5

I have a system that displays video from a camera feed with an overlay, and it must boot without any user intervention (the quicker the better). However, these systems will be in the hands of customers so we are worried about reverse-engineering.

The OS (Linux), software, and logs are stored on an mSATA SSD. The CPU is a 4th-gen Core i3 with 4GB RAM.

Basically, how can we prevent any unscrupulous customers or competitors from simply removing the SSD and stealing our application code? The obvious answer is to encrypt the drive, but it needs to boot unattended. The next logical step is to decrypt the software at runtime, but you would still need to store the decryption key somewhere in plaintext right?

There is a TPM module onboard, which might be a solution, but I couldn't find any good documentation on using it for this.

I am open to any and all suggestions.

Chriszuma
  • 9
    Less code, more lawyers. – Michael Hampton Feb 04 '15 at 22:56
  • ^ this is the right route. – Sirex Feb 04 '15 at 23:01
  • 1
    FYI, this works natively and easily with Windows BitLocker, so it's possible. However, if you're giving customers running systems, they can always access the system while it's running, or extract the crypto keys from RAM (as done for a cold boot attack). There's no really practical way to do what you want without custom, high-security hardware to prevent physical access and tampering, and even then, that's mostly focused on detecting physical tampering rather than preventing it, because preventing physical isn't really feasible. Not a problem you can solve technically. – HopelessN00b Feb 05 '15 at 08:50
  • 2
    Less fear of reverse-engineering. If someone really wants your tech, they'd get it at runtime, where keys need to be unencrypted. Don't spend time on something that's just a snakeoil technology in your use-case, spend it on creating better software that people really need. – Izzy Feb 05 '15 at 14:19
  • The following link has the information you want: http://wejn.org/how-to-make-passwordless-cryptsetup.html Essentially you want to create a file key that the encryption can link to, assuming you are using LUKS. – Gravy Feb 04 '15 at 23:56

1 Answer

4

Overview

  1. encrypt the disk
    • use dm-crypt and LUKS
  2. seal the key to a TPM and use access restrictions according to a well-known PCR set.
  3. use secure boot
    • Intel TXT and TBoot are capable of securely booting a Linux Kernel. You have to check whether your CPU and chipset support TXT.

Security

  • Without secure boot the only way to prevent the TPM from releasing the key to everybody is to use a password - not feasible if unattended operation is required.

  • The disk can only be decrypted on the machine with the particular TPM.

  • The key is only released after a secure boot. Thus, only software approved by you may access the disk. However, you have to design a proper update strategy to be able to update the system. (If updates are a concern)

  • The TPM can be tricked by low cost (< 100 €) hardware attacks. This needs some skills, but is totally feasible.

  • The key might still be obtained by removing the RAM and reading it using a special device. But it will be wiped during a platform reset by Intel TXT.

  • Backups are always a problem. If it's easy to access the precious data in the backups, all your platform protection is worth nothing. If you store the backup on the same system, it's not a backup.

  • Runtime behavior! If your customer can get access on the running system (SSH, HTTP, ...) then the disk will be mounted and all data accessible.

Links

Some years ago a prototype research project was released, you might find some information there as well: IAIK acTvSM Platform

Scolytus
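The sealing behaviour described in the answer above (a key bound to one TPM and to a known PCR set, so a changed boot chain, an update, or a different machine blocks release), as an added Python model that is not part of the original answer. It is a software simulation and not a real TPM API; the `ModelTPM` class, the stage names and the use of PCR indices 17 and 18 are assumptions made for illustration.

```python
import hashlib, hmac, os

def _h(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class ModelTPM:  # software model of PCR-bound sealing, not a real TPM API
    def __init__(self):
        self._root = os.urandom(32)  # per-chip secret that never leaves the TPM
        self.reset()
    def reset(self):  # platform reset: every PCR returns to zero
        self.pcrs = {i: bytes(20) for i in range(24)}

    def extend(self, index, component):  # PCR_new = SHA1(PCR_old || SHA1(component))
        measurement = hashlib.sha1(component).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + measurement).digest()

    def _keys(self, selection):  # keys exist only for this chip + these PCR values
        composite = b"".join(bytes([i]) + self.pcrs[i] for i in selection)
        base = _h(self._root, composite)
        return _h(base, b"enc"), _h(base, b"mac")

    def seal(self, secret, selection):
        assert len(secret) <= 32  # model limit: single-block keystream
        enc, mac = self._keys(sorted(selection))
        ct = bytes(a ^ b for a, b in zip(secret, enc))
        return {"pcrs": sorted(selection), "ct": ct, "tag": _h(mac, ct)}

    def unseal(self, blob):  # returns None when PCRs or chip differ from seal time
        enc, mac = self._keys(blob["pcrs"])
        ok = hmac.compare_digest(_h(mac, blob["ct"]), blob["tag"])
        return bytes(a ^ b for a, b in zip(blob["ct"], enc)) if ok else None

def boot(tpm, chain):
    tpm.reset()
    for index, component in chain:  # each stage is measured before it runs
        tpm.extend(index, component)
    return tpm

# Constructed boot chains; PCR indices and stage names are illustrative.
APPROVED = [(17, b"launch-policy-v1"), (18, b"kernel-1.0"), (18, b"initrd-1.0")]
TAMPERED = [(17, b"launch-policy-v1"), (18, b"kernel-1.0"), (18, b"initrd-rescue-shell")]
UPDATED = [(17, b"launch-policy-v1"), (18, b"kernel-1.1"), (18, b"initrd-1.1")]

def demo():
    device, key = ModelTPM(), os.urandom(32)
    blob = boot(device, APPROVED).seal(key, [17, 18])  # seal the disk key once
    cases = {"same boot": (device, APPROVED), "tampered initrd": (device, TAMPERED),
             "updated kernel": (device, UPDATED), "other TPM": (ModelTPM(), APPROVED)}
    return {name: boot(t, c).unseal(blob) == key for name, (t, c) in cases.items()}
```

The "updated kernel" case failing is the reason the answer asks for an update strategy: the key has to be resealed against the new PCR values while the old, approved system is still running.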