<i>preroll music</i>

Herald: I’m really glad that
you’re all here and that today

I can introduce Joanna Rutkowska to you.

She will be talking about reasonably
trustworthy x86 systems.

She’s the founder and leader
of the Invisible Things Lab

and also – that’s also something you all
probably use – the Qubes OS project.

She presented numerous attacks
on Intel based systems and also

virtualization systems. But today she
will not only speak about the problems

of those machines but will present some
solutions to make them more secure.

Give it up for Joanna Rutkowska!

<i>applause</i>

Joanna: Okay, so, let’s start
with stating something obvious.

Personal computers have become
really the extensions of our brains.

I think most of you will
probably agree with that.

Yet the problem is that they are insecure

and untrustworthy,

which personally bothers me al lot.

And here I want to make a quick digression

for the vocabulary I’m gonna
be using during this presentation.

When we say, well, there are
three adjectives related to trust

and people will often confuse them.
When we say something is “trusted”,

that means by definition something
can compromise the security of

the whole system, which means
we don’t like things to be trusted.

“Trusted third party”, “Trusted CA”
we don’t like that.

When we say something is...

because “trusted” doesn’t necessarily
mean that it is “secure”.

So, what is secure? Secure is
something that is resistant to attacks.

Perhaps this laptop might
be resistant to attacks.

If I open [an] email attachment and the
email attachment compromises my system

or maybe that if I plug
USB for the slide changer

I might be hoping that this
action will not compromise

my whole PC.

And yet something can be
secure but not trustworthy.

A good example of this might be e. g.

Intel Management Engine (ME), that I’m
gonna be talking about more later.

So it might be very resistant to attacks,
so it might be a backdoor.

A backdoor that is
very resistant to attacks,

yet it is not acting in
the interests of the user.

So it’s not “good”, whatever
good means in your assumed,

moral reference.

So, there’s been of course a lot of work

in the last 20 years and maybe more

to build solutions that provide

security and trustworthiness

and most of this work has focused on
the application layer and things like

GnuPG and PGP first,

TOR, all the secure communication
protocols and programs.

But of course,

it is clear that any effort
on the application level

is just meaningless if we can
not assure, if we can not trust

our operating system (OS).
Because the OS is the trusted part.

So if the OS is compromised
then everything is lost.

And there has been some efforts,
notably the project I started 5 years ago

and now this is like more than a dozen
of people working on it: Qubes OS.

It tries to address the problem of OS’s

being part of the PCB,
so what we try to do is

shrink the amount of trusted
code to an absolute minimum.

There’s been also other
efforts in this area.

But OS’s is not something I’m
gonna be discussing today.

What I’m gonna be discussing today
is the final layer, is the hardware.

Because what was OS to applications
it is hardware to the OS.

Again, most of the effort so far

to create secure and trustworthy OS,

they have always been assuming
that the hardware is trusted.

That means that... usually
that means for most OS’s that

a single malicious
peripheral on this laptop,

like a malicious Wi-Fi module
or maybe embedded controller

can compromise again my whole PC,

my whole digital life.

So what to do about it?

Before we discuss what to do about it

we should quickly

recap all the problems
with present PC platforms

and specifically I’m gonna
be focusing on x86 platform

and specifically with Intel x86
platform, which means: laptops.

This picture shows how a
typical modern laptop looks like.

You can see that it consists of

a processor in the center,
and then there is memory,

some peripherals, keyboard and monitor.

Very simple.

It can be very simple, because

if we look at present Intel processors

they really integrate everything
and the kitchen sink.

Ten years ago we used to have a processor,
a Northbridge, a Southbridge

and perhaps even more discrete
elements on the motherboard.

Today nearly all these elements have been
integrated into one processor package.

This is Broadwell

and this long element
here is the CPU and GPU

and the other one it
is said to be the PCH.

PCH is what used to be
the platform controller hub,

which is what used to be called
the Southbridge and Northbridge.

The line has somehow
blurred between these.

Of course there is only one
company making these.

It’s an American
company called INTEL.

It is a completely opaque construction.

We have absolutely no ways
to examine what’s inside.

That obviously...
The advantage is that

it makes construction of computers,
of laptops very easy now.

And lots of vendors can
produce little sexy laptops,

like the one I have here.

On this picture we see now some more
elements that are in this processor.

So, when you say processor
today, it’s no longer CPU.

Processor is now CPU, GPU,
memory controller, hub, PCIe,

root, some Southbridge,

so e.g. SATA controller and so on,
as well as something

that is called Management Engine (ME),
which we discuss in a moment.

There are few more elements
here that are important.

The most important for us
is the SPI flash element.

Because what’s interesting is that
with this whole integration

that has happened to the processor
and the other peripherals,

still the storage for the firmware,

so the storage where your BIOS as
well as other firmware is stored,

is still a discrete element.

We’ll see this element in
one of the next slides.

So let’s now consider first

the problem of boot security.

Obviously everybody understands
that boot security is something

- how to start the chain of
trust for whatever software

is gonna be running later -
is of a paramount importance.

I think I’m out of range.

Connected with boot security
is malicious peripherals,

that I mentioned shortly before.

So we’ll be now thinking: Can we assure

only good code is started

and how the peripherals
might interfere here.

Again, we will look at this SPI flash.

If we're now considering the boot
security we would like to understand

what code is loaded on the platform. And
if we now think where this code is stored,

it seems that the code is stored on
the SPI Flash and potentially also

on some of the discrete elements.

Let me state it again that this whole
integrated processor package

has everything and the kitchen
sink except for the flash,

so except for the storage of the firmware.

Here we have one of the SPI flash chips.

This is from my Laptop actually.

It’s a little microcontroller

and it typically stores the firmware for
these things, that are written here.

Now the question is, let's say I
have got this laptop from a store.

How can I actually verify what
firmware is really on this chip?

Well I can perhaps boot it into some
minimal Linux and try to ask it.

But of course if there is some malicious
something on the motherboard,

not necessarily this chip,
I will not get reliable answers.

Another question: Let’s say I somehow
know that there’s something trustworthy

on this SPI chip. Can I somehow enforce
read-only’ness of this program?

There have been some efforts to do that.

Like some projects by Peter Stuge
who just took a soldering iron

and connected one of the pins - one
of these 8 pins is called “write protect”.

If you ground it, it will be telling the
chip to discard any Write commands.

But again, remember, this chip
is still a little microcontroller,

it’s a little computer. So it might
ignore whatever you requested to do.

It’s not like you are cutting off
a signal for Write commands.

You are merely asking the
processor to ignore it.

So if you don’t trust the chip in the
first place, this doesn’t provide you

a reliable way to enforce read-only’ness.

Finally can I upload my own firmware?
Can I choose to use whatever BIOS I want?

Again, we don’t seem to have luck here.

And as I mentioned, this is just
one of the places on the platform

where the state is stored.
Embedded controller would be

a whole another microcontroller
having its own internal flash.

Or if not, using another
SPI chip to get flash from.

A disk would be another
microcontroller with a small computer,

having its own - typically -
flash for its own firmware.

And perhaps the same
with the Wi-Fi module.

Now for many years, myself and
lots of other people believed that

technologies like TPM, trusted execution
technology... like UEFI Secure Boot

I never really liked, but many people
did - they believed that they could

somehow solve the problem of secure boot.

But all of these technologies
have been shown to fail horribly

in this... on this premise.

And then we have...
So these were problems,

the tip of the iceberg of
problems of the secure boot.

The short story is: Today we can
not really assure secure boot.

Maybe before we move on to
Intel ME: e.g. Intel TXT:

Trusted Execution Technology was
introduced by Intel in the hope

to put the BIOS outside of the TCB,
trusted computing base for the platform.

So, the idea was that if you use TXT
which you can think of as

a special instruction of the processor,
that was the root of trust.

So, the promise was that
when using Intel TXT

you can start the chain of trust

without trusting the BIOS.
As well as other peripherals

like Wi-Fi card, which might
be malicious perhaps.

And that was just great.
And I really like the technology.

With my team we have done
lots of research on TXT.

But one of the first attacks that we have
presented, and that was back in like 2009,

was that we could bypass TXT
by having a malicious SMM.

SMM was loaded by the BIOS.

So apparently it turned out, that the BIOS
could not be really put outside of the TCB

so easily, because if it was really
malicious it would provide a malicious SMM

and then the SMM could bypass TXT.
So the response from Intel was: “OK,

but worry not, we have a technology
called STM - Secure Transfer Monitor.”

That is a little hypervisor to sandbox
the SMM which might be malicious.

So they wanted to boot
a special dedicated...

they built it actually... they built a
special technology to sandbox this SMM.

And then it turned out
this is not so easy.

Because as usual they
were missing the details.

And it is 6 years, 6 years has passed and

we still have not seen
any real STM in the wild.

Which just is an example how
hopeless this approach in building,

in trying to provide secure
boot is for the x86 platform.

Another problem with x86 that

has risen to prominence in the recent
years is the Intel Management Engine.

One of these things, that Intel

has put into this integrated processor
is called Management Engine (ME).

And this ME is a little microcontroller
that is inside your processor.

It has its own internal RAM,
it has its own internal peripherals.

Like DMA engine, which
has access to the host RAM.

And of course, it loads only
Intel-signed firmware.

And it has also its own private ROM inside
the processor, that nobody can inspect.

And nobody knows what it does.

And it runs a whole bunch
of proprietary programs.

And it runs even Intel’s
own proprietary OS.

And this all is happening all the time
when you have some power connected

to your processor.
Even if it’s in a sleep mode.

It’s running all the time
here on my computer.

It can be doing anything it wants.

Obviously when I say something
like that the first thought for,

at least for security people
is: “This is an ideal

backdooring or rootkitting
infrastructure.” Which is true.

However there is another
problem and it’s Zombification.

I call it Zombification of personal
computing that I will discuss in a moment.

I’m just stressing these are two somehow
independent problems with this ME.

About 10 or more years ago I used to be
a very active malware researcher or

scout malware researcher. Especially
rootkit researcher and back then when,

if I was to imagine an ideal
infrastructure for writing rootkits,

I couldn’t possibly imagine
anything better than ME.

Because ME has access to essentially
everything that is important.

As I mentioned it has
unconstrained access to DRAM,

to the actual CPU, to GPU.

It can also talk to your networking card,

especially to the Ethernet card

which controller is also in the
Southbridge in the processor.

It can also talk to the SPI
flash and asks the SPI flash.

It has its own dedicated
partition on the SPI flash,

which can be used to store
whatever ME wants to store there.

This is really problematic and
we don’t know what it runs.

But the other problem,
that is perhaps less obvious,

is what I call zombification of
the General Purpose Computing.

About a year ago there
was a book published by

one of the Intel architects, one of the
architects who designed Intel ME.

I highly recommend this book.

It’s the only somehow official source
of information about Intel ME.

And what the book has made clear is that

the model of computing that
Intel envisions in the future,

is to take the model, that we have
today, which looks like this.

The size of the boxes somehow
attempts to present

the amount of logic or involvement
of each of the layers

in processing of the user data.

Obviously we have most of this
processing done in the applications.

But we also have some involvement from the
OS and also from the hardware, of course.

For example, when we want to
generate a random number

we would usually ask an OS to

return us the random number.

Because the OS can generate it using
timings and interrupts, whatever.

But again, most of the logic, most of
the code is in the application’s layer.

And this is good, because

thanks to computing being
general purpose computing,

everyone of us can write applications.

We can argue what is the best
way to implement some crypto.

Some people can write it one way, some
other people can write it another way.

And that’s good.

Now this is the model
that Intel wants to go to.

It essentially wants to eliminate
all the logic that touches data

from apps and OS even
and move it to Intel ME.

Because, remember,
Intel ME is also an OS.

It’s a separate OS. Only that this is an
OS that nobody knows how it works.

It’s an OS, that nobody
has any possibility

to look at the source code
or even reverse engineer.

Because even we can not
really analyse the binaries.

It’s the OS that is fully controlled
by Intel. And not to mention that

any functionality it offers is
also fully controlled by Intel.

Without anybody being
able to verify what they do.

That might not even be malicious.

They may not even be
doing malicious things.

Perhaps they are just
implementing something wrong.

Bugs. Security bugs, right?

But of course Intel believes
that whatever Intel writes

must be secure.

For some reason the must have missed

a number of papers that my team and others

have published in the recent 10 years.

The questions are: Can we disable Intel ME
or can we control what code runs there?

Can we see at least what code is there?

And as far as I’m aware the
answer is unfortunately: Not.

As I mentioned, I have this cool
laptop it runs Qubes OS, of course,

but still it not only runs Qubes OS.
It also runs side by side Intel ME.

Intel ME proprietary OS.

And I can’t do anything about it.

About 6 or 7 years ago my team
has done some work on Intel AMT.

I believe this was the first and probably
the only work where we managed

to actually inject code into
ME. That was back in times

when Intel ME was not in the
processor. It was in the Northbridge.

It was in the Q35 or Q45 chipset,
if I remember correctly.

So we demonstrated how we
can inject a rootkit into ME.

Of course Intel then patched it.

Now they continue to think that whatever
they write will be always secure.

But, the problem is...

For a number of years after that
presentation I used to believe

that we could use VTD
- an INTEL IMMU technology with TXT -

perhaps to effectively sandbox ME.

Because some of the specifications I saw,

suggested that VTD should be able to

sandbox ME accesses to host memory.

And because we used VTD heavily
on Qubes, thanks to Xen using it,

I was pretty much not
that worried about ME.

Unfortunately it turned out
that ME can just bypass VTD.

And this is a feature of this ME.

Which brings us to this rather
sad conclusion that perhaps

if we look at Intel x86 platform,
then the war is lost here.

It might be lost even
if we didn’t have ME.

Even if we somehow manage to
convince Intel to get rid of ME,

or at least to offer OEMs, Laptop
vendors, an option to disable it,

by fusing something.

The problem with secure boot
that I mentioned earlier,

and that I analysed in more detail
in a paper I released 2 months ago,

is that it really is hopeless,

because of the complexity
of the architecture

where we have ring 3, ring 0, okay. Then
we have SMM, then we have virtualisation,

then we have STM to sandbox SMM,
and the interactions between these.

This all doesn’t look really like
it could be solved effectively,

which of course bothers me a lot.

At least on purely egoistic reasons,

because I spent the last 5 years
of my life on this Qubes project.

And of course with such a state of
things it makes my whole Qubes project

somehow meaningless.

If the situation is so bad,

perhaps the only way to solve the problem
is to change the rules of the game.

Because you can not really
win under the old rules.

That’s why I wanted to share
this approach with you today.

That starts with recognizing that

most of the problems here is
related to the persistent state,

that is stored pretty much
everywhere on your platform,

which usually keeps the
firmware, but not only.

So let’s imagine, that we could do a
clean separation of state from hardware.

So this is the current picture.
This is your laptop.

The reddish boxes are state,
the persistent state.

That means these are places
where malware can persist.

So you reinstall the OS, but
the malware still can re-infect.

There are also places where
malware can store secrets,

once it steals them from you.
So imagine I can have malware,

that might only be stealing
my disk encryption key.

And it can store it somewhere on
the disk or maybe on SPI flash.

Or maybe in the Wi-Fi module firmware, or
maybe in the embedded controller firmware,

somewhere. Somewhere
there in those red rectangles.

Now if the malware does it,
that is a pretty fatal situation,

because if my laptop
gets stolen or seized,

perhaps then the adversary who gets

a key to the malware can
just decrypt the blobs.

And the blobs would reveal my disk
decryption key. And then the game is over.

And also another problem with
this state is that it might be

revealing many of the user and
personally identifiable information.

How ever you read this PI shortcut.

These are for example MAC addresses.

Or maybe processor serial number.

Or maybe ME serial number. Whatever!

Or maybe the list of SSID networks,
that ME has seen recently.

How do you know it’s not being
stored somewhere on your SPI flash?

You don’t know what is stored there.
Even though I can’t take off my SPI flash

or just connect a programmer to my
SPI flash - an EEPROM programmer -

I can read the contents of the SPI
flash, but all of this will be encrypted.

Now we recognize, that the
state might be problematic.

And now imagine a picture, that
we have the laptop, which has

no persistent state storage.
Which is this blue rectangle.

Let’s call it stateless laptop.

And then we have another element,
that we’re gonna call trusted stick

for lack of any more sexy name for it.

That’s gonna be keeping all the firmware,
all the platform configuration,

all the system partitions,
like boot and root,

all the user partitions.

Now we see that... and of course the
firmware and system partitions

will be exposed in a read only manner.

So even if malware, perhaps a traditional
malware, that got into my system

through a malicious attachment,
even if it found a weakness in the BIOS,

or maybe in the chipset, allowing
it to re-flash normally, allowing it

to re-flash the BIOS - we have seen plenty of
such attacks in the recent several years.

Now it would not be able
to succeed, because

the trusted stick, which gonna be a
simple FPGA implemented device,

will just be exposing
the read-only storage.

You see that firmware injection
can be prevented this way.

Also there is no places
to store stolen secrets.

Again, the same malware running in the ME

still can steal my disk encryption
key or my PGP private key.

But it has no place to store it.

So if somebody now takes my laptop,
will not be able to find it there.

You might say, maybe it will be
able to store it on the stick.

But then, again, the stick, the firmware
and system partitions are read-only.

And the user partitions
are encrypted by the stick.

So even if ME can send something to be
stored there, nobody besides the user

can really get hands on this blob.

Also we get a reliable way to
verify what firmware we use.

Or ability to choose what
firmware we want to use.

Because we can just take this stick,
plug into our trustworthy computer,

some, I don’t know, Lenovo X60 from 15
years ago, that we have running Coreboot

and we just analysed all
the elements, whatever.

So we finally a have a way to
upload firmware in a reliable way.

Thanks to the actual laptop having no
state, we can have something like Tails

finally doing what it advertises.
I can boot Tails or something like that.

I can use it, I can shut it down and there
is no more traces of my activity there.

I can give my laptop to somebody other.
Or I can boot some other environment.

Perhaps some, I don’t know,
Windows to play games, or whatever.

So what would it take to have
such a stateless laptop?

This is the simplest version which
shows that the only modification

that has been made here was
to take the SPI flash chip

and essentially put it outside
the laptop on a trusted stick.

And just route the wiring,
just 4 wires, to the trusted stick.

And that’s pretty much it.

That’s the simplest version. Oh,
and I also got rid of the disk.

And also I had to ensure, that
whatever discrete devices,

which are in that case embedded
controller and Wi-Fi module,

they do not have flash memory
but use something like OTP memory.

We can further get rid
of the Wi-Fi, and use

an external USB connected
one if that is not possible.

And for the embedded controller that
should be possible, much more easier,

because embedded controller is always
something that the OEM chooses.

So we can just talk to whatever
OEM, who would like to implement

this stateless laptop, and ask the
OEM to use an embedded controller

with essentially ROM, instead of flash.

So that’s the simplest version,
which is really simple.

This is a more complex version
where we also fit something

that I call here SPI Multiplexer.
Which allows to share the firmware

not just to the processor, but
also to the embedded controller.

And perhaps also with the disk.

Because maybe we actually
would like to have internal disk.

Because internal disk will always
be faster and will always be bigger

than whatever disk we will
put on our trusted stick.

You might object, that, come on, disk
is actually not a stateless thing! Right?

Because disk is made especially
to store state persistently.

But it’s a special disk, that I will
mention in just a few minutes.

It’s a special disk running trusted
firmware and doing read-only

and encryption for everything.

And now for the trusted stick:

As I mentioned, the trusted
stick is envisioned to have

read-only and encrypted partitions.

And the read-only partitions are for
firmware and the system code.

So the first block is something that we
would like to export over SPI, typically,

and the system partition is
something that we make visible

to the OS using something like
pretending being USB mass storage

or actually implementing
USB mass storage protocol.

And the encrypted partition
- again, the important thing here is

that encryption should be
implemented by the stick itself.

So we have some key here,

the question is how this key should be...

What input should be taken
to derive this key from.

It could be something that
is persistent to the stick.

It could be combined with a
passphrase, that the user enters

using a traditional keyboard,
plus maybe a secret from the TPM.

And when I say TPM I think about the
firmware TPM inside the processor

that is using storage provided by

encrypted firmware partition.

The optional internal disk
that I just mentioned,

it should essentially do
the same as the stick,

and because it will be
running trusted firmware

that it will be fetching
from the trusted stick itself

the disk will not have any flash memory.

So because we will trust
the hardware of the disk

and because we will trust the
firmware, we will trust the firmware

to provide read-only and encrypted
partitions just like those ones

I mentioned on the stick, which is nice
because it reveals the stick from acting

as a mass storage device, which has

practical consequences which are nice.

So there’s a picture with the internal
trusted disk, which you see just here.

As you can see, it takes also the
firmware from the trusted stick.

And there is even an open source
project, OpenSSD. And it looks like

people have already built an open hardware
open firmware SSD, a very performant disk.

So this is not just science
fiction, even for this SSD.

Okay, so that looks all very nice,
but there is one problem.

Even though malware may not have any
place on the laptop to leak the secrets,

it still might try to do
it over networking.

And let’s differentiate now between
classic malware and sophisticated malware.

Classic malware is something you get with
an attachment or some drive-by-attack

which we’ll discuss in a moment.
Now, let’s focus on sophisticated malware.

So, a hypothetical rootkit in ME.

Before we move on, for obvious
reasons, such a sophisticated malware

would not be interested
in getting caught easily.

So, it would not be establishing a
TCP connection to NSA.gov server

or whatever, right?
That would be plain stupid.

Having that in mind, let’s
consider a few scenarios.

Scenario number 0 is
an air-gapped system.

Even though it might
be an air-gapped system,

still remember there is ME running there.

If the computer is not
inside a Faraday cage,

there is still plenty of other
networks or devices around it.

Which means that ME can theoretically
use your Wi-Fi card or even speaker

to establish a covert channel with, say,
your phone, that might be just nearby.

So, in order to make such a
system truly air-gapped,

knowing that we can not get rid of the ME,

we really need to have kill-switches
for any transmitting devices,

including the speakers, and apparently
even that might not be enough,

because some people showed
covert channels that used

things like power fluctuations

or temperature fluctuations but let’s
leave that exotic examples aside.

A more interesting scenario is a
closed network of trusted nodes.

In that scenario we assume that
all these people are trusted.

Again, by definition that means that
any of these people can compromise

the security of anybody else.
We really don’t like trusted things,

but, well, let’s start with something.

Now, even though each of these trusted
peers which run state-less laptops,

even each of these have
this malicious ME in itself

because we gonna fit a small proxy

so a modification that we are...
that we should additionally do,

that I have not shown you before,
is that rather than connecting

your Wi-Fi module directly to the
processor which is not good,

because it gives full authority of the
processor over this Wi-Fi module.

Instead we would like to
connect it to some proxy.

It would be doing some kind of tunnelling.

Something like VPN or maybe TORifying
any traffic that is generated there.

So even though ME might be willing
to be sending some traffic

maybe not explicit traffic,

maybe will be piggybacking on
some user generated traffic,

by only modifying, I don’t know, TCP
initial sequence numbers, or something.

It still all will be happening
inside the tunnel.

Again, some people might be
saying “Yeah, but still ME

might be modulating the timings
of the generated packets

and this way try to convey some
information using timing.”

We can’t truly do much about that
but on the other hand it would be

extremely difficult for ME to
do that, implementation wise.

Finally a scenario where
we want to use any...

when we want to connect with anybody
not just with a trusted computer.

So, say, with some website on the internet
that might or might not be trusted.

Again, by having this proxy which by
the way might be implemented inside

this embedded controller that
we know, if you remember,

it runs the trusted firmware because it
fetches firmware from our trusted stick.

So the proxy again is tunnelling
any potential leakage from ME

which means that a malicious ISP or
any part of the infrastructure here

still can not really retrieve the
secrets that ME tries to leak.

But of course at some point we need to
terminate the stunnel that might be

the VPN server or might be a TOR exit
node or maybe the server itself if it’s,

say, maybe an onion server, in
which case anybody here can still

presumably get the secrets
from ME in this cloud here.

Which unfortunately we
can do nothing about.

Except for hoping that at least
if we used perhaps TOR

for this first part of the equation

then at least a malicious
administrator of, say, this server

would not be able to
correlate whose decryption...

whose disk decryption key it really is.

Although this is very tricky. That would
only work if this computer was

a special purpose computer. If you
used something like Qubes here

and if you wanted to have different
partitions, one for your personal

and only one of these partitions
would be special secret partitions.

That wouldn’t work, because
ME still would be able to gather

your identification information
from whatever partitions you have.

Because again, it has unconstrained access
to all the personal, all the host memory.

But still this... using this
proxy pushes adversary,

hypothetical adversary, in the
ME, into extreme difficulty

of needing to piggy-back on
some higher-level protocols

establishing exotic cover channels.
Comparing to what they can do today

one can... they simply steal the key
and store it on SPI first partition.

Or maybe on your disk. This is like
orders of magnitude more difficult

for them to do.

We mentioned the sophisticated
malware and I mentioned

the classic malware is a different story.
The classic malware doesn’t need

to be shy against leaking something
through whatever means you can think of.

Perhaps by sending email to somebody. But
obviously to address the classic malware

problem we can address it quite
reasonably well on the OS level.

For example using compartmentalization.
But here comes the problem,

is, that a malicious BIOS...

Let me get back a little bit. Because
so far we having assuming that

we don’t really need to trust the BIOS.
Because having this stateless laptop

and trusted stick, even if the BIOS was
malicious, it still, again, would not

be able to change anything in its own
firmware partition, would not be able to

store any stolen secrets
anywhere. So it’s convenient

to figure that the BIOS
might not be trusted.

But then, again, a compromised
BIOS might instead be providing

privilege escalation backdoors for
classic malware that executes on your

compartmentalised OS.
Such as to do VM escape.

Such things are trivial to implement.

And we don’t want classic malware
which means we want to ensure

that the BIOS does not
provide such backdoors.

And to make it short, we need open-source
BIOS. Something like Coreboot.

It’s great that we have Coreboot
and we could help Coreboot

to become such a BIOS
for this stateless laptop.

Even though Coreboot is not fully open-
source - it relies on so-called Intel FSP,

the firmware support package, which
is a Intel blob that is needed to

initialize your DRAM and other silicon
- still it should be reasonably easy to

ensure that FSP does not
provide SMM backdoors.

So this is a solvable problem.

Finally there’s this question:
So let’s say half a year from now

or a year from now pure reason
or somebody will tell you

here is the stateless laptop.
You can order, just a 1000 dollars.

So you got the laptop. But how do you
know it really IS a stateless laptop?

Maybe it is full of state-caring
elements. Maybe it’s full of

radio devices that are
emanating radios everywhere.

This comes down to the problem of:
How do we compare 2 different PCBs?

Two different Printed Circuit Boards?

As far as I’m aware right now our industry
has no ways to compare two different PCBs

and to state: yes they look identical.

Because if we had that, then we could
have the vendor, the laptop vendor

which would obviously have to be
open-hardware to publish the schematics

and pictures of the boards and then
anybody who ordered this laptop

would have an opportunity to always,
say, photograph the board and

have a diff tool to compare it.
If it really looks the same.

Sure we would not be able to see inside
the chips but at least the geometry-wise

comparison would be a tremendous step
to making such malicious modifications

by vendors very difficult.

This is a vision problem, kind of, right?
You take 2 photos, have 2 photos

of 2 PCBs and you have a tool to compare
it. And I believe Jake Applebaum

has already mentioned it,
some... a year ago probably,

it’s a great research project for all
you academic people sitting here.

That’s an example of a board that...
I have no idea, I got this laptop,

I opened it, I see this board. Sure, I can
identify some IC elements

like this embedded controller here...

But, really, maybe it’s connected
somehow differently,

maybe there is some other flash
elements there, I don’t know.

I would like to have an ability now to
check this with a called-in image

that some experts will analyze
in-depth and say it’s safe to use.

Many people say that perhaps we should
all give up on Intel x86 because ME e.g.

<i>applause</i>

Yet this is not such a nice idea.

Or maybe this is not such a
silver bullet, I should have said.

First, we have ARM. Everybody says
“Why not ARM? Let’s go to ARM!”

First: There’s no such thing as an ARM
processor. Okay?

ARM just sells the specifications, or IP.

And then the vendors, like Samsung,
Texas Instruments etc. who take this IP

and design and make very own SOC.
This is still a proprietary processor

that they can put whatever they want
inside. E.g. we have Trust Zone

that by itself is not as closed as ME.
That there is nothing that would

prevent a vendor to actually take
Trust Zone and lock it down

and end up with something
like ME very easily.

Just a matter of the
vendor willing to do that.

Also the diversity of the processors
make it difficult for OS’s like Qubes

that would like to use advanced
technologies like IMMU for isolation

to actually support all of them because
different PSOCs might be implementing

completely different versions or
even technologies doing that.

Another alternative, a much better one
is to use open-hardware processors.

Currently that means FPGA-
implemented processors.

In the future maybe we will have 3D
printers that will allow everybody

to print it. That will be great. But
probably is not coming any time,

in the coming 10 or 20 years.

And meanwhile the performance and
lack of really any security technologies

like IOMMU or virtualization doesn’t
make this a viable solution

for the coming say 5 years at least.

And even then, even if we have
such an open-source processor

this clean separation of state
still makes lots of sense.

Right? Again, because firmware
infections can be easily prevented

because malware, if it gets there
somehow still has no places

to store stolen secrets because
it provides reliable way to verify

or upload firmware. And makes it
easy to boot multiple environments.

And share laptops with others.

I know that most of you will now say:
“Yeah, that may be cool idea but

the market will never
buy into that!” Right?

Understanding that PCs are really,
as I said, extension of our brains,

we should stop thinking about
market forces as the ultimate force

shaping how our personal
computing looks like.

Just like we didn’t desert
to market forces

to give us human rights. Right?

We should not count on the market forces
to give us trustworthy personal computers.

Because that might just not be really...

<i>applause</i>

That just might not be in the
interest of the market forces!

So, hopefully, some legislation
could be of help here.

Maybe EU could do something here.

Because it’s really fun, when I
often talk with other engineers,

and we all know that our world
now really runs on computers,

and yet it apparently...
Almost every engineer I talked to

says something like “Yeah but the
sales people will never do that,

the business will never agree to that.”

But if the world runs on computers
shouldn’t it be us, the engineers,

who should actually have the
final say how this should...

how the computer technology
should look like?

Yeah, I’ll just leave it here with this.
Thank you very much!

<i>final applause</i>

<i>postroll music</i>

subtitles created by
c3subtitles.de in 2016