Security

Security Threats 3 Levels Beyond Kernel Rootkits

GhostX9 writes "Tom's Hardware has a long interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages). Many think that kernel rootkits are the most dangerous attacks, but Joanna and her team have been studying exploits beyond Ring 0 for some years. Joanna is most well known for the BluePill virtualization attack (Ring -1) and in this interview she chats a little bit about Ring -2 and Ring -3 attacks that go beyond kernel rootkits. What's surprising is how robust the classic BluePill proof-of-concept is: 'Many people tried to prove that BluePill is "detectable" by writing various virtualization detectors (but not BluePill detectors). They simply assumed that if we detect a virtualization being used, this means that we are "under" BluePill. This assumption was made because there were no products using hardware virtualization a few years ago. Needless to say, if we followed this way of reasoning, we might similarly say that if an executable makes network connections, then it must surely be a botnet.'" Rutkowska says that for her own security, "I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization." She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.
  • by mysidia ( 191772 ) on Saturday July 18, 2009 @06:48PM (#28744055)

    It's fine if you apply all security patches, utilize good firewall hardware, don't surf the web or run random untrusted executables on said win32 or win64 box.

    Or if you run said web surfing inside a robust sandbox.

  • Re:o.k. (Score:3, Interesting)

    by Repossessed ( 1117929 ) on Saturday July 18, 2009 @07:12PM (#28744171)

    Not to mention the cost of 3 OSes. And I'm not sure if MS can enforce this, but right now you have to buy the more expensive version of Vista according to the license agreement.

  • Re:Well... (Score:5, Interesting)

    by mlts ( 1038732 ) * on Saturday July 18, 2009 @07:28PM (#28744237)

    This is something I'm wondering. Perhaps the best thing would be for the "Red" machine to be completely rolled back when done using, and have a virtual share mapped for any data that is worth saving.

  • by fuzzyfuzzyfungus ( 1223518 ) on Saturday July 18, 2009 @07:30PM (#28744253) Journal
    "Most of the time the AV just dies with any half-decent virus infection"

    This is true. It is also a valuable feature.

    Not for the poor bastards at home, of course, it'll just make their descent into pop-up misery and a new computer from Best Buy even faster. Pretty much any centrally managed AV setup, though, makes it pretty easy to check whether or not AV is running on a given client. If you have a client where the AV won't stay up, you have excellent reasons to suspect that the OS is 0wn3d. You can then inspect further, or just pave and reimage, depending.

    Malware's habit of shoving an ice pick into the AV's neck at first opportunity is bad for nontechy home users; but it arguably makes that malware easier to detect in serious setups (if the AV can't detect the malware, which is likely, its bloody demise will be obvious enough to draw attention).
  • Re:Well... (Score:5, Interesting)

    by Zerth ( 26112 ) on Saturday July 18, 2009 @08:06PM (#28744379)

    That's what I've got on my setup now.

    After upgrading to a multi-core system where each had more processor and memory than my previous computer and noticing that 1 core was idle unless I was doing something CPU intensive, I virtualized my old machine and saved a snapshot just after bootup and opening a browser.

    Then I started using that in seamless mode instead of a browser. Every time I close it, not only is the browser history/cache/etc wiped, every possible change to the entire system is wiped.

    It doesn't run AV because that system just doesn't matter anymore. Instead of restarting my browser, I'm effectively wiping & re-installing whenever it feels laggy or "off".

    Perhaps it is a false sense of security, but as long as it is firewalled from the rest of the network and there isn't a "Neo" virus that can "escape the simulation", I feel safer than browsing on the host system with all the AV/noscript utilities running.

  • by Enleth ( 947766 ) <enleth@enleth.com> on Saturday July 18, 2009 @08:20PM (#28744429) Homepage

    Been there, done that, works great.

    A few years ago, I set up a bunch of thin clients for general browsing, chatting and homework at a school dorm - they were (were, as I have no idea if they're still in use, but they were absolutely maintenance-free, so I guess they should be) running Linux, with the kernel and boot config (generated on the fly) loaded from a read-only TFTP server and / mounted from a read-only NFS share. On each boot, the init scripts would finish generating a machine-specific configuration in /etc/ and mount a few ramfses on top of some directories using unionfs to give an illusion of a read-write filesystem. Then, upon login (LDAP authentication), the user's directory would be mounted from an individual password-protected Samba share (accessible from the users' personal computers as well), with the noexec attribute of course. /tmp/ and /var/ were also noexec. Upgrades to the client system were performed at the server, by chrooting into the exported root directory.

    Such a configuration is absolutely invulnerable to users, rootkits, viruses and any other riffraff known for breaking things in computers. Even in the unlikely event that someone gained root privileges on a client, they would actually gain nothing and even that nothing would vanish after a reboot.
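    An added example (written for this page, not the commenter's dorm scripts or any thin-client product's code) that checks a /proc/mounts table against the policy the post above describes: root mounted read-only, ramfs overlays on /tmp and /var, per-user home shares, and noexec on every writable area. It assumes nosuid and nodev alongside noexec (the usual companions, not something the post states), and the mount table and policy paths are constructed for the example.

```python
"""Check a /proc/mounts table against a locked-down thin-client mount policy.

Added example, not the commenter's scripts or any product's code. It models
the setup described above: root mounted read-only, ramfs overlays for /tmp
and /var, per-user network homes, all writable areas mounted noexec.
nosuid and nodev are required here as the usual companions of noexec;
that is this example's assumption, not the original configuration.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample in /proc/mounts format:
#   device mountpoint fstype options dump pass
# The /var/tmp line is deliberately missing the hardening options.
SAMPLE_MOUNTS = """\
server:/export/thinclient / nfs ro,vers=3,addr=10.0.0.5 0 0
none /etc unionfs rw,dirs=/ramfs/etc=rw:/etc=ro 0 0
ramfs /tmp ramfs rw,noexec,nosuid,nodev 0 0
ramfs /var ramfs rw,noexec,nosuid,nodev 0 0
//server/home/alice /home/alice cifs rw,noexec,nosuid,nodev,uid=1001 0 0
ramfs /var/tmp ramfs rw 0 0
"""

# Policy rules (assumed): an exact mountpoint, or a prefix when the key
# ends in "/", mapped to the options that mount must carry.
POLICY: Dict[str, Set[str]] = {
    "/": {"ro"},
    "/tmp": {"noexec", "nosuid", "nodev"},
    "/var": {"noexec", "nosuid", "nodev"},
    "/var/": {"noexec", "nosuid", "nodev"},   # anything mounted below /var
    "/home/": {"noexec", "nosuid", "nodev"},  # every per-user home share
}


def unescape(field: str) -> str:
    """/proc/mounts writes space, tab, newline and backslash as octal escapes."""
    # Decode the backslash escape last so an encoded backslash is not re-decoded.
    return (field.replace("\\040", " ").replace("\\011", "\t")
                 .replace("\\012", "\n").replace("\\134", "\\"))


def parse_mounts(text: str) -> List[Tuple[str, str, Set[str]]]:
    """Return (mountpoint, fstype, option set) for each well-formed line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; a production checker would report it
        _device, mountpoint, fstype, options = parts[:4]
        entries.append((unescape(mountpoint), fstype, set(options.split(","))))
    return entries


def required_for(mountpoint: str) -> Set[str]:
    """Union of every policy rule that applies to this mountpoint."""
    required: Set[str] = set()
    for pattern, options in POLICY.items():
        if pattern != "/" and pattern.endswith("/"):
            if mountpoint.startswith(pattern):
                required |= options
        elif mountpoint == pattern:
            required |= options
    return required


def check_mount_policy(text: str) -> List[Tuple[str, List[str]]]:
    """(mountpoint, sorted missing options) for each mount violating POLICY."""
    violations = []
    for mountpoint, _fstype, options in parse_mounts(text):
        missing = sorted(required_for(mountpoint) - options)
        if missing:
            violations.append((mountpoint, missing))
    return violations


if __name__ == "__main__":
    # On a live client: check_mount_policy(open("/proc/mounts").read())
    for mountpoint, missing in check_mount_policy(SAMPLE_MOUNTS):
        print(f"{mountpoint}: missing {','.join(missing)}")
```

    Run on a live client it reads /proc/mounts instead of the constructed sample; the point of the prefix rules is that a mount added later under /var or /home (the /var/tmp line in the sample) is caught even though nobody listed it explicitly.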

  • by Anonymous Coward on Saturday July 18, 2009 @08:22PM (#28744435)

    :-(
    http://www.rutkowska.yoyo.pl/ [rutkowska.yoyo.pl]

  • Re:Well... (Score:3, Interesting)

    by bill_kress ( 99356 ) on Saturday July 18, 2009 @08:27PM (#28744447)

    I was thinking something along this line--it would be nice to have a file system where all modifications were stored on a second partition on the hard disk and the primary partition was read-only (Preferably physically through a switch), including the boot sector.

    On every boot, the data in the "writable" partition is destroyed before the first write/read ever takes place.

    A specific command could copy changes over in order to update the writable partition. This would be done during the shutdown process and a list of all changes could be reviewed before flipping the switch to make your drive writable.

    For normal usage, such a system would be easy to use, the only difficulty would be when you wanted it updated, and even then it's not too bad. It is somewhat vulnerable when doing a "Save state" operation to a very specific targeted attack, but even this could be mitigated.

    (For instance, you could have to go through a full reboot and boot off the protected partition and have IT display the changes before actually copying them over to the protected drive. I think that would make it 100% secure if you knew how to review the change list properly)

    Anti-virus would also be pretty easily replaced by code that just analyzes the change list before you are able to update your main partition.

    I suppose there could even be a third partition that you could never run code off that could store cookies and stuff like that if you don't want to always lose your browser history. Might add a little hole for scripting, but still pretty close to 100% safe.
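    An added example (written for this page, not code from bill_kress's proposal, from the rollback-VM posts above, or from any product) of the "review the change list before committing" step: the base tree stands in for the protected partition, a separate overlay tree for the scratch partition, and the script lists exactly what a commit would apply and flags the entries a human should look at first. The whiteout marker, the flagged path prefixes and both sample trees are assumptions made for the example.

```python
"""Review the change list a scratch ("writable") layer collected before
committing it to a protected base image.

Added example, not code from the thread or any product. The base tree is
read-only, a session's writes land in a separate overlay tree, and before
anything is copied back an operator (or a script standing in for the A/V
step) inspects what changed. The whiteout marker, flagged prefixes and
sample trees are this example's assumptions.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Paths where any change deserves a human look before commit (assumed).
SYSTEM_PREFIXES = ("bin/", "sbin/", "lib/", "etc/", "boot/")
# aufs/unionfs-style deletion marker: overlay file ".wh.NAME" means
# "NAME was deleted from the base view".
WHITEOUT = ".wh."

# Constructed sample trees: relative path -> (contents, mode).
BASE_TREE: Dict[str, Tuple[bytes, int]] = {
    "bin/sh": (b"#!/bin/sh\n", 0o755),
    "etc/hosts": (b"127.0.0.1 localhost\n", 0o644),
    "home/user/notes.txt": (b"todo\n", 0o644),
    "home/user/old.txt": (b"stale\n", 0o644),
}
OVERLAY_TREE: Dict[str, Tuple[bytes, int]] = {
    "home/user/notes.txt": (b"todo\ndone\n", 0o644),           # ordinary edit
    "home/user/.cache/thumb": (b"junk", 0o644),                # harmless new file
    "home/user/.wh.old.txt": (b"", 0o644),                     # deletion marker
    "bin/sh": (b"#!/bin/sh\nexec /tmp/.d/sh \"$@\"\n", 0o755),  # system file replaced
    "tmp/.d/sh": (b"\x7fELF", 0o755),                          # new executable
}


@dataclass(frozen=True)
class Entry:
    digest: str  # sha256 of contents
    mode: int    # permission bits, including setuid/setgid


@dataclass(frozen=True)
class Change:
    path: str
    kind: str               # "added" | "modified" | "deleted"
    new: Optional[Entry]    # None for deletions
    flags: Tuple[str, ...]  # review findings; empty means nothing stands out


def snapshot(root: str) -> Dict[str, Entry]:
    """Hash every regular file below root, keyed by forward-slash relative path."""
    out: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and devices would need their own rules
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            out[rel] = Entry(digest, stat.S_IMODE(st.st_mode))
    return out


def review_flags(path: str, entry: Optional[Entry]) -> Tuple[str, ...]:
    """Cheap rules an operator would want applied before approving a commit."""
    flags = []
    if path.startswith(SYSTEM_PREFIXES):
        flags.append("system-path")
    if entry is not None:
        if entry.mode & (stat.S_ISUID | stat.S_ISGID):
            flags.append("setuid/setgid")
        elif entry.mode & 0o111:
            flags.append("executable")
    return tuple(flags)


def changelist(base_root: str, overlay_root: str) -> List[Change]:
    """Diff the overlay against the base: what a commit would actually apply."""
    base, overlay = snapshot(base_root), snapshot(overlay_root)
    changes: List[Change] = []
    for rel, entry in sorted(overlay.items()):
        parent, _, name = rel.rpartition("/")
        if name.startswith(WHITEOUT):
            target = f"{parent}/{name[len(WHITEOUT):]}" if parent else name[len(WHITEOUT):]
            if target in base:
                changes.append(Change(target, "deleted", None, review_flags(target, None)))
            continue
        if rel not in base:
            kind = "added"
        elif base[rel] != entry:
            kind = "modified"
        else:
            continue  # identical copy-up; nothing to commit
        changes.append(Change(rel, kind, entry, review_flags(rel, entry)))
    return changes


def needs_human_review(changes: List[Change]) -> List[Change]:
    return [c for c in changes if c.flags]


def materialize(tree: Dict[str, Tuple[bytes, int]], root: str) -> None:
    """Write a constructed sample tree to disk."""
    for rel, (data, mode) in tree.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        os.chmod(full, mode)


def run_demo() -> List[Change]:
    """Build both sample trees in a temp dir and return the change list."""
    with tempfile.TemporaryDirectory() as tmp:
        base, overlay = os.path.join(tmp, "base"), os.path.join(tmp, "overlay")
        materialize(BASE_TREE, base)
        materialize(OVERLAY_TREE, overlay)
        return changelist(base, overlay)


if __name__ == "__main__":
    for c in run_demo():
        print(f"{c.kind:8} {c.path}  {' '.join(c.flags)}")
```

    The sample is arranged so the legitimate edits (notes.txt, a cache file, a deleted old file) come through with no flags, while the replaced bin/sh and the new executable under tmp/ are the two entries needs_human_review() returns; that ordering is what lets a short review of the list stand in for a scanner, as the post suggests.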

  • by PNutts ( 199112 ) on Saturday July 18, 2009 @08:41PM (#28744507)

    The vast majority of attacks out there are simple programs that install in the OS. They are not some uber VM root kits or the like. As such, a virus scanner running in the OS is perfectly capable of dealing with them. So no, it doesn't give you 100% defense but I bet it stops 99.99% of the attacks out there and that is worth something.

    Absolutely agree. It's nice that she has a throwaway image because it isn't possible to protect herself from her definition of the critical threats, but those aren't the threats I'm necessarily worried about. My A/V keeps (among other things) the script kiddies out who do things that pi$$ me off and cause me to react. The bad guys/girls can have anything on my system which is why they probably won't bother with me. I'm wondering how much crap her system spews the day before she decides (la la la) to reimage. That's the stuff that's going after me.

  • Re:o.k. (Score:5, Interesting)

    by Runaway1956 ( 1322357 ) on Saturday July 18, 2009 @08:51PM (#28744561) Homepage Journal

    You're serious, right? Let's assume that I have one copy of WinXP - or, Win7, legally licensed. I install a *nix as my primary OS, create a VM using VirtualBox, and I'm legal, so far, right? Get the VM all updated, then clone it 99 times. Suddenly, I'm illegal, right? But, all 99 machines are being used INSIDE of ONE BOX!!! I use one machine to browse the darknet, another machine to do torrenting, another to do my banking, one for general browsing, and one just to test malware on. The rest I may or may not ever fire up for some reason that I haven't thought of yet.

    So, how much should I mail to Microsoft for all of my VMs?

    Say, can I bum a dollar?

  • by Ilgaz ( 86384 ) on Saturday July 18, 2009 @09:01PM (#28744625) Homepage

    I understand the DEP (data execution prevention) enabled processors weren't common back in Windows XP days, but what is the deal with Windows 7, even the 64-bit version? Why wouldn't MS enable it by default, as it is said to prevent very serious attacks at the CPU level, without slowing down the system at all?

    While there are no real viruses on OS X yet, I try to prepare machines for a "no AV needed even while viruses exist" configuration just like you, with a couple of extra admin prompts, that is all, but I don't follow the Windows scene too much.

    After enabling DEP, I even gamed on Windows 7 64-bit (the game is even running under win2k compatibility) and I haven't seen anything bad happen. I remember some stupid HP driver on another machine crashed because of DEP, but that was all; the error message was really informative too.

    So, do they disable it to make a couple of badly written software owners happy while 99% would benefit from it?

    BTW, this is what DEP is:
    http://en.wikipedia.org/wiki/Data_execution_prevention [wikipedia.org]

  • by EdIII ( 1114411 ) * on Saturday July 18, 2009 @09:53PM (#28744883)

    I'm wondering how much crap her system spews the day before she decides (la la la) to reimage.

    That bothered me too. My VM does not commit any changes when I close it down, which I do at least twice a day.

    ALSO, running everything through a proxy helps too.

  • Re:Well... (Score:1, Interesting)

    by Anonymous Coward on Saturday July 18, 2009 @11:10PM (#28745187)

    I looked at XPe and that functionality. However, I don't think Microsoft intended for it to directly protect against malware, but more to be able to redirect writes to a better space for embedded devices. I'm almost certain that a malware author who gets a copy of XPe or WinFLP could disable the redirects, or at least write the changes wanted directly to the system volume.

    Utilities like DeepFreeze are better at preventing malware from writing, but because both DeepFreeze and the malware will have the same access permissions, it's a matter of who has the more clever programming to ensure the other program isn't able to do its function.

    Ideally, the best way to enforce that changes get dropped after a reboot is a hardware card like HDD Sheriff (although the current offering doesn't seem to support any Windows version newer than XP). After that is a hardened hypervisor that can roll back to a known clean snapshot.

  • by not_hylas( ) ( 703994 ) on Saturday July 18, 2009 @11:47PM (#28745315) Homepage Journal

    She now realizes that Ken Thompson's paper:

    "Reflections on Trusting Trust"

    http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf [cmu.edu]

    - is the basis of ANY hardware firmware or re-flashing of hardware.

    I can't wait for next month and hopefully the bombshell we've been waiting for.
    Brilliant Joanna indeed.

  • by Anonymous Coward on Sunday July 19, 2009 @02:17AM (#28745977)

    Exactly. Although you have to design it from the attacker's perspective (Red Team it). I use a multilayer defense structure here with tight-fast routines watching the most common vectors while global/realtime scanners, which operate more slowly, are targeted at the other vectors, but deployed in depth. All in all, I'm seeing a 3-4% processor utilization and that's without running everything through a virtual IDS/IPS/firewall appliance on another machine. That, and other measures, is reserved for when the Chinese or North Koreans are coming. LOL!

    That's on top of rational user practices applied especially to myself, {Excepting the idiotic idea of trying to operate Windows with restricted user access.} For a period of over fifteen years I was responsible for maintaining the sanctity of the downloads in more than a few fora over on Compu$erve. I saw a lot of infected files both in uploads and from various sites, downloads, and channels. Infections: two, and both of those were on the Amiga. Never on my PCs. Given that one way I use to disinfect machines (hard drives) is via a PC test bed here, keeping all of my machines infection free is very important, but not critical as restoration from an image is a piece of cake.

    We each have our own approaches to the problem of infowar/infocrime. One thought though. If we all used the same techniques, wouldn't that set us up for a larger fall?

  • by salesgeek ( 263995 ) on Sunday July 19, 2009 @07:39AM (#28746909) Homepage

    As such, a virus scanner running in the OS is perfectly capable of dealing with them.
    Antivirus works after code has been sent to the computer or while it's sent using a limited set of known methods. For many exploits, code runs before antivirus gets a crack at stopping it. That's why Symantec's David Hall said "If you are relying solely on antivirus ... you are not getting the protection you need." [blogspot.com]. The issue is that antivirus gives a user a very false sense of security because it works well enough most of the time.

    A virus scanner in the OS can stop that. It can scan the program coming in, before it has a chance to run, and block it.
    Not so much. Sure, if it's a file download that the virus scanner knows about (that's an issue right there). Not at all if it's a browser, OS or network stack exploit. And that is how many modern threats are moving - and increasingly so - and it's probably because antivirus works well enough to require a little more unconventional attack.

    Regardless, I've got to agree that for non security experts, virus scanners are something you should have. For security experts, I'm not sure they provide all that much value.

  • Re:Well... (Score:3, Interesting)

    by Tenebrousedge ( 1226584 ) <.tenebrousedge. .at. .gmail.com.> on Sunday July 19, 2009 @10:55AM (#28747727)

    I bought it with linux preinstalled, so none. Sorry :(
