[Cryptography] suggestions for very very early initialization of the kernel PRNG

Arnold Reinhold agr at me.com
Fri Nov 8 11:24:32 EST 2013


On Nov 8, 2013, at 7:49 AM, Jerry Leichter <leichter at lrw.com> wrote:

> On Nov 8, 2013, at 7:06 AM, Arnold Reinhold wrote:
>> CD-ROMs have a big advantage over USB flash drives: they are physically unmodifiable. The read-only partition on your USB drive is enforced by system software that can be compromised.
> While I said the same thing myself ... there's a subtlety here.  You said "CD-ROM", which is a pressed disk, and is indeed physically unwritable.  But that requires access to a CD pressing facility - i.e., CD-ROMs are something for the commercial market.  Same for DVD-ROM.  It's not clear there's a sufficient market for anyone to sell a CD- or DVD-ROM LiveCD, and I'm sure there will be those who wouldn't trust the contents anyway.  (To get around that, you'd want to make sure the contents of the disk were created using a fully reproducible build process.  Then the suspicious could always build from source all the way up to an ISO image and compare bit by bit.)

It seems you can get CD-ROMs pressed in quantities of several hundred for about a buck apiece. So this option is not out of the question. And an SHA256 hash of each disk would ensure faithful reproduction. But I agree with your next sentence.

> 
> What most people have in mind, though, is cutting their own CD or DVD.  And here you get into the whole mess of different technologies, and the question of just what enforces the "non-writability".  CD-RW is out, as it's explicitly re-writeable.  Any given physical piece of a CD-R "can't be re-written", though you can add more data to previously written sections later.  What "can't be re-written" actually means physically, I'm not sure.  The bits are written to a CD-R as "permanently" altered and unaltered areas of dye.  Even if the "permanent" alterations can't be undone, one could in principle alter some of the unaltered regions.  It would require specialized hardware and software; given all the error correction needed to make these devices usable, it's not even clear what modifications you might be able to introduce.  It also seems highly unlikely that a commercial CD-R writer could be modified (by a malicious firmware alteration) to play this game.  But who knows.
>
> With DVD, things get even more complicated, given the multiple extant technologies.
> 
> Theoretically, I suppose it might even be possible to use a laser to blast extra pits into a pressed CD or DVD - though that would certainly require specialized equipment and physical access to the disk, at which point you might as well produce a look-alike disk containing whatever you want on it.
> 
> I'm sure the three-letter agencies have had their engineers all over this stuff, just in case they might need the capability to modify a "read-only" disk.  I haven't seen any public discussion of the issue, though I'll admit I haven't looked hard for it.
> 
> In *practical* terms, a CD-R or DVD-R - *not* a -RW, or the logically equivalent "+" versions - can probably be treated as unmodifiable unless you're targeted by the NSA or someone with similar resources.  (Even then, they probably have many easier ways to get to you.)  It would be nice to confirm, though, that CD-R or DVD-R writers are *physically* incapable of modifying existing information, not just blocked from trying by perhaps-modifiable firmware.
>                                                        -- Jerry
> 

The attack I am concerned with is a remote attack that, say, exploits a zero-day and roots or inserts a backdoor in your operating system. Maybe you opened an e-mail or visited a web site you shouldn't have. The attacker does not want to lose access when you reboot. That attack seems feasible with a USB flash drive or CD-RW, but not with write-once CD or DVD media. I don't claim to be an expert in CD/DVD technology, but my understanding is that the optical drive firmware prevents overwriting and cannot be re-flashed from the computer the drive is attached to. The RIAA/MPAA would never allow that as it could be used to bypass DRM. One also has the option of using an optical drive with no write capability on one's secure machine.  Such drives can still be purchased, and there are many old PCs gathering dust in basements with this "feature."

A large organization that gained physical access to your CD or DVD and wanted to modify it would more likely replace it with a different disc and use their forging skills to make the outside look identical, rather than trying to alter bits on your original. (Even more likely they would just modify your computer in some nefarious way.)

Building secure systems requires some starting point of trust and read-only media is very attractive in this regard. It is certainly worth some effort to get authoritative answers to the questions you raise.


Arnold Reinhold
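
The SHA-256 check and bit-by-bit comparison discussed in this thread, as an added example that is not part of the original messages. A raw read of an optical drive often returns padding sectors after the image, so this sketch hashes only the length declared in the ISO 9660 primary volume descriptor; the function names are hypothetical, and the path may be an ISO file or a readable device node.

```python
import hashlib
import struct

SECTOR = 2048       # ISO 9660 logical sector size
PVD_SECTOR = 16     # the Primary Volume Descriptor sits at sector 16


def iso_image_length(f):
    """Return the image length in bytes as declared by the ISO 9660 PVD."""
    f.seek(PVD_SECTOR * SECTOR)
    pvd = f.read(SECTOR)
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor found")
    # Both fields are stored "both-endian"; read the little-endian copy.
    (volume_blocks,) = struct.unpack_from("<I", pvd, 80)
    (block_size,) = struct.unpack_from("<H", pvd, 128)
    return volume_blocks * block_size


def disc_sha256(path, chunk=1 << 20):
    """SHA-256 over exactly the declared image length of a disc or ISO file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        remaining = iso_image_length(f)
        f.seek(0)
        while remaining:
            data = f.read(min(chunk, remaining))
            if not data:
                # The medium is shorter than the filesystem claims.
                raise IOError("short read: medium ends before declared length")
            h.update(data)
            remaining -= len(data)
    return h.hexdigest()


def verify_disc(path, expected_hex):
    """Compare the disc digest with a reference digest obtained out of band."""
    return disc_sha256(path) == expected_hex.strip().lower()
```

The reference digest is only as trustworthy as the machine that computes the comparison, so the check belongs on a system other than the one booted from the disc.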

