Computer Hardware

1
Computer Hardware Security
Presenter Tan Chun You
2
Todays Agenda

• Windows XP Boot Process
• Security Vulnerabilities
• Smart Card Authentication

3
Windows XP Boot Process

• Power-on Self Test Phase
• BIOS ROM Phase
• Boot Loader Phase
• OS Configuration Phase
• Security Logon Phase

4
Power-On Self Test Phase
1
(AKA POST Phase)

• Power Supply checks if power is supplied at the
  right level
• If test passed, Power Good signal is sent to
  CPU
• (CPU will make a short beep sound to indicate
  clearance of POST)
• CPU will now initialize BIOS firmware

5
WAIT! Whats BIOS?
S
S

• BIOS is a firmware written in assembly language
• (Basic software that interacts with respective
  hardware)
• Usually stored in a Flash memory (ROM) located on
  motherboard
• Its the first code the computer runs when
  powered on.
• (CPU can only run programs stored in either ROM
  or RAM)
• It interfaces and retrieve data from the CMOS

BIOS Interface
6
BIOS ROM Phase
2
(Comprises of many steps)

• BIOS perform POST to verify all initial hardware
  checks
• Warm / cold boot
• Amount of memory present
• Presence of peripheral devices (e.g. keyboard,
  mouse)
• BIOS checks CMOS for custom settings (boot order
  etc)
• Hardwares firmware to perform SMART diagnostic
  test individually
• BIOS determines the first bootable disk
• BIOS reads the machine code instruction stored in
  boot disks MBR
• If no error, BIOS copies all execution into the
  RAM

7
About CMOS?
S

• CMOS is actually a kind of RAM that runs on
  special battery
• Battery typically lasts 5 years for desktops
• Volatile storage device Loses information when
  battery dies
• Used not only in computers (e.g. Cameras as well)
• CMOS stores the following data
• Boot order (devices)
• Calendar settings
• Hardware Passwords
• Hardware Configurations

CMOS Chip
CMOS Battery
8
Boot Loader Phase
S
3
(Comprises of many steps)

• Control is now passed to the Boot Loader (stored
  in ROM)
• Boot loader accesses the disk partition table
• So as to identify primary, extended and active
  partitions.
• Main purpose to locate the NTLDR file
• NTLDR switches processor from real-mode to 32bit
  protected
• So as to enable memory paging
• NTLDR calls boot.ini to determine the entries in
  OS boot partition
• Boot menu is now displayed for user to select OS
• NTLDR passes information to the Ntoskrnl.exe file
• Information are passed from the Windows Registry
  and boot.ini

Boot menu displaying a list of OS for user to
select(boot.ini)
9
OS Configuration Phase
4

• Ntoskrnl loads XP kernel, hardware abstraction
  layer and registries
• Control is now with the DOS-based Ntdetect.com
  program
• Searches for hardware profile information
• Loads respective software drivers to control
  hardware devices

10
Security and Logon Phase
S
S
5
(Finally!)

• Ntoskrnl loads Winlogon.exe which triggers
  Lsass.exe (LSASS)
• ( Windows XP boot process ends here )
• About Local Security Administration (LSASS)
• A Windows process that enforces security policies
  on the system
• Verifies user logging onto a Windows PC or server
• Handles password changes
• Creates access tokens
• Writes to Windows Security Log

Interface for logging onto Windows
11

• Topics
• Types of Malware
• Main security threats to BIOS
• About Rootkit
• About Sasserworm

Computer Security
12
Types of Malware

• Infectious Malware
• Computer Virus infects .exe files, spreads when
  executed
• Computer Worm Actively transmit over network to
  computers
• Concealment Malware
• Trojan Horse
• Root kit (most)
• Backdoor
• Malware for profits
• Spyware
• Botnet Used by attacker to send upgraded
  malware to all same botnets
• Keystroke Logger
• Dialers Stealing money from infected PC by
  making expensive calls

13
About Root kit

• Software designed to evade programs from security
  scans
• Most root kits are classified as a malware
• Not all, as root kit can be used for legitimate
  purposes
• (e.g. Parental control over a childs computer)
• A successfully installed root kit threatens your
  computer!
• Attackers can install backdoor, key loggers or
  Trojan horse
• Computer vulnerable to unauthorized remote admin
  access
• Some anti-virus can detect malwares hidden by
  root kit
• Types of root kits (5 at least)
• Firmware root kit BIOS etc
• Hypervisor root kit Virtual Machine Monitor
  (VMM)
• Kernel root kit add/replace codes in OS
• Library root kit dll format files (can use
  digital signature to detect)
• Application root kit regular apps

14
More about BIOS root kit

• Allows installations of virus/backdoor/trojan by
  hackers
• Especially vulnerable to CIH (Chernobyl) virus
• CIH rewrites critical boot information in BIOS
  with garbage output
• Reinstallation of OS doesnt remove firmware
  rootkit
• 60 of the newly manufactured laptops comes with
  a legitimate rootkt
• Computracer (to deter laptop thefts)
• Security experts has proven its vulnerability by
  modifying the rootkit early this year

15
Smart Card Authentication
16
Types of Data-processing Cards

• Embossed Cards
• Magnetic-stripe cards
• Smart Cards
• Contactless Smart Cards (uses Radio Frequency)
• Contact-type Smart Cards (uses Integrated
  Circuit)
• Memory Smart Cards
• Microprocessor Smart Cards

17
About Smart Cards

• Storage space of 256kB or more
• Quite a lot compared to Embossed or
  Magnetic-stripe cards
• Strong authentication against unauthorized access
• Long life-span and high reliability
• Contains an encrypted digital certificate

18
Digital Certificate

• Also known as Public Key Certificate
• An electronic document binding a public key and
  an identity using a digital signature
• In PKI schemes, signature should be signed by
  trusted third party
• Contents of typical digital certificate
• Serial Number
• Subject
• Signature
• Issuer
• Valid-from
• Valid-to
• Thumbprint Algorithm (algorithm to hash the cert)
• Thumbprint (hash itself)

19
Digital Certificate

• Classes of Digital Certificate
• Class 1 For individuals, intended for emails
• Class 2 For organization, proof of identity is
  needed
• Class 3 For servers and software signing,
  verification is done by CA
• Class 4 For online business transactions
  between companies
• Class 5 For private organization or government
  security

20
About Kerberos
S

• Smart Card authentication requires Kerberos
• Kerberos
• Computer network authentication protocol
• Provides authentication between client and server
• Verifies each others identity using
  symmetric-key cryptography
• Requires digital certificate from a trusted third
  party
• TTP, also known as CA (Certificate Authority)
• Implemented as a Security Support Provider (SSP)
  since WinServer 2003
• Accessible through Security Support Provider
  Interface (SSPI)

Typical Kerberos Process
21
Smart Card Authentication Process
(Comprises of many steps)

• If reader is attached, user is prompted to insert
  card
• User is prompted to enter PIN code
• Logon requests is passed to Local Security
  Authority (LSA)
• LSA communicates with Kerberos authentication
  package
• Kerberos sends a request to Kerberos Distribution
  Center (KDC) on domain controller for
  authentication
• (request includes certificate from smart card)
• Builds a certification path from certificate to
  root CA
• There must be an enterprise CA (published in
  active directory), this prevents a rogue CA
  certified in another CA hierarchy from issueing a
  certificate in the domain

22
Smart Card Authentication Process
(Comprises of many steps)

• KDC uses public key from certificate to verify
  signature
• KDC verifies that timestamp is within skew time,
  the time period during which a request can be
  processed.
• (Helps to detect replay attacks)
• KDC looks in Active Directory for account
  information
• If passed all tests, KDC returns a Ticket
  Granting Ticket. KDC provides a copy of its
  certificate as well as signs the returned
  information with its private key.
• Client verifies the KDC by building a certificate
  path from the certificate to the trusted CA, and
  uses KDC public key to verify reply signature
• If all is ok, normal Kerberos path starts here.

23

• QA