Comments: 264 +- IT: Security Threats 3 Levels Beyond Kernel Rootkits on Saturday July 18, @05:19PM
Posted
by
kdawson
on Saturday July 18, @05:19PM
from the close-to-the-machine dept.
from the close-to-the-machine dept.
GhostX9 writes "Tom's Hardware has a long interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages). Many think that kernel rootkits are the most dangerous attacks, but Joanna and her team have been studying exploits beyond Ring 0 for some years. Joanna is most well known for the BluePill virtualization attack (Ring -1) and in this interview she chats a little bit about Ring -2 and Ring -3 attacks that go beyond kernel rootkits. What's surprising is how robust the classic BluePill proof-of-concept is: 'Many people tried to prove that BluePill is "detectable" by writing various virtualization detectors (but not BluePill detectors). They simply assumed that if we detect a virtualization being used, this means that we are "under" BluePill. This assumption was made because there were no products using hardware virtualization a few years ago. Needless to say, if we followed this way of reasoning, we might similarly say that if an executable makes network connections, then it must surely be a botnet.'" Rutkowska says that for her own security, "I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization." She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.
Related Stories
Imitation is the sincerest form of television.
-- Fred Allen
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.
huh? (Score:5, Insightful)
I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization.
This seems a touch... idiotic. I could see how it could offer more. AND I don't see how it could offer less.
For what its worth, I don't use an A/V product either.
And Like her, I also have a "pretty reasonable setup" and a dose of "common sense". But I'm still balancing the increased responsiveness and hassle-free experience vs the extra security. Its a trade-off that's worth it to me, but I recognize that it is still a trade-off.
I have to agree it is idiotic (Score:5, Insightful)
It is idiotic for three reasons:
1) The vast majority of attacks out there are simple programs that install in the OS. They are not some uber VM root kits or the like. As such, a virus scanner running in the OS is perfectly capable of dealing with them. So no, it doesn't give you 100% defense but I bet it stops 99.99% of the attacks out there and that is worth something.
2) Even in the case of low level root kits, they still have to get to your system in the first place. That in general means they have to get downloaded form the net or transferred from a CD or flash drive. Guess what? A virus scanner in the OS can stop that. It can scan the program coming in, before it has a chance to run, and block it. Even if the program would set itself up on a level below what the scanner could detect, the scanner can notice it as it is coming in before it can execute and do that.
3) Defense in depth is ALWAYS a good idea. In the real, physical, world you have to accept that no security is unbreakable. Anything you can make another person can unmake or circumvent. Thus security does not come from having one impassable layer, it comes from having multiple layer of different kinds. Should one layer be bypassed, security over all is not compromised. Well, a virus scanner on the system is another layer. Should be the only layer, but it helps.
Personally, I've never been impressed with her as a security researcher. She seems to be rather paranoid, and living in a theoretical world. In part this is because for all the chatter about Blue Pill, I haven't seen it made practical. Oh sure you can talk about an undetectable super rootkit on paper but does it actually work in the real world? VMWare doesn't think it would, and they do know more than a bit about virtualization.
I'm not saying this isn't an interesting line of academic research, but I'm getting tired of the "OMG I can own any system and not be detected!" doomsaying. No, really, not the case it seems.
Parent
Re: (Score:3, Interesting)
The vast majority of attacks out there are simple programs that install in the OS. They are not some uber VM root kits or the like. As such, a virus scanner running in the OS is perfectly capable of dealing with them. So no, it doesn't give you 100% defense but I bet it stops 99.99% of the attacks out there and that is worth something.
Absolutely agree. It's nice that she has a throwaway image because it isn't possible to proect herself from her definition of the critical threats, but those aren't the threats I'm necessarily worried about. My A/V keeps (among other things) the script kiddies out who do things that pi$$ me off and cause me to react. The bad guys/girls can have anything on my system which is why they probably won't bother with me. I'm wondering how much crap her system spews the day before she decides (la la la) to reimag
Re: (Score:3, Interesting)
That bothered me too. My VM does not commit any changes when I close it down, which I do at least twice a day.
ALSO, running everything through a proxy helps too.
Re:I have to agree it is idiotic (Score:5, Insightful)
2) Even in the case of low level root kits, they still have to get to your system in the first place. That in general means they have to get downloaded form the net or transferred from a CD or flash drive. Guess what? A virus scanner in the OS can stop that. It can scan the program coming in, before it has a chance to run, and block it. Even if the program would set itself up on a level below what the scanner could detect, the scanner can notice it as it is coming in before it can execute and do that.
This is the malware arms race. The first entity to hit the system and know the second entity's tricks wins. Malware can completely gut antivirus. In theory, it can completely and undetectably emasculate it. (In reality, it doesn't.) Antivirus programs can detect malware and stop them -- provided they know what to look for. Knowing what to look for is harder than it sounds. You can use signature scanning to find really trivial attacks, or very fancy signature scanning to find less-trivial but still enumerated attacks. Only behavioral controls will stop novel attacks, and you need to know what behaviors to stop. Simply stopping anything that might possibly be used to get control the system will leave you with a nonfunctioning system.
Bear in mind that there's anywhere from a few days to a week, at least, before an antivirus database incorporates a new malware signature. If the malware can disable the antivirus (or its update), what's the risk in a one-week window?
Parent
Re: (Score:3, Interesting)
As such, a virus scanner running in the OS is perfectly capable of dealing with them. ... you are not getting the protection you need." [blogspot.com]. The issue is that antivirus gives a user a very false sense of security because it works good enough most of
Antivirus works after code has been sent to the computer or while it's sent using a limited set of known methods. For many exploits, code runs before antivirus gets a crack at stopping it. That's why Symantec's David Hall said "If you are relying solely on antivirus
Re:I have to agree it is idiotic (Score:4, Informative)
If your AV software screws over your system, then get a better one. NOD32 is exceedingly fast and thus low impact on system resources. Also, with any good one, like NOD, you can configure what it scans so you don't have to scan everything if you don't want to.
Parent
Re:I'm suspicious (Score:4, Insightful)
Third party testing, that's how. VB100 would be a big one, but there are others. Various companies test virus scanners and see how they do. That is, in fact, the only way to know how well they work. Having the code open does nothing. You can look at the source and it doesn't tell you how well the thing actually works against threats.
Indeed the only OSS AV software I've aware of, CalmAV, does a pathetic job. The reason may be in part due to the way it is written but more because it doesn't have a good database of signatures. That is what really makes or breaks a detection program. There is no way to write heuristics to find everything. This is not only because there are no universally "bad" actions to look for but also because if you look for only certain behavior, the virus writers will write to avoid that. So the real way detection is done is via signatures. Viruses are analyzed and a database of them is updated on a daily basis (sometimes more often).
ClamAV just doesn't have a good, up to date database and thus misses a lot. NOD32 does, and thus misses little if anything. That the code is open doesn't mean a damn thing. Open or closed, you have to actually test it in an operating environment to see how it works and the answer is NOD32 works well, Clam does not.
Parent
Re: (Score:3, Informative)
It wasn't the oldest or the newest cracks. The cracks I'm using right now (almost literally; I quit Simcity 4 less than two minutes ago) certainly weren't identified.
My understanding of the false positives in no-CD checks is that they are UPX false positives. Avira defaults to not go off on every packed executable. It found actual viruses in the no-CD check patches it removed. One of them was one I downloaded which was a current version, and one wasn't. The perils of removing protection...
Re: (Score:3, Funny)
Re:huh? (Score:5, Insightful)
Think of it this way. Antivirus software is like the Marginot Line. It will keep out most invaders. But the really threatening ones will simply drive around it and disable it from the inside.
Her setup is more like a fortress filled with cruise missiles that can be launched with lots of advanced warning of attack.
Both have costs. One is more effective than the other. So, saying that something expensive and incomplete like the Marginot Line provides increased security may be technically true, but it's kind of a moot point.
Parent
Why does DEP come disabled in Win 7? (Score:4, Interesting)
I understand the DEP (data execution prevention) enabled processors weren't common back in Windows XP days but what is the deal with Windows 7 even 64bit version? Why wouldn't MS enable it by default as it is said to prevent very serious attacks on CPU level, without slowing down the system at all?
While there are no real viruses on OS X yet, I try to prepare machines for "no AV needed even while viruses exist" configuration just like you with couple of extra admin prompts, that is all but I don't follow Windows scene too much.
After enabling DEP, I even gamed on Windows 7 64bit (game is even running under win2k compatibility) and I haven't seen anything bad happen. I remember some stupid HP driver on another machine crashed because of DEP but that was all, the error message was really informative too.
So, do they disable it to make couple of badly written software owners happy while 99% would benefit from it?
BTW, this is what DEP is
http://en.wikipedia.org/wiki/Data_execution_prevention [wikipedia.org]
Parent
Paranoid and delusional (Score:3, Insightful)
Running three separate VMs is not only a sign of paranoia but also a delusion that as a person functioning in todays world you can realistically have so much control over information that with enough effort you can control your own security in all regards, or even that you can control it to the extent necessary to protect yourself from common threats.
Put aside for a moment that she's a security researcher and that probably invites more attacks than the rest of us face. There are a number of flaws readily ap
Well... (Score:5, Insightful)
She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.
And in the article:
I totally don't care about a compromise of my "Red" machine--in fact I revert it to a known snapshot every week or so. I care much more about my "Yellow" machine. For example, I use NoScript in a browser I have there to only allow scripting from the few sites that I really want to visit (few online shops, blogger, etc). Sure, somebody might do a man-in-the-middle (MITM) attack against a plaintext HTTP connection that is whitelisted by NoScript and inject some malicious drive-by exploit, but then again, Yellow machine is only semi-sensitive and there would not be a big tragedy if somebody stole the information from it. Finally, the "Green" machine should be allowed to do only HTTPS connections to only my banking site.
And as long as your bank is never hacked and serving up malware [youtube.com], that probably works well...
Re: (Score:3, Informative)
That's what the noscript is for. It does more than just blocking javascript these days.
Re:Well... (Score:4, Insightful)
If you have already set noscript to allow your bank's site (required for most banks), and that site has been hacked, how does that protect you?
Parent
Re: (Score:3, Insightful)
You can whitelist, you can blacklist, you can disable JS entirely, or you can live with not having that layer of security.
I suspect you need to actually use noscript and dig through the options before making that pronouncement. You can, for example, have all scripting from the top-level site be allowed by default. I don't recommend that for your porn browsing, but it should work on most other sites.
In terms of having a relatively secure JS-enabled browsing experience, NoScript is about as good as you can ge
Re: (Score:3, Interesting)
I bought it with linux preinstalled, so none. Sorry :(
Re:Well... (Score:5, Interesting)
This is something I'm wondering. Perhaps the best thing would be for the "Red" machine to be completely rolled back when done using, and have a virtual share mapped for any data that is worth saving.
Parent
Re:Well... (Score:5, Interesting)
That's what I've got on my setup now.
After upgrading to a multi-core system where each had more processor and memory than my previous computer and noticing that 1 core was idle unless I was doing something CPU intensive, I virtualized my old machine and saved a snapshot just after bootup and opening a browser.
Then I started using that in seamless mode instead of a browser. Every time I close it, not only is the browser history/cache/etc wiped, every possible change to the entire system is wiped.
It doesn't run AV because that system just doesn't matter anymore. Instead of restarting my browser, I'm effectively wiping & re-installing whenever it feels laggy or "off".
Perhaps it is a false sense of security, but as long as it is firewalled from the rest of the network and there isn't a "Neo" virus that can "escape the simulation", I feel safer than browsing on the host system with all the AV/noscript utilities running.
Parent
Re: (Score:3, Interesting)
I was thinking something along this line--it would be nice to have a file system where all modifications were stored on a second partition on the hard disk and the primary partition was read-only (Preferably physically through a switch), including the boot sector.
On ever boot, the data in the "writable" partition is destroyed before the first write/read ever takes place.
A specific command could copy changes over in order to update the writable partition. This would be done during the shutdown process and a
Re:Well... (Score:5, Informative)
Already exists for windows: http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx [microsoft.com]
And it's free.
Parent
Why? (Score:5, Funny)
"...interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages)"
Why oh why did they split Joanna into 9 pages?! Thats so cruel!
Also, First Post
Re:Why? (Score:5, Funny)
Parent
Three Separate Virtual Machines (Score:4, Funny)
There's careful, there's paranoid, and there's three separate virtual machines.
security is ... (Score:4, Funny)
The Hurd (Score:2)
> The problem is, however, that all current popular OSes, like Vista, Mac OS X, or even
> Linux, do not provide a decent isolation to its applications. This is primarily a result
> of all those systems using big monolithic kernels that consists of hundreds of
> third-party drivers that operate at the same privilege level as the rest of the kernel.
Sounds like she wants the Hurd.
Re:The Hurd (Score:5, Insightful)
Microkernels that provide security boundaries between drivers have tended to have unacceptable levels of context switching in the kernel, so once you get past the theoretical stage and you're trying to push the performance to the point where you can compete with monolithic kernels... you're going to get rid of those boundaries.
Microkernels should be seen as a design model for a kernel, an abstraction of the traditional real-time kernel to a broader application area. You shouldn't demand or expect a microkernel to have actual separate processes for each component any more than you should or would demand a TCP/IP stack actually implement separate code layers and call gates for each level of the network stack.
Parent
It would help if you read what I posted (Score:3, Insightful)
There's no benefit to a micro-kernel in these so-called ring -1 attacks. None.
You know, the really odd thing is that that's what I just said. Microkernels are not about security, they're about internal kernel API design. That's why Hurd and Mach suck, they're taking the API design guidelines and treating them as kernel architecture.
This is simple? (Score:3, Insightful)
She runs three separate virtual machines designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.
Three operating systems to maintain. Three browsers. Three filing systems? Three PDF viewers?
Where does it end?
To me, the Zero Day exploit suggests that a random choice of OS, web browser and file viewer would make more sense.
But the whole idea seems overly complex and dangerously fragile.
Three Levels And Beyond (Score:4, Interesting)
She now realizes that Ken Thompson's paper:
"Reflections on Trusting Trust"
http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf [cmu.edu]
- is the basis of ANY hardware firmware or re-flashing of hardware.
I can't wait for next month and hopefully the bombshell we've been waiting for.
Brilliant Joanna indeed.
Re:o.k. (Score:5, Informative)
When 4 cores and several gigs of ram are available in inexpensive off-the-shelf systems, and VM software is freely available and easier to deploy, paranoid levels of security become more and more practical.
Parent
Re: (Score:3, Interesting)
Not to mention the cost of 3 OSes. And I'm not sure if MS can enforce this, but right now you have to buy the more expensive version of Vista according to the license agreement.
Re:o.k. (Score:5, Funny)
Parent
Re: (Score:3, Funny)
Re:o.k. (Score:5, Interesting)
You're serious, right? Let's assume that I have one copy of WinXP - or, Win7, legally licensed. I install a *nix as my primary OS, create a VM using VirtualBox, and I'm legal, so far, right? Get the VM all updated, then clone it 99 times. Suddenly, I'm illegal, right? But, all 99 machines are being used INSIDE of ONE BOX!!! I use one machine to browse the darknet, another machine to do torrenting, another to do my banking, one for general browsing, and one just to test malware on. The rest I may or may not ever fire up for some reason that I haven't thought of yet.
So, how much should I mail to Microsoft for all of my VM's?
Say, can I bum a dollar?
Parent
Re: (Score:3, Informative)
Virtualbox doesn't run on "*nix", so the simplicity of your example is misleading. Windows, Linux, Macintosh and OpenSolaris are the only supported operating systems. The guest OS support is similarly limited.
Hang on, suddenly MacOSX, linux and OpenSolaris are not *nix?
MacOSX is registered Unix 03, OpenSolaris is based on System V Unix and Linux is a non registered Unix clone. Which of those don't you consider *nix? The ones without nix on the end (which leaves Linux) or the ones that aren't Unix (which at least leaves MacOSX)?
You could also throw FreeBSD into the mix which is similar to Linux in that it conforms to many of the same standards without being registered as Unix, there is an experimental version of
Re:o.k. (Score:5, Insightful)
Parent
Re:o.k. (Score:5, Insightful)
Most of your time IS worth nothing. But people are too arrogant to admit it.
Parent
Re: (Score:3)
Most of your time IS worth nothing. But people are too arrogant to admit it.
My time is highly valuable. To me that is. I could care less if it's valuable to you or anyone else. I don't feel that is arrogance. If I don't value my own time, how can I appreciate/value other folks time? Or who would value my time if I don't value it myself first?
Re: (Score:3, Insightful)
I guess it's true that what you don't know can't hurt you.
I'm not sure I agree with that one. Plenty of stuff has bitten me in the ass regardless of whether I knew anything about it.
It's like being a cop and having a teen daughter. Knowing all the dangers out there you can't just let her go to this one party, can't you?
You can't shelter your kids forever; you have to build stronger, better kids and trust they can deal with the world when it is time ( Believe me, I know - I'm there right now).
In the same way, putting thought and care into building a robust, secure computer system pays dividends when it has to deal with the real world.
I guess that's why she's so paranoid about it.
She sounds like a contractor I knew who completely overbuilt his
Re:o.k. (Score:5, Funny)
I guess it's true that what you don't know can't hurt you.
Okay, so, you're walking through your house, right? And you think, "I know, I think I'll make some pancakes", so you go to the kitchen. But what you don't know is there's an ANGRY GRIZZLY BEAR in your cupboard next to the flour.
Parent
Re:o.k. (Score:5, Funny)
Okay so at my school we have faculty advisers that are assigned to students according to their last names. The faculty advisers help students with scheduling conflicts, general questions, help with internships/employment, etc. My adviser is named Jess Depew and she's pretty hot. I don't have a picture that could do her justice at the moment. She's like 25 and she's only been at the school a few years. Anyway, I have been looking into getting an internship at a TV station or something over the summer, and the school helps coordinate these things with an internship database that's maintained by the advisers. You log on with your school ID and password and you can browse internships and stuff. I was having trouble logging on to mine so I went to go see Ms. Depew. That's where all the trouble started.
Firstly, I walked into office like 15 minutes early like an idiot and she's in the middle of lunch. So I awkwardly make stupid stall talk until she's finished.
"Oh, hey, what are you eating?"
"Salmon. I love it. I eat it practically everyday."
"Just salmon? That's pretty weird." Why the hell did I say this?
"Oh, well, I don't know. I try to eat healthy, natural foods...you know, like wild berries and honey and stuff."
"Yeah, I like food too." *facepalm*
Man, I was so nervous. Anyway, we finally begin squaring my stuff away. She looks up what I registered with in the beginning of the year. This is when the crap really hit the fan. This is how the conversation went:
"Okay, your account name is [my name] and your password is ...'depewissexy'..."
Oh damn. I completely forgot that I put that as my password in the beginning of the year. What the hell was I thinking? It was probably the longest 20 seconds of my life before I finally got my balls together to stand up and leave. Just as I walk out the door she says,
"In the future, you might want to bear in mind what kind of things you want keep to yourself."
I was so freaking embarrassed I wanted to kill myself right then and there. I wanted to run the hell out of there and never, ever see her again. But something about what she just said kept me standing in her doorway. I decided to man up and apologize. I turned to her, looked her straight in the eyes, and swallowed my pride. And then, it hit me like a train full of bricks.
She was eating Salmon.
She tries to eat all healthy, natural foods, like wild berries and honey.
She told me that I might want to bear in mind what kind of things I want to keep to myself.
Ms. Depew was a bear disguised as a human.
Immediately, the bear saw that I had seen through its charade. It roared loudly and took a menacing swipe at me. I deftly avoided its claw and sprinted out of the office. The bear was soon in chase, crashing through the walls of the office as if they were made of paper. I jumped over the receptionist desk and ran out the back entrance. The bear followed, tossing the secretary aside like a rag doll. The bear began to pursue me through the street traffic. While I fought my way through the maze of vehicles, the bear simply careened its massive force through anything standing in its way. Cars veered off the road to escape the onslaught of grizzly force that was barreling down the road. The bear was gaining fast. I had no other option but to make my way into the nearest building: a preschool. I burst through the door, startling the children from their naps. Immediately, the bear slammed through the wall, crushing a child beneath his massive paws and burying several other children in sheet rock and debris. I maneuvered my way through the chaos towards the back exit. The pre-schoolers were little more than a screaming annoyance for the bear. Its massive paws cut swaths through the sea of toddlers with each swipe. I used the precious time these children had afforded for me to make my escape into the playground. I scrambled up a ladder to a fort-like structure. My goal was to walk across the monkey bars then jump to a tree which I could climb
Parent
Re: (Score:3, Funny)
Re: (Score:2, Interesting)
It's fine if you apply all security patches, utilize good firewall hardware, don't surf the web or run random untrusted executables on said win32 or win64 box.
Or if you run said web surfing inside a robust sandbox.
Re:You don't use A/V? Are you insane? (Score:4, Interesting)
This is true. It is also a valuable feature.
Not for the poor bastards at home, of course, it'll just make their descent into pop-up misery and a new computer from best buy even faster. Pretty much any centrally managed AV setup, though, makes it pretty easy to check whether or not AV is running on a given client. If you have a client where the AV won't stay up, you have excellent reasons to suspect that the OS is 0wn3d. You can then inspect further, or just pave and reimage, depending.
Malware's habit of shoving an ice pick into the AV's neck at first opportunity is bad for nontechy home users; but it arguably makes that malware easier to detect in serious setups(if the AV can't detect the malware, which is likely, its blood demise will be obvious enough to draw attention).
Parent
Re: (Score:3, Funny)
I'd be careful. She doesn't use AV.
Re:Better solution: read only media (Score:5, Interesting)
Been there, done that, works great.
A few years ago, I set up a bunch of thin clients for general browsing, chatting and homework at a school dorm - they were (were, as I have no idea if they're still in use, but they were absolutely maintenance-free, so I guess they should be) running Linux, with the kernel and boot config (generated on the fly) loaded from a read-only TFTP server and / mounted from a read-only NFS share. On each boot, the init scripts would finish generating a machine-specific configuration in /etc/ and mount a few ramfses on top of some directories using unionfs to give an illusion of a read-write filesystem. Then, upon login (LDAP authentication), the user's directory would be mounted from an individual password-protected Samba share (accessible from the users' personal computers as well), with the noexec attrubite of course. /tmp/ and /var/ were also noexec. Upgrades to the client system were performed at the server, by chrooting into the exported root directory.
Such a configuration is absolutely invulnerable to users, rootkits, viruses and any other riffraff known for breaking things in computers. Even in the unlikely event that someone gained root privileges on a client, they would actually gain nothing and even that nothing would vanish after a reboot.
Parent
Re: (Score:3, Insightful)
And what about those BIOS/EFI[1] firmware-based hypervisor rootkits? If someone is able to gain root access in a given system that is somehow "vulnerable" in such way that a permanent EFI (or similar) rootkit can installed, then you'll be fucked even with the read-only media and all.
Speaking of which, I don't understand why manufacturers are so eagerly adding all this new intelligence into the firmware. What do we need it for anyway? IMO it would be so much simpler from security perspective, if the OS would
Re: (Score:3, Informative)
Very strange... why would someone become transgendered and then turn lesbian?
You don't 'become' trans-gendered. Current medical opinion is that it's a brain structure thing you're born with.
And you wouldn't 'turn' lesbian either, typically you would be born with the tendency to be oriented towards men/women/both.
Gender identity (whether you 'feel' that you are male or female) and sexual orientation (whether you are attracted to men or women or both) are separate issues. It's not a question of 'what is easie