# Computer and Network Security

Lecture 14: OS & Hardware Security

COMP-5370/6370 Fall 2025



## Do you trust other people's code?



- Do you use an HP computer?
  - Android OS or Google's Android Apps?
  - Google services (GMail, Docs, Calendar, etc)?



Finster Professor



**Shady Professor** 



**Profesor Turbio** 

## **Architectural Defenses**



An **architectural defense** is one which is both generic in terms of implementation and focused on *isolating* a potential misbehaving application or process.

- Not tied to a specific application or attack
- Can defend against unknown attacks in the future due to generality

## Defense: Air Gap Hardware



- Physically separated systems/networks
- No logical interaction across boundary
- Physical data transfer across boundary





#### Defense: Virtual Machines



- OS-level isolation
  - Similar to dual-boot but simultaneous
- A "hypervisor" coordinates hardware access
- OSes are isolated (Linux VM on Windows)



#### **Defense: Containers**



- Perspective-level isolation
- Shared kernel w/ isolated perspective
  - Each container thinks it's the only thing running on the entire computer



Virtual Machines

Containers

## **Defense: Process Isolation**



- Memory-level isolation
- Managed via OS scheduler
- Extremely efficient due to virtual memory



## **Defense: Thread Sandbox**



- Logic-level isolation (code logic)
- Threads interact via memory & IPCs
- Tainted threads can be killed and restarted



## **Defense: Thread Sandbox**



- "Do one thing and do it safely"
- A "policy engine" can blindly enforce data interactions and data exchanges
- Very useful for web browsers
  - Request content, run JS, render image, etc are \*very\* different things with predictable inputs and outputs
- Better than nothing but is exceptionally difficult to internally isolate behavior

## Defense: SELinux/App Armor



- Permission-level isolation
- HEAVILY patched set of kernel modules
- "Know what an application is suppose to do and don't let it do anything else."
  - ls doesn't need network access
  - Print driver doesn't need keystrokes



## Defense: Use-Specific HW



- Required to install a shady VTC program?
  - Get a \$50 tower from 2012 and \$20 monitor
- Need to test a really sketchy app?
  - Get a \$30 Android phone with Wifi
- Need to install a known-spyware extension?
  - Chromebooks are \$100 on-sale











## What do you think?





**McAfee** 



### Defense: Anti-Virus



- Anti-Virus and "host-based defense systems" are ... complicated...
- Good They can quarantine and alert you when there's known malware.
- Maybe They can only tell you about known malware and the naïve versions
- Bad They love to quarantine dev-tools and known-benign security tools/apps
- Worse They have to touch everything

## Defense: Anti-Virus





#### Software Facts of Life



- Software has bugs
- Some bugs are weaknesses
- Some weaknesses are vulnerabilities
- Some vulnerabilities can be exploited
- Someone has an interest in exploiting others for gain



#### Defense: Anti-Virus









## **Threat Modeling**



A systematic approach to analyzing and understanding potential weaknesses.



## **Trusted Computing Base**



The **Trusted Computing Base (TCB)** is the collection of all components within a system critical to providing security properties.





Figure 15: Cloud Provider - Service Orchestration

#### **Local TCB**





**Applications** 

Operating System

**HyperVisor** 

**Firmware** 

**Hardware** 

- Everything needed to run the application safely
- Each layer relies on the layers below it to behave correctly

## Turtles All The Way Down





- Attack surface is exponentially larger b/c malicious lower-levels
- Level N bug means levels >=N are untrustworthy
- Bugs and vulns mimic each other due to abstraction





Bash Environment

```
$>
$> ssh username@host
```



- Bash Environment
- SSH protocol design







- Bash Environment
- SSH protocol design
- SSH app architecture









- Bash Environment
- SSH protocol design
- SSH app architecture
- SSH app logic



```
SEC_k : Hon(\hat{C}, \hat{K}) \supset (GoodKeyAgainst(X, k) \lor \hat{X} \in \{\hat{C}, \hat{K}\})
  SEC_{akey}: Hon(\hat{C}, \hat{K}, \hat{T}) \supset (GoodKeyAgainst(X, AKey) \lor \hat{X} \in \{\hat{C}, \hat{K}, \hat{T}\})
  SEC_{skey}: \mathsf{Hon}(\hat{C}, \hat{K}, \hat{T}, \hat{S}) \supset (\mathsf{GoodKeyAgainst}(X, SKey) \lor \hat{X} \in \{\hat{C}, \hat{K}, \hat{T}, \hat{S}\})
 AUTH_{kas}: \exists \eta. Send((\hat{K}, \eta), Cert_K.SIG[sk_K]("DHKey".gy.\tilde{n_1}).E_{sym}[k_{T.K}^{t \to k}](AKey.\hat{C}).
                        E_{sym}[k](AKey.n_1.\hat{T}))
 AUTH_{tgs}: \exists \eta. \ \mathsf{Send}((\hat{T}, \eta), \hat{C}.E_{sym}[k_{S.T}^{s \to t}](SKey.\hat{C}).E_{sym}[AKey](SKey.n_2.\hat{S}))
SEC_k^{client} : [Client]_C SEC_k
                                                                   SEC_k^{kas} : [KAS]_K SEC_k
SEC_{akey}^{client} : [Client]_C SEC_{akey}
                                                            AUTH_{kas}^{client}: [\mathbf{Client}]_C \ \mathsf{Hon}(\hat{C},\hat{K}) \supset AUTH_{kas}
 SEC_{akey}^{kas} : [KAS]_K SEC_{akey}
                                                                AUTH_{has}^{tgs}: [\mathbf{TGS}]_T \operatorname{Hon}(\hat{T}, \hat{K})
 SEC_{akey}^{tgs} : [TGS]_T SEC_{akey}
                                                                                         \supset \exists n_1, k, gy, \tilde{n_1}. AUTH_{kas}
                                                             AUTH_{tas}^{client}: [Client]_C Hon(\hat{C}, \hat{K}, \hat{T}) \supset AUTH_{tas}
SEC_{skey}^{client}: [Client]_C SEC_{skey}
                                                           AUTH_{tas}^{server}: [\mathbf{Server}]_S \ \mathsf{Hon}(\hat{S}, \hat{T})
  SEC_{skey}^{tgs} : [TGS]_T SEC_{skey}
                                                                                         \supset \exists n_2, AKey. AUTH_{tas}
```

Table 1. DHINIT Security Properties

```
\begin{split} C \longrightarrow K(I) : Cert_C.SIG[sk_C](\text{``Auth".HASH}(\hat{C}.\hat{T}.n_1).\tilde{n_1}.gx).\hat{C}.\hat{T}.n_1 \\ I \longrightarrow K : Cert_I.SIG[sk_I](\text{``Auth".HASH}(\hat{I}.\hat{T}.n_1).\tilde{n_1}.gx).\hat{I}.\hat{T}.n_1 \\ K \longrightarrow I \longrightarrow C : Cert_K.SIG[sk_K](\text{``DHKey".gy}.\tilde{n_1}). \\ E_{sym}[k_{T,K}^{l \to k}](AKey.\hat{I}).E_{sym}[k](AKey.n_1.\hat{T}) \end{split}
```

- Bash Environment
- SSH protocol design
- SSH app architecture
- SSH app logic
- Crypto math





- Bash Environment
- SSH protocol design
- SSH app architecture
- SSH app logic
- Crypto math
- Crypto implementation





- Bash Environment
- SSH protocol design
- SSH app architecture
- SSH app logic
- Crypto math
- Crypto implementation
- Channel design





- Bash Environment
- SSH protocol design
- SSH app architecture
- SSH app logic
- Crypto math
- Crypto implementation
- Channel design
- Channel implementation





- Bash Environment
- SSH protocol design
- SSH app architecture
- SSH app logic
- Crypto math
- Crypto implementation
- Channel design
- Channel implementation
- OS implementation





- Bash Environment
- SSH protocol design
- SSH app architecture
- SSH app logic
- Crypto math
- Crypto implementation
- Channel design
- Channel implementation
- OS implementation
- Firmware for HW





- Bash Environment
- SSH protocol design
- SSH app architecture
- SSH app logic
- Crypto math
- Crypto implementation
- Channel design
- Channel implementation
- OS implementation
- Firmware for HW
- HW components

#### Rowhammer



#### **Project Zero**

News and updates from the Project Zero team at Google

Monday, March 9, 2015

Exploiting the DRAM rowhammer bug to gain kernel privileges

Posted by Mark Seaborn, sandbox builder and breaker, with contributions by Thomas Dullien, reverse engineer

[This guest post continues Project Zero's practice of promoting excellence in security research on the Project Zero blog]



- Allows arbitrary process to flip bits in physical memory
- Predictable but not 100% perfect

Think of all the things you can do with 1 bit.





- Bash Environment
- SSH protocol design
- SSH app architecture
- SSH app logic
- Crypto math
- Crypto implementation
- Channel design
- Channel implementation
- OS implementation
- Firmware for HW
- HW components
- SoC design/impl.
- Chip design/impl.

## **CPU Management**





- Completely separate co-processor built into Intel CPUs
- AMD Platform Security Processor (AMD PSP)
  - All chips since 2013
- Intel Management
   Engine (Intel ME)
  - All chips since 2008

#### Let's Connect to a Server





- Bash Environment
- SSH protocol design
- SSH app architecture
- SSH app logic
- Crypto math
- Crypto implementation
- Channel design
- Channel implementation
- OS implementation
- Firmware for HW
- SoC design/impl.
- CPU design/arch

## **CPU Bugs**





## CPU Bug Examples



#### **Pentium FDIV Bug**

#### c = 4195835 / 3145727

appeared to be an instance of the worst-case error. Coe did his analysis without actually using a Pentium—he doesn't own one. To verify his prediction, he had to bundle his year-and-a-half-old daughter into his car, drive to a local computer store, and borrow a demonstration machine.

The true value of Coe's ratio is

c = 1.33382044...

But computed on a Pentium, it is

c = 1.33373906...

#### **Cyrix Coma Bug**

#### **CPU Microcode**



**Microcode** is firmware that acts as a translator for CPUs and turns *opcodes* into *micro-operations* which are executed.

- RISC won the RISC vs. CISC War
  - RISC-style is much more efficient
- Allows manufacturers to patch w/o recall
  - Just install a microcode patch
- Completely unknown to almost everyone

#### Software Facts of Life



- Software has bugs
- Some bugs are weaknesses
- Some weaknesses are vulnerabilities
- Some vulnerabilities can be exploited
- Someone has an interest in exploiting others for gain
- Malware is a different breed of software



#### Microcode Vulnerabilities



Side Channel Vulnerabilities: Microarchitectural Data Sampling and Transactional Asynchronous Abort



ars TECHNICA

**SUBSCRIBE** 



SPECULATIVE EXECUTION STRIKES AGAIN —

Intel SGX is vulnerable to an unfixable flaw that can steal crypto keys and more

Just when you thought it was secure again, Intel's digital vault falls to a new attack.

DAN GOODIN - 3/10/2020, 5:40 PM

#### Let's Connect to a Server





- Bash Environment
- SSH protocol design
- SSH app architecture
- SSH app logic
- Crypto math
- Crypto implementation
- Channel design
- Channel implementation
- OS implementation
- HW components
- SoC design/impl.
- CPU design/arch
- Sub-component impl.

## Hardware Trojans



Hardware trojans are just like trojan horse malware except implemented in hardware from the manufacturer.

Known capability but never seen (AFAIK)



# Hardware Trojans









#### Let's Connect to a Server





- Bash Environment
- SSH protocol design
- SSH app architecture
- SSH app logic
- Crypto math
- Crypto implementation
- Channel design
- Channel implementation
- OS implementation
- HW components
- SoC design/impl.
- CPU design/arch
- Sub-component impl.
- Silicon traces

# **Stealthy Dopant Trojans**



#### Stealthy Dopant-Level Hardware Trojans \*

Georg T. Becker<sup>1</sup>, Francesco Regazzoni<sup>2</sup>, Christof Paar<sup>1,3</sup>, and Wayne P. Burleson<sup>1</sup>

<sup>1</sup>University of Massachusetts Amherst, USA <sup>2</sup>TU Delft, The Netherlands and ALaRI - University of Lugano, Switzerland <sup>3</sup>Horst Görtz Institut for IT-Security, Ruhr-Universität Bochum, Germany

# Stealthy Dopant Trojans





Fig. 1. Figure of an unmodified inverter gate (a) and of a Trojan inverter gate with a constant output of  $V_{DD}$  (b).

# Stealthy Dopant Trojans





Fig. 2. Layout of the Trojan DFFR\_X1 gate. The gate is only modified in the highlighted area by changing the dopant mask. The resulting Trojan gate has an output of  $Q = V_{DD}$  and QN = GND.

### Let's Connect to a Server





## **Trusted Computing Base**



The **Trusted Computing Base (TCB)** is the collection of all components within a system critical to providing security properties.





Figure 15: Cloud Provider - Service Orchestration

# Hardware Security Primitives



Similar to cryptographic primitives, Hardware Security Primitives provide discrete functionality at the silicon-level which can be used as building-blocks.

# Security CPU Instructions



#### **AES-NI**

- Perform specific AES operation in HW
  - Encrypt/Decrypt round
  - Generate round key

| Instruction     | Description <sup>[2]</sup>                       |
|-----------------|--------------------------------------------------|
| AESENC          | Perform one round of an AES encryption flow      |
| AESENCLAST      | Perform the last round of an AES encryption flow |
| AESDEC          | Perform one round of an AES decryption flow      |
| AESDECLAST      | Perform the last round of an AES decryption flow |
| AESKEYGENASSIST | Assist in AES round key generation               |
| AESIMC          | Assist in AES Inverse Mix Columns                |
| PCLMULQDQ       | Carryless multiply (CLMUL)[3]                    |

## Security CPU Instructions



#### **AES-NI**

- Perform specific AES operation in HW
  - Encrypt/Decrypt round
  - Generate round key

| Instruction     | Description <sup>[2]</sup>                       |
|-----------------|--------------------------------------------------|
| AESENC          | Perform one round of an AES encryption flow      |
| AESENCLAST      | Perform the last round of an AES encryption flow |
| AESDEC          | Perform one round of an AES decryption flow      |
| AESDECLAST      | Perform the last round of an AES decryption flow |
| AESKEYGENASSIST | Assist in AES round key generation               |
| AESIMC          | Assist in AES Inverse Mix Columns                |
| PCLMULQDQ       | Carryless multiply (CLMUL)[3]                    |

#### **RDRAND**

 Read random value from HW and store in given register

#### RDRAND—Read Random Number

| Opcode*/<br>Instruction |
|-------------------------|
| NFx 0F C7 /6            |
| RDRAND r16              |
| NFx 0F C7 /6            |
| RDRAND r32              |
| NFx REX.W + 0F C7 /6    |
| RDRAND r64              |

## RDRAND Leakage



### Special Register Buffer Data Sampling (SRBDS) Hardware Vulnerability in Intel CPUs (CVE-2020-0543, aka Crosstalk)

It was discovered that special register buffer data of certain Intel CPUs may be exposed to a malicious process executing on the same CPU. Particular processor operations (e.g RDRAND, RDSEED) use data from outside the physical processor core - this can be done via an internal microarchitectural operation called a special register read. This uses part of a shared staging buffer which may not be completely zero'd on subsequent uses by other threads. As such, a local attacker may be able to infer stale values which were previously returned from special register reads to other processors (as their contents may still be present in other parts of the shared staging buffer). Some special register reads return sensitive information (such as RDRAND, RDSEED and SGX EGETKEY) and so an attacker executing code on the same CPU may be able to infer these values for another thread / process executing on the same CPU.

This attack relies on the same techniques used to exploit previous microarchitectural speculative execution vulnerabilities such as MDS and TSX Asynchronous Abort, and affects some client and Intel® Xeon® E3 processors; it does not affect other Intel Xeon or Intel Atom® processors.

Mitigations for this issue are provided by CPU microcode updates via the intel-microcode package. This mitigation consists of ensuring data in the shared staging buffer is overwritten by the RDRAND, RDSEED and EGETKEY instructions and serialising execution of RDRAND etc instructions across multiple logical processors. As a result, this will have an effect on the performance of these instructions. In conjunction, the microcode updates also supports an optout mechanism so that performance can be restored if desired - to support this, the Linux kernel supports a kernel command-line option srbds=off to allow system administrators to make use of the opt-out mechanism. For details on the boot command line option and how to check system status, please see the Linux Kernel Special Register Buffer Data Sampling Admin Guide.

# Oversimplified Descriptions



- Security CPU Instructions
  - Trusted actions in standard hardware

## Cryptographic Accelerator





- Operations are often well-defined and repetitive
  - 14-rounds for AES256
  - Trial-and-error for bitcoin mining
  - Standardized protocols
- ASIC allows optimized pipelines for specific behavior

# Cryptographic Accelerator



A Cryptographic Accelerator is an add-on component that allows software to leverage custom ASICs for improved performance.





# Usage: Crypto Accelerator



#### **Primitive-Level Variant**

- Offload actions
- Software provides:
  - Action-specific input
     CT/PT/data/sig+data
  - Instance-specific secret
- Accelerator provides
  - Primitive algorithms
  - Action-specific output

#### Protocol-Level Variant

- Offload layers
- Software provides:
  - Configuration
  - Long-term secrets
- Accelerator provides:
  - Protocols negotiation
  - Primitive algorithms
  - Short-term secrets
  - Plaintext messages

# Oversimplified Descriptions



- Security CPU Instructions
  - Trusted actions in standard hardware
- Crypto Accelerator
  - Fast, trusted actions in add-on hardware

### **Trusted Platform Module**



A Trusted Platform Module (TPM) is additional built-in, self-contained ASIC that provides a central "root of trust" for a device.



#### **TPM Internals**





- Includes suite of crypto primitives
  - RNG
  - Algorithm implementations
  - Secure storage
- Arbitrary control logic
  - Timers, persistent counters, etc

## TPM Keys





- Secrets are either generated on-board or injected during manufacturing
- Derive many secrets from single root secret via KDF

## **Usage: Building Block**





- Most commonly a component on motherboard
- Software treats as black-box operations
  - Hardened, well-defined interface for use

## Example: Secure Boot





- TPM validates firmware signature before booting
- If invalid, refuse to launch bootloader
- Used as foundational trust for validating higher-level software

# Usage: Out-of-Band Secret







- TPM available over removable USB
- Explicit trust boundary
- Greatly improved usability with strong security properties

# Oversimplified Descriptions



- Security CPU Instructions
  - Trusted actions in standard hardware
- Crypto Accelerator
  - Fast, trusted actions in add-on hardware
- Trusted Platform Module
  - Trusted actions in built-in hardware w/ keys

# Hardware Security Module



A Hardware Security Module (HSM) is a special-purpose add-on component that securely stores cryptographic keys and performs cryptographic operations.



# Hardware Security Module







- High-performance operations
- Restricted logic
  - Most commonly used for signing operations
- Commonly available "in the cloud" for use with AWS/GCP/...

# Oversimplified Descriptions



#### Security CPU Instructions

Trusted actions in standard hardware

#### Crypto Accelerator

Fast, trusted actions in add-on hardware

#### Trusted Platform Module

Trusted actions in built-in hardware w/ keys

#### Hardware Security Module

Fast, trusted actions in add-on hardware w/ keys

## **Trusted Computing Base**



The **Trusted Computing Base (TCB)** is the collection of all components within a system critical to providing security properties.





Figure 15: Cloud Provider - Service Orchestration

#### Cloud Provider TCB





- SaaS: Software
  - Office 365
- PaaS: Platform
  - Elastic Container Service
- laaS: Infrastructure
  - EC2 Instances
- <many more layers of internal services>
- All on top of Local TCB

# Cloud Computing Architecture TCB





#### Cloud Auditor

Security Audit

Privacy Impact Audit

Performance Audit



**Cloud Carrier** 

# Computer and Network Security

Lecture 14: OS & Hardware Security

COMP-5370/6370 Fall 2025



#### **Course Notes**



- Project 1A grades posted
- Exam 1 grades posted
- Midterm on Tuesday
  - Distance: Identify proctor and schedule
- Same style/format/approach as Exam 1
  - Multiple choice, True/False, Matching, etc.
  - Short-answers for grad-section
  - Bonus available but low point value

## **Course Notes**



- Project 2 due next Friday (10Oct2025)
  - If you haven't started...



# Computer and Network Security

Lecture 14: OS & Hardware Security

COMP-5370/6370 Fall 2025

