Security Hardened Execution Environments

Computing environments have traditionally been designated as being either client or server environments, depending on the anticipated presence of users, and from this distinction deployment and operational practices have evolved to address the security risk profiles associated with each of those environments.

Server environments have migrated to data rooms, then data centres, and more recently the cloud. Each migration has increased the physical separation between the general public and the physical computing devices employed to run computing workloads, and has increased the level of automation employed in the interests of cost reduction, but with the added benefit of increasing security.

Client environments, by contrast, are hampered by the intrinsic requirement for user access, the proximity of the user to the computing device, and potential proximity to the general public. Standardisation and automation have focussed on reducing the complexity of the user environment and automating cyber defences against potential attacks. The increasing adoption of home and mobile working practices has effectively eliminated many of the operational security practices that were typically adopted within more secure office environments, and has opened up a wide range of generic cyber attack opportunities within those environments.

Open source projects such as QubesOS have adapted virtualisation technologies originally designed for server environments to these client environments, and have addressed many of the operational security issues involved in adopting such technologies in the client environment.

Our research adopted QubesOS as the baseline security environment, and then added encrypted Blockchain technology to the mix. We established granular security using encrypted Blockchains as an essential component of security hardening any realistic client environment, and established the process isolation provided by the Xen virtualisation hypervisor used within QubesOS as a highly effective complement to this technology.

We would like to highlight the contributions of the QubesOS project and team to public discussions about operational security practices, with particular reference to the importance of establishing effective isolation between work streams, the classification of such work streams based on the inherent security risk involved in their processing, and the balance between risk and usability involved in decisions about the transfer of data between work streams.

We would also like to highlight recent developments within the Xen project with respect to porting the hypervisor to run on ARM processors, and the substantial emphasis on enhanced security within that migration project. We would also like to acknowledge the work within the Raspberry Pi community on establishing official support for Xen on the Raspberry Pi 4. We believe this offers a very cost effective solution for users who want some of the security benefits of QubesOS combined with encrypted Blockchain technology.

Our research identified specialisation as one of the primary facilitators of enhanced security within both client and server devices, and acknowledged the importance of process isolation in protecting work streams from vulnerabilities in other work streams. This naturally leads to the automated and frequently repeated creation of virtual machines from validated source images, as a standard practice to mitigate the potential impact of vulnerabilities within individual virtual machines.

We also identified the integration of hardware security tokens into the encryption management process as one of the most cost effective security enhancements available, particularly where such tokens are used without user involvement to validate the identity of the hardware environment, and are separately used with user involvement to validate user presence and identity.
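The two preceding paragraphs describe creating virtual machines only from validated source images, and releasing key material through a hardware token without user involvement. The following added example (not code from the original page, nor from the QubesOS or Xen projects) shows the validation gate that sits in front of VM creation: a manifest of image digests is authenticated with an HMAC key, the image's SHA-256 is compared against the manifest, and instantiation is refused on any mismatch. The names `validate_image` and `create_vm`, the manifest layout, and the `MANIFEST_KEY` constant (standing in for a key that a hardware token would release in a real deployment) are all assumptions made for this illustration; the image bytes are constructed sample data.

```python
import hashlib
import hmac
import json

# Assumption: in a real deployment this key would be released by the hardware
# token described in the text; here it is a constructed constant for illustration.
MANIFEST_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample data standing in for a validated VM source image.
GOOD_IMAGE = b"validated-source-image-bytes-v1"
TAMPERED_IMAGE = b"validated-source-image-bytes-v1-with-an-extra-byte"


def image_digest(data: bytes) -> str:
    """SHA-256 of the raw image bytes, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical (sorted-key) JSON encoding of the manifest."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, tag: str, key: bytes) -> bool:
    """Constant-time check that the manifest tag was produced with `key`."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def validate_image(name: str, data: bytes, manifest: dict, tag: str, key: bytes) -> bool:
    """True only if the manifest is authentic AND the image digest matches its entry."""
    if not verify_manifest(manifest, tag, key):
        return False
    expected = manifest.get("images", {}).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(image_digest(data), expected)


def create_vm(name: str, data: bytes, manifest: dict, tag: str, key: bytes) -> str:
    """Gate in front of VM creation: refuse unless the source image validates.

    Returns a constructed VM identifier; a real implementation would hand the
    validated image to the hypervisor tooling at this point (assumption).
    """
    if not validate_image(name, data, manifest, tag, key):
        raise ValueError(f"refusing to create VM '{name}': source image failed validation")
    return f"vm-{name}-{image_digest(data)[:12]}"


# A constructed manifest covering one image, signed with the demo key.
MANIFEST = {"images": {"work": image_digest(GOOD_IMAGE)}}
MANIFEST_TAG = sign_manifest(MANIFEST, MANIFEST_KEY)


if __name__ == "__main__":
    print(create_vm("work", GOOD_IMAGE, MANIFEST, MANIFEST_TAG, MANIFEST_KEY))
    try:
        create_vm("work", TAMPERED_IMAGE, MANIFEST, MANIFEST_TAG, MANIFEST_KEY)
    except ValueError as exc:
        print(exc)
```

The manifest is authenticated before any digest is consulted, so an attacker who can alter both the image and the manifest file still needs the key that the token holds; and both comparisons use `hmac.compare_digest` so that mismatches are not distinguishable by timing.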

Physical security of validated environments during manufacture and distribution is one of the most challenging security issues, and it must be addressed in order for users to have any confidence in the security of the environment. This is a classical supply chain vulnerability problem, where the opportunities for attackers to introduce vulnerabilities are almost limitless, and any single failure within the operational security process may completely invalidate all subsequent security measures. Ultimately, this challenge depends upon users deciding whom they choose to trust, and reviewing the compliance evidence provided throughout the supply chain.

Particular attention needs to be applied to the selection of hardware device and component manufacturers, given the documented existence of surveillance mechanisms within products from major brands, such as Intel and AMD. Some projects, products and organisations have started active development programmes to eliminate such potential security threats, which should be considered where possible, but it is probably more realistic to assume that any device or component is intrinsically compromised, and to introduce systemic counter-measures within the overall system design and manufacture process.

It may also be desirable to include entropy sources within or attached to the environment, and under some circumstances it may be desirable to introduce an external trusted platform module (TPM) to protect encryption key materials, and/or noise generators to mitigate surveillance.

Physical security of validated environments during installation and operation is equally critical, but may be more amenable to effective mitigations, particularly where the installation is within a fixed location. The basic principle is that anything the user can touch is intrinsically insecure, and anything that can be serviced in location is almost impossible to validate as being secure during subsequent usage. The easiest and cheapest solution is to hermetically seal the environment and physically attach it to the firmament, using mechanisms that will automatically destroy encryption key materials in the event of tampering.

Mobile environments are much more challenging to protect, because of the physical presence of third parties, but some threats are inherently mitigated by the presence of the user and the likelihood of the device remaining within their physical presence at all times. Hermetically sealed units with anti-tamper protection offer significant protection in most circumstances. However, counter-surveillance measures should always be considered, due to the low cost and abundance of surveillance technologies available in the market. Privacy covers should always be considered to protect screens and keyboards, and should ideally restrict viewing to a very small or negative angle, such that the user can see the screen and keyboard but their body is guaranteed to block any surveillance from behind or to the side of them. Note that tamper-resistance also needs to be extended to protect the privacy covers.