What kind of “actions” can a TPM2 policy authorize?

I’ve been instructed to use the state of our system’s TPM’s PCR registers to prevent the system we’re working on from booting if one of the PCR registers is different from what we expect. In service of that goal, I’m reading over this article: https://threat.tevora.com/secure-boot-tpm-2/

There is a paragraph near the middle that reads:

TPM2 has the ability to create policies based off of PCRs: If the PCR contents do not match expectations, the policy will not authorize the action.

What kind of actions are they talking about here? And what would be the immediate ramifications if the action was not authorized?


Some background: Before today, I was under the impression that the principal trick of the TPM was to encrypt or decrypt data using a key that the TPM holds securely. Now this article suggests that the TPM can also (two different functions) encrypt or decrypt data based on the current state of its PCR registers… this seems similar enough to my previous understanding that I can believe it.

If my understanding is correct, I can see how this would be useful to our project’s goals; encrypt a blob of data that is critical to the success of the boot (say… the kernel*) with the state of the PCR registers while the PCR registers are in a known-trustworthy state (i.e. while known-trustworthy software is loaded). If software that writes different PCR registers replaces the known-trustworthy software, then the kernel blob won’t decrypt properly, and execution “halts”. Presumably there are ways to handle this halting gracefully, like BitLocker or LUKS; I imagine if I just encrypted executable code and then decrypted it with the wrong key, it would produce gibberish, and the machine would do unexpected things rather than halt gracefully when running that gibberish.

A co-worker has taken the position that there’s a simpler way; that a TPM can permit or refuse an action directly… so, like, it halts the processor or something, I guess? He doesn’t express himself very well, and when I tried to summarize his position he told me I got it wrong, so… I’m deliberately keeping the details of his position scant. Suffice it to say, my understanding of what a TPM does wouldn’t allow for what he describes…

You could interpret the two sentences from the article as supporting his position, or mine, depending on what actions it is possible to ask the TPM to authorize, and what the immediate ramifications are of the TPM denying you the authorization to do something. Does anyone here have an opinion?

*…how would I “encrypt the kernel”, exactly? :-p

CORS policy during development

Does the CORS policy add any value during the development phase? Should I develop with CORS on or off? The development is occurring in a distributed environment and there are no local copies of components, only a testing environment where components are uploaded and tested (not on the same servers, so CORS still applies). If I should enable the CORS policy, how should I set it up so my distributed teams can work against my back-end server from their development environments?

This question was strongly influenced by this one: should-i-develop-with-tls-on-or-off

With the existence of CORS, what further purpose does same origin policy serve?

I’ve been using CORS for a while and I think I understand it. But as far as I can tell, because the allow-origin header is provided by the server being called, which an attacker can control as they see fit, same origin policy cannot prevent an injected script from calling an attacker’s server.

Furthermore, by using my own server as a proxy, and spoofing headers, I can essentially make any HTTP call to any server in the world, regardless of their CORS settings.

Assuming an attacker can do whatever they want with their server, does this mean that same origin policy is dead?

Changing the default forward policy to accept (VPN/NAT)

I came across something that seems counter-intuitive while reading a tutorial associated with a very popular hosting provider showing people how to install their own Debian-based OpenVPN server. Specifically the default forward policy is changed from “DROP” to “ACCEPT” in order to allow traffic to be routed correctly. There seem to be no additional rules anywhere that would in any way restrict routing beyond this default policy.

If I understand correctly this could allow someone to use the machine as a gateway into the VPN, potentially allowing unsolicited traffic through. The logic here is that without any rules preventing packet forwarding the OS will simply forward any traffic not destined for itself. For example someone could make a static route for the external IP assuming a network of 10.8.0.0/24. Normally NAT would act as a firewall but in this case I can only assume it would, at best, rewrite the IP of response packets.

This is the tutorial for reference: How To Set Up an OpenVPN Server on Debian 9

I just want to know are my concerns justified or is there something that I’m missing?

Enforcing DMARC policy (reject) on an Office 365 tenant

The domain & tenant has SPF and DKIM properly configured and DMARC policy set to p=reject. Still, emails spoofed with the domain in the From header aren’t rejected, but appear in the Junk Email folder on Office 365. People do check their Junk Email for false positives, and are still reading all the CEO frauds, sextortion letters etc.

This seems a feature instead of a bug, as described in Microsoft’s documentation:

How Office 365 handles inbound email that fails DMARC

If the DMARC policy of the sending server is p=reject, EOP marks the message as spam instead of rejecting it. In other words, for inbound email, Office 365 treats p=reject and p=quarantine the same way.

Office 365 is configured like this because some legitimate email may fail DMARC. For example, a message might fail DMARC if it is sent to a mailing list that then relays the message to all list participants. If Office 365 rejected these messages, people could lose legitimate email and have no way to retrieve it. Instead, these messages will still fail DMARC but they will be marked as spam and not rejected.

However, this reasoning has some flaws:

  • DKIM protects legitimate mail; DKIM signed messages do pass with the DMARC policy even if it fails to align with the SPF when forwarded on a mailing list. (Mailing lists should change the envelope sender to pass SPF checks, anyway, so the SPF checks are probably passed, but not aligned.)

  • By implementing p=reject instead of p=quarantine the owner of the domain has stated that the emails should be rejected. Therefore, Microsoft’s implementation is against RFC 7489, 6.3:

    p: Requested Mail Receiver policy ...
       reject:  The Domain Owner wishes for Mail Receivers to reject
          email that fails the DMARC mechanism check.  Rejection SHOULD
          occur during the SMTP transaction.

Is there any setting on Office 365 to alter this behaviour and reject these messages?

What Same Origin Policy related risks are there with static pages?

I am wondering what risks there are if you have static pages on the same host that don’t trust each other. A key concept of Javascript and web security is the Same Origin Policy (SOP), which is also the reason why we need to avoid XSS. If there’s e.g. a blog on example.org with an admin interface on example.org/admin and an attacker can place some javascript on example.org/foo then the attacker can execute javascript that e.g. will create a new admin account or perform other actions on behalf of the admin. I generally understand how this is happening.

However I wonder the following: If the pages on example.org are all static, i.e. no forms that perform actions or endpoints that act on POST requests, does the SOP still matter?

I was thinking of attacks like: Can example.org/foo/ open example.org/bar/, but with manipulated content? This could be useful e.g. if example.org/foo hosts downloads that an attacker can manipulate or redirect. I have tried a few things, but I wasn’t able to perform such an attack. (One way might be ServiceWorkers, but they are path constrained, which limits possibilities quite a bit.)

And are there other attacks that one should care about in purely static scenarios?

Is it possible to just use one policy in a self-play setting?

I would like to ask whether it is possible to train an agent in a self-play setting with just one policy to be trained. What are the foreseeable problems with such an implementation? My concern is as follows: suppose agent A starts off in role 1, and later switches to role 2 (which is role 1’s opponent) after a few iterations. When A switches to role 2, it might use the information gained when A was in role 1 to its current role’s advantage. And after another few iterations, when A switches back to role 1, A might use the information gained when A was in role 2 to its current role’s advantage. This is because we assume there is just one policy for agent A, so the weights are updated and kept when A switches its role. The information gained can be things such as new strategies learnt, new information gained (when the agent’s knowledge of the environment is incomplete), etc. So a more sensible way of training, I think, would be to use two agents A and B with two separate policies, more like a generative adversarial network setting in some sense. But then by definition this is not considered self-play, is it?

Add-on: Relating this to the case of AlphaZero playing chess: if the agent is really just playing against itself, then even though chess is a so-called perfect-information game, the opponent’s thoughts/strategy/decision-making process should still be unknown to the player. But if my assumption about how self-play works is true, then agent A will have the thoughts/strategy/decision-making process of role 2 when it is in role 1. Isn’t that cheating (because in reality that knowledge is not attainable; rather, one can only guess at that information about one’s opponents)? (I haven’t read through the AlphaZero paper yet because I am not proficient enough to understand those technical details, so I would really appreciate it if anyone could explain the relevant part to me.)

Password Policy for Digital Environment

When creating a Security Policy such as Password Policy, what are some of the typical assets that need to be protected?

And how does this affect employees, contractors, vendors, suppliers, and representatives who access the organization-provided or organization-supported applications, programs, networks, systems, and devices?

Curious to learn more. I’d also appreciate details from real expertise; in addition, if anyone has a good, valid password policy that is written and implemented, I’d love to read it and learn from it.

QES AdESQC TL based Signature Validation Policy

Reading the ETSI EN 319 102-1 V1.1.1 (2016-05) Electronic Signatures and Infrastructures (ESI); Procedures for Creation and Validation of AdES Digital Signatures; Part 1: Creation and Validation.

The signature validation procedures and requirements are clear in section 5. However, there are many references to validation according to a “Signature Validation Policy”, which should also be included in the validation report.

I was searching for what that means and came across the “QES AdESQC TL based” signature validation policy. There are many examples which have this policy in the validation report.

Where are the signature validation policies defined? Where can I find the relevant information about them? It seems that QES AdESQC TL based is something standard, but I am not able to find the real definition of the policy.

I am not sure if the signature validation policy can be defined, for example, as an XML file with the conditions for how to validate a signature or seal, which can be understood by an application.

All sample validation reports refer to it, e.g.:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SimpleReport xmlns="http://dss.esig.europa.eu/validation/simple-report">
    <Policy>
        <PolicyName>QES AdESQC TL based</PolicyName>
        <PolicyDescription>Validate electronic signatures and indicates whether they are Advanced electronic Signatures (AdES), AdES supported by a Qualified Certificate (AdES/QC) or a
        Qualified electronic Signature (QES). All certificates and their related chains supporting the signatures are validated against the EU Member State Trusted Lists (this includes
        signer's certificate and certificates used to validate certificate validity status services - CRLs, OCSP, and time-stamps).
    </PolicyDescription>
    </Policy>
    <ValidationTime>20/01/2016 08:06:05.002</ValidationTime>
    <DocumentName>PAdES_B_PVDB-extended_LTA.pdf</DocumentName>
    <ValidSignaturesCount>1</ValidSignaturesCount>
    <SignaturesCount>1</SignaturesCount>
    <Signature Id="id-30b3acd8c4fe0ced13b26ed2e6574d91e2e77b19e06a42b6c513a0b046b4561b" SignatureFormat="PAdES_BASELINE_LTA">
        <SigningTime>30/07/2015 13:49:14.000</SigningTime>
        <SignedBy>Pierrick Vandenbroucke (Signature)</SignedBy>
        <Indication>TOTAL_PASSED</Indication>
        <SignatureLevel>AdESqc</SignatureLevel>
    </Signature>
</SimpleReport>

Generating the base64 of sha256 of a file for Content Security Policy of a web page


The issue

I have a small private Apache2 web server running on Debian 10 Buster with security at the top of my list. Right now, I’m struggling with:

How to generate in the Linux terminal the base64-encoded sha256 of my CSS style sheet file styles.less for Content Security Policy?


Getting close

The closest I got was thanks to this comment made by sideshowbarker with command:

cat styles.less | openssl dgst -sha256 -binary | base64 

So far I only know that this part is ok:

cat styles.less | openssl dgst -sha256 

because the output SHA-256 hash sum is equal to that of the ordinary sha256sum command, as proved with:

$ cat styles.less | openssl dgst -sha256
(stdin)= 0d1095db21ec5177406ed074dadd59d8298f6f4f9ae870bf8d562feeb081ecb1

$ sha256sum styles.less
0d1095db21ec5177406ed074dadd59d8298f6f4f9ae870bf8d562feeb081ecb1  styles.less

$ openssl version
OpenSSL 1.1.1d  10 Sep 2019

Any ideas welcome. Will be back shortly, be patient with comment replies, thank you.


Getting wrong output:

DRCV2yHsUXdAbtB02t1Z2CmPb0+a6HC/jVYv7rCB7LE= 

Chrome says it shall be (I hope I’m getting the right one):

OiTUxy1L7oqoB+m4jFzA6QMKYPBRZqHn9Z33xviiEFI= 

As it might be helpful now, here’s the direct link for that style sheet. Hope we solve it soon.
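
An added example, not part of the original post: shell helpers for the CSP hash-source calculation discussed above. They show that the Base64 string is another encoding of the same 32 bytes that sha256sum prints as hex, and that the hash covers every byte of the input, so a trailing newline alone changes it. The function names and the sample CSS are constructed for illustration; `csp_hash` uses the openssl pipeline from the post and falls back to sha256sum where openssl is absent.

```shell
#!/bin/sh
# Added example: helpers for CSP hash-sources (function names are illustrative).

# Convert a hex digest to the Base64 encoding of the same raw bytes.
hex_to_b64() {
    hex=$1
    case $hex in ''|*[!0-9a-fA-F]*) return 1 ;; esac   # hex digits only
    [ $(( ${#hex} % 2 )) -eq 0 ] || return 1           # whole bytes only
    while [ -n "$hex" ]; do
        rest=${hex#??}
        byte=${hex%"$rest"}                            # first two hex digits
        hex=$rest
        printf '%b' "\\0$(printf '%03o' "0x$byte")"    # emit that byte
    done | base64
}

# Print the CSP hash-source for the exact bytes of a file.
csp_hash() {
    if command -v openssl >/dev/null 2>&1; then
        b64=$(openssl dgst -sha256 -binary "$1" | base64)   # pipeline from the post
    else
        b64=$(hex_to_b64 "$(sha256sum "$1" | cut -d' ' -f1)")
    fi
    printf 'sha256-%s\n' "$b64"
}

# Succeed when FILE hashes to the Base64 value the browser reported.
matches_reported() {
    [ "$(csp_hash "$1")" = "sha256-$2" ]
}

# Constructed sample: the same CSS rule with and without a trailing newline.
demo() {
    tmp=$(mktemp -d)
    printf 'body{margin:0}'   > "$tmp/a.css"
    printf 'body{margin:0}\n' > "$tmp/b.css"
    csp_hash "$tmp/a.css"
    csp_hash "$tmp/b.css"    # differs from a.css: every byte is hashed
    rm -rf "$tmp"
}

demo
```

When `matches_reported` fails for a file, the browser hashed different bytes than that file contains.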