The operating principle of trusted boot modules. ALTELL TRUST - protection against unauthorized access


Trusted boot tools or modules (MDZ, SDZ) are software or hardware-software tools that allow the operating system to be launched only from trusted storage media (for example, hard drives). In addition, such devices can monitor the integrity of software (operating system files and directories) and of technical parameters (comparing the computer's configuration at startup with the one the administrator defined during initialization), and act as identification and authentication tools (using passwords and tokens).

Trusted boot tools allow you to solve problems such as:

Booting the operating system bypassing the hard drive. If an attacker does not know the credentials of legitimate employees but has physical access to the user's computer or server, he can boot the operating system from a pre-prepared flash drive and thereby gain access to the information stored on the hard drive. One of the features of trusted boot tools that counters this is a watchdog mechanism. Booting an operating system from external media requires entering the computer's BIOS (basic input/output system) and manually selecting a boot device, which takes a noticeable amount of time. If the computer is set to restart when the operating system takes longer to load than usual, the attacker will not have time to change the BIOS settings and boot from his device.

Stealing user credentials. Even if an attacker learns an employee's login and password for the system, he will be stopped by the absence of the personal identifier. When a trusted boot module is installed on the computer, the user must present a personal identifier or token before the operating system will load; without it, booting does not occur.

Compliance with regulatory requirements. Government information systems and systems that process personal data must undergo compliance certification. The requirements include mandatory protection of information systems with means of protection against unauthorized access. Where a higher level of security is required for the data stored in the system, the security measures require the use of hardware trusted boot tools.

Trusted boot tools can be:

  • Hardware-software trusted boot modules at the expansion board level. Such devices are installed inside the computer case and connect to the motherboard via a PCI connector.
  • Software tools. These are divided into BIOS-level and boot-record-level trusted boot tools. The former are built into the BIOS, which allows them to perform their functions before the operating system loads. The latter replace the boot record on the hard drive and run before control reaches the operating system.

Trusted boot is the loading of various operating systems only from predetermined permanent media (for example, only from a hard drive) after the successful completion of special procedures: checking the integrity of the PC hardware and software (using a step-by-step integrity control mechanism) and hardware identification/authentication of the user.

Concept Basics

  • Control of the device from which the BIOS starts loading the OS (usually the computer's hard drive, but it can also be a removable media reader, boot over a network, etc.);
  • Monitoring the integrity and authenticity of the device's boot sector and of the system files of the running OS;
  • Encryption/decryption of the boot sector and OS system files, or encryption of all data on the device (optional);
  • Authentication, encryption, and storage of secret data such as keys, checksums, and hashes are performed in hardware.

Authentication

User authentication can be performed in various ways and at different stages of computer boot.

To confirm the identity of the person starting the computer, various factors may be required:

  • A secret user login and password;
  • A floppy disk, CD or flash card holding secret authentication information;
  • A hardware key connected to the computer via a USB, serial or parallel port;
  • A hardware key or biometric data read by a separately made hardware module.

Authentication can be multi-factor. It can also be multi-user, with different access rights to the computer: for example, one user may only be able to start the operating system from the hard drive, while another may also change the CMOS configuration and select the boot device.

Authentication can occur:

  • During BIOS firmware execution;
  • Before loading the master boot record (MBR) or boot sector of the operating system;
  • During execution of a boot sector program.

Performing authentication at different stages of boot has its benefits.
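As an added illustration (not code from this page or from any of the products it describes), the following Python model shows the multi-user, two-factor scheme described above: a personal identifier and a password are both required, each user has their own set of boot-stage rights, and repeated failures block the user. The class and account names are hypothetical; the 12-character password limit is the one quoted for Accord-AMDZ later on the page, and the three-attempt lockout is an assumption.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical model of pre-OS authentication in a trusted boot module:
# personal identifier (token) plus password, per-user rights, and a
# failure counter against password guessing. All users are constructed.
MAX_PASSWORD_LEN = 12   # limit quoted for Accord-AMDZ on this page
MAX_FAILURES = 3        # assumption: block the user after three bad attempts

def hash_password(password: str, salt: bytes) -> bytes:
    # Only the salted hash is kept in the module's non-volatile memory.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Account:
    token_serial: str      # serial of the personal identifier the user presents
    salt: bytes
    pw_hash: bytes
    rights: frozenset      # actions this user may perform at the boot stage
    failures: int = 0
    blocked: bool = False

class BootAuthenticator:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.log: list[tuple] = []        # would live in non-volatile flash

    def register(self, name: str, token_serial: str, password: str, rights) -> None:
        if len(password) > MAX_PASSWORD_LEN:
            raise ValueError("password longer than the module allows")
        salt = secrets.token_bytes(16)
        self.accounts[name] = Account(token_serial, salt,
                                      hash_password(password, salt), frozenset(rights))

    def authenticate(self, name: str, token_serial: str, password: str):
        """Return the Account on success, None otherwise (both factors required)."""
        acct = self.accounts.get(name)
        if acct is None or acct.blocked:
            return None
        token_ok = hmac.compare_digest(acct.token_serial.encode(), token_serial.encode())
        pw_ok = hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))
        if token_ok and pw_ok:
            acct.failures = 0
            self.log.append(("login", name))
            return acct
        acct.failures += 1            # token and password failures count alike
        if acct.failures >= MAX_FAILURES:
            acct.blocked = True       # only the administrator can unblock
        self.log.append(("failed", name, acct.failures))
        return None

def permitted(acct, action: str) -> bool:
    # Rights differ per user: e.g. {"boot_hdd"} vs {"boot_hdd", "change_cmos"}.
    return acct is not None and action in acct.rights
```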

Trusted Boot Steps

At different stages of a computer's boot process, a trusted boot can be performed by different means, and therefore will have different functionality.

  • Executing the BIOS firmware. At this stage the following can be implemented: checking the integrity of the BIOS firmware, checking the integrity and authenticity of the CMOS settings, authentication (protecting against starting the computer at all, or only against changing the CMOS configuration or the boot device selection), and control of boot device selection. This stage must be implemented entirely in the BIOS firmware by the motherboard manufacturer;
  • Transferring control to the boot device. At this point the BIOS, instead of continuing to boot, may transfer control to a hardware trusted boot module. The hardware module can perform authentication, boot device selection, decryption, and verification of the integrity and validity of boot sectors and operating system files. Decryption of the operating system's boot sector can be performed only at this stage. The BIOS firmware must support transferring control to the hardware module, or the hardware module must emulate a separate boot device in the form of a hard drive, removable media or network boot device;
  • Executing the boot sector of the operating system. At this stage, integrity and validity checks of the boot loader and operating system files, as well as authentication, can also be performed. However, boot sector code is limited in functionality: it is restricted in size and placement, and it runs before the operating system drivers start.
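The following Python model, added here and not the code of any module the page describes, carries the step-by-step integrity control through the stages just listed: the administrator records reference hashes of the BIOS image, CMOS settings, hardware parameters, boot sector and OS files during initialization, and at each boot the module checks them in order, logs the result, and hands control to the hard drive only if every stage matches. The controller class and the platform snapshot are hypothetical, constructed values.

```python
import copy
import hashlib
from dataclasses import dataclass, field

# Simplified model of step-by-step integrity control. TrustedBootController and
# the platform snapshot are hypothetical; the byte strings stand in for the BIOS
# image, CMOS settings, hardware parameters, boot sector and OS files.
def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Stages in boot order. A stage is checked only if every earlier one passed.
STAGES = ("bios_firmware", "cmos_settings", "hardware_config",
          "boot_sector", "os_files")

@dataclass
class TrustedBootController:
    control_list: dict = field(default_factory=dict)   # reference hashes set by the administrator
    audit_log: list = field(default_factory=list)      # events kept in non-volatile memory

    def initialize(self, platform: dict) -> None:
        """Administrator step at installation: record the reference state."""
        for stage in STAGES:
            self.control_list[stage] = {name: digest(data)
                                        for name, data in platform[stage].items()}
        self.audit_log.append(("init", "control list built"))

    def boot(self, platform: dict) -> str:
        """Return 'hand-off' or 'blocked:<stage>:<object>' for the first mismatch."""
        for stage in STAGES:
            current = platform.get(stage, {})
            for name, ref in self.control_list[stage].items():
                if digest(current.get(name, b"")) != ref:
                    self.audit_log.append(("violation", stage, name))
                    return f"blocked:{stage}:{name}"   # later stages never run
            self.audit_log.append(("ok", stage))
        self.audit_log.append(("hand-off", "boot device: hard drive"))
        return "hand-off"

# Constructed snapshot of the platform the administrator sealed at initialization.
REFERENCE = {
    "bios_firmware": {"bios.rom": b"vendor-bios-image-v1.02"},
    "cmos_settings": {"boot_order": b"hdd0,disabled,disabled", "setup_lock": b"on"},
    "hardware_config": {"disk0_serial": b"SN-0001", "ram_mb": b"8192"},
    "boot_sector": {"hdd0:sector0": b"bootcode" + b"\x00" * 502 + b"\x55\xaa"},
    "os_files": {"/boot/kernel": b"kernel-build-1", "/etc/fstab": b"/dev/sda1 / ext4"},
}

def demo_boot() -> tuple:
    tbm = TrustedBootController()
    tbm.initialize(REFERENCE)
    clean = tbm.boot(REFERENCE)
    tampered = copy.deepcopy(REFERENCE)
    tampered["cmos_settings"]["boot_order"] = b"usb0,hdd0,disabled"   # boot device changed
    return clean, tbm.boot(tampered)
```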

Hardware Usage

Hardware trusted boot modules have significant advantages over purely software tools, but trusted boot cannot be implemented purely in hardware. The main advantages of hardware are:

  • A high degree of protection for secret information: passwords, keys and checksums of system files. While such a module is operating normally there is no way to extract this information (although some attacks on existing modules are known that disrupt their operation);
  • Encryption algorithms implemented in hardware can be kept secret;
  • The computer cannot be started without opening its case;
  • If the boot sector is encrypted, the user's operating system cannot be started even after the hardware module is removed;
  • With full data encryption, no data can be obtained after the hardware module is removed.

Examples of existing hardware

AMD SVM

Launched a year before Intel TXT.

Intel Trusted Execution Technology

Trusted Execution Technology from Intel.

It is not so much a trusted boot tool as hardware-level protection of the resources of individual applications as a whole.

TXT is a completely new concept for computer security at the hardware level, including working with virtual PCs.

TXT consists of sequentially protected stages of information processing and is based on an improved Trusted Platform Module (TPM). The system rests on the safe execution of program code: each application running in protected mode has exclusive access to its computer resources, and no other application can interfere with its isolated environment. Resources for protected mode are physically allocated by the processor and the chipset. Secure data storage means encrypting the data with the same TPM, and any data encrypted by the TPM can only be recovered from the media using the same module that performed the encryption.

Intel has also developed a secure data input system. Malicious software cannot track the data flow at the computer's input, and a keylogger receives only a meaningless set of characters, because all input procedures (including data transfers over USB and even mouse clicks) are encrypted. An application's protected mode allows graphic data to be transferred to the video card's frame buffer only in encrypted form, so malicious code cannot take a screenshot and send it to an attacker.
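To make the sealing property concrete (data encrypted by a TPM can only be recovered by the same module), here is a toy Python model added for this page; it is not the Intel TXT or TPM API. The per-chip secret stands in for a key that never leaves the chip, and binding the sealed data to a measured boot state digest (a PCR-like value) goes beyond what the page states.

```python
import hashlib
import hmac
import os

# Toy model of sealing: the wrapping key is derived from a per-module secret
# that never leaves the chip, so another module cannot unseal the blob.
# SealingModule is hypothetical; the SHA-256 keystream and HMAC tag are a
# demonstration construction, not a TPM command set or a production cipher.
class SealingModule:
    def __init__(self, boot_state: bytes):
        self._root_secret = os.urandom(32)              # unique per module
        self.pcr = hashlib.sha256(boot_state).digest()  # measured boot state

    def _keys(self, nonce: bytes):
        base = self.pcr + nonce
        enc = hmac.new(self._root_secret, b"enc" + base, "sha256").digest()
        mac = hmac.new(self._root_secret, b"mac" + base, "sha256").digest()
        return enc, mac

    def seal(self, data: bytes) -> bytes:
        nonce = os.urandom(16)
        enc, mac = self._keys(nonce)
        ct = bytes(a ^ b for a, b in zip(data, keystream(enc, len(data))))
        tag = hmac.new(mac, ct, "sha256").digest()
        return nonce + tag + ct

    def unseal(self, blob: bytes):
        """Return the plaintext, or None if this module/state did not seal it."""
        nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
        enc, mac = self._keys(nonce)
        if not hmac.compare_digest(tag, hmac.new(mac, ct, "sha256").digest()):
            return None                                  # wrong chip or wrong state
        return bytes(a ^ b for a, b in zip(ct, keystream(enc, len(ct))))

def keystream(key: bytes, n: int) -> bytes:
    # Counter-mode keystream from SHA-256; fine for a demo, not for production.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def demo_sealing() -> tuple:
    state = b"bios-v1|bootloader-v3"          # constructed measured state
    tpm_a, tpm_b = SealingModule(state), SealingModule(state)
    blob = tpm_a.seal(b"disk encryption key")
    same_module = tpm_a.unseal(blob)
    other_module = tpm_b.unseal(blob)        # same state, different chip
    tpm_a.pcr = hashlib.sha256(b"bios-v1|modified-bootloader").digest()
    changed_state = tpm_a.unseal(blob)       # same chip, boot state changed
    return same_module, other_module, changed_state
```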

Hardware trusted boot module "Accord-AMDZ"

It is a hardware controller designed for installation in a PCI, PCI-X, PCI Express, mini PCI or mini PCI Express slot. Accord-AMDZ modules provide trusted loading of operating systems (OS) of any type with the file systems FAT12, FAT16, FAT32, NTFS, HPFS, UFS, FreeBSD UFS/UFS2, EXT2FS, EXT3FS, EXT4FS, QNX 4 filesystem, Solaris UFS, MINIX and ReiserFS.

The entire software part of the modules (including administration tools), the log and the list of users are located in the non-volatile memory of the controller. This ensures the possibility of identifying/authenticating users, monitoring the integrity of hardware and software of a personal computer (PC), administration and audit at the hardware level using the controller before loading the OS.

Main features:

  • identification and authentication of the user using a physical electronic device (a personal identifier) and a password up to 12 characters long;
  • blocking PC boot from external media;
  • blocking interruption of the control procedures from the keyboard;
  • setting time restrictions on user access to the PC according to the operating schedule established for them;
  • monitoring the integrity of computer hardware, system areas, files, and the Windows registry;
  • automatic logging of recorded events at the stage of trusted OS loading (in the non-volatile flash memory of the controller);
  • watchdog timer;
  • administration of the security system (user registration, monitoring the integrity of the PC software and hardware).

Additional features:

  • control and blocking of physical lines;
  • RS-232 interface for using plastic cards as an identifier;
  • hardware random number sensor for cryptographic applications;
  • additional non-volatile audit device.

The complex is applicable for building systems that protect information from unauthorized access in accordance with the governing documents of the State Technical Commission of Russia at the 2nd level of control for the absence of undeclared capabilities; it can be used in automated systems up to security class 1D inclusive, and as a means of identifying/authenticating users and monitoring the integrity of the software and hardware environment when creating automated systems up to class 1B inclusive.

ViPNet SafeBoot is a certified high-tech trusted boot software module (MDZ) installed in UEFI BIOS from various manufacturers. It is designed to protect PCs, mobile devices and servers (including virtualization servers) from various unauthorized access threats at the boot stage and from attacks on the BIOS.

Protection for computers and servers must be in effect from the moment they are switched on. The interval from power-on to the start of the operating system is key to trust in the system as a whole. Risks exist at the very earliest stages of boot:

  • transfer of control to an untrusted bootloader;
  • loading of malicious code into UEFI;
  • interception of data and disabling of basic security mechanisms.

Any of these can lead to bypassing all the security measures installed in the operating system and to theft of information. Embedding the ViPNet SafeBoot trusted boot module protects the computer from these threats and makes the system trusted.

Purpose:

ViPNet SafeBoot is designed to identify and authenticate users, differentiate access by role, and organize trusted loading of the operating system. ViPNet SafeBoot increases the security level of devices and computers through:

  • Authorization at the BIOS level, before loading the main components of the operating system;
  • Monitoring the integrity of the BIOS, protected components of the operating system and hardware;
  • Blocking the loading of a non-standard copy of the operating system.

Use cases

The ViPNet SafeBoot product can be used both together with other ViPNet products and on its own. The main tasks it solves:

  • Compliance with the requirements of FSTEC orders:
    • No. 17 on the protection of government information systems (GIS);
    • No. 21 on the protection of personal data information systems (ISPDn);
    • No. 31 on the protection of automated process control systems (APCS);
  • Protection against unauthorized access at the earliest stages of booting computers or devices with UEFI BIOS.

Advantages

  • A software MDZ that can be installed in UEFI BIOS from various manufacturers.
  • Non-removability, unlike hardware versions of MDZ.
  • Simplified MDZ setup using administration templates.
  • Full control of UEFI integrity by checking the integrity of all its modules.
  • Russian product.

Certification in FSTEC of Russia

ViPNet SafeBoot complies with the requirements of the governing documents for trusted boot tools of class 2, basic input/output system level, which allows the product to be used to build:

  • ISPDn up to UZ1 inclusive;
  • GIS up to security class 1 inclusive;
  • Process control systems up to the 1st security class inclusive.

What's new in ViPNet SafeBoot 1.4

  1. Sleep mode is a key feature aimed at making OEM delivery of SafeBoot in workstations and servers convenient for hardware platform manufacturers. A detailed description is given in the attached document.
  2. Implementation of a licensing system: the product is now licensed by serial number.
  3. Support for authorization using Western certificates, making the product more convenient to work with. There are customers who authorize using a token and a certificate issued by a Microsoft CA, including via LDAP, which is why we decided to support this authentication method.
  4. Support for JaCarta-2 GOST, extending the list of supported key media for authentication.

InfoTecs reserves the right, without notice, to make changes to the supplied products (characteristics, appearance, completeness) that do not impair its consumer properties.

Strong two-factor authentication: user authentication using a token with an X.509 certificate (two-factor), a password, or a combination of both. Supported identifiers:

  • JaCarta PKI
  • Rutoken EDS
  • Rutoken EDS 2.0
  • Rutoken Lite
  • Guardant ID

Role-based access

  • User.
  • Administrator.
  • Auditor.

Integrity control. In order for the platform to be trusted, it needs a guarantee that all important modules loaded at system startup are unchanged. That's why ViPNet SafeBoot checks integrity:

  • all key UEFI BIOS modules;
  • boot sectors of the hard disk;
  • ACPI, SMBIOS tables, memory distribution maps;
  • files on disks with FAT32, NTFS, EXT2, EXT3 and EXT4 file systems (regardless of which operating system is installed);
  • Windows registry;
  • PCI/PCIe configuration space resources;
  • CMOS (contents of non-volatile memory);
  • transaction completeness (NTFS, EXT3, EXT4).

For the convenience of users, it has become possible to automatically build control lists for Windows OS.

Security event log. For convenience, several logging modes with different levels of detail are provided.

The trusted boot module is intended for computer technology that processes secret and confidential information (including the “top secret” and KA1 levels).

Thanks to working with multi-user groups with equal and different levels of authority and supporting administration schemes with both centralized and decentralized control, Maxim-M1 is a universal solution for use in secure systems.

Main functions

  • controls access during the initial startup of the PC, before control passes to the OS; identifies and authenticates the user using a two-factor method;
  • keeps indelible logs of user authentication and integrity control; data safety is guaranteed by non-volatile memory;
  • checks the validity period of user data (keys, service information) in real time;
  • controls the hardware and software of the protected system (RAM, hard drives, file system and FS logs, Windows registry);
  • protects against password guessing.

Advantages of APM "Maxim-1"

Suitable for installation on the information security administrator's workstation in information systems that work with trade secrets, personal data, and state secrets.

Can be used on a diskless workstation to work with secret and confidential information on a remote server.

The module is compatible with the main client versions of Windows (2000/XP/Vista/7) and server versions (2003/2008), as well as with systems based on Linux kernel 2.6.x and 3.x.x and the Astra Linux operating system.

Requirements and restrictions when using APMDZ "MAXIM-M1"

For installation and proper operation of the module, hardware and software must meet the level of requirements for architecture, supply voltage, board configuration, BIOS version, installed updates, and power connectors. During the operation of the module, restrictions are set for hardware and software in the system. A complete list of requirements is presented in the documentation for the APMDZ.

Personnel requirements

The user of the module (the administrator) must be able to work in the main operating systems, have experience in setting up personal computers and external equipment, and in administering automated systems on local computers, servers, workstations and thin clients.
