Dan Griffin

Welcome to the 15th edition of the JW Secure Informer, our bi-monthly newsletter. This is an opportunity to share what’s on our radar, specifically with respect to enterprise network security, but also regarding IT and business more generally.

The Informer is intended to be useful content and good for a quick read. So if it’s just clutter in your inbox, we’ve failed, and I hope you’ll let us know.

Endpoint Security and Trusted Boot

An Introduction By Way of James Bond

In the James Bond film Casino Royale, a high-stakes poker game is arranged as a gambit to lure a desperate terrorist to the table. Before the game begins, each player types in a secure PIN on a mobile banking kiosk, which is essentially a laptop with a special number pad. The PIN will later be used to authorize a funds transfer if that player wins the game.
Of course, James Bond wins the poker game. When the Swiss banker returns with the mobile kiosk to complete the funds transfer, Bond invites his new girlfriend to type in his PIN. “How could I know it?” she asks. Well, it turns out that the PIN code he used is actually her name. Cue the cheesy romantic montage.

And yet, while the context is as hackneyed as one might expect from James Bond, the Swiss banker’s mobile kiosk presents particularly interesting questions about endpoint security. After all, mobile banking is becoming the norm. If hackers had been able to perform a brute-force guessing attack on Bond’s PIN, they would have found it quickly. Therefore, the bank doesn’t want just anybody to be able to access its private funds transfer system, even though that system needs to be accessible to a mobile device that could be operating anywhere.

In addition to the dubious integrity of Bond’s PIN, we also need to consider the security of the mobile kiosk itself. It’s possible that hackers or a trusted insider could compromise the device by installing a keystroke logger or other malware. With access to such a highly trusted device, hackers could wreak havoc, liquidating customer accounts at their leisure. What can the banking industry do to secure mobile devices against such threats?

Trusted Boot

A compelling solution for securing the mobile banking scenario depicted in Casino Royale is trusted boot with remote attestation. The Trusted Platform Module, or TPM, is a tamper-resistant security chip installed on many PCs. The TPM works with the computer BIOS to monitor what happens as the computer starts up. During the boot process, the TPM records data (known as measurements) such as the identity of the operating system loader and other binaries.

Once the PC has started up, the data gathered by the TPM is available to be queried. The TPM applies a digital signature to the boot data in order to guarantee its integrity.
The information that the TPM gathers about the boot sequence is critical in the mobile banking kiosk scenario since it allows us to establish a chain of trust starting from the PC hardware and extending to the operating system and user apps. If a hacker modifies any of the components in that chain, we want to know about it. Likewise, if a hacker adds any untrusted components to the chain, we want to know about those as well.


It’s one thing to gather the boot data from the TPM, list the loader and boot drivers that are present, and even to verify the digital signature of those binaries. However, it’s quite another thing to determine whether those binaries – even if they’re signed – are actually the correct ones. This verification is the role that antivirus solutions have long played: if an attempt is made to run a program or open a file that is recognized to include something bad or untrusted, then the antivirus solution blocks it.

In order for a trusted boot solution to be practical, the same antivirus procedure needs to be done when the PC is starting up. As early as possible during the boot sequence, an antivirus driver should load and monitor all of the binaries loaded thereafter. The antivirus driver complements the TPM. While the TPM is taking measurements that can later be verified cryptographically, the antivirus driver is looking for risky files in real time. In order to ensure that only trusted components are loaded, one of the measurements that the TPM takes is the identity of the antivirus driver itself. This measurement ensures that only the trusted, un-tampered antivirus software is loaded.

Remote Attestation

The OEM or the organization that purchases the PC can preconfigure the TPM with a secret key. The TPM can also use a key to digitally sign the boot data (also known as a boot log) gathered during startup. Referring back to the chain of trust mentioned earlier, the TPM key is the first link in that chain and the antivirus driver is the last. If we can verify with high assurance that each link in the chain is a trusted binary, and if we trust that our antivirus solution will protect the PC once it’s running, then all that remains to verify the machine’s integrity is to demonstrate to a remote server that the chain of trust is intact. This validation is accomplished by using a process called remote attestation.

During the process of remote attestation, the TPM boot data is gathered, signed with a trusted key, and then sent to a remote server for verification. In the mobile banking scenario, the software running on the kiosk laptop would perform remote attestation as part of authenticating to the funds transfer system. Before allowing the transaction, the funds transfer system verifies the following components:

  • Integrity of the signed boot log received from the client/kiosk
  • Identity of the TPM key
  • Presence of a trusted boot loader, antivirus driver, and any other binaries loaded before or between these components
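As an added illustration that is not from the newsletter or from any JW Secure product, the following Python sketch walks through those three checks: it simulates the TPM’s PCR extend operation on the kiosk, signs the resulting register with a per-kiosk key, and then has the funds transfer server replay the boot log, check the key identity and compare every loaded component against an allow-list. The kiosk ids, file names, key bytes and the server-issued nonce (added for freshness) are all assumptions made here.

```python
import hashlib
import hmac

# All keys, file names and image bytes below are constructed samples.
KIOSK_KEYS = {"kiosk-0042": b"constructed-key-provisioned-into-kiosk-0042-tpm"}
TRUSTED_HASHES = {  # server-side allow-list of boot components
    "bootmgr": hashlib.sha256(b"trusted boot loader image").hexdigest(),
    "elam.sys": hashlib.sha256(b"trusted antivirus driver image").hexdigest(),
}
REQUIRED = ("bootmgr", "elam.sys")  # must appear in every acceptable boot log

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: the register is only ever folded forward, never reset."""
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(kiosk_id: str, nonce: bytes, images: list) -> dict:
    """Kiosk side: measure each image into a simulated PCR, keep the boot log,
    and sign PCR||nonce with the device key (HMAC stands in for the TPM quote)."""
    pcr, log = b"\x00" * 32, []
    for name, image in images:
        digest = hashlib.sha256(image).hexdigest()
        log.append((name, digest))
        pcr = extend(pcr, bytes.fromhex(digest))
    sig = hmac.new(KIOSK_KEYS[kiosk_id], pcr + nonce, "sha256").hexdigest()
    return {"kiosk_id": kiosk_id, "log": log, "pcr": pcr.hex(), "sig": sig}

def attest(report: dict, nonce: bytes) -> tuple:
    """Server side: the three checks listed above, plus freshness via the nonce."""
    key = KIOSK_KEYS.get(report["kiosk_id"])          # 2. identity of the TPM key
    if key is None:
        return False, "unknown TPM key"
    expected = hmac.new(key, bytes.fromhex(report["pcr"]) + nonce, "sha256").hexdigest()
    if not hmac.compare_digest(expected, report["sig"]):
        return False, "bad signature or replayed report"
    pcr = b"\x00" * 32                                 # 1. integrity of the boot log:
    for _, digest in report["log"]:                    #    replay it and compare with
        pcr = extend(pcr, bytes.fromhex(digest))       #    the signed PCR value
    if pcr.hex() != report["pcr"]:
        return False, "boot log does not match signed PCR"
    for name, digest in report["log"]:                 # 3. only trusted components...
        if TRUSTED_HASHES.get(name) != digest:
            return False, "untrusted component: " + name
    for name in REQUIRED:                              #    ...and none of them missing
        if name not in dict(report["log"]):
            return False, "required component missing: " + name
    return True, "ok"
```

A real deployment would use the TPM’s asymmetric attestation key and a PCR quote in place of the HMAC, but the verification order (key identity, signature, log replay, allow-list) is the same.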

Finally, a Plot Twist

If you’ve seen Casino Royale, you know that James Bond’s winnings were in fact diverted, but not because of a compromised device. Instead, it was a trusted insider. Indeed, there’s little that can be done to prevent an attack by someone who misuses his or her explicitly granted privileged access.

Rather, the best strategy for mitigating the threat of a trusted insider misusing his or her access is to audit those transactions. Trusted boot is useful here since it allows you to track who did what, what device that person used to perform the action, and when the action was committed, with high assurance.

The TPM key allows a specific device to be registered to a specific user. Combining remote attestation with some form of user authentication allows a user/machine binding to be enforced. If a trusted user attempts a transaction from the wrong kiosk, that action should be flagged as a potential stolen credential. Likewise, if an untrusted user attempts a transaction from a trusted kiosk, that action should be flagged as an indication that the kiosk might have been stolen.

With trusted boot and remote attestation, we have the tools we need to ensure that James Bond’s poker winnings are safe and to further reduce the bank’s risk profile for fraud. Cue the cheesy romantic montage.

More Information

For more information, please check out Hacking Measured Boot and UEFI at DefCon 20, as well as my new book Cloud Security and Control.