Slashdot Mirror
Security Threats 3 Levels Beyond Kernel Rootkits
GhostX9 writes "Tom's Hardware has a long interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages). Many think that kernel rootkits are the most dangerous attacks, but Joanna and her team have been studying exploits beyond Ring 0 for some years. Joanna is most well known for the BluePill virtualization attack (Ring -1) and in this interview she chats a little bit about Ring -2 and Ring -3 attacks that go beyond kernel rootkits. What's surprising is how robust the classic BluePill proof-of-concept is: 'Many people tried to prove that BluePill is "detectable" by writing various virtualization detectors (but not BluePill detectors). They simply assumed that if we detect a virtualization being used, this means that we are "under" BluePill. This assumption was made because there were no products using hardware virtualization a few years ago. Needless to say, if we followed this way of reasoning, we might similarly say that if an executable makes network connections, then it must surely be a botnet.'" Rutkowska says that for her own security, "I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization." She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.
This is something I'm wondering. Perhaps the best thing would be for the "Red" machine to be completely rolled back when done using, and have a virtual share mapped for any data that is worth saving.
"Most of the time the AV just dies with any half-decent virus infection"
This is true. It is also a valuable feature.
Not for the poor bastards at home, of course, it'll just make their descent into pop-up misery and a new computer from best buy even faster. Pretty much any centrally managed AV setup, though, makes it pretty easy to check whether or not AV is running on a given client. If you have a client where the AV won't stay up, you have excellent reasons to suspect that the OS is 0wn3d. You can then inspect further, or just pave and reimage, depending.
Malware's habit of shoving an ice pick into the AV's neck at first opportunity is bad for nontechy home users; but it arguably makes that malware easier to detect in serious setups(if the AV can't detect the malware, which is likely, its blood demise will be obvious enough to draw attention).
That's what I've got on my setup now.
After upgrading to a multi-core system where each had more processor and memory than my previous computer and noticing that 1 core was idle unless I was doing something CPU intensive, I virtualized my old machine and saved a snapshot just after bootup and opening a browser.
Then I started using that in seamless mode instead of a browser. Every time I close it, not only is the browser history/cache/etc wiped, every possible change to the entire system is wiped.
It doesn't run AV because that system just doesn't matter anymore. Instead of restarting my browser, I'm effectively wiping & re-installing whenever it feels laggy or "off".
Perhaps it is a false sense of security, but as long as it is firewalled from the rest of the network and there isn't a "Neo" virus that can "escape the simulation", I feel safer than browsing on the host system with all the AV/noscript utilities running.
Been there, done that, works great.
A few years ago, I set up a bunch of thin clients for general browsing, chatting and homework at a school dorm - they were (were, as I have no idea if they're still in use, but they were absolutely maintenance-free, so I guess they should be) running Linux, with the kernel and boot config (generated on the fly) loaded from a read-only TFTP server and / mounted from a read-only NFS share. On each boot, the init scripts would finish generating a machine-specific configuration in /etc/ and mount a few ramfses on top of some directories using unionfs to give an illusion of a read-write filesystem. Then, upon login (LDAP authentication), the user's directory would be mounted from an individual password-protected Samba share (accessible from the users' personal computers as well), with the noexec attrubite of course. /tmp/ and /var/ were also noexec. Upgrades to the client system were performed at the server, by chrooting into the exported root directory.
Such a configuration is absolutely invulnerable to users, rootkits, viruses and any other riffraff known for breaking things in computers. Even in the unlikely event that someone gained root privileges on a client, they would actually gain nothing and even that nothing would vanish after a reboot.
This is Slashdot. Common sense is futile. You will be modded down.
The vast majority of attacks out there are simple programs that install in the OS. They are not some uber VM root kits or the like. As such, a virus scanner running in the OS is perfectly capable of dealing with them. So no, it doesn't give you 100% defense but I bet it stops 99.99% of the attacks out there and that is worth something.
Absolutely agree. It's nice that she has a throwaway image because it isn't possible to proect herself from her definition of the critical threats, but those aren't the threats I'm necessarily worried about. My A/V keeps (among other things) the script kiddies out who do things that pi$$ me off and cause me to react. The bad guys/girls can have anything on my system which is why they probably won't bother with me. I'm wondering how much crap her system spews the day before she decides (la la la) to reimage. That's the stuff that's going after me.
You're serious, right? Let's assume that I have one copy of WinXP - or, Win7, legally licensed. I install a *nix as my primary OS, create a VM using VirtualBox, and I'm legal, so far, right? Get the VM all updated, then clone it 99 times. Suddenly, I'm illegal, right? But, all 99 machines are being used INSIDE of ONE BOX!!! I use one machine to browse the darknet, another machine to do torrenting, another to do my banking, one for general browsing, and one just to test malware on. The rest I may or may not ever fire up for some reason that I haven't thought of yet.
So, how much should I mail to Microsoft for all of my VM's?
Say, can I bum a dollar?
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
I understand the DEP (data execution prevention) enabled processors weren't common back in Windows XP days but what is the deal with Windows 7 even 64bit version? Why wouldn't MS enable it by default as it is said to prevent very serious attacks on CPU level, without slowing down the system at all?
While there are no real viruses on OS X yet, I try to prepare machines for "no AV needed even while viruses exist" configuration just like you with couple of extra admin prompts, that is all but I don't follow Windows scene too much.
After enabling DEP, I even gamed on Windows 7 64bit (game is even running under win2k compatibility) and I haven't seen anything bad happen. I remember some stupid HP driver on another machine crashed because of DEP but that was all, the error message was really informative too.
So, do they disable it to make couple of badly written software owners happy while 99% would benefit from it?
BTW, this is what DEP is
http://en.wikipedia.org/wiki/Data_execution_prevention
She now realizes that Ken Thompson's paper:
"Reflections on Trusting Trust"
http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
- is the basis of ANY hardware firmware or re-flashing of hardware.
I can't wait for next month and hopefully the bombshell we've been waiting for.
Brilliant Joanna indeed.
~hylas