[Arm-netbook] ARM's OOB para-virtualization & FreeZone in A10?

Gordan Bobic gordan at bobich.net
Fri Jul 6 16:13:55 BST 2012


On 07/06/2012 03:26 PM, freebirds at fastmail.fm wrote:
> Gordan Bobic wrote:
>> Sure, but that still doesn't explain how they got into the machine and
>> gained root access. If they managed to gain root access to your machine
>> they already have full control. You need to establish the initial attack
>> vector and plug that.
>>
>> Bottom line - you need to stop the perp from gaining shell access in the
>> first place. After that you are just fighting an increasingly losing
>> battle.
>
> Thank you for your advice. How to proceed, I don't know. Today, I
> conducted further research to answer your question how they got into my
> machines. Acer Aspire One 722 has AMD-V.
>
> This year, three times I
> purchased an Acer and returned it within the 14 day return policy,
> because Jack's crackers cracked AMD-V. Though two Atom processors have
> Intel VT, my Asus and MSI Atom netbooks do not. The clue on Intel's
> other hardware assisted virtualization (HAD) was at
> http://openvirtualization.org/open-source-arm-trustzone.html#TrustZone-5

You are again claiming that AMD-V/Intel VT cracking has taken place 
without having provided any evidence for this opinion. Seriously - what 
evidence do you have that AMD-V/Intel VT was in any way responsible?

Can you please either explain what reason you have to think that 
virtualization extensions are to blame or stop making the claim? It 
seems to me you are fixated on this red herring when you have a real 
problem to deal with.

> This article stated: "Effectively, the ARM TrustZone API is deprecated
> and all the newer implementations use GlobalPlatform TEE as the
> reference. How does the Trusted Execution Environment (TEE) compare to
> Trusted Platform Mobile (TPM)? There are two main components of platform
> security:
> Trusted Execution Environment and Trusted Platform Module. . . . Popular
> CPU Architectures and their TEE implementations: ARM TrustZone. Intel
> TXT, AMD Secure Execution Environment. All three of these TEE
> implementations provide a virtualized Execution Environment for the
> secure OS and applications. To
> switch between the secure world and the normal world, Intel provides SMX
> Instructions, while ARM uses SMC. Programmatically, they all achieve
> very similar results."
>
> Intel developed its version of TEE called TXT in 2006. A search using
> "Atom" and "TXT" did not answer whether Atom has TXT. TXT works with
> TPM. Intel implemented TPM in 2004. Most likely Atom has TXT.  "Starting
> from the use of more advanced Trusted Platform Module (TPM) chips and
> adding new hardware extensions to both processors and chipsets, TXT can
> perform the following . . ."
> http://blog.activeservers.com/PermaLink,guid,2436962e-cc42-4720-864a-d08b64d2872d.aspx
>
> A computer repairman had suggested that my abuser's hackers may be using
> TPM.

You need to recognize that "computer repairmen" aren't necessarily 
qualified to make such a statement. Does he have a computer science 
degree or any kind of a qualification other than in replacing 
motherboards and disks and installing Windows and anti-virus software? 
I'm not sure if you are wilfully misdirecting yourself or just suffering 
from misleading advice, but there really, _REALLY_ is no evidence that any of 
the features you have thus far mentioned are responsible for your having been 
hacked.

> Researching TPM brought up old articles on TPM. The hype was that
> TPM improved safety. Only today did I find articles on Intel bring
> virtualization to TPM via TXT. Intel accomplished a mere two years after
> launching TPM. If I were to purchase an older laptop instead of an ARM
> or MIPS, the model would have to be pre 2006.
>
> Reading further, I discovered that TXT is not Intel's first
> virtualization extension. LaGrande is. Intel renamed LaGrande TXT.
> LaGrande has: "Protected Execution allows software to be run under a
> protected environment, where no other software can have access to the
> resources being used by the software, especially RAM memory – i.e., to
> the data being manipulated and generated by the software. Resources also
> include devices and processes being executed (i.e., the software
> itself)."
> http://www.hardwaresecrets.com/article/Intel-LaGrande-Technology-Explained/264/6
>
> Searching with "Atom" and "LaGrande" did not answer whether Atom has
> LaGrande. Intel's data sheets on virtualization should reference and
> link to all their various forms of virtualization. Intel should provide
> complete specifications on their processors. Computer manufacturers
> should provide complete specs. They don't. I have not seen any specs
> regarding TPM, TEE and LaGrande.
>
> To make this relevant to ARM on a small machine, I will discuss Open
> Virtualization's statement: "Effectively, the ARM TrustZone API is
> deprecated and all the newer implementations use GlobalPlatform TEE as
> the reference." This means that the initial description of TrustZone,
> like the initial description of TPM, does not describe the newer morphed
> version that is presently used. Since AllWinner uses ARM Cortex A8 which
> has TrustZone, it is important to fully comprehend the implications to
> security that TrustZone, now morphed into TEE, has.
>
> Every one else on this mailing list may have a secure firewall. You may
> naively believe that you do not need to review TrustZone and TEE
> because: (1) your firewall protects you; or (2) no one would ever want
> to hack your TrustZone anyway.

My point is far more basic than that, and that is that the perp has to 
GET TO my TrustZone in the first place. Without a way to get into your 
machine in the first place, everything else is irrelevant, and if they 
have a way of getting into your machine, them accessing TrustZone, VT 
and whatever other hypervisory hardware you may have available is 
utterly immaterial because once they are in they have everything they 
need to steal or corrupt your data anyway.

Seriously - if it was that easy and all machines with VT were that 
vulnerable, there wouldn't be a single server out there on the internet 
that wasn't hacked.

> Even if this was true, it is important to
> consider people whose firewall is not secure and/or have someone or some
> government who wants to discreetly monitor them.

I'm not saying any security measures are 100%, but that absolutely does 
not mean that VT is the evil thing you claim it to be.

> Does a secure firewall really prevent access to TrustZone or TEE?
> Intel's TXT has been hacked. See
> http://www.pcworld.com/businesscenter/article/159833/researchers_detail_intel_txt_hacks_at_black_hat.html
> and
> http://theinvisiblethings.blogspot.com/2009/01/attacking-intel-trusted-execution.html
> It is foreseeable that TrustZone/TEE is hackable.

You are missing the context here. All of this still requires the perp to 
have already gained access to the machine in some other way. This may be 
relevant in the context of, for example, a hostile VM breaching the host 
or another VM running on the same host, or somebody who already has 
access to the machine escalating their privileges. But it has no scope 
for being the initial attack vector that gets them access to the 
machine. You need to be fixing that hole being exploited for the initial 
attack, not going on a wild goose chase crusading against hardware 
virtualization extensions.

> Tom Cubie has ordered the netbook for me from Sunlike. Yet, the more I
> read about TrustZone, the more I fear it. I am wondering whether
> switching to ARM will provide any protection from hardware assisted
> virtualization.

As I keep saying, you still haven't provided any information whatsoever 
to suggest that hardware assisted virtualization is in any way related 
to the problems you are seeing.

> The ARM guide on ARM's website is ambiguous. I am requesting members of
> this mailing list on the behalf of myself and other newbie victims,
> activists and vulnerable others to research whether Allwinner A10
> supports TrustZone, is TrustZone enabled, how, in user-friendly terms,
> to tell, how to disable it and how to tell if it stays disabled. Thank
> you.

Until you can provide a single shred of evidence that hardware 
virtualization is in any way to blame, I maintain that you are 
misguidedly scare-mongering about it. You might as well be blaming the 
flying spaghetti monster, there's an equal amount of evidence against it 
being at fault. Sorry if that sounds harsh, but it really doesn't sound 
like you have any information/evidence to even remotely suggest that 
hardware virtualization extensions are in any way whatsoever connected 
to your machines having been hacked.

Gordan
