Slashdot Mirror
Windows Update Can Hurt Security
An anonymous reader writes "Researchers at Carnegie Mellon University have shown that given a buggy program with an unknown vulnerability, and a patch, it is possible automatically to create an exploit for unpatched systems. They demonstrate this by showing automatic patch-based exploit generation for several Windows vulnerabilities and patches can be achieved within a few minutes of when a patch is first released. From the article: 'One important security implication is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update... can detract from overall security, and should be redesigned.' The full paper is available as PDF, and will appear at the IEEE Security and Privacy Symposium in May."
Windows _____________ Can Hurt Security
You are damned either way. The only way to avoid complete damnation from security vulnerabilities is to run a large number of different operating systems, but then you are damned to live a life in complete confusion about system maintenance instead.
The onion principle is a general security term that has been defined a long time ago, but the fact that we are all online in some way or another all the time means that the onion is rotten.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Just roll the entire i386 directory into every patch.
There is no good solution to this problem -- that fixing something makes it easier to find old problems. At some point, users need to be responsible enough to apply updates.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Profitability is key, not security. Think of sysadmins as janitors. We pay you to wipe up the mess. It's not worth our while to invest in systems that don't create a mess as long as janitors are cheap enough to come with their electronic mops and buckets.
And you are.
Sorry.
... patch based security is also the model linux uses (as far as I understand).
Furthermore, for Linux access to the unpatched code is also easy to obtain.
Somebody please correct me if I'm mistaken.
Tie two birds together: although they have four wings, they cannot fly. (The blind man)
If it's possible to generate an exploit that quickly, we need to completely abandon the current "patch it and hope no one broke in" approach to security. It's never been a good approach, but if any idiot can generate exploits via a point-and-click program, that's obviously a big problem. This problem isn't limited to Windows, and most operating systems aren't patched within even a few hours of a patch release. There's good reasons for this, and bad ones. But no one really wants to trust their critical systems to be patched (and possibly go down and become unworkable) to an instant patch system.
The fundamental problem here is that a lot of security depends on single points of failure. A real security system relies on the "defense in depth" approach.
AccountKiller
Couldn't this process (modified of course) do the same thing to any update for any software at all?
How exactly is this news? I mean, I should update my software when there's a new patch anyway, but now that THIS has been developed I...need to update my software when there's a new patch... Automating it is a pretty neat trick, and it pretty much destroys any argument for security through obscurity, since it means you couldn't patch any hole to maintain the obscurity, but it's not like security through obscurity in the computer software realm has that amazing a track record in any case.
The PDF outlines three methods of alleviating the problem of staggered patch distribution:
1) Patch Obfuscation: basically an attempt to hide exactly what the patch fixes by padding out the patch with a lot of lines of nonsense. While this might prove effective, it would only be effective until an improved algorithm for discerning the true reason for the patch is found, and in the meantime, it would create its own set of problems, particularly if the level of obfuscation required balloons the size of the patch to an unmanageable degree.
2) Patch Encryption: basically distributing the patch in an encrypted format, waiting until it is reasonable to assume that everyone has the patch, and then transmitting a decryption key to decrypt and apply the patch more or less "simultaneously". Problems: this only pushes the problem back one level; meaning the same method of exploitation is just as possible, while this also creates an unacceptable time lag for patches to be applied, which hackers who write exploits the old-fashioned way can exploit to their considerable benefit.
3) Fast Patch Distribution: basically leveraging technologies like P2P to insure that patches are rolled out...well...fast. Problems again include off-line hoists, as well as hosts who have the misfortune of being on ISPs that take a dim view of P2P.
In summary, none of the methods outlined have much of a chance to combat this new threat.
____
~ |rip/\/\aster /\/\onkey
Unfortunately, no fix is feasible. The basic problem is twofold:
- If you tell someone how to fix a problem, you tell them what the problem was.
- It's not possible to push updates to all affected systems simultaneously.
That the first is true should be obvious if you think about it for a minute. As for the second, that comes from the fact that the affected systems are owned by different entities with different requirements and different environments. A fix for a problem affects more than just the fixed software, especially when the fix is in the operating system on which other business-critical software runs. Any fix has to be checked for compatibility with that entity's specific environment, this checking can't start until after the entity has gotten the fix, and everybody's going to take a different amount of time to check and get clearance to deploy.The only "fix" would be a mandatory push to all systems at one time, and that won't be accepted by the people who own the systems unless Microsoft or someone else accepts complete 100% liability for all costs associated with any failure. And I just don't see that happening.
Not to be inflammatory, but it really is.
Essentially, these people wrote a paper which says that hackers can analyze Windows Updates and figure out how to attack systems that aren't patched yet thereby. It goes into theory and proofs of that. Thanks, everyone else knew this about Windows Update years ago, probably for about as long as there's been a Windows Update.
It then proposes some solutions which are all, on the whole, worse than the status quo for various reasons. For example, forcing all Windows machines, whether they're turned on or connected to the internet or not, to patch at the very same instant is not realistic.
They should've called this thing: "Windows Update has problems. Magic can fix them."
This is fascinating. As someone who's worked with automatic theorem proving and proof of correctness techniques, I'd never thought of using them in this way.
What they're doing works like a proof of correctness system in reverse. They difference executables before and after the patch (which in itself is impressive), then, having isolated the patch, analyze it automatically. Security patches usually consist of adding a test which constrains the valid inputs at some point. So they use a symbolic decision procedure, which is part of a theorem prover, to work back through the code and automatically derive a set of inputs that would be caught by the new test.
This is more than just an attack on Windows Update. It's true automated exploit generation.
This is potentially applicable to any security-critical code that changes over time. One could, for example, have something that watched check-ins to the Linux kernel tree and developed new exploits to current stable releases from them.
Yeah, exactly. If this is a problem with Windows, then it's a worse problem with Linux!
Not only can you reverse engineer the binary, but you have access to the source code and it's modifications. If you read bug trackers or dev mailing lists, you can even pick up security vulnerabilities before the patch is even released just by looking at bugs and diff files.
You can't put the toothpaste back in the tube, people. Arguing that that means you shouldn't brush your teeth is ridiculous.
The road to tyranny has always been paved with claims of necessity.
If you have a patch, you can diff the original and the patched file and find out what got fixed. No secret here.
So how can you close the gap between fixing and exploiting? That's nothing MS could fix. You have to. Patch early, patch often.
If any message is contained here, it's that if there is a patch out and you didn't use it, you're extremely vulnerable. That's pretty much it, nothing really new here.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1) Isn't this an old problem? Not only is this old, but it applies to any computer system, so to single out Windows Update seems naive (as others have said).
2) I think we are forgetting that the exploits still need to be distributed, and the article refers to worms, but how is this different from any other worm/virus?
Smarter viruses will attack weaknesses that are yet widely known or patched, so those that use exploits based on public patches are 1) stupider and 2) more predictable.
So this is less of an "update how" problem, and rather more of an antivirus problem. The previous might be impossible to solve, but the latter we have solutions for.
And what happens when someone who has downloaded the encrypted patch has his system compromised because you're waiting for some idiot who hasn't to do so before you'll release the key that unlocks it? In a worst case scenario, you could end up facing a class action suit for not enabling the patch. I don't know if such a suit could be successful, but I'd bet someone would try it. At present, if someone has failed to update his system with the latest patch, it's not Microsoft's fault. Under this system, if Microsoft was refusing to actually make the patch available to one until others have it, that poses ethical and legal questions. I'm not a lawyer, and can't say what the legal answer would be, but I'm sure the question would arise.
Or distribute encrypted patches over the course of a day, then when you publish the key everyone can update
Which shifts the problem from distributing the update to distributing the key.
Of course this does have another advantage: Distributing the encrypted update also distributes notification that there WILL be a key, and can tell the users when. Then it becomes a race to get the key and apply the patch before the bad guys can get the key, generate, and deploy an exploit.
And the downside: The bad guys also know the patch is coming, and when. So they can use their existing botnet(s) to grab a key as soon as possible, then DDOS the key distribution mechanism while they generate and deploy the exploit. This makes things WORSE: A much larger fraction of the machines are vulnerable when the exploit deploys.
Still worse: If the bad guys crack the encryption, or manage to break in and grab the key early, they get to automatically generate and deploy an exploit while NOBODY has the fix. Oops!
Ditto even if they don't crack the patch - but the patches exposes that a vulnerability exists and perhaps what module has it, and they find and exploit the vulnerability before the key deploys.
= = = =
In a battle between weapons and armor, weapons eventually win.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Distribute an encrypted patch, and then once all clients have downloaded it reveal the key, which is short and can be sent in a single network packet.
Which shifts the problem from distributing the update to distributing the key.
Of course this does have another advantage: Distributing the encrypted update also distributes notification that there WILL be a key, and can tell the users when. Then it becomes a race to get the key and apply the patch before the bad guys can get the key, generate, and deploy an exploit.
And the downside: The bad guys also know the patch is coming, and when. So they can use their existing botnet(s) to grab a key as soon as possible, then (or simultaneously) DDOS the key distribution mechanism while they generate and deploy the exploit. This makes things WORSE: A much larger fraction of the machines are vulnerable when the exploit deploys.
Still worse: If the bad guys crack the encryption, or manage to break in and grab the key early, they get to automatically generate and deploy an exploit while NOBODY has the fix. Oops!
Ditto even if they don't crack the patch - but the patche exposes that a vulnerability exists and perhaps what module has it, and they find and exploit the vulnerability before the key deploys.
= = = =
In a battle between weapons and armor, weapons eventually win.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Think of sysadmins as janitors. We pay you to wipe up the mess. It's not worth our while to invest in systems that don't create a mess as long as janitors are cheap enough to come with their electronic mops and buckets.
That works for small messes.
It doesn't work for somebody getting hold of the company's trade secrets, client list, bidding information, road map, and headhuntable employee names and pay scale.
It doesn't work for somebody cracking the information on the company accounts and transferring the cash reserves to themselves via untraceable paths.
It doesn't work for somebody destroying or corrupting the IT infrastructure - especially the databases - and taking the company out of business for days or forever, causing key employees to quit or be fired, etc.
It doesn't work for somebody corrupting industrial process control infrastructure and literally destroy plants and kill employees, or cause the company to build and ship defective products.
I could go on.
Cleaning up IT graffiti is one thing. Cleaning up IT nuclear strikes is quite another.
IMHO any corporate IT exec who treats malware like graffiti, rather than an early warning of something more serious, is negligent in his fiduciary duty to the shareholders and perhaps criminally negligent in his duty to protect the lives and health of the employees. (Pity that most of 'em do treat the threat in this way. B-( )
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
What's important about this is that it can quickly and automatically generate exploits given only OBJECT code - faster even than a good programmer could do it from source.
This negates the claim that hiding the source code increases security.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
But based on my reading of the paper, it isn't 100% there. You don't get "sploit.exe" dumped onto your disk when the thing is all done. Their stuff only works backwards to a certain point.
For instance, when they come up with the exploit for WMF reader vulnerability, they're not making you a new WMF file (as I understand, anyway).
One thing that interested me is the model they invented. The binary differencing was off-the-shelf stuff from eEye. But their model of the x86 machine (cpu, instruction side effects, registers, and memory) is new, and that seems like something that could have been written previously.. I'm surprised they needed to do this. They also define a space of functions that examine the model to determine if badness has happened, for each specific kindof badness they're interested in, i.e. return address changes during execution of call.
They also appear to require execution traces of P (or P') to run under a machine monitor; I don't think from the instructions in P they work backwards from P/P' difference lines and construct initial conditions of the machine state. Even if that _is_ what they were doing, they only model the salient portions of the binary, not the outside system.
Even so, what they're doing here is fantastic. The things they're not doing (automatically creating files that trigger the exploit) are all possible offshoots from this paper, if one were to have sufficient computing power and time to create models of the salient portions of the system. For each different data flow into the instruction/memory space, the model would need to describe the line of demarcation. In the case of the WMF/PNG vulnerabilities, that line is on the other side of readfile or mmap or whatever. (i.e. the bytes that trigger the exploit come from the disk). Building a file on disk in a certain way to cause a sequence of x86 instructions to produce the desired memory is a hard problem in and of itself, although I perhaps possible with the tools and techniques they've already got.
The same would be true of the ASP.NET vulnerability. I beleive they can work backwards from exploit to the in-memory representation of a URL request. At that point, knowing that URLs come from the outside hostile internet, through IIS, etc etc etc, is vuln-specific domain expertise. However, a library of injection points (file on dist, URL request from network, packet from network, etc) could be built around the analysis model. The analysis engine works backwards until it says "here is the memory precondition that leads to an exploit, now i rely on an injection plugin to acheive that memory state."
My opinions are my own, and do not necessarily represent those of my employer.
While Apple may be more secure, until you get 50% market share your not going to get 50% of the effort put into attacking you.
IranAir Flight 655 never forget!
And CRC was never designed to be in the least secure against that sort of thing in the first place. It's a good error checker, but it's not secure.
Yes, there are newer hashes that don't currently have any known vulnerability. But none of which you can be confident that they'll still have no vulnerability in half a decade's time. And if Microsoft were to build what you're suggesting into Windows, a vulnerability beign discovered in whatever hash they used would be a death-knell. How could Microsoft possibly fix it? Distribute a patch to change the hash -- over the compromised patch distribution network?
What's purple and commutes? An Abelian grape.