Netgate Discussion Forum

    Intels AES-NI instructions

    Category: Off-Topic & Non-Support Discussion
    25 Posts, 7 Posters, 4.6k Views
    • reggie14

      @Harvy66:

      The most concerning exploit I can think of is the RNG. Almost any changes to AES-NI will cause the system to stop working and will be easily detectable as storage and network instantly breaks. But changes to RNG does not cause catastrophic failure.

      Agreed.  To make matters worse, poor RNGs are extremely difficult to detect.  And in crypto protocols there are lots of opportunities for the attacker to reconstruct the state of your RNG if it has a major weakness.

      @Harvy66:

      Most any back door related to AES-NI will probably require physical access at some point. AES-NI could save the last N keys in non-volatile on-chip storage or at a certain memory location in dram. Storing unexpected data in dram could very likely result in data corruption unless the location was reserved, but the CPU does not reserve memory, it would have to be in concert with another device that is also back-doored.

      Maybe I'm not following you, but AES-NI doesn't do what you think it does.  As I said in my previous post, AES-NI is just an accelerator.  If you want to steal a key, you certainly don't need physical access.  The keys are just sitting in memory, so you just need to memory-scrape it (or, in some cases, read it from disk).

      Even if someone wanted to put a backdoor in AES-NI, I'm not even sure what they'd do that wouldn't be better accomplished with some other form of malware. (And those other methods would work perfectly fine against any software crypto library.)

      @Harvy66:

      Any hardware based remote backdoor would require several devices to work together to accomplish this feat. Doing this transparently in a way that doesn't cause an OS to crash would be quite hard, since not all OSs work the same and they change over time.

      Well, that depends on what you mean by a hardware-based backdoor.  Purely hardware?  Sure, that looks needlessly complicated.  But if that includes tampering with low-level firmware, either in the BIOS or in the firmware in any of the numerous devices in your computer with direct memory access, then that doesn't look that hard.  It seems like an awful lot of work for a highly targeted attack, though.

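An added example, not from this thread, illustrating reggie14's point that a weakened RNG is hard to detect from its output: a constructed toy generator whose entire state is a 32-bit seed expanded through SHA-256 passes a simple frequency test just as well as the OS RNG, yet anyone who knows the construction recovers the seed from a single output block. The class, function names and seed value are assumptions for illustration, not a description of any real hardware.

```python
"""Constructed toy (added example): output that looks random is not the same
as output that is unpredictable. A generator whose only secret is a 32-bit seed
passes a monobit test like os.urandom does, but its seed is brute-forceable."""
import hashlib
import os
from typing import Optional


class WeakRNG:
    """Toy 'backdoored' generator: whole internal state is a 32-bit seed
    (assumption for illustration; real hardware RNGs are not built this way)."""

    def __init__(self, seed: int) -> None:
        self.seed = seed & 0xFFFFFFFF
        self.counter = 0

    def random_bytes(self, n: int) -> bytes:
        """Output block i = SHA-256(seed || counter_i); looks uniform."""
        out = bytearray()
        while len(out) < n:
            block = self.seed.to_bytes(4, "big") + self.counter.to_bytes(8, "big")
            out += hashlib.sha256(block).digest()
            self.counter += 1
        return bytes(out[:n])


def monobit_bias(data: bytes) -> float:
    """Fraction of 1 bits minus 0.5; close to 0 for anything that 'looks random',
    so this kind of statistical check cannot tell the toy RNG from a real one."""
    ones = sum(bin(b).count("1") for b in data)
    return ones / (8 * len(data)) - 0.5


def system_bias(n: int = 4096) -> float:
    """Same measurement on the OS RNG, for comparison."""
    return monobit_bias(os.urandom(n))


def recover_seed(first_block: bytes, search_bits: int = 20) -> Optional[int]:
    """Given one 32-byte output block, find the seed by exhaustive search.
    search_bits caps the demo at 2**20 candidates so it runs in seconds; the
    full 32-bit space is still trivially searchable, which is the point."""
    for candidate in range(1 << search_bits):
        block = candidate.to_bytes(4, "big") + (0).to_bytes(8, "big")
        if hashlib.sha256(block).digest() == first_block:
            return candidate
    return None
```

The lesson for a defender is that output statistics say nothing about entropy; only the generator's design and the provenance of its seed material do.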
      • Guest

        The more I think about my argument, the more I realize it does not add up. If anyone had the ability to flash the microcode of your CPU, they would probably go after something easier than AES-NI…

        I do find it odd that Cavium crypto accelerators with their binary blob and NDA are banned, but the Intel CPU AES-NI is different how?

        • reggie14

          @Phishfry:

          The more I think about my argument, the more I realize it does not add up. If anyone had the ability to flash the microcode of your CPU, they would probably go after something easier than AES-NI…

          More than that, if someone had the ability to flash microcode, they'd probably go after something easier and likely more powerful than microcode: SMI handlers.

          Or just rootkit the kernel.  That's a lot easier and probably would still do 99% of what they'd want.  But I'm happy to feed your paranoia with more sophisticated attacks.

          • Guest

            You're not bugging me in the least.
            As Thomas J would say:
            "A well-informed populace is vital to the operation of a democracy."

            I find it ironic that the press is acting like a hard drive firmware hack is a first. The assembly of virus tools for 12 drive manufacturers, now that is impressive (if I didn't have to pay for it!).

            I don't see any Compact Flash manufacturers on the list (small reprieve).

            • Harvy66

              @reggie14:

              @Harvy66:

              The most concerning exploit I can think of is the RNG. Almost any changes to AES-NI will cause the system to stop working and will be easily detectable as storage and network instantly breaks. But changes to RNG does not cause catastrophic failure.

              Agreed.  To make matters worse, poor RNGs are extremely difficult to detect.  And in crypto protocols there are lots of opportunities for the attacker to reconstruct the state of your RNG if it has a major weakness.

              @Harvy66:

              Most any back door related to AES-NI will probably require physical access at some point. AES-NI could save the last N keys in non-volatile on-chip storage or at a certain memory location in dram. Storing unexpected data in dram could very likely result in data corruption unless the location was reserved, but the CPU does not reserve memory, it would have to be in concert with another device that is also back-doored.

              Maybe I'm not following you, but AES-NI doesn't do what you think it does.  As I said in my previous post, AES-NI is just an accelerator.  If you want to steal a key, you certainly don't need physical access.  The keys are just sitting in memory, so you just need to memory-scrape it (or, in some cases, read it from disk).

              Even if someone wanted to put a backdoor in AES-NI, I'm not even sure what they'd do that wouldn't be better accomplished with some other form of malware. (And those other methods would work perfectly fine against any software crypto library.)

              @Harvy66:

              Any hardware based remote backdoor would require several devices to work together to accomplish this feat. Doing this transparently in a way that doesn't cause an OS to crash would be quite hard, since not all OSs work the same and they change over time.

              Well, that depends on what you mean by a hardware-based backdoor.  Purely hardware?  Sure, that looks needlessly complicated.  But if that includes tampering with low-level firmware, either in the BIOS or in the firmware in any of the numerous devices in your computer with direct memory access, then that doesn't look that hard.  It seems like an awful lot of work for a highly targeted attack, though.

              For both the AES-NI and "hardware" backdoors, what I was getting at is that it would be hard to create a remote backdoor that was integrated into the hardware and not software. Creating any old remote backdoor wouldn't be hard, but creating an undetectable backdoor that does not crash the system would be quite difficult if it was built directly into the CPU or network silicon.

              I assume the easiest place would be into the drivers, assuming they're binary blobs.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.