In 1976 I was developing software and hardware for medical test equipment that helped ophthalmologists diagnose eye diseases and prescribe glasses. Few of us worried about keeping the patients' information confidential on the equipment. That changed in just a few short years. Embedded modems and serial connections joined embedded processors to enable a whole new set of solutions - and risks - for a wide variety of machines that we didn't think of. The ubiquitous Automated Teller Machine (ATM) became practical through the combination of slow speed modems and embedded computing, as did retail Point of Sale Systems (POS). Most of these systems were originally based on one-off Operating Systems (OSes) that were more simple dispatchers and schedulers at best. This made hacking the system more complex: to hack each unique system required a unique attack. But as systems complexity increased, developers selected a different development path: combine standardized OS software to provide common functions with application-specific software to enable the product features.
With many of the commonly used Operating Systems and BIOSes available as Freeware or Open Source, hackers have a head start looking for vulnerabilities. These vulnerabilities can be minimized by employing secured systems such as Intel®'s Trusted Execution Technology(TXT). TXT provides a mechanism for loading and executing only trusted code, such as a Virtual Machine Monitor (VMM) or OS, even if there is malware present, the BIOS has become compromised, or an active attack on the loading process is underway. The specific behavior of TXT depends on the launch control policy. If a compromised BIOS is present in the system, the loading process stops. No security system can guarantee absolute security under all conditions - every system can be compromised given the right conditions, and with adequate time and money. But, TXT provides some critical operations in hardware to increase the level of difficulty encountered when trying to hack the system.
In the figure below, TXT is used to validate the VMM before it is loaded. If the VMM code is unchanged from a known good copy, the loading continues. Otherwise, loading is halted.
The Intel Trusted Execution Technology Software Development Guide uses the term measurement frequently. Using Intel's definition of "measuring software" means that the system must process (hash) the executable code, obtaining results that are unique to that specific code. Differences in hash codes indicate that changes have occurred in the executable code. A cryptographic hash algorithm meets these needs and is used to hash all critical software including BIOS and the operating kernel. The result is a hash code of a length that ensures a low probability of a modified piece of critical software matching the hash code of the unmodified software.
Hacking difficulty is further complicated by the crypto key stored inside a microcontroller within the embedded system and never presented to the outside world. This microcontroller is called the Trusted Platform Module (TPM). The TPM securely stores passwords and digital keys and certificates that can provide unique identification, among other things. The TPM, depending on the platform chipset, is either a discrete IC or it is integrated into the chipset itself. A TPM-resident co-processor performs cryptographic operations such as key generation, encryption/decryption, hashing, and random number generation.
Green Hills Software INTEGRITY Secure Virtualization Technology and RTOS (Real Time Operating System) use the underlying security capabilities of Intel's VT-capable processors to provide multiple virtualized guests on the same core, such as Windows and Linux, while providing an evironment for secure, realtime applications. According to David Kleidermacher, CTO of Green Hills Software, "by using the hardware capabilities of VT-enabled Intel processors, INTEGRITY is able to guarantee the highest levels of security." INTEGRITY-based platforms, used in military/aerospace, infotainment, critical control systems, and financial/banking, are already certified to the highest software criticality slevels, including the FAA's DO-178B Level A and Common Criteria Evaluation Assurance Level EAL 6+. Green Hills Software is an Affiliate member of the Intel® Embedded and Communications Alliance (Intel® ECA).
Real Time Systems GmbH, another Intel® ECA affiliate, takes a different approach. By virtualizing the processor or processors in an application platform, Real Time Systems enables multiple OSes to run simultaneously and independent of each other. Virtualization technology separates OS operations and applications programs in a series of partitions that are protected from each other. RTS Real-Time Hypervisor provides real time performance with no added latencies. Designers gain the ability to mix several different operating systems including Windows XP, Windows CE, QNX, Linux, On Time RTOS-32, VxWorks, Microware OS-9, and Pharlap ETS. Communications between tasks may be configured via a virtual network using standard TCP/IP protocol or a shared memory space.
Using the hardware-based root of trust enabled by TXT provides designers with new trust alternatives: many software components can be removed from the trust chain and platform configuration checks are performed and values locked.
While I've addressed a high level overview of how you can provide increased security for embedded computer-based data, there may be other uses for the TXT technology. As presented here, TXT is used to ensure a trustable load of a load process, VMM, and/or OS kernel. What other applications of the technology can you imagine? I'd like to hear your thoughts.