with an externally identical tiny radio-controlled USB keyboard, or chilling and pulling the DRAM modules to grab everything in RAM (a "cold boot attack"), or using a magnetic force microscope to recover overwritten blocks from magnetic disks.
Slowing down big dumb physical attackers
The classic big dumb attacks are:
- Denial of service, by burning down or blowing up the entire building.
- Intrusion by drilling, melting, burning through, or blowing up the door or locks protecting your data.
The classic countermeasures against big dumb attacks are adding big dumb materials:
- Dirt is under $10/ton, but it's very low strength. Put dirt in bags or boxes, like the HESCO gabion units at US operating bases, and you can stop a truck bomb at very low cost.
- Concrete is $100/ton delivered, but it's brittle and difficult to modify once cast. This can be an advantage, because quartz-heavy concrete is very slow to drill even with a diamond cutter, although a thermic lance can still melt through it.
- Steel is $1000/ton or more, but it's much stronger, and can be welded and formed. The biggest downside of steel is that it is heavy and difficult to shape cheaply. Another downside is that a jet of pure oxygen from a cutting torch can rapidly cut steel even several inches thick, so often a concrete layer is added to prevent thermal attacks.
These things often get combined: a safe is a steel box, but there's often a sheetrock inner liner for thermal resistance. A vault or bunker uses reinforced concrete, which includes steel rebar to gain some of the strength of steel, while maintaining a cost more like concrete.
You can also defeat big dumb attacks like drilling using reactive cleverness, like a sheet of tempered glass designed to break when you drill it, which permanently "relocks" the safe's bolts. Modern "explosive reactive armor" or "active countermeasures" on tanks defeat explosive warheads by ... exploding them. Having a really big facility, several miles across, helps to dissipate blast and keep attackers from escaping with your loot, although it also increases the perimeter you need to defend.
Classic blended attack example: "The Score (2001)", where the attacker (Robert De Niro) sneaks into a secure room, uses an oxygen lance to slowly burn a small hole in a safe, fills it with water (an incompressible fluid), and detonates a small explosive charge that detaches the whole door, including the glass relockers. Mythbusters tried this, and the explosive part worked great, but lancing the safe wall torched everything inside the safe (not so good for computer parts or cash), and the safe is designed to not hold water.
The nice part about big dumb attacks is they're obvious--you're not going to keep using the server if it's been torched or blasted open.
Detecting slow sneaky physical attackers
Slow sneaky attackers are a much harder problem, because you might not even realize they've been there. This means you might keep using the compromised private key without revoking it, continue to provide attackers with financial data, etc.
- Ninjas. In "Mission: Impossible (1996)", the attacker (Tom Cruise) makes it into a secure machine room with a pressure-sensitive floor by rappelling down from an air vent. (Countermeasure: air vents are 6" across, and have lasers.)
- Lock picking ranges from laughably easy to incredibly difficult, depending on the lock. The theory behind a pin-tumbler lock is that the key operates like a secret key, raising each pin tumbler by exactly the amount it needs in order for the cylinder to turn. A lock snap gun or bump key can defeat some locks by momentarily pushing the tumblers up out of the cylinder. In 2004, it was revealed that many round bicycle locks could be opened with a pen tube.
- Insider attacks, like the sysadmin who has decided he disagrees with what your organization is doing, and is going to leak everything you have, or sell it to the highest bidder.
- It's usually the stuff you don't think about, like the under-the-door tool.
Countermeasures are primarily detection:
- Alarm systems are designed to allow rapid active response to an intrusion, which is great, but they need to be able to reliably detect intrusions, which is hard in general--a door-opening sensor is easy and can be made reliable, but what if they didn't use the door? Video is great if somebody's watching it, which is very difficult to sustain in the long run. Mythbusters has done several tests of detection systems (video, thermal IR, ultrasonic motion sensor, laser beam break), and there are countermeasures for nearly everything.
- Highly trained, well armed and armored guards on random patrols with reliable realtime radio communication and lifesign telemetry to a secure central command center work great. But it's overkill for most datacenters.
- Tamper-resistant seals, like glitter nail polish [Michaud and Lackey, 2013]: you paint the server's screws with glitter nail polish, and photograph the random orientation of glitter flakes, so a later photo reveals whether the screws were disturbed. The downside is that this is purely reactive security: by the time you notice, your data is already gone.