Slashdot Mirror


Pwn2Own 2009 Winner Charlie Miller Interviewed

crazipper writes "Tom's Hardware interviewed Charlie Miller, winner of this year's Pwn2Own contest and formerly with the NSA. He discusses the effort it took before the contest to be able to take down a MacBook within seconds, sandboxing, and the effectiveness of the NX bit and ASLR. His outlook on end-users protecting themselves against attacks? 'Users are at the mercy of the products they buy.'"


  1. Grandma can't run Linux? by Anonymous Coward · · Score: 0, Insightful

    FTFA:

    Charlie: I'll leave Linux out of the equation since I know my grandma couldn't run it.

    Uh, I think you're quite wrong there. I know more than a few Grandmas running Linux. The thing is, they're the ones that usually need the least amount of software. A browser, maybe e-mail if they don't do it in a browser, that's about it. Linux is perfect.

    1. Re:Grandma can't run Linux? by supernova_hq · · Score: 4, Insightful

      Linux is NOT perfect. Anyone who thinks so is either an idiot or lying. For a lot of people, it is the best and of much better quality and calibre than the alternatives (windows, macOS), but definitely not perfect.

      Disclaimer: Proud Ubuntu user since 7.10 and have never even considered moving back to windows.

    2. Re:Grandma can't run Linux? by Anonymous Coward · · Score: 3, Insightful

      Uh, I think you're quite wrong there. I know more than a few Grandmas running Linux. The thing is, they're the ones that usually need the least amount of software. A browser, maybe e-mail if they don't do it in a browser, that's about it. Linux is perfect.

      You can't be serious.

      Of those "more than a few" Grandmas you know running Linux, how many bought and set up their own computer? How many Grandmas do you know that enjoy compiling drivers?

      I'm not a Mac user myself, but for what it's worth, my own Grandma was able to buy herself a Mac and get it plugged in and running on her own. It's similarly easy with a Windows machine as soon as you figure out where all the plugs go, Windows setup is a breeze.

      Sure, they need help figuring out what to do once the thing is running, but that's OS-independent.

    3. Re:Grandma can't run Linux? by Idiot+with+a+gun · · Score: 3, Insightful

      I think the OP's comment about perfect was within the context of the most basic users. And I'd agree. For the vast majority of "simple" tasks (a very ambiguous statement), the setup/use of Linux (esp. Ubuntu) is exceptionally easy (also subjective).

      Within the spheres of some Windows power users, who understand the ins and outs of Windows perfectly, Linux is foreign and useless. But the same could be said about Linux power users and Windows. So that is more of a statement about the difficulty users who are strongly versed in one OS have in switching to another. And that proves nothing in the Linux vs. Windows debate.

      As far as security is concerned, I'd probably argue that Linux is more secure, but not completely secure. It's possible to get a Linux box completely screwed up (someone was talking about that here, where they accidentally exposed a Linux box with a very old version of OpenSSL to the web and got it compromised), but the question is which is easier to get more secure, or which will have fewer issues. No software is perfect (please no BSD comments), it's all a game of lesser of two evils.

    4. Re:Grandma can't run Linux? by Repossessed · · Score: 3, Insightful

      Um... how many grandmas do you know who set up their own windows machine? Plugging it in doesn't count, they have to actually install windows.

      0?

      Thought so. Windows is just as much of a PitA as Linux, and the same people who need help setting up one need help setting up the other.

      Where Linux fails is the power users, who have learned how to do things beyond email (that someone else set up) in windows, and who have to relearn a sometimes less intuitive way in Linux. (that and peripheral hardware)

      --
      Liberte, Egalite, Fraternite (TM)
  2. Re:Users are at the mercy of the products they buy by TheRealMindChild · · Score: 2, Insightful

    Because you would end up being able to sue almost everyone... ask the same type of question about a car and you will get the same answer "Why can't I sue a car manufacturer for a shitty design?" ... "Because you would end up being able to sue almost anyone"

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  3. pwnd & ownD by binarybum · · Score: 4, Insightful

    Tom's Hardware
    [NEXT PAGE>
      PWNs & OwnZ U
    [NEXT PAGE>
      If you read
    [NEXT PAGE>
      their articles
    [To continue reading this comment, click here ]

    --
    ôó
  4. He was sitting on the winning weakness by iminplaya · · Score: 5, Insightful

    since last year.

    A quote from another interview:

    "Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away."

    Who knows what other goodies they have in store. But the browsers and the phones were hardly touched. The contestants are holding out for something better.

    --
    What?
  5. Re:Users are at the mercy of the products they buy by supernova_hq · · Score: 5, Insightful

    The same reason you can't sue an alarm company when someone breaks into your house.

    If your data is

    • Important: back it up
    • Sensitive: encrypt it
    • Not yours to lose: get insurance (good for companies)
  6. Re:Users are at the mercy of the products they buy by MrMista_B · · Score: 4, Insightful

    To illustrate the ridiculousness of your question, I'll rephrase it: "Why can't you sue the construction company that built your house if someone vandalizes or you suffer a loss due to break and enter?"

  7. Re:NX and ASLR by Sycraft-fu · · Score: 5, Insightful

    ASLR is just more defense in depth. Real security, physical or virtual, comes from having multiple layers. While it is a nice theory to say "Well just make sure X is secure and nothing will ever get past it," that doesn't work in reality. Shit happens, your border security can fail. Thus real security comes in multiple levels. Not all of them are as critical or as effective as others, but they all help.

    ASLR is just another level. If you find a flaw in some software connected to the network, you now have an additional problem in terms of getting code to execute. Is it insurmountable? No, but it is just more shit to get around.

    The more levels of security you have, the less likely someone is to break through all of it, especially before you notice they are trying. Have a border firewall, and host based firewalls. Run a virus scanner on every computer. Enable execute disable on systems. Operate as a deprivileged user whenever possible and so on. The more you do, the more things there are to trip up an attacker. Don't say "Well we don't need this because we have this other thing."

    I see that most common with firewalls. People will have a network firewall and thus assume that host based firewalls aren't worth the trouble. Well, they are. What if something gets by the network firewall? Just because it isn't supposed to doesn't mean it won't happen. Maybe someone brings in an owned laptop, maybe there's a flaw in the firewall, maybe you just set it up wrong. Whatever, point is have multiple security layers. Make it so that just because you got by the network firewall, doesn't mean you are in.

    So while I certainly wouldn't want to see a company rely on ASLR, as in say "No we don't need to fix that app bug, they can't exploit it since we randomize addresses," I do like it as another layer of defense. Not a magic bullet, but just that much harder to get in.

  8. Re:Users are at the mercy of the products they buy by Brian+Gordon · · Score: 2, Insightful

    Because you're not buying the software you have none of the explicit protections of a normal sale. You're licensing it. And read the license: "We don't guarantee this even does anything. It could wipe your hard drive for all you know. WE PROMISE NOTHING"

  9. Re:Users are at the mercy of the products they buy by Brian+Gordon · · Score: 3, Insightful

    If they left a gaping hole in your wall..

  10. Re:Users are at the mercy of the products they buy by 99BottlesOfBeerInMyF · · Score: 2, Insightful

    Why can't you sue a software company if you suffer a loss due to poor security in their product?

    You can. You are just highly unlikely to win.

  11. Re:Obama Policies Will Bankrupt USA Tsarkon Report by Anonymous Coward · · Score: 1, Insightful

    You know we don't read this shit don't you troll?

  12. Re:Users are at the mercy of the products they buy by phantomfive · · Score: 4, Insightful

    Basically because
    • No one claimed that their software is 100% secure
    • Making secure software is really hard
    • If you do want software that approaches optimal security, it is going to be expensive, not as expensive as making sure it has no bugs, but similar
    • There would be no software companies left, and we try to avoid making laws that wipe out an entire industry.

    When someone I'm working with writes a bug or leaves a security hole, I tease them, but the truth is I still have not found a way to write bug-free code myself. You can't really sue someone for not doing something that is impossible.

    OK, I admit some companies could do a significantly better job of making things secure. The article gives a couple examples of what Apple could have done to make their code more secure. But if it were possible to sue someone for that, I would be quite worried personally, as a programmer, I don't trust a jury to determine what is a reasonable vulnerability and what is not, so from my point of view it is better to not make insecure software illegal. And in most non-internet code, security isn't really an issue.

    --
    Qxe4
  13. Re:What's this all about "PC/Mac/Linux"? by somebody1 · · Score: 2, Insightful

    "PC" means an Intel architecture computer capable of running Windows.

    Well, current Macs are Intel architecture computers and they are capable of running Windows.

  14. Re:NX and ASLR by Simetrical · · Score: 2, Insightful

    The NX bit should have always been there, and the fact that it wasn't is incomprehensibly stupid.

    x86 was originally designed with a segmented memory model. You'd have one segment for code, one for data, one for stack. It was (and is) indeed possible to set data and stack segments non-executable. Actually, I believe this is achieved by the simple expedient of all jump instructions automatically using the CS (code segment) register, with no option to use any others -- thus you can't jump to or call the data or stack segments unless they overlap with the code segment.

    The problem is, in practice people just set all three segments equal today, so that all of them fill the entire virtual address space. If you do that, everything is in the code segment, and so everything is executable. The addition of a per-page NX bit is a (very belated) acknowledgement of the fact that the old way of doing things just isn't used anymore. (But I think Google uses it for NaCl.)

    Actually, Tanenbaum's Modern Operating Systems, 3e has an interesting remark about this (p. 237, emphasis added):

    Since each segment forms a logical entity of which the programmer is aware . . . different segments can have different kinds of protection. A procedure segment can be specified as execute only, prohibiting attempts to read from it or store into it. A floating-point array can be specified as read/write but not execute, and attempts to jump to it will be caught. Such protection is helpful in catching programming errors.

    You should try to understand why protection is sensible in a segmented memory model but not in a one-dimensional paged memory. In a segmented memory the user is aware of what is in each segment. Normally, a segment would not contain a procedure and a stack, for example, but only one or the other, not both. Since each segment contains only a single type of object, the segment can have the protection appropriate for that particular type. . . .

    The contents of a page are, in a sense, accidental. The programmer is unaware of the fact that paging is even occurring. Although putting a few bits in each entry of the page table to specify the access allowed would be possible, to utilize this feature the programmer would have to keep track of where in his address space the page boundaries were. That is precisely the sort of administration that paging was invented to eliminate. . . .

    Of course, he's wrong in a sense: the NX bit is most definitely being used. (And the book is copyright 2008, too, so you'd think he'd know it.) It's an interesting remark anyway, though, and may explain why a per-page NX bit wasn't there in x86 to start with.

    --
    MediaWiki developer, Total War Center sysadmin
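
On Linux, the per-page permissions discussed in the NX comment above are listed in `/proc/<pid>/maps`, so a defender can check a process for pages that are both writable and executable. The following C sketch is an added example, not part of the original thread; the `audit_maps` function, the `wx_report` struct and the sample listing are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in Linux /proc/<pid>/maps format (not a real process). */
static const char *SAMPLE_MAPS =
    "00400000-00452000 r-xp 00000000 08:01 131 /usr/bin/demo\n"
    "00651000-00652000 rw-p 00051000 08:01 131 /usr/bin/demo\n"
    "7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0 \n"
    "7ffd5c1e0000-7ffd5c201000 rwxp 00000000 00:00 0 [stack]\n"
    "7ffd5c3f0000-7ffd5c3f2000 r-xp 00000000 00:00 0 [vdso]\n";

struct wx_report {
    int total;      /* mappings parsed */
    int wx;         /* mappings that are both writable and executable */
    int exec_stack; /* 1 if the [stack] mapping is executable */
};

/* Walk a maps listing line by line and count mappings that break W^X.
 * Line fields: start-end perms offset dev inode [pathname] */
static struct wx_report audit_maps(const char *text)
{
    struct wx_report r = {0, 0, 0};
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t full = nl ? (size_t)(nl - text) : strlen(text);
        size_t len = full < 255 ? full : 255;
        char line[256], perms[5] = {0}, name[128] = {0};
        unsigned long long start, end;
        memcpy(line, text, len);
        line[len] = '\0';
        if (sscanf(line, "%llx-%llx %4s %*s %*s %*s %127s",
                   &start, &end, perms, name) >= 3 && strlen(perms) == 4) {
            int w = perms[1] == 'w', x = perms[2] == 'x';
            r.total++;
            if (w && x) {
                r.wx++;
                printf("W+X  %llx-%llx %s %s\n", start, end, perms, name);
            }
            if (x && strcmp(name, "[stack]") == 0)
                r.exec_stack = 1;
        }
        text += full + (nl ? 1 : 0);
    }
    return r;
}

int main(void)
{
    struct wx_report r = audit_maps(SAMPLE_MAPS);
    printf("%d mappings, %d W+X, exec stack: %d\n", r.total, r.wx, r.exec_stack);
    return r.wx ? 1 : 0;
}
```

On a system that enforces NX, the stack and heap normally appear as `rw-p`; any `rwxp` line is worth explaining.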