— If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

— Microsoft’s Ten Immutable Laws Of Security
data protection

We are a team of system administrators and programmers specializing in web hosting and data protection.
Our primary mission is to make dedicated server rental safe and secure.

We have always been worried that a hosting provider has full unrestricted access to customers' servers and data.
Consequently we were looking for the ways to prevent that.

- Progress so far -

Software-only solution DONE

All our servers come with:

pre-boot:
— proper Secure Boot setup: vendor and Microsoft keys removed and our keys installed, following the NSA "UEFI Secure Boot Customization" guidelines
GRUB boot loader removed (as it was deliberately broken to make it boot anything signed by Microsoft) — UEFI boots the OS directly, verifying the Linux kernel and initrd signatures which are securely stored in the TPM chip

after boot:
— triple-layer HDD and data encryption (LUKS full disk encryption + VeraCrypt for user data + Intel SGX container for the most important data)
— additional Linux kernel hardening such as Integrity and LKRG modules (to prevent malicious OS modifications and to make privilege escalation attacks much more difficult to achieve)
— additional hardening of the hardware, operating system and software (e.g. HyperThreading disabled, Vt-d & IOMMU enabled, CIS Benchmarks guidelines implemented, plus extra tweaks based on our experience)



The measures above effectively prevent from:
- booting the server from the untrusted device such as USB drive or a fake hard drive (if the datacenter staff replaces the customers' HDD with a rogue copy)
- infecting the OS boot loader with a malware (e.g. a keylogger to steal the Hard Drive encryption passphrase)
- data theft (e.g. by physically removing the Hard Drives from the server)

Unfortunately they do not prevent the Cold Boot and DMA attacks and could not protect from vulnerabilities in the firmware, hence the second step...

Complex Software + Hardware solution Work In Progress...

The current intrusion detection sensors are a joke as they do nothing but simply log the "chassis intrusion" event in the IPMI event log, and they are almost non-existant as they usually do not come preinstalled by default and most server vendors started to add them as an option just few years ago.

We are working on an advanced intrusion detection sensor as well as a Trusted Boot Module similar to Hypercheck implemented in a single-board microcomputer form-factor, to further complicate the Cold Boot and DMA attack vectors, and to verify the server components' integrity.

The sensor will shutdown the OS and scramble the RAM if it detects light or movement (if the server's lid was opened or if the server was rolled out of the rack cabinet), and the Hypercheck-analogue module will monitor the main server's BIOS and other components' firmware integrity.

The additional software-level solutions include Intel SGX container intended for the most important data such as SSL private keys, and Ramcrypt Linux kernel module which effectively prevents cross-process memory access and complicates the DMA attack.

However, even if we manage to protect the server from Cold Boot and DMA attack vectors, there is still...

The Ultimate ThreatWork In Progress...

All modern servers come with closed source IPMI, BIOS, and most components' firmware, which theoretically could allow vendors and hardware manufacturers to steal the private data from virtually every computer in the world.
We are working on a fully open source firmware server which would minimize the possibility of data theft via vendor backdoor(s) or yet another vulnerability in the vendor firmware.

The ideal server would have:
Intel ME absent or disabled
— proprietary BIOS/UEFI replaced with Coreboot
— proprietary IPMI firmware replaced with openBMC, or open-source hardware IPMI such as Raptor Kestrel used instead
— each significant system component such as Ethernet controller uses an open source firmware which is auditable and replaceable by the end user

Our development platforms are Supermicro X11SSH... (update: our research has shown that Supermicro gen11 servers are not secure enough so we are focused on 12th generation now). Also we closely watch the Open Compute Project progress, as well as the Raptor Talos boards (although they use POWER CPU architecture which limits their usage possibilities), and newest HP servers capable of running openBMC


alignment


> Chaotic... what?

Our company name is a combination of the character alignment in a popular tabletop game¹, which pretty accurately describes our ideology, and the name of the cyber attack vector², which we try to fight against.

¹ — "...alignment is a categorization of the ethical and moral perspective of player characters, non-player characters, and creatures. ...A chaotic good character does what is necessary to bring about change for the better, disdains bureaucratic organizations that get in the way of social improvement, and places a high value on personal freedom, not only for oneself, but for others as well. Chaotic good characters usually intend to do the right thing, but their methods are generally disorganized and often out of sync with the rest of society." — Wikipedia
² — "...An evil maid attack is an attack on an unattended device, in which an attacker with physical access alters it in some undetectable way so that they can later access the device, or the data on it.
The most notable scenario is where a maid subverts a laptop left unattended in a hotel room." — Wikipedia