Peter A Clarke

The National Institute of Science and Technology (“NIST”) today released NISTIR 8320, Hardware-Enabled Security: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases.

The abstract provides:

In today’s cloud data centers and edge computing, attack surfaces have shifted and, in some cases, significantly increased. At the same time, hacking has become industrialized, and most security control implementations are not coherent or consistent. The foundation of any data center or edge computing security strategy should be securing the platform on which data and workloads will be executed and accessed. The physical platform represents the first layer for any layered security approach and provides the initial protections to help ensure that higher-layer security controls can be trusted. This report explains hardware-enabled security techniques and technologies that can improve platform security and data protection for cloud data centers and edge computing.

The report is aimed at security professionals on the technical side however anyone involved in privacy and data protection would get a benefit from it.  

It is, as is common with NIST reports and guides, a voluminous document, at 94 pages, making a thorough summary difficult. 

It is worth making the following points, by way of highlighting only:

• the three significant forces impacting security are:
  1. the introduction of billions of connected devices and increased adoption of the cloud have significantly increased attack surfaces;
  2. hacking has become industrialized with sophisticated and evolving techniques to compromise data; and
  3. solutions composed of multiple technologies from different vendors result in a lack of coherent and consistent implementations of security controls.
• the hardware platform is a server (e.g., application server, storage server, virtualization server) in a data center or edge compute facility. The server’s hardware platform represents the first part of the layered security approach.
• Hardware-enabled security—security with its basis in the hardware platform—can provide a stronger foundation than one offered by software or firmware, which has a larger attack surface and can be modified with relative ease.
• hardware root of trust (RoT) can present a smaller attack surface if implemented with a small codebase.
• existing security implementations can be enhanced by providing a base-layer, immutable hardware module that chains software and firmware verifications from the hardware all the way to the application space or specified security control.

• the  threat landscape has evolved in recent years to encompass more advanced attack surfaces with more persistent attack mechanisms. Attackers are pushing lower in the platform stack, forcing security administrators to address a variety of attacks that threaten the platform firmware and hardware. These threats can result in:

  • Unauthorized access to and potential extraction of sensitive platform or user data, including direct physical access to dual in-line memory modules (DIMMs)
  • Modification of platform firmware
  • Supply chain interception through the physical replacement of firmware or hardware with malicious versions
  • Access to data or execution of code outside of regulated geopolitical or other boundaries
  • Circumvention of software and/or firmware-based security mechanisms

• workloads subject to specific regulations or containing sensitive data present additional security challenges for multi-tenant clouds.

• virtualisation and containers significantly benefit efficiency, adaptability, and scalability, but  consolidate workloads onto fewer physical platforms and introduce the dynamic migration of workloads and data across platforms. This results in a loss of customer visibility and control over the platforms and introduces the usage of third-party infrastructure administrators.

• cloud providers expose information related to infrastructure security and platform capability in order to provide their tenants with security assurances.

• as cloud providers often have data centers that span multiple geopolitical boundaries which involve complicated legal and regulatory compliance requirements from multiple countries. Without physical control over or use of confidential computing features or visibility into platform configurations, conventional security best practices and regulatory requirements become difficult or impossible to implement

• Existing mitigations of threats against cloud servers are often rooted in firmware or software, making them vulnerable to the same attack strategies. Hardware-enabled security techniques can help mitigate these threats by establishing and maintaining platform trust—an assurance in the integrity of the underlying platform configuration, including hardware, firmware, and software. . Platform security technologies that establish platform trust can provide notification or even self-correction of detected integrity failures. Platform configurations can automatically be reverted back to a trusted state and give the platform resilience against attack.
• To achieve the necessary security controls, an RoT can be leveraged as a starting point that is implicitly trusted.
• Platforms that secure their underlying firmware and configuration provide the opportunity for trust to be extended higher in the software stack.
• Rooting platform integrity and trust in hardware security controls can strengthen and complement the extension of the CoT into the dynamic software category.

•  the  verification of the underlying platform’s integrity is typically comprised of two parts:

  • Cryptographic measurement of software and firmware.  This refers to calculating a cryptographic hash of a software or firmware executable, configuration file, or other entity. By measuring software and firmware prior to execution, the integrity of the measured modules and configurations can be validated before the platform launches or before data or workloads are accessed.
  • Firmware and configuration verification. When firmware and configuration measurements are made, local or remote attestations can be performed to verify if the desired firmware is actually running and if the configurations are authorized

• A hardware security module (HSM),   “a physical computing device that safeguards and manages cryptographic keys and provides cryptographic processing”, host cryptographic operations such as encryption, decryption, and signature generation/verification . A trusted platform module (TPM) generates cryptographic keys and protect small amounts of sensitive information, such as passwords, cryptographic keys, and cryptographic hash measurements. The TPM is a standalone device that can be integrated with server platforms, client devices, and other products. One of the main use cases of a TPM is to store digest measurements of platform firmware and configuration during the boot process

• The chain of trust (CoT) is a method for maintaining valid trust boundaries by applying a principle of transitive trust. Every CoT starts with an RoT module. It can be composed of different hardware and firmware components. For several platform integrity technologies, the RoT core firmware module is rooted in immutable read-only memory (ROM) code.  An RoT that is built with hardware protections will be more difficult to change, while an RoT that is built solely in firmware can be flashed and modified.

• Organizations are increasingly at risk of supply chain compromise. Managing cyber supply chain risks requires  ensuring the integrity, quality, and resilience of the supply chain, its products, and its services. Cyber supply chain risks include counterfeiting, unauthorized production, tampering, theft, and insertion of malicious or otherwise unexpected software and hardware, as well as poor manufacturing and development practices in the cyber supply chain. Special technologies have been developed to help ascertain the authenticity and integrity of platform hardware, including its firmware and configuration. These technologies help ensure that platforms are not tampered with or altered from the time that they are assembled at the manufacturer site to the time that they arrive at a customer data center ready for installation. Verification of these platform attributes is one aspect of securing the supply chain.

• ROP attacks focus on utilizing buffer overflows and targeted memory overwrites of return addresses in the stack. Attackers redirect return flows by corrupting addresses on the data stack to be locations in already-executable code. These small selected sequences of code called gadgets result in malicious modifications to the system or the invocation of normally unauthorized operations.

• COP/JOP attacks are similar to ROP attacks, relying on gadget building blocks. They target indirect jump instructions at the end of a gadget, many of which are intentionally emitted by the compiler.  Applications can utilize a parallel stack, known as the shadow stack, to help mitigate software attacks that attempt to modify the control flow. Utilizing special hardware, the shadow stack is used to store a copy of return addresses; the address is checked against the normal program stack on return operations. If the content differs, an exception is generated, which can help prevent malicious code from gaining control of the system with techniques such as ROP. In this way, shadow stack hardware can help mitigate some of the most common and exploitable types of software bugs.

• Commodity OSs rely on virtual memory protection models enabled via paging enforced by the processor memory management unit (MMU). OSs isolate process and kernel memory using page tables managed by systems software, with access permissions such as user/supervisor and read/write/execute (RWX). Process and kernel memory accesses are via virtual addresses that are mapped to physical memory addresses via address translation structures. These structures used for address translation are critical to enforcing the isolation model

• Modern OSs are single address space kernels (as opposed to micro-kernels), which provide good performance but have a large attack surface. A vulnerability in the kernel or driver can be leveraged to escalate privileges of a malicious process.

• Heuristic defense mechanisms such as Page Table randomization can be bypassed with information leaks achieved via malicious RW primitives. Such information leaks are performed by chaining together a set of system calls (syscalls).It is important for address translation protection mechanisms to block both of these types of attacks. Processors can also detect and block any execution or data access setup by lower-privilege code from a higher-privilege access. These protections establish boundaries, requiring code to execute with only the necessary permissions and forcing elevated permission requests when needed.

• Approximately 70 percent of the vulnerabilities addressed through security updates each year are memory safety issues. These code bugs can be exploited by attackers to reveal data, including keys and other secrets.

• the hardware-based technologies designed to address memory safety violations are.

  •  memory tagging. It is  a probabilistic lock-and-key approach to detecting memory violation bugs. With a tag size of 4, the probability of detecting a bug is 94 percent; with a tag size of 8, the probability is 99.6 percent.

  • capability-based hardware systems.  This enables software to efficiently implement fine-grained memory protection and scalable software compartmentalization by providing strong, non-probabilistic, efficient mechanisms to support the principles of least privilege and intentional use in the execution of software at multiple levels of abstraction, preventing and mitigating memory safety vulnerabilities.

  • Hardware capability technology. This combines references to memory locations—pointers—with limits on how the references can be used. It is constructed so that it cannot be forged by software. Replacing pointers with capabilities in a program vastly improves memory safety. The benefit of hardware capability technology goes beyond memory safety because capabilities can be used as a building block for more fine-grained compartmentalization of software.

• The vulnerability underlying cache timing side-channel attacks is that the pattern of allocations into the cache of a central processing unit (CPU) can be determined by measuring the time taken to access entries that were previously in the cache or to access entries that have been allocated. This may leak information about the pattern of cache allocations that could be read by other, less privileged software.   Processor designs have added additional instructions along with firmware and software support to mitigate this class of attack.

• vulnerabilities in the kernel space and shared layers can be susceptible to widespread exploitation, making security for the underlying platform even more important. With the need for additional protection in the virtualized workspace, an emphasis has been placed on encrypting data both at rest and while in use. At-rest encryption provides protection for data on disk. . Protecting and securing cloud data while in use, also referred to as confidential computing, utilizes hardware-enabled features to isolate and process encrypted data in memory so that the data is at less risk of exposure and compromise from concurrent workloads or the underlying system and platform  Sensitive secrets like cryptographic keys, authentication strings, or data with intellectual property and privacy concerns can be preserved within a trusted execution environment (TEE) . A TEE also helps ensure that operations performed within it and the associated data cannot be viewed from outside, not even by privileged software or debuggers.

• applications running in memory share the same platform hardware and can be susceptible to attacks either from other workloads running on the same hardware or from compromised cloud administrators.  Various hardware technologies have been developed to encrypt content running in platform memory

• Application isolation utilizes a TEE to help protect the memory reserved for an individual application. The trust boundary associated with the application is restricted to only the CPU. Future generations of these techniques will allow entire applications to be isolated in their own enclaves rather than only protecting specific operations or memory. By using separate application enclaves with unique per-application keys, sensitive applications can be protected against data exposure, even to malicious insiders with access to the underlying platform.

• because cryptographic operations can drain system performance and consume large amounts of compute resources, the industry has adopted specialized hardware interfaces called cryptographic accelerators, which offload cryptographic tasks from the main processing unit onto a separate coprocessor chip. Cryptographic accelerators often come in the form of pluggable peripheral adapter cards.

• a remote service can collate server information and measurement details and can be used to define allowlist policies, specifying which firmware versions and event measurements are acceptable for servers in a particular data center environment. This service would verify or attest each server’s collected data against these policies, feeding the results into a policy orchestrator to report, alert, or enforce rules based on the events. A remote attestation service can provide additional benefits besides verifying server firmware. Specifying allowlist policies for specific firmware versions can allow data center administrators to easily invalidate old versions and roll out new upgrades. In some cases, certain hardware technologies and associated capabilities on platforms can be discoverable by their specific event log measurements recorded in an HSM.  The key advantage to remote attestation is the enforcement of compliance across all hardware systems in a data center. The ability to verify against a collective allowlist as opposed to a local system enforcing a supply chain policy provides operators more flexibility and control in a cryptographically secured manner.