Hardware and Virtualization Flashcards
(36 cards)
What should be considered when implementing new hardware?
- Who is manufacturing the hardware, and how do we trust that the components building the final product are clean and free from vulnerabilities?
- How do we validate that no additional components have been added that could compromise our security and privacy?
What is a “Shielded Virtual Machine”?
Shielding a VM allows it to only be run on an approved host and prevents unauthorized access within the environment, offline or outside of the protected environment.
How are “shielded VMs” implemented in the Microsoft ecosystem?
Enable Guarded Fabric; Guarded Fabric is the infrastructure component used to enable and protect Shielded VMs.
What is required to implement guarded fabric shielded VMs?
- UEFI 2.3.1 (Ensure boot is configured to use UEFI)
- TPM v2.0
- Input-output memory management unit (IOMMU) and SLAT
- Secure Boot enabled
- Gen 2 VMs with a minimum OS of Server 2012
What security threats come with virtualization?
- Hypervisor threats.
- VM escape, or the ability to interact with the physical host OS or hypervisor directly from a VM.
- Non-segregation of resources, network, and data.
- VM sprawl.
- Non-encrypted storage, physical drives, virtual disk files, and network traffic.
How should virtualized infrastructure be isolated to improve security?
Isolate and segment different virtualized environments; the management plane, the production environment, the demilitarized zone (DMZ), and highly confidential applications and databases should be separated.
What is a way to validate potential hardware/software purchases?
Ensuring your hardware is certified and compatible with current systems.
What is “firmware” and its function?
A firmware interface is typically low-level software that acts as the medium between the OS and hardware to provide a basic UI for configuring device features and providing instructions for the boot procedure.
What are the two common forms of firmware in Windows?
BIOS and UEFI
How does BIOS function?
BIOS is loaded directly onto a PC motherboard. Its purpose is to initialize the physical hardware and eventually boot into Windows.
What are NIST’s recommendations for securing BIOS?
- Use an authenticated BIOS update mechanism with digital signatures to validate the integrity of updates.
- Secure the local update process with system passwords and physical locks, or only allow BIOS updates through a local update process with a physical information technology (IT) presence.
- Use integrity protection features to prevent modifications to BIOS.
- Implement non-bypassability features to ensure only the authenticated update mechanism is used.
How does UEFI differ from BIOS?
- UEFI does not rely on a boot sector to copy an MBR and uses what’s known as a boot manager to determine what to boot.
- The traditional BIOS runs 16-bit code and leverages only the MBR, which presents limitations such as support for drives larger than 2 terabytes (TB). UEFI uses the GUID Partition Table (GPT) and supports 32-bit or 64-bit code.
- UEFI incorporates security technologies such as Secure Boot.
What is the first phase of UEFI?
Security Phase (SEC). This acts as a core root of trust (the equivalent of the boot block in BIOS) to validate the integrity of the code and other firmware components.
How does the Security Phase of UEFI protect a host?
If a boot loader has been replaced by malicious code, it won’t be allowed to execute based on an invalid or revoked digital signature.
What are features of UEFI?
- Password settings that include setting a supervisor password and lock settings, preventing users from making changes without entering the supervisor password. You can also require a password at unattended boot, at restart, and even at the boot device list.
- Fingerprint settings to use biometrics during pre-desktop authentication as an alternative or in conjunction with entering a supervisor password.
- Security chip settings for the TPM.
- UEFI BIOS update settings to add protection regarding BIOS updates, including rollbacks.
- Memory protection for execution prevention against virus and worm attacks that create memory buffer overflows.
- Virtualization settings to enable or disable virtualized hardware support such as Intel VT-x or AMD-V.
- I/O port access to enable or disable the use of devices such as wireless, Bluetooth, USBs, cameras, and microphones.
- Internal device access tamper detection of the physical covers of storage devices.
- Anti-theft to enable a lo-jack for your PC using a third-party provider.
- Secure Boot settings.
- Trusted execution environments (TEEs) such as Intel Software Guard Extensions (SGX) for hardware-based isolation of application code in memory.
- Device Guard, which is a feature set that consists of Configurable Code Integrity (CCI), Virtual Secure Mode (VSM) Protected Code Integrity, and Secure Boot. Device Guard features set the foundation for VBS, which we will discuss in more detail later.
Describe the “secure boot” feature of UEFI
Ensures only trusted software and firmware can execute in the boot chain.
How does secure boot secure the boot chain of an OS/PC?
Each piece of software, driver, firmware, and OS boot loader (Windows Boot Manager) has a digital signature or hash that is validated by referencing the signature keys stored in the Secure Boot databases.
What are the components of secure boot?
Platform Key (PK); Key Exchange Key (KEK) with a public/private key pair; safelist database (db); revoked signature database (dbx)
What is the purpose of the safelist database (db) and revoked signature database (dbx) in UEFI secure boot?
These allow and deny databases are used for validation against the certificates, keys, or image hashes of boot loaders, firmware, and drivers.
What is the role of the platform key in UEFI secure boot?
Created by the OEM; it establishes the trust in the Key Exchange Key (KEK). Essential for verifying the authenticity of the KEK and ensuring that only trusted keys are enrolled in the system.
What is the role of the “Key Exchange Key (KEK)” in UEFI secure boot?
Used to update the signature database (db) and the forbidden signature database (dbx); Allows the operating system and third-party applications to add new public keys to the db and dbx; Ensures that only authorized KEKs can be installed.
Describe “TPM”
TPM provides hardware-based security, typically in the form of a tamper-resistant chip built directly onto a motherboard; TPMs primarily deal with the encryption and decryption of security keys in isolation; Each TPM chip has its own unique RSA private key
Where is TPM enabled on a device?
The TPM security chip is typically enabled in the Security tab of the UEFI setup.
Describe “Windows Defender Credential Guard” and its purpose
Helps protect user authentication and access tokens in the Local Security Authority Subsystem Service (LSASS) from being stolen.