Cyberattacks are gaining in complexity and sophistication. Recent attacks such as Throwhammer, Nethammer, NetSpectre, Faxploit, and Malware Guard Extension attest to the increasingly complex methods devised by hackers to take control over remote networks and to spread malware. Today’s cyber reality surpasses by far the fertile imagination of Hollywood cyber fiction films.
Another hacking invention was recently exposed in Bloomberg Businessweek’s “Big Hack” news story (published in October 2018), which described how a maliciously planted tiny chip on a server board can pose serious security risks to organizations. The information revealed in that story has managed to disturb the waters in the tech and security industries and communities, as it described alleged infiltrations of data centers of some major corporate and governmental organizations.
The stage for infiltration was set, according to the news story, by tampering with hardware of leading server vendors. Allegedly, tiny IC devices (chips) were planted on server boards at one stage in the supply chain. These infected boards were later installed in servers that were deployed in major corporate and governmental data centers. Via the on-board planted chip, hackers can gain remote access to the data center and compromise its assets and steal users’ and companies’ sensitive information.
Mellanox’s products and advanced NIC and smartNIC technologies offer various levels of protection that detect and prevent security breach scenarios, including those enabled by the hardware-based hack described by Bloomberg.
Let’s take a closer look.
Bloomberg claims that tampering chips (identified as a small red box in the illustration below) were planted on server boards between the Baseboard Management Controller (BMC) and its flash. As the BMC has access to both the external network and the internal server resources, malware implanted in the BMC execution space can allow a malevolent adversary to remotely access and compromise the integrity of the server it is connected to.
Mellanox’s family of intelligent adapters embed security features in the hardware that prevent using the adapters as a backdoor to the server data, and block adversaries from attacking the adapters to steal sensitive information.
Mellanox ConnectX and BlueField based adapters (ConnectX-4 Lx, ConnectX-5, ConnectX-6, BlueField) implement a secure firmware update check, which means that the devices verify – using digital signatures – the firmware binaries prior to their installation on the adapters. This ensures that only officially authentic images produced by Mellanox can be installed, regardless of whether the installation happens from the host, the network, or a BMC.
Adversaries attempting to remotely upload malicious firmware images will not be able to do so, since the secure firmware update mechanism will reject them: modified code will not carry a matching digital signature and will therefore fail the verification process.
Secure Boot is a process which allows ConnectX and BlueField adapters (ConnectX-6, BlueField) to verify the authenticity of each element in the boot process, and to halt if an unauthorized element is found. Secure Boot starts from the anchor of the device: un-modifiable ROM code that acts as the root-of-trust uses an on-chip embedded public key to authenticate the initial code that is loaded from an external storage. The authentication relies on strong cryptographic suites and digital signatures.
As no external intervention in the authentication process is allowed, any potentially planted tampering chip cannot compromise the adapter’s boot process: the network adapter will not run unauthorized boot loaders planted on the flash; by simply not booting, the adapter prevents using it for backdoor access to server resources.
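A model of the two checks described above (the signed firmware update check and the halting secure-boot chain), added here as an example and not Mellanox code; the image layout, the Ed25519 key standing in for the on-chip public key, and the stage names are assumptions of this example:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Image models a signed firmware binary or boot stage: the payload plus the
// vendor's signature over SHA-256(payload). This layout is constructed for the example.
type Image struct {
	Name    string
	Payload []byte
	Sig     []byte
}

// Sign is the vendor-side build step, assumed to run offline with the private key.
func Sign(priv ed25519.PrivateKey, name string, payload []byte) Image {
	digest := sha256.Sum256(payload)
	return Image{Name: name, Payload: payload, Sig: ed25519.Sign(priv, digest[:])}
}

// Verify is the on-device check: only the embedded public key decides, so the
// source of the image (host, network, BMC) is irrelevant to the outcome.
func Verify(pub ed25519.PublicKey, img Image) error {
	digest := sha256.Sum256(img.Payload)
	if !ed25519.Verify(pub, digest[:], img.Sig) {
		return fmt.Errorf("%s: signature mismatch, image rejected", img.Name)
	}
	return nil
}

// BootChain models secure boot with the ROM as root of trust: every stage is
// authenticated before it runs, and the first failure halts the device.
// Simplification: one vendor key is used for all stages. Returns the stages that ran.
func BootChain(romKey ed25519.PublicKey, stages []Image) ([]string, error) {
	var booted []string
	for _, st := range stages {
		if err := Verify(romKey, st); err != nil {
			return booted, err // halt here; nothing after this stage executes
		}
		booted = append(booted, st.Name)
	}
	return booted, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the burned-in ROM key
	good := Sign(priv, "fw-v1", []byte("constructed firmware payload"))
	bad := Image{Name: "fw-v1-modified", Payload: []byte("constructed firmware payload!"), Sig: good.Sig}
	fmt.Println("genuine image:", Verify(pub, good))
	fmt.Println("modified image:", Verify(pub, bad))
}
```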
Mellanox SmartNIC – More Ways to Secure Your Data Center
In the above sections, we focused on smart technologies that prevent utilizing Mellanox adapters as a backdoor to the data center. But the big question remains: What if someone does manage to access the server through yet another backdoor – through a fax machine, through BMC, or through another mechanism? In the following, we will describe how Mellanox products can help data center administrators protect their network and its data.
Well first – you can protect your data by encrypting it!
Cryptography has greatly progressed since its debut as early as 1900 BCE in Ancient Egypt, where non-standard hieroglyphs were found carved into the wall of a tomb. Nowadays, complex cryptographic protocols and ciphers have become a standard for cloud-based applications, where they are used to protect the confidentiality and integrity of data passed between locations. Cryptography is also increasingly used to protect lateral traffic within the data center. But encryption and decryption of data is a CPU-intensive activity. Mellanox SmartNIC security solutions (Innova IPsec, BlueField smartNIC, block storage crypto on ConnectX-6) offload the cryptographic operations to the NIC hardware, freeing up the CPU to handle the applications and enabling scalable cryptographic solutions.
An additional challenge posed by security breaches is detecting them in real time.
Some recent cyberattacks have gone undetected for months, allowing for massive collection of data. eBay reported in May 2015 a breach during which hackers used credentials to gain access to inside data for 229 days!
Bloomberg reports the maliciously planted chip’s purpose was to modify the host server’s operating system. The host introspection technology of Mellanox BlueField SmartNICs offers a platform which can help applications detect such cases in real time, and even shut down the connection to the network upon such occurrence – therefore instantly stopping the intrusion. An Intrusion Detection System (IDS) application may leverage this BlueField SmartNIC capability to protect data centers from such scenarios.
Running an IDS over a BlueField SmartNIC gives the best of both worlds: close visibility into what is happening inside the server, combined with proximity to the network. In a data center using the BlueField SmartNIC, hackers trying to access a “Big-Hack” tampered server would be identified and reported to the data center administrator before being able to cause damage.
BlueField’s host introspection capabilities can also be used to implement more security applications such as firewalls, antivirus, secure logging, malware analysis and others.
Best of all, the BlueField SmartNIC can scan the host memory and offload all processing of the resulting data to its Arm cores, without placing any load on the host CPU or impacting application performance.
It is widely known that traditional data center security technologies were mostly perimeter based and focused on securing the entrance and exit of the data center. Latest developments have proven that this model cannot sustain the attacks perpetrated by increasingly sophisticated hackers. Data center architects now realize that security must move from the perimeter to the heart of the multi-tenant data center to fend off sophisticated hack attempts.
Mellanox intelligent adapters can secure the end points, closer to the network. With a multi-layered security approach, Mellanox smart interconnect products are capable of bringing security from hardware up to application level.