-3

And I mean, even if someone tries rooting with a Live CD, even if one takes the HDD away and plug it in somewhere else, etc...

I want to be able to give a client a machine with a service running, but don't want to allow it to peek inside it, at all.

Edit: Oh ok, just to clarify, the user is not going to use the computer directly, the service is exposed through a TCP port and that's how they interact with it.

Broader Scenario: I provide a service through the internet, because my users' data is somewhat sensitive, many of them had asked me to give them a server that they could just have locally and stay cool because their data doesn't leave the building. I'm ok with that but don't want them to check out my source code and steal/modify it.

Ale Morales
  • 178
  • 1
  • 9
  • 3
    Full-disk encryption would do the first part, but it is contradicting your last sentence. You cannot get full protection against somebody who needs to be able to run it. – John Mar 11 '16 at 21:33
  • About your edit: Is the client not supposed to use it directly, or can't he use it directly? – deviantfan Mar 11 '16 at 21:49
  • Does the user have physical access to the machine? – Steve Sether Mar 11 '16 at 21:51
  • It is never intended to do it, they are not even supossed to log-in to it, or even touch it. – Ale Morales Mar 11 '16 at 21:51
  • @SteveSether Yes the user will have physical, unsupervised (from me), access to the machine. – Ale Morales Mar 11 '16 at 21:51
  • You might consider using a Virtual Server to host your service. Access the server through RDP or SSH and just don't share the login information to it. Other than that, the only option I can think of is to encrypt it and lock it up with a password on the home screen. – xorist Mar 11 '16 at 22:05
  • @l1thal Thanks, that's an interesting suggestion, could you elaborate more? – Ale Morales Mar 11 '16 at 22:10
  • In order for me to further help you, I would need to know what kind of service you would be running. I would also need to know smaller factors such as how much you're willing to spend on a virtual server and what specs you'd like it to have. – xorist Mar 11 '16 at 22:13
  • If you're working on a project, I'm more then happy to help. Experience is everything in my eyes. My skype is l1thal, I have a black and white picture of an angel. Message me there if you'd like further, more detailed assistance. – xorist Mar 11 '16 at 22:14
  • @l1thal It's just a service that travels through TCP/IP, and I'm willing to spend a "moderate" amount of money, like, the cost of a commodity server, not the cheapest one, but neither the most expensive. – Ale Morales Mar 11 '16 at 22:15
  • Well I'm not sure if I'm allowed to advertise hosts here, and this conversation is becoming slightly off-topic and requiring as well. If you'd like further help with virtual servers and securing them and your service, please contact me through Skype or feel free to post another question about it. – xorist Mar 11 '16 at 22:17
  • This question appears unclear- looks like different requirements in comments etc. Can you edit it to make it clear? – Rory Alsop Mar 12 '16 at 14:41
  • Hmm... Any suggestions? at Rory – Ale Morales Mar 12 '16 at 14:48
  • 1
    almosnow - what you are asking for is impossible. If you give them physical access and enough information to run the machine, a motivated attacker will be able to get full access to the disk's contents. – Neil Smithline Mar 12 '16 at 18:48
  • Hi almosnow - you probably need to clarify. In one place you say they will have physical access, and in another you say they will only have a network connection to it. Can you take all the points you have made in comments and incorporate into the question - that would help a lot. – Rory Alsop Mar 17 '16 at 16:08

3 Answers3

2

If the user has physical access to the machine, all bets are off.

The most obvious method to attempt to secure the machine would be to encrypt the hard drive. The problem with that is that a running machine MUST contain the encryption key somewhere in memory, otherwise the OS can't operate. Since the decryption key is in memory, you're vulnerable to a cold boot attack

In addition, there's other vulnerabilities that physical access would give you. BadUSB is one example.

Steve Sether
  • 21,530
  • 8
  • 50
  • 76
  • Ok, let's say that my source code is not worth doing a cold boot attack either. I just want to prevent against enthusiasts that could just take out the HDD and peek at it, or things like that, I want to make it as hard as possible, at least. Don't know about BadUSB, can you tell me more about it? (Googled it but don't get it) – Ale Morales Mar 11 '16 at 22:09
  • 1
    There's other attacks available. If you encrypt the HD, you have to store the password somewhere since you can't be present to type it in. All an attacker has to do is take out the drive, copy it, then mount it and look for the password. Or alternatively, run the copy as a vmware image. Then you can do whatever you like since it's running inside a virtual machine. The point is, physical access gives you many attack vectors. – Steve Sether Mar 11 '16 at 22:31
  • 4
    If all you care about is source code, you should rely on laws rather than technology to protect you. – Steve Sether Mar 11 '16 at 22:31
1

It much depends on what you're up against (your scenario).

A "normal" user could be trusted with a headless machine and a closed Linux installation, just closing off GRUB. This and a suitable contract/license would suffice. You can disconnect keyboard and mouse from the motherboard, seal the unit and only export your service and SSH.

The next level is disk encryption - a more sophisticated but still wet-behind-the-ears guy will just try to mount the disk from another machine, and might not even be aware there's such a thing as a ext4 or a NTFS - possibly "The disk must be formatted!" will be enough to scare him off, or he'll try with a extfs reader and won't be able to access the encrypted partition.

This is more or less where you'll want to stop. Going further adds complexity and still can't achieve total security.

The next level is a user savvy enough to understand that if the disk is encrypted and yet it boots, it means that the boot sequence has access to the decryption key. I've heard of experimental drivers (mainly working through obscurity) that hide the key in strange places, from unused CMOS memory to external EEPROMs, but as the old joke goes, we've already established how this will end, now we just haggle about the price - how much effort will be needed by a determinate hacker with full hardware access to break in. For if he's determined enough, he will break in.

There are drivers (and undetectable hardware devices, and virtualization methods) that allow intercepting both parallel port and USB traffic. Controlling the hardware clock and I/O, a replay attack becomes possible that will allow booting into a tampered system, thereby either allowing access to the decrypted disk from the "outside" of a VM, or starting extra services that will allow the same. So you would need to add sophisticated self-checking mechanisms to prevent this.

At this point, check out answers to the new problem and consider using a specially designed PC where the hard disk can't be removed. Keep in mind that "can't" means that you and I couldn't, but Chuck Norrissomeone (again: determined enough, wealthy enough, knowledgeable enough, ruthless enough) can.

Something you might try (and it still does not supply complete security) is to require that the machine is always connected to the Internet. Yes, the data is secure inside and doesn't get out, but when it boots, the machine can access an external server and get its decryption password from there using a scheme resistant to replay attacks.

Of course, if you're up against a determined hacker, one day the machine connecting to your server will not be the actual machine but a subverted piece of code that will (try to) steal the decryption key. With some luck, however, this will not succeed on the first attempt, and in the keyserver logs you'll see a sequence of a few reboots and key requests while the guy drills through the defenses.

Another possibility would be to allow the user to enter a response to a challenge via SMS. This would guarantee the customer that the server can't exfilter anything, and you would still have some sort of pulse on the situation.

Architecture change

Another possibility that occurs to me is that the user's PC contains their data, but it does not contain your service. This is downloaded directly to memory securely from the Internet, and executed at each boot. You would need a "supervisor" application that examines its environment and determines it's secure and untampered-with, and then requests through SSL and presenting a license key the latest application binary from your server. The binary downloads and starts doing what it needs to do on the data in the target PC, never being saved to disk. The server can verify the caller's IP address if belonging to a known customer network.

Now the attacker has to fool the supervisor application (which will still connect and request a binary even if it detects a tampered environment. It will just do so including a subtle hint that it's acting under duress - a "hawaiian good luck sign" if you will), and unless the attacker is the customer himself, also fool the server as well as seize the computer. Still possible, mind you, but way harder.

LSerni
  • 22,670
  • 4
  • 51
  • 60
-3

Yes, absolutely. The somewhat impractical answer is to install Linux on a machine and then keep it off-line and with you 24x7 so that nobody else has access to the machine.

Not really. It sounds as if you want an impractical level of security. For an example, see Microsoft and all their various attempts to release software and keep it to hidden users. Remember, when you do business with people you must exchange some information, and you are required to trust people with the information that you exchange with them.

In your favor, you know the code, you maintain it, and stealing part of the code would probably require expert knowledge. Another point in your favor, is that you can arrange to maintain the machine with the code on it. There is probably a greater danger from hackers stealing your code than there is that your business partners will steal it.

For optimal security, pick a strong Linux distribution that gets security updates out quickly, install a clean OS, update it regularly, install as little software as possible on the box, lock down all the ports, configure a strong firewall, and write really tight server-side code. If you are really security conscious, then run this machine on it's own sub-net with an independent gateway firewall and your own choice of DNS servers.

  • 3
    Did you even read the question (completely)? – deviantfan Mar 11 '16 at 21:47
  • I just don't want them to be able to read what's on the HDD, but I also can't be there every time they boot the server to type the password manually. – Ale Morales Mar 11 '16 at 21:56
  • The user should not be able to boot the TCP service over the Internet. I suggest a standard client-server set-up with a well-written server that is not vulnerable to common TCP attacks. – Brent Kirkpatrick Mar 11 '16 at 22:20
  • 1
    @almosnow, even if you were there to type the password, this would still not help you. See for example http://www.amazon.com/gp/product/B004ZLV1UI (USB versions exist; unobtrusive versions and installation tricks exist). – LSerni Mar 12 '16 at 14:13