I have perhaps a somewhat unusual Raspberry Pi project in mind.
Essentially, I want to establish a secure computing system, especially for business purposes. I've been researching the topic ever since my computer was hacked, and the end result was mostly the creation of a Wikibooks book called End-user Computer Security.
Anyway, I am now looking at replacing my present system with a brand new one but am unsure which way to go. My current thoughts are as follows:
- Buy a Raspberry Pi 4 computer and have its OS loaded via a live DVD, with the DVD loaded using an external USB DVD drive.
- The live DVD has to be read-only.
- The live DVD will likely be created by downloading the DVD image to a smartphone and then proceeding to burn the image to a blank DVD using the smartphone and an external USB DVD drive connected to the smartphone.
- The Raspberry Pi 4 device, smartphone, and DVD drive would be bought brand new, in random and physical ways, so as to thwart MITM (man-in-the-middle) attacks (this involves picking randomly-selected units from a physical store).
- The correctness of the live DVD can perhaps be better ensured by doing the following:
  1) obtain the image and/or disc in several ways, where at least one of the ways does not include relying on the smartphone's internal SD card or other similar NAND flash technology (NAND flash is perceived to be a point of attack);
  2) load the OS using each disc in turn;
  3) after each OS load (i.e. after each boot), make sure all the disc images match, using the software loaded within that OS session/boot;
  4) if every check indicates the DVD images are the same, then there is probably nothing to worry about.
- Multiple backup copies of the live DVD can be stored for safekeeping in different locations. This provides a means of checking that any one copy hasn't been maliciously replaced by a hoax live DVD.
- The Raspberry Pi 4 computer will also have a battery pack, on which to run in a low-power state when it is not being used. This will ensure that the DVD drive is not needed every time a new computer session is started, because the OS will be loaded entirely into RAM (using piCore), and when the computer is not in use, it will simply be put to 'sleep'. It will also behave as a tamper-evident mechanism: if the computer is interfered with whilst in the low-power state, this will likely corrupt the state (the contents of the RAM or otherwise), and that will likely manifest itself as not being able to log in to the powered-on system, or as the system no longer being in 'sleep' mode but instead in a completely shut-down state. If the system state is corrupted, a reboot would perhaps be needed to 'wipe' the corrupt state clean. To ensure valuable data isn't stolen from the RAM whilst the device is not in use, one of the following methods would be employed: 1) data stored in RAM would always be in an encrypted form; 2) segments of RAM used for the storage of sensitive data would be blanked (zeroed) before putting the device to 'sleep'; 3) both methods 1 and 2 would be used together for even higher security. If the whole OS, when loaded into RAM, is mostly stored in that RAM in an encrypted state, the system state could perhaps be more easily corrupted through slight tampering, and would therefore provide a better tamper-evident mechanism.
- Once per week, assuming no tampering is detected in the system, the system would be used to reinstall the DVD drive's firmware. This would help to ensure that the DVD drive remains a trusted device.
- The computer would be used to log in to cloud-hosted DaaS (Desktop as a Service) services, meaning that the Pi's limited computing power would not really be much of a concern. There would then be reliance on the security provided by the DaaS provider. The security of the DaaS, normally speaking, would be expected to be quite high; they would generally have much more resources for ensuring this.
- Such a set-up would rely on the security of the "TLS cryptographic security certificate" system. Because certain certification authorities would likely be less trusted than others, perhaps only a select few security certificates would be regarded as trusted and used for computing over the internet. In order to stay up to date with the certificates in the case of accidental power loss, new certificates would be saved to read-only DVDs, perhaps at the end of each day or each week.
- A USB cryptographic security key would be used, in conjunction with a password, to log in to the DaaS services. Passwords would be changed every now and then.
- These methods deliberately avoid NAND flash (as present in SD cards) because of perceived security risks in it. The only time NAND flash is used locally is when downloading through the smartphone (smartphones have internal SD cards); however, because of the random-selection principle, there's a good chance that such internal SD cards can be trusted. Even if they cannot be trusted, the live DVD can also be obtained in ways that don't rely on NAND flash. Obtaining it in such ways, in conjunction with the DVD image checks mentioned earlier, should mitigate any risk associated with NAND flash.
- Because peripherals like the computer screen, mouse, and keyboard can be points of attack for adversaries, such devices would be purchased in a similar way to how the Raspberry Pi device, the smartphone, and the external DVD drive would be purchased. By doing so, they too would be able to be trusted. If any such device contains firmware, perhaps the firmware could be reinstalled (to overcome malware attacks on the firmware) in the same way as the DVD drive's firmware should be able to be reinstalled.
- The low cost and high availability of the Pi device is desirable. The high availability makes the random-selection principle stronger and easier to employ. The low cost means that if it really is needed, a new unit can be bought as a replacement, probably in those cases where security may have been compromised in a significant way.
- To be even more sure that the Raspberry Pi hardware has not undergone tampering, or been maliciously replaced with a deceptive fake, certain physical-property authentications can be made of the hardware. For example, using visual inspection, the device can be compared with downloaded photos of how it is supposed to look. Other measurements might be weight, X-ray images, etc. To overcome attacks targeted at the purchases of a specific person, maybe five units of the Pi device can be bought, and then four units chosen at random returned for full refunds.
- The equipment would be locked up when not in use, and other non-computer measures would be used for things like tamper evidence and the prevention of illegitimate password capture (capture done perhaps by means of hidden cameras).
Many of the above ideas are documented in the Wikibooks book, which can be accessed at: https://en.wikibooks.org/wiki/End-user_ ... liminaries
If you are able, please provide comments and feedback on my overall idea and on the individual ideas.
Thanks,
Mark F
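Added example (not Mark's code and not from the Wikibooks book): a POSIX shell script for step 3 of the live-DVD check, run from inside the booted live session. It hashes each copy (an .iso file or an optical drive such as /dev/sr0, which are assumed paths) and reports whether all copies agree with each other and, optionally, with the distribution's published SHA-256 checksum.

```shell
#!/bin/sh
# Added example (not from the original post): compare several copies of a
# live-DVD image with each other and, optionally, with a published checksum,
# as in steps 1-4 above. Arguments are .iso files or optical block devices
# (e.g. /dev/sr0, which needs root) as seen from inside the booted session.

# image_sha256 PATH: hash only the ISO 9660 payload when isosize (util-linux)
# can read its size, so a burned disc read from /dev/srX (which may return
# extra padding sectors) hashes the same as the downloaded .iso; otherwise
# fall back to hashing the whole file.
image_sha256() {
    sectors=$(isosize -d 2048 "$1" 2>/dev/null) \
        && dd if="$1" bs=2048 count="$sectors" 2>/dev/null | sha256sum | cut -d' ' -f1 \
        || sha256sum "$1" | cut -d' ' -f1
}

# verify_images EXPECTED_SHA256|- FILE...
# Prints one line per copy. Returns 0 only if at least two copies were given,
# every copy hashed the same, and (unless '-' is passed) that hash equals
# EXPECTED_SHA256 from the distribution's published checksum list.
# Usage: verify_images <sha256|-> /dev/sr0 /mnt/usb/copy2.iso   (assumed paths)
verify_images() {
    expected=$1; shift
    [ "$expected" = "-" ] && expected=""
    reference=""
    status=0
    if [ $# -lt 2 ]; then
        echo "need at least two independently obtained copies" >&2
        return 1
    fi
    for img in "$@"; do
        if [ ! -r "$img" ]; then
            printf 'UNREADABLE %s\n' "$img"
            status=1
            continue
        fi
        sum=$(image_sha256 "$img")
        [ -n "$reference" ] || reference=$sum   # first readable copy sets the baseline
        if [ "$sum" = "$reference" ] && { [ -z "$expected" ] || [ "$sum" = "$expected" ]; }; then
            verdict=OK
        else
            verdict=MISMATCH
            status=1
        fi
        printf '%-10s %s  %s\n' "$verdict" "$sum" "$img"
    done
    return $status
}
```

A MISMATCH on one copy only tells you the copies differ, not which one is genuine; the published checksum argument is what ties the set to the distribution's release.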