Wednesday, January 25, 2017

How to setup TCG OPAL 2.0

What is it?

The Trusted Computer Group has a new standard called OPAL 2.0 which dictates how to create self-encrypted drives (SED). This allows you to encrypt your data at rest.

Is it easy to use?

I recently bought a new Samsung SSD which advertised self-encryption (SED) and OPAL 2.0 support. I was excited to try out the latest and greatest encryption tools the industry had to offer, surely they've come up with something user-friendly by now?... Sadly this turned out to be an incredibly complex procedure with very little documentation which drove me to write this post. The Samsung drive wouldn't recognize properly until I plugged it into a SATA III port. The included software "Samsung Magician" could now see the drive and erase it (which regenerates the stored encryption key) but couldn't actually do much else. Clicking on the buttons to enable SED or OPAL 2.0 simply brought up help text saying "additional software is required" but failed to give any pointers beyond that...

Can I trust it?

Trust is a difficult thing when it comes to technology. My SSD was certified as OPAL 2.0 compliant by the TCG but the spec leaves a few things vaguely defined to allow manufacturers more flexibility including where to store the encryption key. The hardware and software are closed source and rather difficult to reverse engineer. While I have the tools available to desolder the chips, dump the ROM, and start reading ARM assembly I would really prefer not to ruin a brand new drive. One of the advantages of self-encrypting drives is that the performance overhead is very very low compared to unencrypted drives due to dedicated hardware on the drive itself. Software-based disk encryption relies on the CPU to encrypt and decrypt each block during read and write operations, which slows down programs waiting for that data or competing for time on the CPU. The upside is most software-based disk encryption systems are open source and much easier to independently verify.

Why not both?

If you're already using software-based disk encryption, turning on OPAL 2.0 SED on your drive adds an extra layer of defense without any noticeable performance hit. OPAL 2.0 keys are stored somewhere on the drive and aren't accessible in RAM. An attacker would need both sets of keys to access your data once the system is powered off, which is more difficult than using only one method.

What could go wrong?

There are a few known attacks already available for this brand new technology! The Evil Maid attack still works since there are numerous ways of recording passwords on a tampered system, encryption does not prevent hardware tampering or software alterations. The Hot Plug attack also works since the drive only locks when power is removed. SED drives support a mode called "Class 0" which uses BIOS to prompt for an ATA password, while this is better than nothing the password is easily recovered via JTAG.

A friendly reminder, encryption is a great tool, but it is only a single layer of defense against a fairly limited set of attacks such as physical theft. Following the steps below are very likely to lock you out of your computer and make your data disappear for ever... you have been warned.

How do I set this up?

  1. Backup any data you care about ever seeing again.
  2. Verify you actually backed up all of your data.
  3. Secure Erase the drive. This usually requires software tools from the manufacturer and ensures that the default encryption key installed by the manufacturer is changed.
  4. Install your OS of choice to the drive like you normally would.
  5. Enable software-based full disk encryption:
     - Windows users can use TrueCrypt, VeraCrypt, BitLocker, etc...
     - Linux users should use whatever is best supported by their distro
  6. Follow the instructions from Drive Trust Alliance to enable OPAL and encrypt your drive including the "optional" testing steps.
    1. Shutdown your system and make sure it's powered off entirely then power it back on (don't reboot). Verify you're prompted for both sets of passwords and that everything boots correctly. If something went wrong, use the Rescue System to Remove OPAL.


    Leave a comment!

    Monday, July 13, 2015

    Recruiter Spam

    I get a lot of spam from recruiters which is both a blessing and a curse. I picked an active field which is both exciting and frightening at the same time. I like my current job so I tend to delete all of it without a second thought, but one caught my eye today...

    The recruiter read my LinkedIn profile closely enough and wrote a carefully worded message well enough that I actually bothered to read past the subject line. This is where things went down-hill fast... Here are a few choice excerpts:

    "My client is a very early stage start-up that has taken an angel round of funding from private investors last month."

    They have funding? Great! It must be a decent enough idea to convince people to throw money at them....

    "They have 3 co-founders on the business side of things and are looking for a technologist to build their vision. This person will be building out the platform from scratch."

    Three business people, zero engineers, zero lines of code, starting a technology company. This is terrible, they must have a stellar product in the...

    "They are building a Linked-In type platform"

    Someone gave these people money, they have nothing built and the idea isn't even unique? ... I wish them all the best, but this looks like a classic example of how not to start a company, especially not a technology company. Having an idea is a wonderful thing, but believing that an idea is enough, and all you need is a geek to build it, for you to profit from, is so incredibly out-of-touch that I felt the need to share this.

    Success is not dreamed, it is built.

    Anyone trying to convince you otherwise likely has an ulterior motive. They have everything to gain, and very little to lose. I've taken odd jobs like this in the past, I was fresh out of high-school and they sounded great. Each time things start smoothly, ideas are shared, prototypes built, some progress is made. In any business, especially technology companies, tough decisions need to happen and if the business side does not understand the technology side (and vice-versa!) these initial decisions can crush a company entirely. Hearing the phrase "it is my idea" is a stark reminder that you are not working with this person you are working for them.

    In any investment there are risks and rewards. It is important to think through all aspects before pursuing a new venture.

    • Who will you be working with?
    • Will you have enough common ground to be able to discuss difficult issues effectively?
    • Enough unique skills to be a solid contributor?
    • Ownership in areas that have a direct impact on your daily life?
    • Do the rewards outweigh the risks heavily enough to warrant change?
    I think I'll be keeping my day job

    Monday, April 01, 2013

    Sega Genesis - Super Battleship - Jolly Roger

    Released in February of 1993, this game seemed innocent enough. I received it as a Christmas gift later that year. No matter how many times I tried, I could not beat the 'Jolly Roger' level... I've picked up the game and put it back down numerous times over the last two decades, but never beaten it until today.

    Today, I tell you, of the brave soldiers who fought to disrupt the merchant supply lines near Ilocana island. (NOTE: This isn't historically accurate... not even a little)

    Jolly Roger

    Day 1: It was a cold day in the Pacific Theater aboard the Battleship Africa when we received our orders. Pacific Command had lost their bloody minds. Our orders were to take on a full armada, an entire naval fleet of ships, with a half-stocked battleship, and destroy the merchant fleet supplying the enemy. Moral was low, but our orders clear. Captain Moses ordered all ahead full, and we proceeded East at 24 knots.

    Day 2: The enemy fleet comes into range on radar. It's worse than we imagined and they've already spotted us. Two carriers, four destroyers, a handful of cruisers, and sonar picked up what sounds like a submarine headed our way. The enemy is positioned perfectly in deep water between the two islands, there's no time to go around and they're directly between us and the merchant fleet. Still we proceed on our course.

    Day 3: The enemy took a pot shot at us, close enough to the ship to spray water on the deck. Had we been closer to land our crew would already have jumped ship, this mission was doomed to fail before it had even started. In order to avoid certain demise, we veer South East and continue at 24 knots.

    Day 4: The enemy has closed enough ground to start firing upon us. We manage to outrun them twice, but suffered some damage. Our sonar is out, but we already know the enemy submarine is coming for us, it's only a matter of time. Despair sets in, but we manage to take stock of our armaments. We had 30 shells, 2 missiles  and a dozen depth charges. Barely enough to sink 1/4 of the enemy fleet...

    Day 5: We're approaching the shore line of Ilocana Island, the enemy has already trained it's sights on us and the shore batteries are eagerly waiting for us to come into range. It's only a matter of time now, we're trapped between the enemy navy and the islands Eastern harbor.

    Day 6: The enemy submarine finally makes its move, we were hit with a torpedo without any warning. We're now without steering and sonar. Even our bow guns, useless as they may be against our underwater foe, were disabled. Unable to return fire, we set course in the only direction our broken rudder would allow. FORWARD!

    Day 7: As if invited, we steamed into Ilocana Harbor at full speed, with guns raised and missiles primed. Before the enemy could even fire a shot, we launched one of our two STS missiles across the harbor and annihilated the enemies barracks and communications tower. The island erupted into panic as we continued to bear down on the shore.

    Day 8: With the enemies land communications disabled, and our ship blocking the mouth of the harbor, the islanders had no idea what was in store for them. We issued demands for additional missiles and supplies or face additional bombardment. Little did they know we were down to our last one.

    Days 9-18: The ruse worked! The enemy islanders began supplying us with missiles in return for sparing their lives. We happily fired them off away from the island sinking enemy ship after enemy ship. Without communications the islanders had no idea reinforcements were so close, we had done it! Or so we thought...

    Day 19: The enemy submarine, immune to our onslaught of missiles and shells, had entered the harbor under our very noses. A volley of torpedoes made that quite clear. We had no time to celebrate, only enough time to steam forward in the only way we could. We ran aground.

    Day 20: The enemies merchant fleet grew nearer and nearer to their destination while we had idled in the harbor. The submarine had caught us so very off-guard that we didn't even think to deploy our depth-charges. Now useless, they sat below deck, waiting for a lucky torpedo to send us all to our watery graves.

    Day 21: Knowing our death was all but certain, we fired our remaining missiles far and wide, the merchant fleet was far enough away, far enough to be faint shadows on a dimly lit radar display, far.. but not far enough. We sank ten of the twelve merchant ships! We had broken the enemies supply line and decimated their fleet. A cheer broke out on deck as the radar tech called out each blip as it disappeared. By the tenth cheer the crew had lost all sense of order. We had been stranded on a foreign shore, our ship all but sunk if not for the rocks we had run upon, our weapons exhausted, and the enemy submarine closing in for it's final kill; but we had already won.

    SPOILERS: How to beat the Jolly Roger level: Head southeast at the start of the mission. Hit start to retreat from any battles you encounter. Continue moving diagonally as fast as your can until you reach the shore, there is a small harbor you can enter. Fire a shell or a missile at the troop barracks on land to take over the port. You will now be restocked at the end of each turn. Use every turn you can to fire a single missile at the merchant ships. Aim for the furthest one you can reach. If attacked, return fire with a single missile and sink them. The submarine will hit you every turn but there isn't much you can do but persevere if it keeps its distance. You should be able to sink 10 merchants within 20 turns. Good luck!

    Saturday, September 29, 2012

    Reverse Engineering


    Reverse engineering a system (for whatever reason) can be fun and challenging. I recently found myself in need of changing the contents of an 8KB file with no format information whatsoever. I had been playing Final Fantasy 6 on my phone during my morning commute and had accidentally killed off a favorite character of mine in a permanent way. I knew I only needed to flip one or two bits to correct this, but which ones?

    Part 1 - Tools:

    Tools can make or break an attempt at reverse engineering, some can be as simple as a hex table taped to the side of your monitor, or as complex as a full-fledged debugger. I had the advantage of both :)

    • Something to take notes with
    • Programming calculator (even calc.exe will suffice)
    • Backups of whatever it is you're working on
    • Debugger (if available)
    • Some way of testing your changes
    • Some way of generating new changes
    • A diff tool (diff, windiff, etc)

    Part 2 - Poking around:

    Getting started can be daunting. 8 KB is a tiny file, but massive when you're trying to figure which single bit is the important one. Start by making a map to narrow your search space.
    I opened up the save file and found two-thirds of it mostly empty, given that I was only using the first 'save slot' in the game, it was safe to assume saves were made sequentially in the file. I created a second save in slot 2 and verified this.

    So now I have a rough idea of where I'm looking. To test the boundaries of each 'save slot' I flipped a single bit and tested the changes... when I went to test, the game claimed I had zero saves! Good thing for backups. Turns out the game also checksums its data to prevent corruption (and likely also tampering as I was attempting).

    Knowing that flipping bits randomly definitely wasn't going to work, it was time for differential analysis:
    1. Backup the file
    2. Make a single change in game
    3. Save
    4. Diff the two files
    To my surprise, loading and saving the file without changing anything caused several bytes to change! Upon further inspection, the game has a timer which clocks how many seconds the user has been playing for. This corresponded to 3 bytes somewhere in the middle of the save file. It took a few minutes to realize the game stores its values with the least significant bytes first. So 45 23 01 in memory is 012345 in hex. In addition to the timer bits changing, the last 4 bytes of the save slot also changed an equivalent amount... the checksum!

    Part 3 - Mapping data:

    Once I had a basic understanding of how the file was organized, I began creating a map of the file and assigning names to blocks of memory. Having a debugger to rapidly make changes and test the results was especially helpful.

    Guess and check: One technique to speed up mapping is to pick a value in the game, such as amount of money  then searching the whole file for that exact value. Then change it slightly to see if it's correct.

    Differential reverse engineering: Another is to change a value several times within the game, saving after each change and backing up the file, then diffing the files to see which location changed each time and by how much.

    Pattern matching: Certain data tends follow a logical pattern, such as text, and can easily be searched for. The unix 'strings' command is great for this. Since this game originated in Japan and was later translated to English, the text turned out to be in some other format than ASCII. Text still follows a pattern though, 'A' is usually one less then 'B'. Applying that to one of the games heroes names, I found that the data for each hero in the game is stored at the very front of the file.

    Part 4 - Intuition:

    Programmers tend to think alike (even across the ocean). Data that belongs together, is usually grouped together. Data that only requires 1 bit to store, is usually compressed into a single byte with related data. A well written piece of software will always attempt to be organized and efficient.

    Data that can be stored statically in ROM and referenced with just an index (or pointer) can be tricky to find. In game 'items' are stored in an inventory as pointers in a table, followed by a second table of integer quantities. Moving items around in game made it very easy to see the link between these two tables since each change in game corresponded to 2 changes in the file (separated by exactly 0xFF bytes).

    Final thoughts

    Any system can be reverse engineered regardless of how large, complex, or foreign it may be. If I had the source code to this game, tracking down this bit would have taken minutes rather than hours. Closed source projects require more time to understand than their open source counterparts, but they aren't any more secure.

    Here is an almost complete mapping of the saved game format for Final Fantasy 6:

    Tuesday, April 20, 2010

    I still exist.

    Currently working with a number of fun technologies (Xen, Gentoo, Virtualization, TPM, Vt-X, and Vt-D. Researching ways to measure how resilient the security of a computer system is.

    I've also learned how to dance recently.

    This blog started out as a way to report my progress on Google Summer of Code.
    I worked on adding memcache support to MySQL's query cache.
    Since then I've completed my Masters in Computer Science and am pursuing my Phd.

    Saturday, September 06, 2008

    And with one final click, the project is complete.
    I've uploaded the source of my project to Google Code.
    This whole project has been quite the experience.

    I plan on continuing this blog, don't expect timely updates though.
    I'm doing Grad work full-time at WPI ( as well as some part time work.

    Sunday, August 10, 2008

    IT WORKS!!!

    And not a moment too soon.
    I've finished my day job for the summer and have been pouring over the code the last few days trying to isolate the last two bugs.
    I've also received word that I don't have 8 days left, I have I'm a bit rushed but still hopeful.

    As part of my bug fixing for the hit code (which works beautifully now) I was able to remove all of the unnecessary mutex locking from within the cache. This is a nice speed boost as there is no longer any need to lock and unlock when working with the cache. It just works (tm).

    I have a fairly rough implementation of the invalidate code that looks something like this:

    if(anything changed) {

    It works, and it allows for multiple instances to use the same cache.
    My next task is to make this a bit more refined (per table invalidation) by using 'namespacing' within memcache. The idea works like this:
    For each table, store a "0" in memcache with 'db_name:table_name' as the key.
    Each time a table changes, increment that key.
    When formulating the key for a query result, include each relevant get('db_name:table_name') in the key hash.

    The nice thing about this approach is no matter how much data is in the cache,
    invalidating is always O(n) where n is the number of tables involved.
    The previous query_cache could slow down a MySQL instance in a write-heavy environment due to searching for and invalidating entries in the cache when a table changed.
    With this implementation, everything is non-blocking and when a table changes a quick call to 'memcached_increment()' is all that's needed. Memcached will remove stale entries after they've expired, since once the namespace has changed they will never be read again.

    It looks like I will not have time to refactor this into a plug-in during the summer of code timeline. But I've met and exceeded most all of my other goals so I'm not too worried.
    I'll have a tarball, a diff, and hopefully a checkin with bzr done tomorrow to prepare for my final review.

    Best of luck to all!
    We're almost done!