Which is the best technical approach to digital asset security?

Case study — SILO based on Guardtime’s Black Lantern HSM

Over the last years, we have seen a number of mining and wallet service compromises, underscoring how the world of digital currency is attracting thieves. It is a multi-billion dollar problem. These stories appropriately have resulted in institutional investor concerns that these holdings are not just volatile, but also insecure.

Reacting to these threats, digital currency holding groups and exchanges are increasingly looking to encryption as a way to address a lack of industry basic security hygiene, vulnerable users and inability to protect data. However, while encrypting stored data is one of the most effective ways to thwart such attacks, it is hard to do right.

To better understand the context, we look at the industry. Thieves are not brute forcing private keys as many would imagine. Instead, they rely on attacks in which:

• The holder of the currency is tricked to give access to the password for the account at storage service(s).
• They expose your private key (managing your own wallet).
• They impersonate a recipient.
• They benefit from an insecure third party (e.g., compromised employee laptops or accounts).
• Exchange and exit scams (thieves offer exchange or market services to maintain an account in bitcoin and steal holdings).

The real issue is the need for strong security strategies that protect digital assets and prevent exposure to theft end-to-end. While most investors choose to buy, store and transfer their currency through ‘secure’ wallet platforms, these services still suffer from exposure — even when they move beyond software security only to Hardware Security Modules (HSMs) that provide trusted storage and execution for wallet security applications.

Why? Hardware security strategies are inadequate, on their own, to secure cryptocurrency holdings. This is because they are raw technology that must be implemented correctly within the context of an overall and enterprise, cloud, mobile security application design. And this is something we hardly see in the industry.

In today’s environment, one must factor, not only where critical information is stored, but also where it flows and the third parties who have resultant exposure. HSM are only one piece of a complex countermeasure strategy that has to weigh a number of factors — including the holdings themselves, but also, holistically, how user and third-party application and authentication services will be interacting ultimately with these holdings.

Essentially, custodians of digital assets require a platform that considers these issues end-to-end — it’s design must reflect the work of a formal counter-measure assessment looking at attack vectors, dependencies, user and third party interactions.

THE SOLUTION

A PURPOSE-BUILT HSM

SILO builds its security framework upon the HSM’s secure execution environment. This allows the end-to-end multi-account wallet management system to benefit from secure transaction processing and policy enforcement.

What does SILO based on Guardtime’s Black Lantern offer vs a traditional HSM?

• A secure execution environment which only executes preauthorized, signed and authenticated applications, making it impossible for a malicious user to load or execute any arbitrary software.
• True application separation. Each application’s memory and execution is segregated from all others. This means that, even if an application connected to an outward facing interface was compromised, the attacker would be unable to access other internal applications. Like an onion, SILO includes many layers, each one more difficult and painful to penetrate.
• Memory protection at the hardware and OS levels. Executable memory is protected, and applications cannot access or overwrite into each other’s memory. This blocks buffer overflow and code injection attacks.
• SILO provides real-time, constant monitoring of executable memory. If executable memory is modified or corrupted for any reason, it is detected in real time and appropriate actions are taken.
• Separation of vendor and customer keys/information to prevent third party disclosure. Customer keys, secrets and data are generated completely at the customer site and protected by keys specific to that appliance that are never available outside of the appliance. This removes any dependencies or ability for customer data to be compromised by the vendor.
• When customer applications run in SILO’s secure execution environment, the crypto and key management APIs are only exposed internally to the signed and authenticated application. This prevents API level attacks to gain insight into crypto secrets. The keys are also kept benignly in the platform layer, not exposed to the application.

HARDWARE AND SOFTWARE APPROACH

In Cyber, Advanced Persistent Threat actors generally follow a well understood workflow to target victim assets. These include initial reconnaissance (to harvest target domain intelligence), weaponization (to couple an exploit into a deliverable payload accepted by the system), delivery of that bundle via an aperture available from the victim, exploitation to execute code on the victim, installation of the malware, opening command and control of the victim — leading to an attacker successfully achieving their objectives (wallet stolen, personal information obtained, credentials stolen, etc.).

How does SILO based on Guardtime’s Black Lantern interrupt this kill chain?

SILO takes a defense in depth approach blending software and hardware policy and security enforcement, limiting the activities of any subsystem or process accomplished by the platform. The system employs a Hard Real-Time Operating System from Green Hills over a Secure System on Chip (NXP) architecture, which allows to achieve these capabilities as well as high-assurance (and certified) device lifecycle management (which allows to provide organizations with all infrastructure key management services to securely generate software signatures, certificates, and device unique keys). The root keys are not exportable and indeed require physical reverse engineering on chip to extract — a very costly, risk-laden, and time-consuming process assuming the attacker has a SILO.

The Operating System and run time environment build on these infrastructure and device capabilities utilizes a partitioning architecture to provide the embedded system total reliability, security, and maximizing real time performance. The Operating System used implements hardware memory protection to isolate and protect SILO applications. Secure partitions guarantee each task the resources it needs to run correctly, while fully protecting the operating system and user tasks from malicious code — including denial of service attacks, worms, trojans, etc. and unlike other memory protected operating systems, SILO never sacrifices real-time performance for security and protection.

Unlike other digital asset management solutions, middleware is extensively tested and validated for the OS including routing and network stacks, file systems, web services, I/O, and graphics stack and class drivers mitigating exploit payloads.

Also, the RTOS is one of the first to leverage hardware memory-management units (MMUs). Kernel services have been carefully optimized to minimize the overhead of system calls reducing exploitation surface. A real-time scheduler supports priority levels and enables complete control over CPU percentage allocation making real-time detection of non-nominal events achievable. To prevent the risk of user stack or attack overflow, the kernel has its own memory stack. Without this, the kernel would need to access the user process stack. This is an undesirable trait of operating systems because it is impossible for the user process to anticipate the maximum stack size if it is subjected to use by unknown code.

SILO POWERED BY GUARDTIME BLACK LANTERN — GENERAL FEATURES

• Software is digitally signed and encrypted at rest with NIST certified encryption algorithms. The hardware is incapable of executing unsigned code — it will not boot if the software and hardware runtime environment is not authentic.
• The hardware is also resistant to cryptanalysis attacks, such as statistical power analysis on invasive attacks. All of the executable software is monitored during run-time; it’s monitored by both, software and hardware. This mitigates threats relating to the use of “mod chips” for the purposes of altering data streams in and out of the Security Appliance. End-to-End protection and resilience is afforded to guarantee delivery of your services.
• In addition to the active monitoring of executable code during run-time, the architecture prohibits the introduction of executable code after the software has been authenticated, decrypted and executed. All executable code is read-only, through custom processor enforcement with hardware-based tamper reactions.
• Secure Production deployment accreditation offers flexibility for customer solutions using SILO appliances. The National Information Assurance Partnership (NIAP) evaluation of Black Lantern ensure secure management, control and auditing layers while extending security to the application. NIST certified cryptography libraries ensure secure implementation.

METACO is a leading provider of financial technology for banks. Established in 2015 and backed by institutional shareholders such as Avaloq, Swisscom, SICPA and DiePost. METACO’s SILO solution is trusted by global market infrastructure providers and banks including Avaloq, Swisscom, Deutsche Börse, Gazprombank and Sygnum. //www.metaco.com

Contact: info@metaco.com

Guardtime was established in 2007 with a goal of eliminating the need for trusted authorities within Estonian Government networks. Since then, it has become a leading provider of security solutions in the digital domain for businesses in the defense, telecom, life sciences, financial services, energy or government sectors. // www.guardtime.com

Contact: office@guardtime.com

This article is property of METACO SA and Guardtime.