AEM

From Whonix

Anti Evil Maid (AEM) notes.

Adversary capabilities:

  • physical access
  • remove disk
  • re-flash BIOS
  • exfiltrate TPM

Anti Evil Maid (AEM) alternatives:

  • BIOS password
    • attack requires removal of disk
    • there might be a BIOS master password
  • boot partition on USB
    • attack on BIOS required
    • or USB persistent modifications
  • disk hasher → attack on BIOS required

Anti Evil Maid security issues:

  • downloads the SINIT binary without verification and hopes the processor will verify it correctly
  • relies on a closed-source TPM

Anti Evil Maid (AEM)

  • authenticates machine to the user (not user to machine)
  • change in BIOS → reseal required
  • another complicated password?
  • picture support was deprecated?
  • one-time password support: OTP / TOTP ("Google Authenticator") (2FA)
  • measurement of Xen, kernel, and initrd versions
  • only compatible with legacy boot
  • not compatible with UEFI
  • not compatible with USB 3.0
  • hide USB from dom0 (more secure but also more fragile) (BadUSB attack) vs not-hide (able to use USB AEM)
  • AEM on USB encourages booting from USB → makes it easier for an evil maid (no need to change settings in BIOS)
  • a reason for AEM on USB → as a keyfile (second factor) → better: YubiKey
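The items above on measurement of Xen, kernel and initrd, on "change in BIOS → reseal required", and on the TOTP mode describe one mechanism: each boot component is extended into a TPM PCR, a secret is sealed to the resulting PCR value, and at boot the TPM only unseals it if the chain re-measures identically. The block below is an added toy model of that flow, not code from the Whonix page or the AEM project. The boot components, the `SRK` stand-in, the `seal`/`unseal` helpers (a hash keystream plus HMAC tag, not a real TPM seal) and the TOTP secret are all constructed; only `pcr_extend` and `totp` follow the real TPM extend rule and RFC 6238.

```python
# Added example (not from the Whonix page or the AEM project): a toy model of
# measured boot, TPM sealing and the AEM TOTP mode. All names, keys and boot
# components below are constructed for illustration.
import hashlib
import hmac
import struct

PCR_INIT = b"\x00" * 32                      # PCRs start zeroed at power-on
SRK = b"constructed-srk-never-leaves-the-tpm"  # stand-in for the TPM storage root key
TAG_LEN = 32


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: PCR' = H(PCR || H(component)). One-way and order-dependent."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Extend one PCR with every component in boot order (BIOS, Xen, kernel, initrd)."""
    pcr = PCR_INIT
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _seal_key(srk: bytes, pcr: bytes) -> bytes:
    # The sealing key depends on the PCR value, so the secret is only recoverable
    # when the boot chain re-measures to exactly the state it was sealed against.
    return hmac.new(srk, b"seal|" + pcr, hashlib.sha256).digest()


def seal(secret: bytes, pcr: bytes, srk: bytes = SRK) -> bytes:
    """Toy seal: one-block XOR keystream plus an HMAC tag (not a real TPM2_Seal)."""
    key = _seal_key(srk, pcr)
    stream = hashlib.sha256(key + b"|stream").digest()
    if len(secret) > len(stream):
        raise ValueError("toy seal handles secrets up to 32 bytes")
    ciphertext = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def unseal(blob: bytes, pcr: bytes, srk: bytes = SRK):
    """Return the secret if the current PCR matches the sealed state, else None."""
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    key = _seal_key(srk, pcr)
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hashlib.sha256(key + b"|stream").digest()
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code AEM shows for the user to compare."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def aem_boot(boot_chain, sealed_blob: bytes, unix_time: int):
    """Machine-to-user authentication: unseal the TOTP secret against the freshly
    measured PCR and return the code to display, or None when the TPM refuses
    because something in the chain changed."""
    pcr = measure_boot(boot_chain)
    secret = unseal(sealed_blob, pcr)
    if secret is None:
        return None
    return totp(secret, unix_time)


# Constructed boot chain; real AEM measures the actual Xen/kernel/initrd images.
TRUSTED_CHAIN = [b"BIOS v1.0", b"xen-4.8.gz", b"vmlinuz-4.19", b"initrd.img-4.19"]
TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test-vector secret, constructed use

if __name__ == "__main__":
    blob = seal(TOTP_SECRET, measure_boot(TRUSTED_CHAIN))
    print("clean boot   :", aem_boot(TRUSTED_CHAIN, blob, 59))
    tampered = [b"BIOS v1.0 (reflashed)"] + TRUSTED_CHAIN[1:]
    print("tampered BIOS:", aem_boot(tampered, blob, 59))
    # A legitimate BIOS update also changes the PCR, hence the reseal step.
    updated = [b"BIOS v1.1"] + TRUSTED_CHAIN[1:]
    resealed = seal(TOTP_SECRET, measure_boot(updated))
    print("after reseal :", aem_boot(updated, resealed, 59))
```

Two properties of the real mechanism carry over from the toy: the extend operation is order-dependent and one-way, so neither reordering components nor reverting a single change reproduces the old PCR, and a legitimate firmware update looks identical to tampering until the user deliberately reseals. What the toy cannot show is the trust the page flags: the PCR values and the unseal decision come from the TPM and from the SINIT module that starts the measured launch, which is exactly why AEM stands or falls with those closed components.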

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)