1 00:00:00,230 --> 00:00:02,070 Secure Processing. 2 00:00:02,070 --> 00:00:04,910 In this lesson, we're going to talk about secure processing 3 00:00:04,910 --> 00:00:07,720 and a couple of key concepts associated with it. 4 00:00:07,720 --> 00:00:09,640 Now, when we talk about secure processing, 5 00:00:09,640 --> 00:00:12,330 this is a mechanism for ensuring the confidentiality, 6 00:00:12,330 --> 00:00:15,670 integrity, and availability of software code and data 7 00:00:15,670 --> 00:00:17,790 as it's executed in volatile memory. 8 00:00:17,790 --> 00:00:19,830 Because after all, we're going to take data 9 00:00:19,830 --> 00:00:21,800 off of our hard drive or off of our network 10 00:00:21,800 --> 00:00:23,390 and we're going to put it into RAM 11 00:00:23,390 --> 00:00:25,430 and then from RAM into our processor. 12 00:00:25,430 --> 00:00:28,020 And all of that time going from RAM to the processor 13 00:00:28,020 --> 00:00:29,120 or while it's stored in RAM, 14 00:00:29,120 --> 00:00:31,530 it has the potential for it to be modified 15 00:00:31,530 --> 00:00:34,180 or for it to be stolen or for it to be not available. 16 00:00:34,180 --> 00:00:35,940 And so by doing secure processing, 17 00:00:35,940 --> 00:00:38,540 we want to harden that area of this process. 18 00:00:38,540 --> 00:00:41,070 Now, there are lots of ways to do secure processing, 19 00:00:41,070 --> 00:00:43,580 but we're going to focus on five of them in this lesson. 20 00:00:43,580 --> 00:00:46,090 We're going to talk about processor security extensions, 21 00:00:46,090 --> 00:00:49,070 trusted execution, secure enclaves, 22 00:00:49,070 --> 00:00:51,860 atomic execution, and bus encryption. 23 00:00:51,860 --> 00:00:54,810 The first one is processor security extensions. 24 00:00:54,810 --> 00:00:57,540 Now, these are low-level CPU changes and instructions 25 00:00:57,540 --> 00:00:59,350 that enable secure processing. 
26 00:00:59,350 --> 00:01:01,860 And these are built into your microprocessor. 27 00:01:01,860 --> 00:01:03,120 Now, they're called different things 28 00:01:03,120 --> 00:01:06,170 depending on if you're using an AMD or an Intel processor. 29 00:01:06,170 --> 00:01:07,980 If you're using an AMD processor, 30 00:01:07,980 --> 00:01:10,825 this is known as Secure Memory Encryption (SME) 31 00:01:10,825 --> 00:01:12,875 or Secure Encrypted Virtualization (SEV). 32 00:01:13,723 --> 00:01:16,540 On the other hand, if you're using Intel processors, 33 00:01:16,540 --> 00:01:20,350 you're going to be using Trusted Execution Technology or TXT 34 00:01:20,350 --> 00:01:23,440 or Software Guard Extensions (SGX). 35 00:01:23,440 --> 00:01:24,700 All four of these things 36 00:01:24,700 --> 00:01:27,220 are a form of processor security extensions 37 00:01:27,220 --> 00:01:28,180 and for the exam, 38 00:01:28,180 --> 00:01:30,350 that's pretty much as deep as you need to go. 39 00:01:30,350 --> 00:01:33,240 The next thing we want to talk about is trusted execution. 40 00:01:33,240 --> 00:01:36,280 The CPU's security extensions invoke TPM 41 00:01:36,280 --> 00:01:38,180 and a secure boot attestation 42 00:01:38,180 --> 00:01:40,750 to ensure a trusted operating system is running. 43 00:01:40,750 --> 00:01:42,880 So, any time we want to boot up the system, 44 00:01:42,880 --> 00:01:45,800 we want to make sure that we are using that trusted firmware 45 00:01:45,800 --> 00:01:49,200 using UEFI and using TPM and secure boot 46 00:01:49,200 --> 00:01:51,270 to tell us that this operating system that's being booted 47 00:01:51,270 --> 00:01:52,720 is something we trust. 48 00:01:52,720 --> 00:01:55,430 This is very common inside the world of using Microsoft 49 00:01:55,430 --> 00:01:57,950 on an Intel or AMD processor set. 50 00:01:57,950 --> 00:01:59,770 Next, we have a secure enclave. 
51 00:01:59,770 --> 00:02:02,200 Now, a secure enclave is an extension that allows 52 00:02:02,200 --> 00:02:04,810 a trusted process to create an encrypted container 53 00:02:04,810 --> 00:02:06,200 for sensitive data. 54 00:02:06,200 --> 00:02:07,450 This will help us prevent things 55 00:02:07,450 --> 00:02:09,140 like buffer overflow attacks, 56 00:02:09,140 --> 00:02:11,090 and typical application usage here, 57 00:02:11,090 --> 00:02:12,640 we'll be able to store encryption keys 58 00:02:12,640 --> 00:02:16,210 and other sensitive data inside of the secure enclave. 59 00:02:16,210 --> 00:02:17,950 Once we have that trusted operating system, 60 00:02:17,950 --> 00:02:19,760 we can then create the secure enclave 61 00:02:19,760 --> 00:02:22,200 for us to be able to store that data within. 62 00:02:22,200 --> 00:02:25,120 The next one we want to talk about is atomic execution. 63 00:02:25,120 --> 00:02:26,510 Now, there are certain operations 64 00:02:26,510 --> 00:02:29,140 that should only be performed once or not at all. 65 00:02:29,140 --> 00:02:31,620 For example, initializing a memory location. 66 00:02:31,620 --> 00:02:33,450 This should only happen one time, right? 67 00:02:33,450 --> 00:02:36,280 And so, once you've initialized it, that should be it. 68 00:02:36,280 --> 00:02:37,970 Well, the idea of atomic execution 69 00:02:37,970 --> 00:02:39,830 is there are these extensions in place 70 00:02:39,830 --> 00:02:42,130 to make sure somebody can't reuse or hijack 71 00:02:42,130 --> 00:02:43,940 an atomic execution operation 72 00:02:43,940 --> 00:02:46,160 like doing a memory initialization. 73 00:02:46,160 --> 00:02:48,000 This can help you prevent buffer overflows 74 00:02:48,000 --> 00:02:49,190 and race conditions 75 00:02:49,190 --> 00:02:50,790 by being able to control these processes 76 00:02:50,790 --> 00:02:52,210 and again, this is something that's built into 77 00:02:52,210 --> 00:02:54,040 those processors these days.
78 00:02:54,040 --> 00:02:56,220 And finally, we have bus encryption. 79 00:02:56,220 --> 00:02:58,530 Now, bus encryption is data that is encrypted 80 00:02:58,530 --> 00:02:59,750 by an application 81 00:02:59,750 --> 00:03:02,060 prior to being placed on the data bus. 82 00:03:02,060 --> 00:03:04,680 This will ensure that the data being sent over the network 83 00:03:04,680 --> 00:03:07,100 or over a bus is going to be protected 84 00:03:07,100 --> 00:03:08,970 because it's going to end up an encryption. 85 00:03:08,970 --> 00:03:10,610 Now, for this to work, we have to ensure 86 00:03:10,610 --> 00:03:12,130 the device at the other end of the bus 87 00:03:12,130 --> 00:03:14,600 is trusted to decrypt that data. 88 00:03:14,600 --> 00:03:16,500 Now, what does this look like in the real world? 89 00:03:16,500 --> 00:03:17,880 Well, I've had this happen to me myself 90 00:03:17,880 --> 00:03:20,950 as I've plugged in something like my Roku device to my TV. 91 00:03:20,950 --> 00:03:22,280 If I have my Roku device 92 00:03:22,280 --> 00:03:25,190 and I have a cheap HDMI cable connecting it to my TV, 93 00:03:25,190 --> 00:03:27,380 sometimes they can't do the three-way handshake 94 00:03:27,380 --> 00:03:29,500 that's required for HDCP. 95 00:03:29,500 --> 00:03:32,040 Now, HDCP was a copyright protection thing, 96 00:03:32,040 --> 00:03:35,010 so it encrypts the data going from your device to your TV. 97 00:03:35,010 --> 00:03:36,870 And so, when that handshake happens, 98 00:03:36,870 --> 00:03:38,100 if it doesn't happen properly, 99 00:03:38,100 --> 00:03:39,570 you'll get something that looks like this, 100 00:03:39,570 --> 00:03:41,460 HDCP Unauthorized. 101 00:03:41,460 --> 00:03:43,870 And this is because the bus encryption failed.
102 00:03:43,870 --> 00:03:46,470 The TV or the Roku didn't trust each other 103 00:03:46,470 --> 00:03:48,200 and so you have to unplug the cable, 104 00:03:48,200 --> 00:03:49,750 plug it back in and try again 105 00:03:49,750 --> 00:03:51,640 and then eventually, they'll make the three-way handshake 106 00:03:51,640 --> 00:03:53,660 and now you can watch your TV. 107 00:03:53,660 --> 00:03:54,493 That's the idea here. 108 00:03:54,493 --> 00:03:56,780 This is a form of bus encryption that most of us use 109 00:03:56,780 --> 00:03:59,630 and we may not even realize we're using on a daily basis.