New Attacks Subvert Trusted Platform Modules
Modern computer systems rely on Trusted Platform Modules (TPMs) to keep a tamper-evident record of which firmware and operating system code ran during startup, so that a modified OS cannot hide behind a clean-looking boot. Researchers from South Korea's National Security Research Institute have disclosed two vulnerabilities, presented at USENIX Security 2018, that let an attacker who already has kernel-level privileges on the machine reset that record and forge it. The attacks were demonstrated in detail on several different hardware setups, and system administrators will need to apply firmware and software updates (or disable the S3 sleep state) to prevent them.
https://www.bleepingcomputer.com/news/security/researchers-detail-two-new-attacks-on-tpm-chips/
https://github.com/kkamagui/papers/blob/master/usenix-security-2018/paper.pdf
I chose this story to comment on not only because the attacks are interesting, but also because they present an opportunity to discuss how modern boot-integrity mechanisms protect computers. In an ideal world, an operating system's access controls would be enough to keep attackers from taking over the computer. We know that, despite decades of improvements in software security, operating systems still have vulnerabilities that let attackers circumvent those controls and gain control of a PC.
Advanced threat actors tend to chain multiple software vulnerabilities to take control of a victim's computer in ways that are difficult to detect, and they want to stay hidden so they can keep exploiting the victim over long periods of time. A rootkit is a kind of malware that embeds itself deep in the operating system in order to stay hidden. Rootkits typically work by hooking or patching the kernel's own code and data structures so that the compromised OS cannot report their presence. In other words, once an attacker controls the operating system, how can software running on that OS, or the OS itself, be trusted to detect malicious code hidden inside it?
One way to prevent rootkits from modifying an operating system is to verify the integrity of the OS as the computer initially loads the OS during the startup process. If the component that loads the OS (the bootloader) detects that the operating system has been modified in unexpected ways, the bootloader can halt loading the OS pending some action by a system administrator. But, wait! If a rootkit can completely control the computer's OS, the rootkit can conceivably modify the bootloader so that it can't be trusted either. An advanced rootkit can even modify the compromised system's firmware. Where does this existential security crisis end?
The answer lies in a hardware "root of trust": the trusted platform module (TPM), a dedicated chip (or firmware-backed equivalent) that ships on most modern motherboards and is usually enabled by the vendor. For boot integrity the TPM's key feature is its set of Platform Configuration Registers (PCRs). Software cannot write a PCR directly; it can only "extend" it, replacing the value with a hash of the old value concatenated with a new measurement, and PCRs return to their initial values only when the platform, and the TPM with it, resets. The firmware hashes the bootloader into a PCR before running it, the bootloader hashes the kernel, and so on, so the final PCR values are a tamper-evident summary of everything that ran during boot. (This is "measured boot"; it is distinct from UEFI Secure Boot, which checks digital signatures before loading each stage and does not involve the TPM at all.) Because the TPM rather than the OS holds the record, malware that has subverted the OS, the bootloader, or even some parts of the firmware cannot rewrite it: a remote verifier can ask the TPM for a signed "quote" of the PCRs, and secrets such as disk-encryption keys can be sealed so that the TPM releases them only when the PCRs hold the expected values. TPMs provide other security features to modern computers, but for this discussion the measured-boot record is what matters.
The attacks presented by these researchers break the assumption that malware already running inside the OS cannot tamper with the boot record anchored in the TPM. The attacker does not need physical access, but does need kernel-level (root) privileges on the victim and the ability to put the machine to sleep and wake it again. (Note that the Bleeping Computer article incorrectly states that attackers need physical access to the computer to exploit these vulnerabilities.) The researchers discuss two different vulnerabilities: an implementation bug in Intel's tboot, the Trusted Boot loader used with Intel TXT, where function pointers used on the S3 resume path were left out of the measurements and could be overwritten by the attacker (CVE-2017-16837), and the more interesting "grey area vulnerability" (CVE-2018-6622).
The grey area vulnerability stems from the TPM 2.0 specification itself. When the system enters the S3 sleep state (suspend to RAM) the TPM loses power, so the OS is supposed to issue TPM2_Shutdown(STATE) beforehand, and the firmware issues TPM2_Startup(STATE) on wake-up to restore the PCRs. The specification does not say what the firmware should do if that restore fails, and many vendors simply fall back to TPM2_Startup(CLEAR), which resets the PCRs to their initial values as if the machine had cold-booted. An attacker with kernel privileges therefore boots the tampered OS (which leaves honest but incriminating PCR values), enters S3 without saving the TPM state, and on wake-up finds cleared PCRs into which the malware can replay the known-good measurements (obtained, for instance, from the TPM event log of a clean boot). The PCRs now match the values a verifier expects, so quotes and sealed keys treat the rootkit's OS as the genuine one. Because the flaw lies in the specification's silence rather than in one vendor's code, the researchers demonstrated it on several motherboards from different vendors. The mitigations are a firmware update that treats a failed TPM2_Startup(STATE) as fatal (halting or resetting the platform instead of clearing the PCRs), or disabling the S3 sleep state, which can often be changed in the BIOS/UEFI settings. To confirm S3 is really off: on Linux, /sys/power/mem_sleep should no longer list "deep" (only "s2idle"), and on Windows, "powercfg /a" should report Standby (S3) as not available.
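To make the measured-boot record and the S3 resume path concrete, here is a toy model I have added; it is not the researchers' code and not a real TPM interface. It models a single SHA-256 PCR, the extend operation, the TPM2_Shutdown(STATE)/TPM2_Startup(STATE) handshake, and the firmware's choice on a failed restore. The names (ToyTPM, firmware_resume, GOOD_STAGES) and the stage strings are hypothetical, constructed for the illustration. It shows an honest boot exposing the rootkit, the attacker skipping the state save, the silent reset under vendor fall-back, the replay of the good digests, and the behaviour of fixed firmware.

```python
"""Toy model of the TPM 2.0 'grey area' S3 attack (added illustration, not the paper's code)."""
import hashlib

PCR_SIZE = 32


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: the only way software can change a PCR (new = H(old || digest))."""
    return sha256(pcr + digest)


class ToyTPM:
    """Single-PCR TPM with just the Startup/Shutdown semantics relevant to S3 (hypothetical)."""

    def __init__(self) -> None:
        self.pcr = None          # undefined until a Startup command
        self.saved_state = None  # written by shutdown_state(), consumed by startup_state()

    def startup_clear(self) -> None:
        """TPM2_Startup(CLEAR): cold boot, the PCR returns to its initial value."""
        self.pcr = b"\x00" * PCR_SIZE

    def shutdown_state(self) -> None:
        """TPM2_Shutdown(STATE): what a well-behaved OS issues before entering S3."""
        self.saved_state = self.pcr

    def startup_state(self) -> bool:
        """TPM2_Startup(STATE): resume from S3. Fails when no state was saved."""
        if self.saved_state is None:
            return False
        self.pcr = self.saved_state
        self.saved_state = None
        return True

    def extend(self, digest: bytes) -> None:
        if self.pcr is None:
            raise RuntimeError("TPM not started")
        self.pcr = pcr_extend(self.pcr, digest)


# Constructed stand-ins for the code each boot stage measures into the PCR.
GOOD_STAGES = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
ROOTKIT_STAGES = [b"firmware-v1", b"bootloader-v1", b"kernel-v1+rootkit"]


def measured_boot(tpm: ToyTPM, stages) -> bytes:
    """Each stage measures the next one into the PCR before handing over control."""
    tpm.startup_clear()
    for stage in stages:
        tpm.extend(sha256(stage))
    return tpm.pcr


GOLDEN_PCR = measured_boot(ToyTPM(), GOOD_STAGES)  # value a verifier expects


def firmware_resume(tpm: ToyTPM, fall_back_to_clear: bool) -> str:
    """Firmware path on S3 wake-up. The spec leaves the failure case to the vendor."""
    if tpm.startup_state():
        return "resumed"
    if fall_back_to_clear:
        tpm.startup_clear()  # the grey area: PCRs silently reset to their defaults
        return "reset"
    raise RuntimeError("TPM2_Startup(STATE) failed: halting platform")


def normal_sleep_cycle() -> tuple:
    """Clean OS saves TPM state before S3; PCRs survive the round trip."""
    tpm = ToyTPM()
    measured_boot(tpm, GOOD_STAGES)
    tpm.shutdown_state()
    outcome = firmware_resume(tpm, fall_back_to_clear=True)
    return outcome, tpm.pcr == GOLDEN_PCR


def grey_area_attack(fall_back_to_clear: bool) -> tuple:
    """Kernel-privileged attacker: boot tampered, sleep without saving, replay good hashes."""
    tpm = ToyTPM()
    measured_boot(tpm, ROOTKIT_STAGES)
    honest_match = tpm.pcr == GOLDEN_PCR  # False: the honest measurement exposes the rootkit
    # The attacker deliberately skips shutdown_state() before entering S3.
    try:
        outcome = firmware_resume(tpm, fall_back_to_clear)
    except RuntimeError:
        return honest_match, "halted", False
    # After the silent reset, replay the digests of the good chain (e.g. from an old event log).
    for stage in GOOD_STAGES:
        tpm.extend(sha256(stage))
    return honest_match, outcome, tpm.pcr == GOLDEN_PCR


if __name__ == "__main__":
    print("normal cycle:", normal_sleep_cycle())
    print("vulnerable firmware:", grey_area_attack(fall_back_to_clear=True))
    print("fixed firmware:", grey_area_attack(fall_back_to_clear=False))
```

The vulnerable run ends with the rootkit's PCR equal to GOLDEN_PCR, which is exactly why a quote or a sealed key cannot tell the two boots apart afterwards; the fixed run never gets that far because the firmware refuses to continue on a failed restore, which is what the firmware updates are meant to do.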