Page104
BIOS
The IBM PC-compatible Basic Input Output System contains code in firmware that is executed when a PC is powered on. It first runs the Power-On Self-Test (POST), which performs basic tests, including verifying the integrity of the BIOS itself, testing the memory, and identifying system devices, among other tasks. Once the POST process is complete and successful, it locates the boot sector (for systems that boot off disks), which contains the machine code for the operating system kernel. The kernel then loads and executes, and the operating system boots up.
WORM Storage
WORM (Write Once Read Many) Storage can be written to once and read many times. It is often used to support records retention for legal or regulatory compliance. WORM storage helps assure the integrity of the data it contains: there is some assurance that it has not been (and cannot be) altered, short of destroying the media itself.
The most common types of WORM media are CD-R (Compact Disc Recordable) and DVD-R (Digital Versatile Disc Recordable). Note that CD-RW and DVD-RW (Read/Write) are not WORM media. Some Digital Linear Tape (DLT) drives and media support WORM.
Trusted Platform Module
Developed and updated by the Trusted Computing Group, a Trusted Platform Module (TPM) chip is a processor that can provide additional security capabilities at the hardware level. Not all computer manufacturers employ TPM chips, but the adoption has steadily increased. If included, a TPM chip is typically found on a system’s motherboard.
The TPM chip allows for hardware-based cryptographic operations. Security functions can leverage the TPM for random number generation, the use of symmetric, asymmetric, and hashing algorithms, and secure storage of cryptographic keys and message digests. The most common use case for the TPM chip is ensuring boot integrity. By operating at the hardware level, the TPM chip can help ensure that kernel mode rootkits are less likely to be able to undermine operating system security. In addition to boot integrity, TPM is also commonly associated with some implementations of full disk encryption. With encryption, the TPM can be used to securely store the keys that can be used to decrypt the hard drive.
Given the storage of highly sensitive and valuable information, the TPM chip itself could be targeted by adversaries. With TPM being hardware-based, tampering with the TPM remotely from the operating system is made much less likely. The TPM chip also has aspects of tamper proofing to try to ensure that a physically compromised TPM chip does not allow for trivial bypass of the security functions offered.
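The boot-integrity use case above rests on the TPM's Platform Configuration Registers (PCRs): each boot stage is hashed into a PCR with an extend operation, and a disk-encryption key can be sealed so the TPM releases it only when the PCRs match the values recorded at sealing time. The following is an added example (not from the original text or from the Trusted Computing Group specifications) that models that extend-and-seal logic in plain Python; the boot stages, disk key and the unseal function are constructed simplifications, not the real TPM command interface.

```python
import hashlib
from typing import Iterable, Optional

# TPM 2.0 SHA-256 PCR bank: PCRs 0-15 reset to all zeros at power-on.
PCR_RESET = bytes(32)


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """One PCR extend step: PCR_new = SHA-256(PCR_old || SHA-256(component)).

    The hash is one-way and order-dependent, so a PCR can only be driven
    forward; it cannot be rolled back or set to an arbitrary value.
    """
    digest = hashlib.sha256(component).digest()
    return hashlib.sha256(pcr + digest).digest()


def measure_boot_chain(components: Iterable[bytes]) -> bytes:
    """Measure each boot stage into a single PCR, in boot order."""
    pcr = PCR_RESET
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def unseal_disk_key(sealed_key: bytes, expected_pcr: bytes,
                    measured_pcr: bytes) -> Optional[bytes]:
    """Simplified model of a key sealed to a PCR policy (as full disk
    encryption does): the key is released only if the measured boot chain
    reproduces the PCR value the key was sealed against."""
    if measured_pcr != expected_pcr:
        return None  # boot path changed: key stays inside the TPM
    return sealed_key


# Constructed sample boot stages (not real firmware images).
GOOD_CHAIN = [b"firmware-1.0", b"bootloader-2.3", b"kernel-5.15"]
TAMPERED_CHAIN = [b"firmware-1.0", b"bootloader-2.3+hook", b"kernel-5.15"]
REORDERED_CHAIN = [b"bootloader-2.3", b"firmware-1.0", b"kernel-5.15"]

DISK_KEY = b"\x01" * 32  # constructed placeholder for a volume key
GOLDEN_PCR = measure_boot_chain(GOOD_CHAIN)  # recorded when the key was sealed
```

A modified bootloader or a different load order produces a different PCR value, so the key is not released; that is the mechanism by which a kernel-mode rootkit inserted into the boot path is detected before the operating system starts.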
Data Execution Prevention and Address Space Layout Randomization
One of the main goals when attempting to exploit software vulnerabilities is to achieve some form of code execution capability. Conceptually, the adversary would like to provide their own chosen instructions or supplied code to be executed by the compromised application. Intentionally corrupting the memory of a system via, for example, a stack- or heap-based buffer overflow condition, is a common means employed by the adversary.
The two most prominent protections against these types of memory corruption or overflow attacks are DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). DEP, which can be enabled within hardware and/or software, attempts to ensure that memory locations not pre-defined to contain executable content cannot have code executed from them. For example, an adversary exploits a buffer overflow condition in code that allows adversary-provided shellcode to end up in a general data storage location within memory. With DEP, if that location had not been marked as expecting executable content, then successful exploitation might have been mitigated.
Another protection mechanism, ASLR, seeks to decrease the likelihood of successful exploitation by making the memory addresses employed by the system less predictable. When developing exploits and building post-exploitation capabilities, the exploit code will leverage existing code loaded on a running system. If these components are consistently found at the same memory addresses, then the difficulty of exploitation is decreased. By randomizing the memory addresses used, the adversary is presented with a more difficult-to-exploit target. For an example of ASLR success, imagine an adversary developing a successful working exploit on their own test machine. When their code, which relies on particular operating system libraries and code being found at predictable memory addresses, is ported to a machine with ASLR enabled, the exploit could be caused to fail.
The goal of these protection mechanisms is often suggested as preventing exploitation. However, that goal, while laudable, will never be achieved consistently. Rather, the goal of these mitigation techniques is more appropriately thought of as trying to increase the cost of exploit development for the adversaries.