Tuesday, September 2, 2014

Is Implementing a Hypervisor for ECR Payment Applications Cost Prohibitive?


The publicity surrounding data scraping attacks against ECR applications prompted me to write a few posts about approaches to stop the execution of such malware at the operating system level (see for example http://paymentnetworks.blogspot.com/2014/07/detection-of-data-scraping-in-retail.html). After the recent UPS attacks, I think it is quite clear that the payment systems industry will not form a uniform response to these attacks and instead touts Europay, MasterCard, VISA (EMV) as more of a prayer than a solution.

The ability of Intel and AMD x86 processors to host hypervisor kernels gives ECRs a superior means of detecting and stopping these attacks; however, retailers will be in no mood to deploy such a response once they have already spent most of their equipment upgrade budget on the move to EMV. ECR software developers will certainly have some academic help to draw on.

Amit Vasudevan and his fellow researchers at CyLab, Carnegie Mellon University offer a clear, sensible approach, for anyone who cares to listen, to controlling the applications that run on a platform processing sensitive data such as payer financial data.

For example in:

“Requirements for an Integrity-Protected Hypervisor on the x86 Hardware-Virtualized Architecture”
by Amit Vasudevan, Jonathan M. McCune, Ning Qu, Leendert van Doorn and Adrian Perrig (from CyLab, Carnegie Mellon University; Nvidia Corp; Advanced Micro Devices (AMD) Corp) (http://users.ece.cmu.edu/~jmmccune/papers/vasudevan_mccune_ning_leendert_perrig_sechyp_trust2010.pdf)

The researchers set out clear requirements for implementing a hypervisor in general. No one has yet satisfied all of them, and doing so may be extremely difficult, but implementing even a fraction of them (which has been done) would significantly deter data scraping attacks.

The researchers have provided another jewel:

“It’s an app. It’s a hypervisor. It’s a hypapp.”: Design and Implementation of an eXtensible and Modular Hypervisor Framework

by Amit Vasudevan, Jonathan M. McCune, and James Newsome (all from CyLab, Carnegie Mellon University, 2012)

The paper describes design principles for creating such a secure environment.

AMD and Intel hypervisor modes are not compatible with each other, so developers will need to write different versions: one for Intel’s “Separation Kernel Model” and another for AMD’s SVM (Secure Virtual Machine, “Pacifica”).
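Because the two vendors' extensions are incompatible, the first thing an ECR deployment has to establish is which one (if either) the platform actually exposes. The following C program is an added example, not code from this post or from the CMU papers: it reads the CPUID vendor string and the two architectural feature bits (Intel VMX in CPUID.01h:ECX bit 5, AMD SVM in CPUID.80000001h:ECX bit 2) and reports which hypervisor build the machine could host. The classification works on raw register values so it can be checked against constructed inputs; the function names and the sample values in the test are this example's own.

```c
/* Added example, not code from the post or from the CMU papers: decide which
 * hardware-virtualization extension a platform offers before picking an
 * Intel or AMD hypervisor build. The classification works on raw CPUID
 * register values so it can be exercised with constructed inputs; the live
 * query is compiled only on x86. Function names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    VIRT_NONE = 0,       /* no usable hardware virtualization extension reported */
    VIRT_INTEL_VMX = 1,  /* Intel VT-x: CPUID.01h:ECX bit 5 (VMX) */
    VIRT_AMD_SVM = 2     /* AMD SVM ("Pacifica"): CPUID.80000001h:ECX bit 2 (SVM) */
} virt_ext_t;

/* Store a 32-bit register as four characters, low byte first, which is how
 * CPUID lays out the vendor string. Byte-wise so host endianness is irrelevant. */
static void put_reg_chars(char *dst, uint32_t reg) {
    for (int i = 0; i < 4; i++)
        dst[i] = (char)((reg >> (8 * i)) & 0xff);
}

/* CPUID leaf 0 returns the 12-byte vendor string in EBX, EDX, ECX, in that order. */
static void cpuid_vendor_string(uint32_t ebx, uint32_t edx, uint32_t ecx, char out[13]) {
    put_reg_chars(out, ebx);
    put_reg_chars(out + 4, edx);
    put_reg_chars(out + 8, ecx);
    out[12] = '\0';
}

/* Classify from raw register values: leaf-0 EBX/EDX/ECX, CPUID.01h:ECX and
 * CPUID.80000001h:ECX. Each feature bit is trusted only for its own vendor,
 * because the same bit position is reserved or means something else on the other. */
static virt_ext_t classify_virt_ext(uint32_t ebx, uint32_t edx, uint32_t ecx,
                                    uint32_t leaf1_ecx, uint32_t ext1_ecx) {
    char vendor[13];
    cpuid_vendor_string(ebx, edx, ecx, vendor);
    if (strcmp(vendor, "GenuineIntel") == 0 && (leaf1_ecx & (1u << 5)))
        return VIRT_INTEL_VMX;
    if (strcmp(vendor, "AuthenticAMD") == 0 && (ext1_ecx & (1u << 2)))
        return VIRT_AMD_SVM;
    return VIRT_NONE;
}

static const char *virt_ext_name(virt_ext_t e) {
    switch (e) {
    case VIRT_INTEL_VMX: return "Intel VT-x (VMX)";
    case VIRT_AMD_SVM:   return "AMD SVM";
    default:             return "none";
    }
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* Query the running CPU. A clear bit means the platform cannot host this kind
 * of hypervisor as configured; firmware settings or an already-running
 * hypervisor may also hide the extension. */
static virt_ext_t detect_virt_ext(void) {
    unsigned int eax, ebx, ecx, edx;
    unsigned int a, b, d, l1_ecx = 0, ext_ecx = 0;
    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx))
        return VIRT_NONE;
    if (eax >= 1)                                  /* eax of leaf 0 = highest basic leaf */
        __get_cpuid(1, &a, &b, &l1_ecx, &d);
    if (__get_cpuid_max(0x80000000u, 0) >= 0x80000001u)
        __get_cpuid(0x80000001u, &a, &b, &ext_ecx, &d);
    return classify_virt_ext(ebx, edx, ecx, l1_ecx, ext_ecx);
}
#endif

int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    printf("hardware virtualization extension: %s\n", virt_ext_name(detect_virt_ext()));
#else
    printf("not an x86 host; no CPUID query performed\n");
#endif
    return 0;
}
```

A reported "none" on hardware that is known to support the extension usually means it was disabled in firmware or that another hypervisor already owns it, which is exactly the condition a rollout inventory needs to flag before scheduling any hypervisor-based protection.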

If these approaches succeed in countering data scraping attacks, then users on compatible computers who initiate payments for personal use might be able to adopt similar protections. If this type of approach proves cost effective, then more trusted applications working with payment operating systems would make managing sensitive data in hostile environments more efficient and could be deployed quickly against future threats.

Next Blog: The Difference between the DUKPT and EMV Approaches to Security
