
Security Threats 3 Levels Beyond Kernel Rootkits 264

GhostX9 writes "Tom's Hardware has a long interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages). Many think that kernel rootkits are the most dangerous attacks, but Joanna and her team have been studying exploits beyond Ring 0 for some years. Joanna is most well known for the BluePill virtualization attack (Ring -1) and in this interview she chats a little bit about Ring -2 and Ring -3 attacks that go beyond kernel rootkits. What's surprising is how robust the classic BluePill proof-of-concept is: 'Many people tried to prove that BluePill is "detectable" by writing various virtualization detectors (but not BluePill detectors). They simply assumed that if we detect a virtualization being used, this means that we are "under" BluePill. This assumption was made because there were no products using hardware virtualization a few years ago. Needless to say, if we followed this way of reasoning, we might similarly say that if an executable makes network connections, then it must surely be a botnet.'" Rutkowska says that for her own security, "I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization." She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.
This discussion has been archived. No new comments can be posted.

  • huh? (Score:5, Insightful)

    by vux984 ( 928602 ) on Saturday July 18, 2009 @06:32PM (#28743977)

    I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization.

    This seems a touch... idiotic. I could see how it could offer more. AND I don't see how it could offer less.

    For what it's worth, I don't use an A/V product either.

    And like her, I also have a "pretty reasonable setup" and a dose of "common sense". But I'm still balancing the increased responsiveness and hassle-free experience vs the extra security. It's a trade-off that's worth it to me, but I recognize that it is still a trade-off.

  • Well... (Score:5, Insightful)

    by afabbro ( 33948 ) on Saturday July 18, 2009 @06:32PM (#28743983) Homepage

    She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.

    And in the article:

    I totally don't care about a compromise of my "Red" machine--in fact I revert it to a known snapshot every week or so. I care much more about my "Yellow" machine. For example, I use NoScript in a browser I have there to only allow scripting from the few sites that I really want to visit (few online shops, blogger, etc). Sure, somebody might do a man-in-the-middle (MITM) attack against a plaintext HTTP connection that is whitelisted by NoScript and inject some malicious drive-by exploit, but then again, Yellow machine is only semi-sensitive and there would not be a big tragedy if somebody stole the information from it. Finally, the "Green" machine should be allowed to do only HTTPS connections to only my banking site.

    And as long as your bank is never hacked and serving up malware, that probably works well...

  • by mysidia ( 191772 ) on Saturday July 18, 2009 @06:49PM (#28744069)

    What happens when one of those kernel modules contains a security bug, that allows a malicious virtual machine driver to run arbitrary code on the host OS?

    Or a security exploit is found that defeats the security of hardware-assisted virtualization.

  • Re:o.k. (Score:5, Insightful)

    by NotBornYesterday ( 1093817 ) * on Saturday July 18, 2009 @06:53PM (#28744083) Journal

    Time is only one half of the equation. What are your privacy and security worth?

  • Re:The Hurd (Score:5, Insightful)

    by argent ( 18001 ) on Saturday July 18, 2009 @06:54PM (#28744089) Homepage Journal

    Microkernels that provide security boundaries between drivers have tended to have unacceptable levels of context switching in the kernel, so once you get past the theoretical stage and you're trying to push the performance to the point where you can compete with monolithic kernels... you're going to get rid of those boundaries.

    Microkernels should be seen as a design model for a kernel, an abstraction of the traditional real-time kernel to a broader application area. You shouldn't demand or expect a microkernel to have actual separate processes for each component any more than you should or would demand a TCP/IP stack actually implement separate code layers and call gates for each level of the network stack.

  • Re:Well... (Score:4, Insightful)

    by Sponge Bath ( 413667 ) on Saturday July 18, 2009 @07:02PM (#28744123)

    If you have already set noscript to allow your bank's site (required for most banks), and that site has been hacked, how does that protect you?

  • by Sycraft-fu ( 314770 ) on Saturday July 18, 2009 @07:10PM (#28744161)

    It is idiotic for three reasons:

    1) The vast majority of attacks out there are simple programs that install in the OS. They are not some uber VM root kits or the like. As such, a virus scanner running in the OS is perfectly capable of dealing with them. So no, it doesn't give you 100% defense but I bet it stops 99.99% of the attacks out there and that is worth something.

    2) Even in the case of low level root kits, they still have to get to your system in the first place. That in general means they have to get downloaded from the net or transferred from a CD or flash drive. Guess what? A virus scanner in the OS can stop that. It can scan the program coming in, before it has a chance to run, and block it. Even if the program would set itself up on a level below what the scanner could detect, the scanner can notice it as it is coming in before it can execute and do that.

    3) Defense in depth is ALWAYS a good idea. In the real, physical, world you have to accept that no security is unbreakable. Anything you can make another person can unmake or circumvent. Thus security does not come from having one impassable layer, it comes from having multiple layers of different kinds. Should one layer be bypassed, security overall is not compromised. Well, a virus scanner on the system is another layer. Should be the only layer, but it helps.

    Personally, I've never been impressed with her as a security researcher. She seems to be rather paranoid, and living in a theoretical world. In part this is because for all the chatter about Blue Pill, I haven't seen it made practical. Oh sure you can talk about an undetectable super rootkit on paper but does it actually work in the real world? VMware doesn't think it would, and they do know more than a bit about virtualization.

    I'm not saying this isn't an interesting line of academic research, but I'm getting tired of the "OMG I can own any system and not be detected!" doomsaying. No, really, not the case it seems.

  • Re:huh? (Score:1, Insightful)

    by Anonymous Coward on Saturday July 18, 2009 @07:25PM (#28744227)

    I use an A/V product for two reasons:

    First, it is a last line of defense. Sometimes the AV program is updated and can catch threats before a browser or browser add-ons are patched.

    Second, I use one that is certified by ICSA and other known independent labs for pure CYA issues. It's a lot easier to excuse something by saying that "oops, it got by the antivirus program that is properly updated daily" versus "I don't run AV". CYA 101, and I'm so used to it in work environments, I practice it at home on Windows boxes.

  • This is simple? (Score:3, Insightful)

    by westlake ( 615356 ) on Saturday July 18, 2009 @07:27PM (#28744235)

    She runs three separate virtual machines designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.

    Three operating systems to maintain. Three browsers. Three filing systems? Three PDF viewers?

    Where does it end?

    To me, the Zero Day exploit suggests that a random choice of OS, web browser and file viewer would make more sense.

    But the whole idea seems overly complex and dangerously fragile.

    by Talchas ( 954795 ) on Saturday July 18, 2009 @07:35PM (#28744273)

    It might be idiotic if A/V programs didn't totally ruin system usability for on-line protection. And if you just run random scans, or scans of known-downloaded things, you'll still lose against any sort of automated attack (which is where anyone reasonably computer savvy might get attacked through).

  • Re:huh? (Score:5, Insightful)

    by benjamindees ( 441808 ) on Saturday July 18, 2009 @07:39PM (#28744295) Homepage

    Think of it this way. Antivirus software is like the Maginot Line. It will keep out most invaders. But the really threatening ones will simply drive around it and disable it from the inside.

    Her setup is more like a fortress filled with cruise missiles that can be launched with lots of advanced warning of attack.

    Both have costs. One is more effective than the other. So, saying that something expensive and incomplete like the Maginot Line provides increased security may be technically true, but it's kind of a moot point.

  • Re:o.k. (Score:3, Insightful)

    by NotBornYesterday ( 1093817 ) * on Saturday July 18, 2009 @07:55PM (#28744337) Journal

    I guess it's true that what you don't know can't hurt you.

    I'm not sure I agree with that one. Plenty of stuff has bitten me in the ass regardless of whether I knew anything about it.

    It's like being a cop and having a teen daughter. Knowing all the dangers out there you can't just let her go to this one party, can't you?

    You can't shelter your kids forever; you have to build stronger, better kids and trust they can deal with the world when it is time (Believe me, I know - I'm there right now).

    In the same way, putting thought and care into building a robust, secure computer system pays dividends when it has to deal with the real world.

    I guess that's why she's so paranoid about it.

    She sounds like a contractor I knew who completely overbuilt his house just because he could. Paranoid? Not really. Just building the best house he reasonably could.

    Whenever I see overprotective/overkill ... there are some people who live their lives in fear

    What might be overkill in the hands of experts today might well be standard issue tomorrow, and no more difficult to use than personal AV and firewall apps today.

    I see the Internet as just another way of communication. nothing more

    Fair enough. But it sure isn't free of danger, and thinking otherwise won't change things.

  • Re:Well... (Score:3, Insightful)

    by Tenebrousedge ( 1226584 ) on Saturday July 18, 2009 @08:25PM (#28744441)

    You can whitelist, you can blacklist, you can disable JS entirely, or you can live with not having that layer of security.

    I suspect you need to actually use noscript and dig through the options before making that pronouncement. You can, for example, have all scripting from the top-level site be allowed by default. I don't recommend that for your porn browsing, but it should work on most other sites.

    In terms of having a relatively secure JS-enabled browsing experience, NoScript is about as good as you can get; there's probably not going to be a 'better way' there. There are plenty of ways to be secure on the internet, though.

    I've spent approximately 300 seconds to date fiddling with NoScript. I've spent more time than I care to remember cleaning viruses off of computers and reinstalling OS's. In point of fact, I'm doing that right now. I'm getting to the point of thinking that on a Windows machine, using the internet only in a virtual machine is a reasonable option. As is I use Linux, and feel extraordinarily thankful to have that option. If you wanted to be completely nuts about it, you could run Firefox in a vm in a chroot jail on OpenBSD on a non-x86 processor, building all components from scratch, etc etc. It's just up to you what you want to sacrifice for security. Myself, I don't think that a few minutes of configuration spread over a period of months-to-years is all that big of a deal. But hey, it's your call.

  • Re:o.k. (Score:5, Insightful)

    by rudy_wayne ( 414635 ) on Saturday July 18, 2009 @08:42PM (#28744517)

    It's only free if your time's worth nothing.

    Most of your time IS worth nothing. But people are too arrogant to admit it.

  • There's no benefit to a micro-kernel in these so-called ring -1 attacks. None.

    You know, the really odd thing is that that's what I just said. Microkernels are not about security, they're about internal kernel API design. That's why Hurd and Mach suck, they're taking the API design guidelines and treating them as kernel architecture.

  • by Ilgaz ( 86384 ) on Saturday July 18, 2009 @09:18PM (#28744711) Homepage

    So, a person who can do mad things like ring -1 and knows about -2 -3 attacks who also happens to be a professional security researcher doesn't use AV and "doesn't see need for it."

    This is the most irresponsible thing I have ever heard. Does the average user have knowledge of system internals like she does? Can the average user stand the torture of 3 virtual machines? Could the average user get rid of "run as admin" even on upcoming Windows 7, especially if he/she is a gamer?

    This is more like a Medical Doctor bragging about how he never used any pills or went to a doctor and "doesn't see need for it".

    She should browse some average user troubleshooting forums and see the junk non-technical people are falling victim to. No, they really don't know the privilege levels or CPU rings.

  • by ccr ( 168366 ) on Saturday July 18, 2009 @09:57PM (#28744901) Homepage

    And what about those BIOS/EFI[1] firmware-based hypervisor rootkits? If someone is able to gain root access in a given system that is somehow "vulnerable" in such a way that a permanent EFI (or similar) rootkit can be installed, then you'll be fucked even with the read-only media and all.

    Speaking of which, I don't understand why manufacturers are so eagerly adding all this new intelligence into the firmware. What do we need it for anyway? IMO it would be so much simpler from security perspective, if the OS would be at the bottom of it all. Added complexity adds new possibilities for exploitation.

    [1] []

  • by DigitAl56K ( 805623 ) * on Saturday July 18, 2009 @10:03PM (#28744919)

    Running three separate VMs is not only a sign of paranoia but also a delusion that as a person functioning in today's world you can realistically have so much control over information that with enough effort you can control your own security in all regards, or even that you can control it to the extent necessary to protect yourself from common threats.

    Put aside for a moment that she's a security researcher and that probably invites more attacks than the rest of us face. There are a number of flaws readily apparent with this approach to security:

    1 - Knowledge is power, and you just told the world critical elements of your defenses. There's a reason banks don't disclose such things. It doesn't make your system any less secure, but it raises the bar for attackers.

    2 - You maintain your own VMs. In your mind nobody is better equipped to protect your systems than you are. In reality if you made a security blooper on one system you probably replicated it on all three VMs, if not the host also.

    3 - I guess you assume that if you're running an app in the VM and someone decides to attack a vulnerability in your network stack that it won't actually the host system, and since the VM leverages the network stack of the host system that's not necessarily true.

    4 - You may secure connections between entities like your bank by allowing only HTTPS through a browser in the VM. Reality is that in the last year major payment processors have been breached resulting in millions of people's card details being stolen. RBS WorldPay and Heartland Data Systems are two known breaches, there is one other yet unidentified from what I have read.

    5 - As others have pointed out, anti-virus *will* protect you against nearly all *common* attacks. Today's anti-virus products even scan mail and http traffic for threats before your applications can process the data themselves (usually not in free versions of the AV apps). To say it adds no value at all is sending a very bad message to the majority of readers who would like to think they're better equipped to handle their own security than they really are.

    The reality is that you can very easily do many simple things to help protect yourself. Install all your application updates promptly, be careful where you download software from, don't run attachments from spam e-mail, don't follow links sent to you in email without checking where they really go first, be careful where you enter your card details, run AV software, etc. etc.

    However, beyond a certain point you have to spend exponentially more effort, beyond what the majority of people would consider reasonable, for very small gains in security. Chances are that you will still suffer fraud etc. during your lifetime, and it will be due to some vector completely beyond your control.

    No, I didn't RTFA. 9 pages? gtfo.

  • by blueg3 ( 192743 ) on Sunday July 19, 2009 @12:13AM (#28745469)

    2) Even in the case of low level root kits, they still have to get to your system in the first place. That in general means they have to get downloaded from the net or transferred from a CD or flash drive. Guess what? A virus scanner in the OS can stop that. It can scan the program coming in, before it has a chance to run, and block it. Even if the program would set itself up on a level below what the scanner could detect, the scanner can notice it as it is coming in before it can execute and do that.

    This is the malware arms race. The first entity to hit the system and know the second entity's tricks wins. Malware can completely gut antivirus. In theory, it can completely and undetectably emasculate it. (In reality, it doesn't.) Antivirus programs can detect malware and stop them -- provided they know what to look for. Knowing what to look for is harder than it sounds. You can use signature scanning to find really trivial attacks, or very fancy signature scanning to find less-trivial but still enumerated attacks. Only behavioral controls will stop novel attacks, and you need to know what behaviors to stop. Simply stopping anything that might possibly be used to get control of the system will leave you with a nonfunctioning system.

    Bear in mind that there's anywhere from a few days to a week, at least, before an antivirus database incorporates a new malware signature. If the malware can disable the antivirus (or its update), what's the risk in a one-week window?

  • Re:I'm suspicious (Score:4, Insightful)

    by Sycraft-fu ( 314770 ) on Sunday July 19, 2009 @01:41AM (#28745865)

    Third party testing, that's how. VB100 would be a big one, but there are others. Various companies test virus scanners and see how they do. That is, in fact, the only way to know how well they work. Having the code open does nothing. You can look at the source and it doesn't tell you how well the thing actually works against threats.

    Indeed the only OSS AV software I'm aware of, ClamAV, does a pathetic job. The reason may be in part due to the way it is written but more because it doesn't have a good database of signatures. That is what really makes or breaks a detection program. There is no way to write heuristics to find everything. This is not only because there are no universally "bad" actions to look for but also because if you look for only certain behavior, the virus writers will write to avoid that. So the real way detection is done is via signatures. Viruses are analyzed and a database of them is updated on a daily basis (sometimes more often).

    ClamAV just doesn't have a good, up to date database and thus misses a lot. NOD32 does, and thus misses little if anything. That the code is open doesn't mean a damn thing. Open or closed, you have to actually test it in an operating environment to see how it works and the answer is NOD32 works well, Clam does not.

  • by tkinnun0 ( 756022 ) on Sunday July 19, 2009 @07:15AM (#28746839)

    A good AV will detect unknown threats and zero day attacks even before you read about them.

    Really, how does that work if the malware has been tested to work against the AV before it being released into the wild?
