
What would be the best practices for securing a single-purpose Windows laptop against a determined foreign intelligence agency from tampering with data on the machine? The machine would be used several times per year by two individuals who independently verify each other's work and print the results. The machine would not need access to the Internet, but when in use would need to be connected to a printer.

Some of the things I've thought of so far:

  • Use a laptop with a TPM module.
  • Encrypt the drive.
  • Disable the NIC.
  • Disable the USB ports.
  • Use a strong password on the machine.
  • Physically store the machine in a locked safe while not in use.
  • When used, transport the laptop using two different security personnel.
  • While out of the safe, the laptop would always be attended by at least two individuals.
  • The laptop would be a fresh install of Windows with no 3rd party software installed on it (not sure about updates in a situation like this).
  • The custom software on the computer, when run, would compute the hash of its binary files (e.g. exe and dll) and generate a code that the user would compare to a known value to detect tampering.

Any changes or additions?

schroeder
RogerMKE
  • Would the concern only be tampering with the contents, or also spying on the contents? – bukwyrm Aug 13 '18 at 12:18
  • Just tampering. The information on the machine isn't sensitive, just the accuracy of it. – RogerMKE Aug 13 '18 at 12:19
  • Would destruction of the contents be a concern? – bukwyrm Aug 13 '18 at 12:28
  • Are you sure that Windows would be the best option for such high security demands? – architekt Aug 13 '18 at 12:35
  • @bukwyrm No, it's really just about preventing anyone from tampering with the results of the user's work to produce bad results. Two users would independently do the same work, and a third would check that the results from the two workers are in agreement. – RogerMKE Aug 13 '18 at 12:37
  • @Martin No I am not certain. I'm open to justifiable suggestions. – RogerMKE Aug 13 '18 at 12:38
  • If the printer is part of the process, it too needs to be in the safe. Also, unused internal and external ports should be physically disabled, not just software/BIOS disabled. The TPM is more of a problem facing a state actor, is it not? I'd keep the hardware minimal. – bukwyrm Aug 13 '18 at 13:19
  • Use custom warranty void stickers to ensure the laptop has not been physically opened. – Mark Buffalo Aug 13 '18 at 13:30
  • Slightly off topic, but don't forget to secure the printer in this instance. If the printer can be compromised, it could be used to install drivers on the laptop, as well as theoretically modify any printed data. – Dan Landberg Aug 13 '18 at 14:37
  • Whether or not the printer is considered trusted is important. If it is trusted, then it's fine to plug in directly. If it isn't, then you might want to use an inert medium (such as a DVD) to transfer data to the printer. I left this stuff out of my answer until I better understand your threat model. – forest Aug 14 '18 at 04:47
  • I know you need to actually use it, but after reading your requirement and reading forest's recommendations, I'd say the only real way to make sure it is secure is to throw it in a wood chipper before installing any confidential information. – Cort Ammon Aug 14 '18 at 05:42
  • More seriously, does any of the information need to be confidential? You could solve a lot of problems by relying on massive redundancy of the information and the calculations. – Cort Ammon Aug 14 '18 at 05:45
  • @CortAmmon OP mentioned in a comment that the information on the machine itself isn't sensitive. – forest Aug 14 '18 at 09:09
  • You could buy a printer that does not have networking features. For instance, a dot-matrix printer or a label/receipt printer. – alejandro5042 Aug 16 '18 at 22:54
  • Since a printer will be a lot easier to compromise than an air-gapped laptop with TPM, you might want to remove it from the equation. Get a printer that can print PDF files from a USB stick, and buy a USB stick with a hardware write-protect switch so the printer cannot write any file that would compromise the computer. – billc.cn Aug 17 '18 at 13:08
  • If the hardware was compromised, it could be flashed to alter the accuracy of the data, especially if the GPU was flashed with a modded firmware (if I were to display hash B, display hash A on screen). – bradbury9 Sep 26 '18 at 08:51
  • What about [cosmic bit flips](https://www.johndcook.com/blog/2019/05/20/cosmic-rays-flipping-bits/)? – Nomad Oct 05 '21 at 10:53

2 Answers


I am assuming that there is some reason you can't use a dozen different laptops in multiple countries or jurisdictions doing the same activities to provide extremely high redundancy (as pointed out in a comment on the question). If any of the laptops have results that differ, at least one of them can be assumed compromised and incident response can kick in. The number of independent computations could be scaled to match your requirements. This of course assumes that the activity done on the laptop is deterministic and that there is only one "right answer", allowing any honest and uncompromised party to come up with the exact same results.

Assuming you need to maximize integrity for a single laptop, your plans seem solid. I would however make a few changes and additions to your proposal:

  1. Switch to Linux so vulnerabilities are not given to nation states before being patched.

  2. Require that those who handle the laptop provide a comprehensive chain of custody.

  3. Don't just disable unused peripherals, cover them with anti-tamper epoxy resin.

  4. Disallow using any untrusted peripherals. Even VGA/HDMI can be vulnerable!

  5. Do not use custom software to hash binaries. Secure software already exists.

  6. Require smartcards to identify to the device. Shamir's Secret Sharing is useful.

  7. Mind EMSEC by working in a secure area or using shielded devices.


Mutual authentication

It's important that the users of the computer are able to authenticate to it. Normally, it is the user who authenticates themselves to the computer, but in high-risk environments, it may be necessary for the computer to authenticate itself to the user as well. This can be done using various experimental mutual authentication technologies like MARK, which uses an active USB device.

Each person who uses the laptop should be using a smartcard as part of the authentication process. This card should be kept physically secured. Depending on your threat model, it may even need to be hidden while on the person. It is possible to use secret sharing algorithms to ensure that a threshold of authorized individuals are required to fully authenticate themselves to the system. This could be set up such that, say, five people have keys, and at least three of them must use their keys at the same time to authenticate. This will protect from up to two people going rogue while still allowing authentication even if up to two people lose access. The exact parameters, including the weight each person holds, can be tweaked at will to match your threat model.

Firmware and software integrity

Assuming that the TPM is used for SRTM, it will be able to detect any modifications to the bootloader and related software, as well as certain firmware and even the BIOS itself, assuming the BIOS contains a read-only boot block (the CRTM). If encryption is also used, this provides a greater level of tamper resistance. Unfortunately, most block modes are malleable (plaintext can be intelligently modified even without knowing the key), so it is necessary to have the OS verify all components of the system even after boot, for example by using IMA, the Integrity Measurement Architecture, available on Linux.* IMA may reduce I/O performance by breaking demand paging.

Often, the NIC or USB controller will still be active even if the operating system is ignoring them. A vulnerable BIOS could be compromised through such interfaces. Most systems' BIOS are horribly insecure and allow both local attackers (malicious processes running on the machine) and physical attackers to gain higher privileges. You can do some limited analysis of BIOS security by using the CHIPSEC framework. This framework is designed to verify certain security attributes for a platform's firmware. Important information is available on their wiki. This framework is designed primarily for BIOS vendors and OEMs who wish to look for vulnerabilities that allow the firmware to be overwritten at runtime despite standard software write locks put in place.

* I have little experience with Windows, but I believe it is possible to support such integrity with that operating system. However, it is important to remember that nation states often get prior notice to vulnerabilities in Windows before they are disclosed publicly or even patched. For this reason, Windows is likely not the best platform to be using.

Physical attacks

If someone gains unrestricted physical access to a laptop, it is not your laptop anymore. There are a number of different physical attacks that one can carry out. Some of them can be mitigated, whereas others would require you to physically modify your laptop to mitigate:

  • DMA attacks - Many peripherals support direct memory access, both internal and external. External GPUs, Thunderbolt, Firewire, and internal PCI and PCIe ports all support DMA. This support allows anyone who connects a device to these interfaces to perform reads and writes to arbitrary memory locations. The mitigation requires that your laptop have a proper DMAR table and a modern IOMMU (VT-d2 for Intel). You must also boot with the IOMMU enabled, e.g. by passing intel_iommu=on to the boot command line on Linux.

  • Cold boot attacks - Passive retrieval of memory is possible by removing the memory modules and placing them in a different device to read. This allows them to read sensitive data, but does not allow tampering, as it is a highly invasive procedure that necessarily requires the target machine to be shut down. Full memory encryption mitigates this, and the use of ECC memory can also complicate the attack (ECC typically requires the memory modules be reset to a known state during initialization).

    Cold boot attacks only compromise confidentiality of data in memory, not integrity. If integrity is all you need, then cold boot attacks are not relevant to your threat model.

  • JTAG - JTAG is a debug protocol and interface on the motherboard for many devices from ones as simple as CPLDs to ones as complicated as enterprise x86 processors. Plugging a JTAG probe into the interface allows complete, absolute control of the chipset, allowing them to halt the machine, read and write registers and memory, and interact with peripherals. If an attacker manages to connect to the target using JTAG, all bets are off. You need to ensure the device either does not have a JTAG header, or that the header has been destroyed or coated with epoxy.

Additionally, physical attacks may involve connecting to a vulnerable peripheral. Nearly everything can be vulnerable, even VGA and HDMI can be exploited by abusing things like EDID. USB devices may support DCI, and a few fail to disable it in their BIOS. These systems can see USB abused to pass JTAG commands without opening the machine and connecting a probe to the motherboard. Networking interfaces can be vulnerable, and vulnerabilities have been found. Sometimes it is not enough to simply disable the ports in software, as various DCI vulnerabilities have shown. You may need to physically block the ports using a strong epoxy resin.

Physical tamper evidence

There are several ways to detect physical tampering with a device. All of these methods require you take a high-resolution photograph of the machine at multiple angles so that you can compare them against your actual machine at any time that you suspect it may have been modified. Any solution for detecting physical tampering will be visible as a discrepancy between the photo and the actual device. The general idea is to place something in sensitive areas of the device which will be visibly broken or moved if that area is intruded upon. A few examples:

  • Security tape - The standard way is to use tamper-evident security tape. These are stickers or strips of tape that leave unique marks on the surface if they are removed, and which are designed to be resistant to steam or other techniques used to gently pull them off. These can get quite expensive, supporting features such as holographic labels and unique marks.

  • Epoxy resin - Epoxy is a strong glue-like substance that sets in and cannot be easily removed without destroying anything that it coats. There are many types of epoxy of differing strengths and properties. You would want one which is designed to resist tampering (e.g. designed not to easily be removed with solvents or fine drills), as well as non-conductive and non-thermally insulating, to prevent shorts and overheating. When used correctly, epoxy resin can both resist physical attacks (tamper-resistance), and make successful attacks visible (tamper-evidence).

  • Nail polish - Nail polish that has a lot of glitter in it is actually very, very useful as a form of a ghetto security seal. When placed around the joints of a system, it becomes extremely difficult to open it without moving the glitter. Once the glitter is disturbed, it becomes nearly impossible to place it back exactly as it was, leaving valuable evidence behind for the defender.

Emission security (EMSEC)

When you have nation states as an adversary, covert monitoring of electromagnetic signals is a very real possibility. These signals can be used to read keystrokes from 20 meters away or more. It can be used to perform Van Eck Phreaking to view computer displays through walls. It can be used to break encryption by listening to the processor as it works on cryptographic material. Mitigating this requires a large, secure perimeter (several hundred meters), or using a TEMPEST-certified device. These certifications do come from the government (e.g. NATO SDIP-27 and USA NSTISSAM), but they allow devices to be certified as immune to dangerous EMI/RFI leakage.

Unless you are in a secure, shielded room or have a large and secure perimeter, you must make sure your devices are shielded while they are being used for sensitive operations. While not strictly related to electromagnetism, it is also important to use the device in a room with no windows, just as high-security government facilities do. This prevents audio (both from conversations, and from the keyboard) from being recovered using laser microphones. If your budget or circumstances make any of this impossible, you must rely on standard OPSEC to prevent your adversary from getting close enough at the critical time to record sensitive emissions.

Glorfindel
forest

I would like to add a layer of simplification to @forest's excellent answer.

Burn the entire system to read-only media

And protect the DVD (or bluray) from swapping by the attacker.

Once the software suite and the OS system image are surely clean, they can be burned to non-rewritable media. The idea is to run a live OS and the software suite every time from DVD, using the RAM as temporary storage. The question did not mention whether the application needs to preserve state on disk or can load rocket coordinates input from USB keys or keystrokes. As long as the physical media remains the same, you are almost guaranteed to run the original software.

This provides you with ONE advantage: on the bare suspicion that the hardware is compromised, you can get a new one or run the machine as a virtual machine on a clean hypervisor.

You still need a lot of offline security, given the power of a foreign intelligence. Also a bit of budget...

  • Mark and protect your media so that it will be hard to swap with a tampered DVD running rogue software
  • Protect your supply chain: if the new bought-in laptop is delivered first to 3-letter-agency, they can compromise hardware and install a rootkit
  • The question did not mention privacy, so using computing resources on a local cloud provider that is unlikely to be tampered with by foreign intelligence is a way to deceive the attacker about where the software will be executed. Changing the provider often is a plus
  • You can still borrow laptops somewhere of your choice

The threat

If foreign intelligence compromises a laptop running your software, they may try a very targeted cold boot attack with a rootkit.

Assuming the attacker knows your software very well, has an infinite budget and wants to compromise the result of your computation, they can use a rogue bootloader that loads a modified kernel targeted at your application. Such a kernel can theoretically do any harm, from altering known memory registers to sending crafted data to the printer via a peripheral driver. Or (by altering file system routines) it can load a modified executable version while the hash check reports that the executable on disk has never been tampered with.

If you are able to change the executing hardware quickly and unpredictably, you gain a serious advantage over this threat. For example, you may want to (send someone to) purchase a laptop in cash at your local BestBuy, MediaWorld or similar.

A foreign attacker must then compromise the entire supply chain to spot the hardware you will be using, if you suspect the need to change it. Pretty conspiratorial, too conspiratorial for me.

Chain of custody

I recall @forest's point #2 in his initial list. You must ensure a consistent chain of custody for the read-only media and possibly the laptop(s). A permanent-ink hand signature on the media is my best idea for the moment.

usr-local-ΕΨΗΕΛΩΝ
  • Comment: I do not like the idea of running highly sensitive software on clouds – usr-local-ΕΨΗΕΛΩΝ Sep 26 '18 at 20:19
  • SRTM or BootGuard can be used to prevent the bootloader from being tampered with (the latter is easier to use, but also easier to bypass), or prevent a rogue bootloader from being used. – forest Sep 27 '18 at 00:55