[Cryptography] Understanding state can be important.
agr at me.com
Tue Dec 29 16:31:00 EST 2015
On Mon, 28 Dec 2015 11:45 Ray Dillinger wrote:
> Remember systems where there was a physical write-protect slot on the
> floppy disk?
> We live now in a
> world where our devices offer no physical security against being
> written, and no physical certainty of the success of any erasure.
> There is no physical basis for security we're truly certain of
> to even be built any more.
I agree. Lack of write-protect is a bedrock problem in developing secure systems. One solution is to use live CD-ROMs. There are a number of live distros out there that can be compiled from source. Once burned, the checksums of the CD-ROMs can be verified on a variety of different platforms. The U.S. Air Force distributes such a system called Lightweight Portable Security (http://www.spi.dod.mil/lipose.htm). But the flexibility of such systems is limited.
Here is a more general approach that I think can be made practical with relatively straightforward development. It fits with my view that modern desktop and portable computers are too complex to be trusted and we should be looking at simpler computing models based on inexpensive, widely available off-the-shelf hardware, such as the Arduino and Raspberry Pi boards. I consider the Arduino devices more secure than the Pi because they are simpler and do not require an operating system, but the Pi is more useful and is at least stateless.
My solution to the write-protect problem involves two single-purpose devices. One is a board that would serve as a write-protect shield for an SD card. All SD cards implement a Serial Peripheral Interface Bus (SPI), which is supported on the Arduino and R Pi platforms. The SD card specs, e.g. http://blog.chinaaet.com/282280072/p/17750, include a set of commands. There are two for writing blocks: CMD24 and CMD25. The wedge board would send commands and data to and from the SD card transparently except that it would block the Write commands. This feature might be controlled by a switch or a jumper on the board. A light or sound alert could warn of a write attempt.
The write-protect board with an SD card installed might be made to act like a USB flash drive. This should be easy to do on a Raspberry Pi Zero ($5 retail), using the Pi Zero’s USB port. One might have to load a special, verified OS distro beforehand. (Here are instructions to make the Pi read-only, with a RAM disk: http://blog.pi3g.com/2014/04/make-raspbian-system-read-only/ I haven’t tried them.) It should also be possible to make a write-protect board using an Arduino platform, but with more software effort.
The second component is a unit that would verify the checksums of SD cards. This could be built quickly on a Pi, and with more work, on an Arduino. A variety of hashes and output formats (e.g. hex and base-32) could be supported, though a common standard would be desirable (SHA2 maybe). A BeagleBone might also be suitable, though it is not stateless. The Pi has a built-in display generator for HDMI and analog video. The latter could be used with an old TV or an analog display designed for automotive use to display the checksum. Alternatively a 7-segment display could blink out the checksum one hex digit at a time. (I’ve used Morse code on a built-in LED for debugging, but it’s not a general solution.)
The two devices, ideally on distinct platforms, would work together as follows. A suitable distro would be built and loaded onto an SD card using an ordinary PC. That SD card would then be verified using the checksum board. After it is verified, it could be used to load software onto a stateless device such as another Raspberry Pi, through the write-protect board. With a trusted OS installed, other SD cards or flash drives can then be used with disk encryption, which, if done properly, deals with the secure-delete problem.
Once the necessary software is built and configured, setting up and using these devices would be relatively simple.
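As an added example (not code from the post or from any of the projects it mentions), here is the decision logic such a wedge board would apply to each SPI command frame, written in C as for an Arduino-class microcontroller: the frame layout, CRC7 polynomial and command numbers are from the SD SPI protocol, while the function names, the action enum and the choice to answer a blocked command with an R1 "illegal command" response are my own assumptions. It goes beyond the post's CMD24/CMD25 by also blocking the erase sequence (CMD32, CMD33, CMD38), without which a host could still wipe the card.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SD_FRAME_LEN 6
#define R1_ILLEGAL_COMMAND 0x04 /* bit 2 of the card's R1 response */
enum wedge_action { WEDGE_FORWARD, WEDGE_BLOCK, WEDGE_DROP };

/* CRC7 (x^7 + x^3 + 1) over the first 5 frame bytes. CMD0 with arg 0 gives 0x4A,
 * which the host sends as the frame's last byte (0x4A << 1) | 1 = 0x95. */
uint8_t sd_crc7(const uint8_t *data, size_t len) {
    uint8_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t d = data[i];
        for (int bit = 0; bit < 8; bit++) {
            crc <<= 1;
            if ((d & 0x80) ^ (crc & 0x80)) crc ^= 0x09;
            d <<= 1;
        }
    }
    return crc & 0x7F;
}

/* Parse a 6-byte SPI command frame: 01cccccc, 4 argument bytes, (CRC7 << 1) | 1.
 * Returns the command index 0..63, or -1 if the framing bits are wrong. The CRC is
 * reported, not enforced: SPI hosts send a dummy CRC unless CMD59 enabled checking,
 * so a wedge that dropped frames on a bad CRC would break ordinary hosts. */
int sd_parse_command(const uint8_t frame[SD_FRAME_LEN], uint32_t *arg, bool *crc_ok) {
    if ((frame[0] & 0xC0) != 0x40 || (frame[5] & 0x01) == 0) return -1;
    if (arg) *arg = ((uint32_t)frame[1] << 24) | ((uint32_t)frame[2] << 16) |
                    ((uint32_t)frame[3] << 8) | frame[4];
    if (crc_ok) *crc_ok = (frame[5] >> 1) == sd_crc7(frame, 5);
    return frame[0] & 0x3F;
}

/* Commands that change card contents in SPI mode. The post names CMD24/CMD25; the
 * erase sequence has to be covered too, or a host could still wipe the card. */
bool sd_is_mutating_command(int cmd) {
    return cmd == 24 || cmd == 25 ||            /* WRITE_BLOCK, WRITE_MULTIPLE_BLOCK */
           cmd == 32 || cmd == 33 || cmd == 38; /* ERASE_WR_BLK_START/END_ADDR, ERASE */
}

/* Decision for one frame. On WEDGE_BLOCK the wedge answers the host itself with *r1
 * (illegal command) and never clocks the frame out to the card. */
enum wedge_action wedge_filter(const uint8_t frame[SD_FRAME_LEN], bool protect, uint8_t *r1) {
    int cmd = sd_parse_command(frame, NULL, NULL);
    if (cmd < 0) return WEDGE_DROP;
    if (protect && sd_is_mutating_command(cmd)) { *r1 = R1_ILLEGAL_COMMAND; return WEDGE_BLOCK; }
    return WEDGE_FORWARD;
}
```

The same classifier can drive the post's switch or jumper (the `protect` flag) and its warning light, which fires on every WEDGE_BLOCK.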