Security Threats 3 Levels Beyond Kernel Rootkits 264

Posted by kdawson
from the close-to-the-machine dept.
GhostX9 writes "Tom's Hardware has a long interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages). Many think that kernel rootkits are the most dangerous attacks, but Joanna and her team have been studying exploits beyond Ring 0 for some years. Joanna is most well known for the BluePill virtualization attack (Ring -1) and in this interview she chats a little bit about Ring -2 and Ring -3 attacks that go beyond kernel rootkits. What's surprising is how robust the classic BluePill proof-of-concept is: 'Many people tried to prove that BluePill is "detectable" by writing various virtualization detectors (but not BluePill detectors). They simply assumed that if we detect a virtualization being used, this means that we are "under" BluePill. This assumption was made because there were no products using hardware virtualization a few years ago. Needless to say, if we followed this way of reasoning, we might similarly say that if an executable makes network connections, then it must surely be a botnet.'" Rutkowska says that for her own security, "I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization." She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.
  • huh? (Score:5, Insightful)

    by vux984 (928602) on Saturday July 18, 2009 @06:32PM (#28743977)

    I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization.

    This seems a touch... idiotic. I could see how it could offer more. AND I don't see how it could offer less.

    For what it's worth, I don't use an A/V product either.

    And like her, I also have a "pretty reasonable setup" and a dose of "common sense". But I'm still balancing the increased responsiveness and hassle-free experience vs the extra security. It's a trade-off that's worth it to me, but I recognize that it is still a trade-off.

    • by Sycraft-fu (314770) on Saturday July 18, 2009 @07:10PM (#28744161)

      It is idiotic for three reasons:

      1) The vast majority of attacks out there are simple programs that install in the OS. They are not some uber VM root kits or the like. As such, a virus scanner running in the OS is perfectly capable of dealing with them. So no, it doesn't give you 100% defense but I bet it stops 99.99% of the attacks out there and that is worth something.

      2) Even in the case of low level root kits, they still have to get to your system in the first place. That in general means they have to get downloaded from the net or transferred from a CD or flash drive. Guess what? A virus scanner in the OS can stop that. It can scan the program coming in, before it has a chance to run, and block it. Even if the program would set itself up on a level below what the scanner could detect, the scanner can notice it as it is coming in before it can execute and do that.

      3) Defense in depth is ALWAYS a good idea. In the real, physical, world you have to accept that no security is unbreakable. Anything you can make another person can unmake or circumvent. Thus security does not come from having one impassable layer, it comes from having multiple layers of different kinds. Should one layer be bypassed, security overall is not compromised. Well, a virus scanner on the system is another layer. Should be the only layer, but it helps.

      Personally, I've never been impressed with her as a security researcher. She seems to be rather paranoid, and living in a theoretical world. In part this is because for all the chatter about Blue Pill, I haven't seen it made practical. Oh sure you can talk about an undetectable super rootkit on paper but does it actually work in the real world? VMWare doesn't think it would, and they do know more than a bit about virtualization.

      I'm not saying this isn't an interesting line of academic research, but I'm getting tired of the "OMG I can own any system and not be detected!" doomsaying. No, really, not the case it seems.

      • Re: (Score:2, Insightful)

        by Talchas (954795)
        It might be idiotic if A/V programs didn't totally ruin system usability for on-line protection. And if you just run random scans, or scans of known-downloaded things, you'll still lose against any sort of automated attack (which is where anyone reasonably computer savvy might get attacked through).
        • by Sycraft-fu (314770) on Saturday July 18, 2009 @07:56PM (#28744345)

          If your AV software screws over your system, then get a better one. NOD32 is exceedingly fast and thus low impact on system resources. Also, with any good one, like NOD, you can configure what it scans so you don't have to scan everything if you don't want to.

      • Re: (Score:3, Interesting)

        by PNutts (199112)

        The vast majority of attacks out there are simple programs that install in the OS. They are not some uber VM root kits or the like. As such, a virus scanner running in the OS is perfectly capable of dealing with them. So no, it doesn't give you 100% defense but I bet it stops 99.99% of the attacks out there and that is worth something.

        Absolutely agree. It's nice that she has a throwaway image because it isn't possible to protect herself from her definition of the critical threats, but those aren't the threats I'm necessarily worried about. My A/V keeps (among other things) the script kiddies out who do things that pi$$ me off and cause me to react. The bad guys/girls can have anything on my system which is why they probably won't bother with me. I'm wondering how much crap her system spews the day before she decides (la la la) to reimag

        • Re: (Score:3, Interesting)

          by EdIII (1114411) *

          I'm wondering how much crap her system spews the day before she decides (la la la) to reimage.

          That bothered me too. My VM does not commit any changes when I close it down, which I do at least twice a day.

          ALSO, running everything through a proxy helps too.

      • It is idiotic for three reasons:

        1) The vast majority of attacks out there are simple programs that install in the OS. They are not some uber VM root kits or the like. As such, a virus scanner running in the OS is perfectly capable of dealing with them. So no, it doesn't give you 100% defense but I bet it stops 99.99% of the attacks out there and that is worth something.

        Having cleared out nastily infected computers of colleagues for a few years, I had the opportunity to look at the logs of the (Symantec I believe) antivirus programs that had failed to block the offending malware. Based on the number of "yay, I blocked such and such virus" entries per infected computer, I'd say that AV programs stop about 1/4 of real, active malware. 25% ≠ 99.99%.

      • by blueg3 (192743)

        Actually, depending on your virus scanner, it stops about 50-90% of attacks out there. Joanna's setup is almost certainly more effective.

        • by vux984 (928602)

          Actually, depending on your virus scanner, it stops about 50-90% of attacks out there. Joanna's setup is almost certainly more effective.

          More effective than it would be if she took her existing setup and installed antivirus into it?

          I think not.

      • by blueg3 (192743) on Sunday July 19, 2009 @12:13AM (#28745469)

        2) Even in the case of low level root kits, they still have to get to your system in the first place. That in general means they have to get downloaded from the net or transferred from a CD or flash drive. Guess what? A virus scanner in the OS can stop that. It can scan the program coming in, before it has a chance to run, and block it. Even if the program would set itself up on a level below what the scanner could detect, the scanner can notice it as it is coming in before it can execute and do that.

        This is the malware arms race. The first entity to hit the system and know the second entity's tricks wins. Malware can completely gut antivirus. In theory, it can completely and undetectably emasculate it. (In reality, it doesn't.) Antivirus programs can detect malware and stop them -- provided they know what to look for. Knowing what to look for is harder than it sounds. You can use signature scanning to find really trivial attacks, or very fancy signature scanning to find less-trivial but still enumerated attacks. Only behavioral controls will stop novel attacks, and you need to know what behaviors to stop. Simply stopping anything that might possibly be used to get control of the system will leave you with a nonfunctioning system.

        Bear in mind that there's anywhere from a few days to a week, at least, before an antivirus database incorporates a new malware signature. If the malware can disable the antivirus (or its update), what's the risk in a one-week window?

      • Re: (Score:3, Interesting)

        by salesgeek (263995)

        As such, a virus scanner running in the OS is perfectly capable of dealing with them.
        Antivirus works after code has been sent to the computer or while it's sent using a limited set of known methods. For many exploits, code runs before antivirus gets a crack at stopping it. That's why Symantec's David Hall said "If you are relying solely on antivirus ... you are not getting the protection you need." [blogspot.com]. The issue is that antivirus gives a user a very false sense of security because it works good enough most of

    • Re: (Score:3, Funny)

      by Anonymous Coward
      I've never understood why banks have locks on both the doors to the vaults and on the safes.
      • Re: (Score:2, Informative)

        by JustOK (667959)

        And the building itself.

      • Re:huh? (Score:5, Insightful)

        by benjamindees (441808) on Saturday July 18, 2009 @07:39PM (#28744295) Homepage

        Think of it this way. Antivirus software is like the Maginot Line. It will keep out most invaders. But the really threatening ones will simply drive around it and disable it from the inside.

        Her setup is more like a fortress filled with cruise missiles that can be launched with lots of advanced warning of attack.

        Both have costs. One is more effective than the other. So, saying that something expensive and incomplete like the Maginot Line provides increased security may be technically true, but it's kind of a moot point.

    • by Ilgaz (86384) on Saturday July 18, 2009 @09:01PM (#28744625) Homepage

      I understand the DEP (data execution prevention) enabled processors weren't common back in Windows XP days, but what is the deal with Windows 7, even the 64-bit version? Why wouldn't MS enable it by default as it is said to prevent very serious attacks on CPU level, without slowing down the system at all?

      While there are no real viruses on OS X yet, I try to prepare machines for a "no AV needed even while viruses exist" configuration just like you, with a couple of extra admin prompts, that is all, but I don't follow the Windows scene too much.

      After enabling DEP, I even gamed on Windows 7 64-bit (the game is even running under win2k compatibility) and I haven't seen anything bad happen. I remember some stupid HP driver on another machine crashed because of DEP but that was all, the error message was really informative too.

      So, do they disable it to make a couple of badly written software owners happy while 99% would benefit from it?

      BTW, this is what DEP is
      http://en.wikipedia.org/wiki/Data_execution_prevention [wikipedia.org]

      • Re: (Score:2, Informative)

        by Anonymous Coward

        It's only disabled for 32-bit software. 64-bit software always runs with full DEP.

        The reason is that there's still TONS of poorly written 32-bit software out there that rely on DEP being off.

        That said, I agree that they should still turn it on by default and let the informative error message sort out the mess.

    • Running three separate VMs is not only a sign of paranoia but also a delusion that as a person functioning in today's world you can realistically have so much control over information that with enough effort you can control your own security in all regards, or even that you can control it to the extent necessary to protect yourself from common threats.

      Put aside for a moment that she's a security researcher and that probably invites more attacks than the rest of us face. There are a number of flaws readily ap

  • Well... (Score:5, Insightful)

    by afabbro (33948) on Saturday July 18, 2009 @06:32PM (#28743983) Homepage

    She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.

    And in the article:

    I totally don't care about a compromise of my "Red" machine--in fact I revert it to a known snapshot every week or so. I care much more about my "Yellow" machine. For example, I use NoScript in a browser I have there to only allow scripting from the few sites that I really want to visit (few online shops, blogger, etc). Sure, somebody might do a man-in-the-middle (MITM) attack against a plaintext HTTP connection that is whitelisted by NoScript and inject some malicious drive-by exploit, but then again, Yellow machine is only semi-sensitive and there would not be a big tragedy if somebody stole the information from it. Finally, the "Green" machine should be allowed to do only HTTPS connections to only my banking site.

    And as long as your bank is never hacked and serving up malware [youtube.com], that probably works well...

    • Re: (Score:3, Informative)

      by Deanalator (806515)

      That's what the noscript is for. It does more than just blocking javascript these days.

      • Re:Well... (Score:4, Insightful)

        by Sponge Bath (413667) on Saturday July 18, 2009 @07:02PM (#28744123)

        If you have already set noscript to allow your bank's site (required for most banks), and that site has been hacked, how does that protect you?

        • by bjourne (1034822)
          Why do you believe most bank sites require javascript?
          • by salesgeek (263995)

            Yes. Some even require Flash, too. Why? There are large numbers of executives that are smarter than you at banks.

        • I don't allow my bank with noscript. I don't just white list every site I go to, I only enable scripts if things are epically broken, like ajax heavy sites.

          My point though was beyond javascript whitelists. Even if you have "allow scripts globally" enabled (bad idea) noscript will still block most attempts at xss, heapspray, plugin abuse, and sketchy redirection etc. In short, noscript is a ninja warrior.

    • by ceoyoyo (59147)

      And as long as you don't care that your "Red" machine spends most of its time as a zombie sending out spam.

      • Re:Well... (Score:5, Interesting)

        by mlts (1038732) * on Saturday July 18, 2009 @07:28PM (#28744237)

        This is something I'm wondering. Perhaps the best thing would be for the "Red" machine to be completely rolled back when done using, and have a virtual share mapped for any data that is worth saving.

        • Re:Well... (Score:5, Interesting)

          by Zerth (26112) on Saturday July 18, 2009 @08:06PM (#28744379)

          That's what I've got on my setup now.

          After upgrading to a multi-core system where each had more processor and memory than my previous computer and noticing that 1 core was idle unless I was doing something CPU intensive, I virtualized my old machine and saved a snapshot just after bootup and opening a browser.

          Then I started using that in seamless mode instead of a browser. Every time I close it, not only is the browser history/cache/etc wiped, every possible change to the entire system is wiped.

          It doesn't run AV because that system just doesn't matter anymore. Instead of restarting my browser, I'm effectively wiping & re-installing whenever it feels laggy or "off".

          Perhaps it is a false sense of security, but as long as it is firewalled from the rest of the network and there isn't a "Neo" virus that can "escape the simulation", I feel safer than browsing on the host system with all the AV/noscript utilities running.

          • by mlts (1038732) *

            The only place where using VMs for projects might not work well are applications (including games) which require Direct X and high performance. VMWare Workstation has some experimental support for DX9, but if one wants to play a game, probably their best bet would be a second drive with an OS that isn't used for anything other than gaming.

        • Re: (Score:3, Interesting)

          by bill_kress (99356)

          I was thinking something along this line--it would be nice to have a file system where all modifications were stored on a second partition on the hard disk and the primary partition was read-only (Preferably physically through a switch), including the boot sector.

          On every boot, the data in the "writable" partition is destroyed before the first write/read ever takes place.

          A specific command could copy changes over in order to update the writable partition. This would be done during the shutdown process and a

          • Re:Well... (Score:5, Informative)

            by lagfest (959022) on Saturday July 18, 2009 @08:42PM (#28744515)

            Already exists for windows: http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx [microsoft.com]

            And it's free.

          • by Z34107 (925136)

            You're looking for the Enhanced Write Filter [microsoft.com]. It redirects all writes to RAM, meaning your changes are lost when you reboot. (Or you can have a shutdown script that commits changes to disk if you want.)

            It's part of the XP Embedded SDK, so it's designed for things like letting you run XP from a ROM chip or from a CD-ROM. I use it on my netbook because having all writes trapped in memory makes its cheap, slow SSD seem ridiculously fast.

          • by drsmithy (35869)

            A specific command could copy changes over in order to update the writable partition. This would be done during the shutdown process and a list of all changes could be reviewed before flipping the switch to make your drive writable.

            People will happily run said command to infect themselves when offered some porn.

            The problem with defeating malware isn't the technology, it's the people.
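The write-filter idea in bill_kress's post above and the Enhanced Write Filter Z34107 mentions, modelled as an added example (not code from the thread or from any real product): writes land in an overlay that is destroyed on reboot, and a review step lists every change with a content hash before an operator approves specific paths for commit, which is the step drsmithy's reply says people will skip.

```python
"""Discard-on-reboot write filter with review-before-commit.
Added example, not code from the thread or from any real write filter:
the base dict stands in for the read-only partition, the overlay for
the writable one that is wiped on every boot, and nothing reaches the
base unless an operator reviews the change list and approves paths.
"""
import hashlib

TOMBSTONE = None  # overlay value meaning "deleted relative to the base image"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()[:16]


class WriteFilteredDisk:
    def __init__(self, base: dict):
        self.base = dict(base)  # path -> bytes, the "read-only partition"
        self.overlay = {}       # path -> bytes | TOMBSTONE, the "writable partition"

    def read(self, path: str) -> bytes:
        if path in self.overlay:
            if self.overlay[path] is TOMBSTONE:
                raise FileNotFoundError(path)
            return self.overlay[path]
        return self.base[path]

    def write(self, path: str, data: bytes) -> None:
        self.overlay[path] = data  # the base image is never touched here

    def delete(self, path: str) -> None:
        self.read(path)  # raises if the file does not exist
        if path in self.base:
            self.overlay[path] = TOMBSTONE
        else:
            del self.overlay[path]  # created and deleted in one session: no change

    def reboot(self) -> None:
        self.overlay.clear()  # the writable partition is destroyed on every boot

    def review(self) -> list:
        """Change list shown before the drive is made writable: (path, kind, old, new)."""
        changes = []
        for path in sorted(self.overlay):
            data = self.overlay[path]
            old = digest(self.base[path]) if path in self.base else None
            if data is TOMBSTONE:
                changes.append((path, "delete", old, None))
            else:
                kind = "modify" if path in self.base else "create"
                changes.append((path, kind, old, digest(data)))
        return changes

    def commit(self, approved: set) -> None:
        """Merge only the approved paths; anything not reviewed stays in the overlay."""
        unknown = set(approved) - set(self.overlay)
        if unknown:
            raise KeyError(f"not in the change list: {sorted(unknown)}")
        for path in approved:
            data = self.overlay.pop(path)
            if data is TOMBSTONE:
                del self.base[path]
            else:
                self.base[path] = data


def demo() -> WriteFilteredDisk:
    """Constructed session: one wanted edit and two unwanted side effects."""
    disk = WriteFilteredDisk({"/bin/sh": b"trusted shell", "/etc/motd": b"hello"})
    disk.write("/etc/motd", b"hello, updated")   # the change the user meant to make
    disk.write("/bin/sh", b"trojaned shell")      # what the "free porn" download also did
    disk.write("/tmp/dropper.exe", b"MZ-junk")    # constructed, not a real binary
    for path, kind, old, new in disk.review():
        print(f"{kind:7} {path}  {old} -> {new}")
    disk.commit({"/etc/motd"})  # operator approves only the reviewed, expected change
    disk.reboot()               # the rest vanishes with the writable partition
    return disk
```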

      • She didn't say she doesn't have some sort of firewall. Stopping infected machines communicating isn't a job of antivirus programs and a properly configured firewall is far more effective at stopping your data getting out than any antivirus.
  • Why? (Score:5, Funny)

    by rysiek (1328591) on Saturday July 18, 2009 @06:33PM (#28743987) Homepage

    "...interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages)"

    Why oh why did they split Joanna into 9 pages?! That's so cruel!

    Also, First Post

  • by Anonymous Coward on Saturday July 18, 2009 @06:35PM (#28743991)

    There's careful, there's paranoid, and there's three separate virtual machines.

  • by eatvegetables (914186) on Saturday July 18, 2009 @06:36PM (#28744005)
    Security is: 386 dx 40 (my first computer), BSD kernel, and Lynx non-graphical web browser. Only down side.... ascii-art porn (sigh).
  • > The problem is, however, that all current popular OSes, like Vista, Mac OS X, or even
    > Linux, do not provide a decent isolation to its applications. This is primarily a result
    > of all those systems using big monolithic kernels that consists of hundreds of
    > third-party drivers that operate at the same privilege level as the rest of the kernel.

    Sounds like she wants the Hurd.

    • Re:The Hurd (Score:5, Insightful)

      by argent (18001) on Saturday July 18, 2009 @06:54PM (#28744089) Homepage Journal

      Microkernels that provide security boundaries between drivers have tended to have unacceptable levels of context switching in the kernel, so once you get past the theoretical stage and you're trying to push the performance to the point where you can compete with monolithic kernels... you're going to get rid of those boundaries.

      Microkernels should be seen as a design model for a kernel, an abstraction of the traditional real-time kernel to a broader application area. You shouldn't demand or expect a microkernel to have actual separate processes for each component any more than you should or would demand a TCP/IP stack actually implement separate code layers and call gates for each level of the network stack.

      • > Microkernels that provide security boundaries between drivers have tended to have
        > unacceptable levels of context switching in the kernel, so once you get past the
        > theoretical stage and you're trying to push the performance to the point where you
        > can compete with monolithic kernels... you're going to get rid of those boundaries.

        Yet you use virtualization.

        • Yet you use virtualization.

          I use virtualization where it's useful. I don't run my desktop under it, I don't use it where performance is critical. I use FreeBSD jails instead of virtual machines on my colo because they've got less overhead.

      • Blah blah blah, theoretically and all that.

        There's no benefit to a micro-kernel in these so-called ring -1 attacks. None.

        Feel free to read the debate [oreilly.com], or the previous Slashdot discussions [slashdot.org] or consider Linus' previous famous quote: Microkernels are like masturbation, it feels good but it doesn't accomplish anything.

        • There's no benefit to a micro-kernel in these so-called ring -1 attacks. None.

          You know, the really odd thing is that that's what I just said. Microkernels are not about security, they're about internal kernel API design. That's why Hurd and Mach suck, they're taking the API design guidelines and treating them as kernel architecture.

  • This is simple? (Score:3, Insightful)

    by westlake (615356) on Saturday July 18, 2009 @07:27PM (#28744235)

    She runs three separate virtual machines designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.

    Three operating systems to maintain. Three browsers. Three filing systems? Three PDF viewers?

    Where does it end?

    To me, the Zero Day exploit suggests that a random choice of OS, web browser and file viewer would make more sense.

    But the whole idea seems overly complex and dangerously fragile.

  • This idea of using VMs could make for some interesting security on laptops that have TPM chips:

    First, the laptop would be secured with BitLocker. This would provide two things, first, hardware and MBR tamper detection. Someone messes with the laptop while it's not attended, it won't boot and will ask for the recovery key. Second, BitLocker is transparent once it boots. No need to worry about an additional passphrase (though the recovery key should be kept someplace secure).

    The main OS here is mainly used just

  • Just because you're paranoid doesn't mean they aren't out to get you.

  • by not_hylas( ) (703994) on Saturday July 18, 2009 @11:47PM (#28745315) Homepage Journal

    She now realizes that Ken Thompson's paper:

    "Reflections on Trusting Trust"

    http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf [cmu.edu]

    - is the basis of ANY hardware firmware or re-flashing of hardware.

    I can't wait for next month and hopefully the bombshell we've been waiting for.
    Brilliant Joanna indeed.

    • I was waiting for someone to mention that :)

      I loved that paper. When I learned to write compilers in school they gave us this paper and a lecture on it. We then had an exercise on building our own hidden codes.

      Since then, I have learned the value of paranoia. I learned in that class (and have applied since) the concept that just because something *looks* secure doesn't mean that it is. It may just mean you're not looking at it properly.

      • by u38cg (607297)
        Someone somewhere (I stumbled across his website by accident) actually went and built a basic compiler in assembly from scratch and used it to bootstrap a compiler that could compile GCC; he also used an FPGA he'd designed himself to do it on. His compiled GCC and GNU stock GCC both output an identical GCC when compiling itself, so he concluded that the NSA is not in our programs, compiling our code. Now I just need to find the darned page again.
  • Bugs don't have to be undetectable, they just have to be a pain in the ass to remove, very difficult to stop up-front, and quick/easy to deploy their mischief. If those criteria are met, then with a zero-day exploit (these are published all the time), the bug could potentially hit maybe 20% of computers on the Internet successfully (Assume 80/20 rule for got the patch in time, etc.). How many more millions of machines do you need to infect and run your program on than 20% of the Internet?
