Slashdot Mirror
Security Threats 3 Levels Beyond Kernel Rootkits
GhostX9 writes "Tom's Hardware has a long interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages). Many think that kernel rootkits are the most dangerous attacks, but Joanna and her team have been studying exploits beyond Ring 0 for some years. Joanna is most well known for the BluePill virtualization attack (Ring -1) and in this interview she chats a little bit about Ring -2 and Ring -3 attacks that go beyond kernel rootkits. What's surprising is how robust the classic BluePill proof-of-concept is: 'Many people tried to prove that BluePill is "detectable" by writing various virtualization detectors (but not BluePill detectors). They simply assumed that if we detect a virtualization being used, this means that we are "under" BluePill. This assumption was made because there were no products using hardware virtualization a few years ago. Needless to say, if we followed this way of reasoning, we might similarly say that if an executable makes network connections, then it must surely be a botnet.'" Rutkowska says that for her own security, "I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization." She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.
i was gonna write something about [o]ver[k]ill but I'm not in the mood anymore. 3 VMs??? ahahahahahahahhahahahha ROFL ahahahahhahahahah (sorry, I can't help it) .. ahahahahahhahahaha
* burn karma, burn *
mov ax,4c00h
int 21h
I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization.
This seems a touch... idiotic. I could see how it could offer more. AND I don't see how it could offer less.
For what its worth, I don't use an A/V product either.
And Like her, I also have a "pretty reasonable setup" and a dose of "common sense". But I'm still balancing the increased responsiveness and hassle-free experience vs the extra security. Its a trade-off that's worth it to me, but I recognize that it is still a trade-off.
She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.
And in the article:
I totally don't care about a compromise of my "Red" machine--in fact I revert it to a known snapshot every week or so. I care much more about my "Yellow" machine. For example, I use NoScript in a browser I have there to only allow scripting from the few sites that I really want to visit (few online shops, blogger, etc). Sure, somebody might do a man-in-the-middle (MITM) attack against a plaintext HTTP connection that is whitelisted by NoScript and inject some malicious drive-by exploit, but then again, Yellow machine is only semi-sensitive and there would not be a big tragedy if somebody stole the information from it. Finally, the "Green" machine should be allowed to do only HTTPS connections to only my banking site.
And as long as your bank is never hacked and serving up malware, that probably works well...
Advice: on VPS providers
"...interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages)"
Why oh why did they split Joanna into 9 pages?! Thats so cruel!
Also, First Post
There's careful, there's paranoid, and there's three separate virtual machines.
Security is: 386 dx 40 (my first computer), BSD kernel, and Lynx non-graphical web browser. Only down side.... ascii-art porn (sigh).
It's fine if you apply all security patches, utilize good firewall hardware, don't surf the web or run random untrusted executables on said win32 or win64 box.
Or if you run said web surfing inside a robust sandbox.
> The problem is, however, that all current popular OSes, like Vista, Mac OS X, or even
> Linux, do not provide a decent isolation to its applications. This is primarily a result
> of all those systems using big monolithic kernels that consists of hundreds of
> third-party drivers that operate at the same privilege level as the rest of the kernel.
Sounds like she wants the Hurd.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
What is it you think Anti-Virus does?
Most people that run patched systems without clicking anything too silly rarely see an AV popup. Those that run a version of Flash that is two months old and are still using Adobe Reader 7 will be just as owned as if they had not been running AV at all.
AV is fine, and I myself run it, but if I ever see a detection that isn't a false-positive or bull, then that system is getting formatted within 24 hrs.
PS - Her Virtual environment might not even have a writeable virtual disk, and thus any nasties that get on-board are cleared each time she power cycles.
It is idiotic for three reasons:
1) The vast majority of attacks out there are simple programs that install in the OS. They are not some uber VM root kits or the like. As such, a virus scanner running in the OS is perfectly capable of dealing with them. So no, it doesn't give you 100% defense but I bet it stops 99.99% of the attacks out there and that is worth something.
2) Even in the case of low level root kits, they still have to get to your system in the first place. That in general means they have to get downloaded form the net or transferred from a CD or flash drive. Guess what? A virus scanner in the OS can stop that. It can scan the program coming in, before it has a chance to run, and block it. Even if the program would set itself up on a level below what the scanner could detect, the scanner can notice it as it is coming in before it can execute and do that.
3) Defense in depth is ALWAYS a good idea. In the real, physical, world you have to accept that no security is unbreakable. Anything you can make another person can unmake or circumvent. Thus security does not come from having one impassable layer, it comes from having multiple layer of different kinds. Should one layer be bypassed, security over all is not compromised. Well, a virus scanner on the system is another layer. Should be the only layer, but it helps.
Personally, I've never been impressed with her as a security researcher. She seems to be rather paranoid, and living in a theoretical world. In part this is because for all the chatter about Blue Pill, I haven't seen it made practical. Oh sure you can talk about an undetectable super rootkit on paper but does it actually work in the real world? VMWare doesn't think it would, and they do know more than a bit about virtualization.
I'm not saying this isn't an interesting line of academic research, but I'm getting tired of the "OMG I can own any system and not be detected!" doomsaying. No, really, not the case it seems.
Sorry, what a load of crap.
If my AV program does the primary job that it's designed to do, it will alert me to the fact that I've been infected. That's it. Does something about that seem totally WRONG to you? It's like saying that if the military does its primary job, they will tell us we've been invaded. Er, what's the point of that?
AV *DOES NOT* stop anything, even with all the fancy-schmancy product titles that they want to use (RootkitHunter, AVToGo, Detect&Cleanse, etc.)... it merely detects the presence of a hostile element.
Now, in my experience in IT support of Windows system (covering critical public-sector networks), 99.9% of virus infections are discovered because *WE*, the users and/or technician's notice the AV fail or something that's slipped past the AV (usually by the speed-hit on the computer concerned or the fact that it's dropped off the logs). If AV can detect something, it's ALREADY on the computer. It's *after* the event. Too late. Game over. Pointless.
Now some parts of some AV packages are actually "ANTI" virus, in that they stop them happening in the first place. These products can be variously placed into the categories of: firewalls, pre-access scanners, permission-removers. Everything else that they do is ABSOLUTE bunkum.
My own personal laptop... no AV. Hell, though, I have a firewall, a web browser that doesn't execute attachments and locked-down access to EVERYTHING on it. Why do I need a taskbar icon scanning EVERYTHING that EVER gets accessed on that computer 24 hours a day and can only pop up a box (possibly, most of the time the AV just dies with any half-decent virus infection) to say "You have a virus"? Everything past that point is worthless - "clean" shouldn't even be an OPTION, nor should "Delete" or "Quarantine" because in my own personal experiments, I've see it fail at a consistently high rate on machines with known virus infections, even with the latest signatures / program versions.
Keep your computer up to date.
Stop things executing.
Check occasionally or when suspicions arise.
On a network, sure AV is good to prevent dumb users not capable of following policy. At the network edge, essential (nobody gets a mail in my workplace without it having gone through SOMETHING to scan it or at least strip all attachments). On my own IT equipment? What a waste of time.
Use read-only media. The read-only media should have a physical write-enable switch, like an SD card or USB key, so you can do updates from a clean boot. Then disable writing and boot. For more info: Read only linux
P.S. Never "caught" a virus in fifteen years of computing, but found one once on a cover-CD for a magazine back in the DOS days. Networks I run don't get hit with virus outbreaks (and we're usually waiting for a week or two after Patch Tuesday's before we update and have a high Internet usage with completely unskilled users, on Windows XP and Server 2003 and an IT budget so low you couldn't buy floppy disks in one place!) - we get the odd virus on *personal*, standalone machines that have been taken home and brought into the network.
I have some experience with this sort of thing. Not a difficult setup, but it requires some knowledge and effort to maintain. So the cost is rather high, and hardware requirements somewhat steep. So you need a competent administrator with adequate resources.
The benefit, of course, is that it ends up being much more secure than antivirus software. Useful for when you make a living suing powerful organizations with the means to retaliate against you, while still being able to download porn on the corporate network.
Physical security is still important, though. Depending on who it is that's motivated to break into your systems, and their ability and willingness to simply "disappear" you or your employees when hacking attempts fail. I'd say it's not a setup for the faint of heart.
"I assumed blithely that there were no elves out there in the darkness"
She runs three separate virtual machines designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.
Three operating systems to maintain. Three browsers. Three filing systems? Three PDF viewers?
Where does it end?
To me, the Zero Day exploit suggests that a random choice of OS, web browser and file viewer would make more sense.
But the whole idea seems overly complex and dangerously fragile.
"Most of the time the AV just dies with any half-decent virus infection"
This is true. It is also a valuable feature.
Not for the poor bastards at home, of course, it'll just make their descent into pop-up misery and a new computer from best buy even faster. Pretty much any centrally managed AV setup, though, makes it pretty easy to check whether or not AV is running on a given client. If you have a client where the AV won't stay up, you have excellent reasons to suspect that the OS is 0wn3d. You can then inspect further, or just pave and reimage, depending.
Malware's habit of shoving an ice pick into the AV's neck at first opportunity is bad for nontechy home users; but it arguably makes that malware easier to detect in serious setups(if the AV can't detect the malware, which is likely, its blood demise will be obvious enough to draw attention).
I don't want this guy on the same planet as my corporate network.
This idea of using VMs could make for some interesting security on laptops that have TPM chips:
First, the laptop would be secured with BitLocker. This would provide two things, first, hardware and MBR tamper detection. Someone messes with the laptop while its not attended, it won't boot and ask for the recovery key. Second, BitLocker is transparant once it boots. No need to worry about an additional passphrase (though the recovery key should be kept someplace secure).
The main OS here is mainly used just as an enlighted host for the other VMs. Using Hyper-V or VMWare Workstation, one can then run several VMs, perhaps based around a similar starting OS and cloned. This way, one can have VMs focusing on tasks (document writing, browsing the naughty sites, payroll, etc.) With wise use of snapshots and isolation, if one of the VMs gets compromised, its just a click away from being rolled back to a clean state.
The only issue is getting data between the VMs, say from the payroll VM to the VM with the mail program. However, one can make a virtual hard disk that can be connected and disconnected from machines, perhaps being hooked up to a third, non Windows VM to check for tainted autorun.inf files and other stuff before it gets shuttled to a more security sensitive VM.
This is a lot of work, but compartmentalization and the ability to dump all changes in a filesystem to a known good point will go a long way in security.
If that were the case she would have no need to roll-it-back every week or so.
Just because you're paranoid doesn't mean they aren't out to get you.
I'd root her box ;)
I'd be careful. She doesn't use AV.
I understand the DEP (data execution prevention) enabled processors weren't common back in Windows XP days but what is the deal with Windows 7 even 64bit version? Why wouldn't MS enable it by default as it is said to prevent very serious attacks on CPU level, without slowing down the system at all?
While there are no real viruses on OS X yet, I try to prepare machines for "no AV needed even while viruses exist" configuration just like you with couple of extra admin prompts, that is all but I don't follow Windows scene too much.
After enabling DEP, I even gamed on Windows 7 64bit (game is even running under win2k compatibility) and I haven't seen anything bad happen. I remember some stupid HP driver on another machine crashed because of DEP but that was all, the error message was really informative too.
So, do they disable it to make couple of badly written software owners happy while 99% would benefit from it?
BTW, this is what DEP is
http://en.wikipedia.org/wiki/Data_execution_prevention
What are the vectors for these nasties that you are talking about?
I wonder because the only exploit I have ever watched try to run is some js launched pdfs, I was using a reader that was not vulnerable to the exploit, so nothing happened.
Nerd rage is the funniest rage.
I'm sure your boner means a lot to all the women in I.T.
There's no benefit to a micro-kernel in these so-called ring -1 attacks. None.
You know, the really odd thing is that that's what I just said. Microkernels are not about security, they're about internal kernel API design. That's why Hurd and Mach suck, they're taking the API design guidelines and treating them as kernel architecture.
Yet you use virtualization.
I use virtualization where it's useful. I don't run my desktop under it, I don't use it where performance is critical. I use FreeBSD jails instead of virtual machines on my colo because they've got less overhead.
So, a person who can do mad things like ring -1 and knows about -2 -3 attacks who also happens to be a professional security researcher doesn't use AV and "doesn't see need for it."
This is the most irresponsible thing I have ever heard. Does average user have knowledge of system internals like she does? Does average user can stand the torture of 3 virtual machines? Could average user get rid of "run as admin" even on upcoming Windows 7, especially if he/she is a gamer?
This is more like a Medical Doctor bragging about how he never used any pills or went to a doctor and "doesn't see need for it".
She should browse some average user troubleshooting forums and see the junk non technical people are being victim of. No, they really don't know the privilege levels or CPU rings.
A good AV will detect unknown threats and zero day attacks even before you read about them. If combined with a good firewall, they will detect any form of data leakage, at least in unencyripted form which is the most common.
There is amazing level of virtualisation, heuristics on commercial products like Kaspersky to the point of actually having a virtual machine in them and transparently launching suspicious application in that locked down machine before granting it some kind of "gray" level unless it changes.
There is also white list concept. Known products from known companies are scanned lightly and watched for things they shouldn't be doing. So, it is not like "every file scanned". File is scanned in different degrees.
Windows is so popular and known by black hats so "I don't run as admin" or "signed apps only" isn't enough anymore.
She's also a man, baby!
http://www.rutkowska.yoyo.pl/
Running three separate VMs is not only a sign of paranoia but also a delusion that as a person functioning in todays world you can realistically have so much control over information that with enough effort you can control your own security in all regards, or even that you can control it to the extent necessary to protect yourself from common threats.
Put aside for a moment that she's a security researcher and that probably invites more attacks than the rest of us face. There are a number of flaws readily apparent with this approach to security:
1 - Knowledge is power, and you just told the world critical elements of your defenses. There's a reason banks don't disclose such things. It doesn't make your system any less secure, but it raises the bar for attackers.
2 - You maintain your own VMs. In your mind nobody is better equipped to protect your systems than you are. In reality if you made a security blooper on one system you probably replicated it on all three VMs, if not the host also.
3 - I guess you assume that if you're running an app in the VM and someone decides to attack a vulnerability in your network stack that it won't actually the host system, and since the VM leverages the network stack of the host system that's not necessarily true.
4 - You may secure connections between entities like your bank by allowing only HTTPS through a browser in the VM. Reality is that in the last year major payment processors have been breached resulting in millions of people's card details being stolen. RBS WorldPay and Heartland Data Systems are two known breaches, there is one other yet unidentified from what I have read.
5 - As others have pointed out, anti-virus *will* protect you against nearly all *common* attacks. Today's anti-virus products even scan mail and http traffic for threats before your applications can process the data themselves (usually not in free versions of the AV apps). To say it adds no value at all is sending a very bad message to the majority of readers who would like to think they're better equipped to handle their own security than they really are.
The reality is that you can very easily do many simple things to help protect yourself. Install all your application updates promptly, be careful where you download software from, don't run attachments from spam e-mail, don't follow links sent to you in email without checking where they really go first, be careful where you enter your card details, run AV software, etc. etc.
However, beyond a certain point you have to spend exponentially more effort, beyond what the majority of people would consider reasonable, for very small gains in security. Chances are that you will still suffer fraud etc. during your lifetime, and it will be due to some vector completely beyond your control.
No, I didn't RTFA. 9 pages? gtfo.
Very strange... why would someone become transgendered and then turn lesbian? Wouldn't it be easier just to stay male in the first case? Maybe s/he is going for a high level of personal security through gender virtualization.
1. I always thought that bigger risk for hospital is an random virus then DDoS attack. I did heard about normal virus attacking hospital - nobody has planned so just someone opened one attachment too far or something like that - but I did not about DDoS attack. Since what would he want to achive? 2. Unfortunatly we live in the world in which there are people beliving they will get 10% for transfer of money from one country to another (usually those countries for some reason don't have good reputation). And usually having AV, not opening attachments unless expected etc. helps avoiding most of the attacks for normal people - nobody will try to DDoS them. Different matter is with companies etc. They need to be secure. I was considered paranoid whenI advised having password and not using admin account for others. 3. Yes - for most people the discovery of the next bug in IE/Fx/Opera/... does matter. I'm not interested much if there is theoretical possibility that software is safe. I'm interested in the security here and now. Numbers of bugs discovered is not the best measurement - much better is time-to-patch - but still it is important in practice. Similary - a single shifts in prices are not important for theoretical economist - but for consumers and producers they are much more important [although thay may posses much less knoledge about origin of shift etc.]. 4. Monolithic kernel does not necessary implies 3rd part drivers. OpenBSD have monolithic kernel and AFAIR does not support loading modules after boot. Linux have most of the drivers included and is perfectly operative without loading modules. There are resons why to use them but they are optional.
I've probably left my head... somewhere. Please wait untill I find it.
Homepage: http://blog.piechotka.com.pl/
I can't remember where I read this (probably on /.), but there was some speculation that Jan Rutkowska used to be Johann Rutkowska or something similar.
Of course, I guess if they really are a girl, there's not much reason to care.
Color codes for the three machines should be Red, Green and Blue. This will improve security against the bluepill attack. See bluepills cannot attack "blue" machines!
O this learning! What a thing it is - William Shakespeare
She now realizes that Ken Thompson's paper:
"Reflections on Trusting Trust"
http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
- is the basis of ANY hardware firmware or re-flashing of hardware.
I can't wait for next month and hopefully the bombshell we've been waiting for.
Brilliant Joanna indeed.
~hylas
How do you know Nod is actually doing what it claims? It's easy to boost performance by lying about tests. On the other hand, lying is not an option for free scanners.
Very strange... why would someone become transgendered and then turn lesbian?
You don't 'become' trans-gendered. Current medical opinion is that it's a brain structure thing you're born with.
And you wouldn't 'turn' lesbian either, typically you would be born with the tendency to be oriented towards men/women/both.
Gender identity (whether you 'feel' that you are male or female) and sexual orientation (whether you are attracted to men or women or both) are separate issues. It's not a question of 'what is easier', it's a fundamental identity issue.
While DEP is nice, it cannot prevent all exploits from buffer overflows. Google for return-to-libc, it's even in the wikipedia article you linked. Thus, if DEP was enabled by default exploit authors would switch to return-to-libc against Win7 instead of using "classical" exploits. Same as AV: It keeps the stupid attackers out, but the good ones will circumvent it.
A good AV will detect unknown threats and zero day attacks even before you read about them.
Really, how does that work if the malware has been tested to work against the AV before it being released into the wild?
Bugs don't have to be undetectable, they just have to be a pain in the ass to remove, very difficult to stop up-front, and quick/easy to deploy their mischief. If those criteria are met, then with a zero-day exploit (these are published all the time), the bug could potentially hit maybe 20% of computers on the Internet successfully (Assume 80/20 rule for got the patch in time, etc.). How many more millions of machines do you need to infect and run your program on than 20% of the Internet?
stuff |
Sorry, what a load of crap.
Thank you for telling it like it is.
-- $G
^^^butthead and beavis type snigger^^^
A few years ago, I set up a bunch of thin clients for general browsing, chatting and homework at a school dorm [...] upon login (LDAP authentication), the user's directory would be mounted from an individual password-protected Samba share (accessible from the users' personal computers as well), with the noexec attrubite of course.
In an environment where everything writable is noexec, how do engineering and computer science students run programming exercises that they have compiled? Or is it a Dijkstra-style "if you compile your assignments, you get an F" course?
I just don't give a damn about any stupid EULA. I have read them in the past, and disagree with half of what is printed in them. "Accepting" the EULA is a coercive exercise. Basically, it says "If you don't like ANYTHING we tell you, then you can't use our software." Bullshit. Complete and utter bullshit. I take almost all the same liberties with Microsoft and other proprietary software that I take with open source software - decompile, reverse engineer, change code, etc. The ONLY thing that I don't do with proprietary, is to redistribute. What I do INHOUSE is my business.
The day that Microsoft sits down with a panel of consumers who represent business, government, the nerd community, and average users, and hammer out a REASONABLE EULA, then I'll pay attention to the EULA again. The best "for instance" is the changing hardware deal. If I buy a Compaq, and the mainboard dies a week after the warranty dies, I insist that I have the right to replace the mainboard and any peripheral hardware, and to reinstall Windows - FOR FREE.
Corporate coercion of consumers may or may not be legal - but I will never respect it, or abide by it.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
I have worked with one of them working for a quite large French IT company. She was 1.95m tall. Probably the most incredible programmers I have never worked with. A real math genius. Frankly the first day is weird, you basically see a basket ball player dressed as a woman...And then slowly you get used to it. She was a real pro and we were glad to have her in the team. That's their life and they can do whatever they want with it, not my problem.
The reason most "microkernels" have bad performance is that they are not anywhere near "micro" enough.
Indeed, and one of the ways they achieve this is by NOT performing context switches between different security domains for every message. For example, the L3 and L4 family kernels delegate security domain management to user-space programs, and L4Ka supports message passing operations entirely in user space... with no kernel intervention.
This is bringing the design back to the real-time operating systems that inspired the whole Microkernel concept.
a web browser that doesn't execute attachments
Do you actually own a computer?
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
Wait, what are you trying to sell me?
Don't put the word "browser" in the summary of an article that isn't really about them. Knowledge of a web browser represents the bare minimum level of expertise necessary to comment on /. and as such the inclusion of that word in the summary greatly increases the signal-to-noise ratio.
Your pal,
The guy who wanted to read informative comments about VM exploits rather than NoScript
Honestly.
AV is decent, and is useful is you have a large network to maintain, or users who don't know what they are doing.
If you know what you are doing, keep your OS patched and locked down, use a secure browser, keep up maintenance like looking out for odd files/processes etc, then AV is not going to add any additional protection. IN fact, the presence of AV, since it generally has to run as Administrator, adds an unnecessary attack vector. There are very few, if any scenarios where the security of a machine will be increased by the presence of an AV if the machine is well maintained and locked down and the user knows what they are doing. There are plenty of situations where having an AV could lead to a DoS, shell or false sense of security.
There is nothing wrong with a security researcher not using AV and using a more secure approach,especially given the nature of her work and the sensitive information she deals with.
If you ignore ACs because they are anonymous - you're an idiot.
Her setup is more like a fortress filled with cruise missiles that can be launched with lots of advanced warning of attack.
And atom bombs! And ninjas! In a whiny white fortress on a mountaintop. Totally sweet!
Sir, you seem to have gone a bit over top with your war-analogies, somehow implying that virtual machines can cause a digital equivalent of "cruise missile" damage to attackers. At best, such a setup would render attacks useless.
May I suggest a car analogy?:
A dirty old car you drive in the nasty neighborhoods (not really caring if it is destroyed) as well as a fancy Mercedes to drive to the places you know for certain nothing bad will happen to the car.
I lost my sig.