SGX, or how I stopped worrying about the microchip hack
Bloomberg Businessweek had recently reported on a hardware supply chain allegedly infiltrated by government-sponsored hackers, who, according to the report, installed a malicious microchip into motherboards to spy on US-based companies.
The accused government has denied any involvement in this episode and the companies that, according to the report were targeted, denied finding evidence for it. No one has yet come forward to share the technical details of the implanted microchip. But even without these details, we can discuss the potential implications of such an attack, and how the technology developed by Anjuna can help customers regain confidence in their application security in light of similar threats.
First, let us examine a few possibilities for hardware-assisted security compromises, and what such an implant could potentially do. Disclaimer: we do not go into discussing the physical properties of such a chip, and whether it can be as small as illustrated in the Bloomberg article.
We assume the chip can read data passing from the processor (CPU) to the memory (DRAM), and in addition tamper with that data. This provides the capability to either exfiltrate data, or potentially redirect the execution flow of applications, or even the operating system, making it easily exploitable. For instance, if the piece of code that checks the permissions of an account is circumvented, a regular user may gain the capabilities of a superuser or administrator. Another avenue would be to exfiltrate sensitive data that is only supposed to reside in memory (and not in persistent storage) by using a hardware implant that can access both the memory bus and the I/O to the hard-drive or SSD. One example where it can be an issue is applications that store data at-rest in an encrypted form, and then decrypt it in memory in order to operate on it (secrets management applications are such an example).
It is no easy operation to compromise a supply chain and the assembly line, but it is feasible, especially for advanced attackers. In a world where supply-chain hardware attacks are possible, we need to consider a new security paradigm where we accept that hardware may be compromised and move toward a zero trust model.
Our goal should be minimizing trust in various hardware components, and tightening the security perimeter around our applications. At the hardware level, the best we can do (while still allowing for general-purpose computation) is to minimize trust to the processor chip, the CPU. At the software level, minimizing trust to the application itself, and removing the trust in the operating system and the storage is a great trade-off between usability and security — enabling applications to focus on the business logic, without worrying about anything running alongside them on the host.
Anjuna does just this with its Runtime Security solution based on Intel® Software Guard Extensions (SGX). It creates a software perimeter around the application that eliminates the need to trust the operating system, the hypervisor or the host machine — protecting it from zero-days, physical access and privileged users, be it, hackers or insiders.
Intel® SGX essentially enables a completely new and unprecedented security model. Any data that leaves the CPU boundary and is written to the memory (and could potentially be intercepted by a hardware implant) is encrypted using a key that is generated in the processor. For readers who are familiar with the Cold-Boot and RowHammer attacks — the Intel® SGX technology can prevent those as well.
Anjuna enables to easily take advantage of the security guarantees of Intel® SGX, with a runtime that integrates transparently into the user’s infrastructure, without the need to rearchitect or modify the protected applications. Using the solution to protect critical applications can restore the confidence that the data is protected, regardless of the origin of your hardware appliances.