No system is immune to attack and if anyone tells you otherwise they are either ignorant or lying (
Bruce Schneier calls the later folks snake oil salesmen); between you or me I don’t know which of the two is worse.
The TPM, like all system was designed with was from the get go with certain goals in mind and being resilient to local host attacks was certainly one of them but being immune from hardware attacks certainly was not one.
Now don’t get me wrong they specify a number of things that help mitigate the risks associated with a number of hardware attacks but if they were to set out to deliver a solution that was immune to these attacks they would either never have a finished product or they would ship something that makes claims no product can make.
I guess that makes the question did they design to mitigate the right attacks, or did the design mitigate enough of the attacks? Well in the end the answer to that question will depend on under what situations the TPM is used for; for example conditional access systems like
Network Access Protection are all based on the idea that hosts either make claims about their state or that hosts behave a particular way, both are examples of what I call “
asking the drunk if they are drunk” you might be talking to a honest drunk but you might be talking to a dishonest one too.
The use of a TPM to take measurements of pre-boot components (BIOS, MBR, boot loader) gives you a reasonable confidence that those components were used to start the operating system, when combined with
operating system integrity protections (warning: link is a ppt) and selection of trustworthy “health agents” that measure system health you have a good (not perfect) basis to believe those claims. I would argue that given the other risks that exist in a system like this that the protections offered by the TPM are sufficient for this use.
It’s important to note however that there are certainly cases where the protections offered by a standard TPM would be insufficient for a solution as well.
I guess the next question one should ask themselves is that if the TPM can’t prevent all attacks why should we bother? Well as we have discussed previously there is no such thing as absolute security (it’s akin to perpetual motion, everyone wants it but we will never get it) but if we don’t do our best to mitigate against the known probable attack vectors that affect our solutions then we might as well give up when it comes to security.
My friend
Cem has been caught saying “
Security is often act of re-arranging deck chairs on a sinking ship” this is certainly true, but its not necessarily a problem if we understand the value of a nice view when the ship goes down ;).
Back to the topic of TPM based attacks, I ran across two interesting blog posts on this topic today check them out here:
As a FYI Microsoft has always recommended Bitlocker be used with its multi-factored advanced modes when this is done the sort of hardware only attacks discussed here do not work.