[EROS-Arch] Error logging

Bill Frantz frantz@pwpconsult.com
Tue, 25 Sep 2001 13:41:12 -0700


At 6:00 PM -0700 9/24/01, Jonathan S. Shapiro wrote:
>This seems incorrect to me. My trust in the space bank is predicated on an
>assumption that no offline disk forensics will transpire. This is not the
>same as sweet-talking the administrator. One can imagine cryptographic
>shared-key mechanisms for logging in which the administrator couldn't
>retrieve the log in plain text form at all without the developer's consent.

I think that this issue is the key to my queasiness with the guarantees we
are discussing here.  I think that read-only examination of disk images is
quite safe, and well within the capabilities (standard English meaning) of
the hacker community.  Let's try to guard against this attack.

The first thought is that public key encryption could encrypt the log
entries while the developer holds the secret key.  However, a pure public
key system will probably be too expensive for logging at any reasonable
rate.  (It would cost something on the order of a modular exponentiation for
each 1024 bits of data in the log.)

The next approach involves encrypting the log entries with a symmetric
cypher and using a public key system to encrypt the symmetric cypher key.
If the symmetric key is selected by a good random process (a hard problem
in itself, but the random source in the Pentium chip set offers a
reasonable approach on that hardware), and the key is never written to the
disk, then we are requiring our hacker to run an ICE or VMWare level
debugger to grab the key from main memory.  We at least have cut down the
population of people who can mount the attack.

(It occurs to me that it might be possible to pre-define the random numbers
that VMWare passes to systems running under it.  That might make the attack
much easier.  There may be a similar approach at the hardware level.)

I think I remain queasy.


-------------------------------------------------------------------------
Bill Frantz           | The principal effect of| Periwinkle -- Consulting
(408)356-8506         | DMCA/SDMI is to prevent| 16345 Englewood Ave.
frantz@pwpconsult.com | fair use.              | Los Gatos, CA 95032, USA
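The hybrid scheme Bill sketches (symmetric cipher on the entries, public key only on the symmetric key, raw key never written out) as an added example; this is not code from the thread or from EROS, and the names seal_log, open_log and nonce_for are mine. It assumes Ruby's bundled OpenSSL binding; the nonce is derived from the entry index so a read-only copy of the log cannot be quietly reordered, though truncation at the end is still not detected.

```ruby
require 'openssl'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
TAG_LEN = 16

# Nonce derived from the entry index: unique per entry under one key, and an
# entry moved to another slot fails authentication on read.
def nonce_for(i)
  ("\0" * 4) + [i].pack('Q>')
end

# Seal a batch of entries. The AES-256-GCM key comes from the OS CSPRNG and
# lives only in memory; what reaches the disk is the RSA-OAEP-wrapped key plus
# one ciphertext||tag per entry. Only one public-key operation runs per log,
# not one per entry, which is the cost argument made in the thread.
def seal_log(dev_pub, entries)
  key = OpenSSL::Cipher.new('aes-256-gcm').random_key
  wrapped = dev_pub.public_encrypt(key, OAEP)
  sealed = entries.each_with_index.map do |entry, i|
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = key
    c.iv = nonce_for(i)
    c.update(entry) + c.final + c.auth_tag
  end
  { wrapped_key: wrapped, entries: sealed }
end

# Developer side: only the matching private key unwraps the log key, then the
# entries are decrypted in order. A tampered or reordered entry raises
# OpenSSL::Cipher::CipherError instead of yielding plaintext.
def open_log(dev_priv, sealed)
  key = dev_priv.private_decrypt(sealed[:wrapped_key], OAEP)
  sealed[:entries].each_with_index.map do |blob, i|
    d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    d.key = key
    d.iv = nonce_for(i)
    d.auth_tag = blob[-TAG_LEN..]
    d.update(blob[0...-TAG_LEN]) + d.final
  end
end
```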