Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Threats 3 Levels Beyond Kernel Rootkits

Posted by kdawson on from the close-to-the-machine dept.

GhostX9 writes "Tom's Hardware has a long interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages). Many think that kernel rootkits are the most dangerous attacks, but Joanna and her team have been studying exploits beyond Ring 0 for some years. Joanna is most well known for the BluePill virtualization attack (Ring -1) and in this interview she chats a little bit about Ring -2 and Ring -3 attacks that go beyond kernel rootkits. What's surprising is how robust the classic BluePill proof-of-concept is: 'Many people tried to prove that BluePill is "detectable" by writing various virtualization detectors (but not BluePill detectors). They simply assumed that if we detect a virtualization being used, this means that we are "under" BluePill. This assumption was made because there were no products using hardware virtualization a few years ago. Needless to say, if we followed this way of reasoning, we might similarly say that if an executable makes network connections, then it must surely be a botnet.'" Rutkowska says that for her own security, "I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization." She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.

9 of 264 comments (clear)

  1. Well... by afabbro · · Score: 5, Insightful

    She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.

    And in the article:

    I totally don't care about a compromise of my "Red" machine--in fact I revert it to a known snapshot every week or so. I care much more about my "Yellow" machine. For example, I use NoScript in a browser I have there to only allow scripting from the few sites that I really want to visit (few online shops, blogger, etc). Sure, somebody might do a man-in-the-middle (MITM) attack against a plaintext HTTP connection that is whitelisted by NoScript and inject some malicious drive-by exploit, but then again, Yellow machine is only semi-sensitive and there would not be a big tragedy if somebody stole the information from it. Finally, the "Green" machine should be allowed to do only HTTPS connections to only my banking site.

    And as long as your bank is never hacked and serving up malware, that probably works well...

    --
    Advice: on VPS providers
  2. Why? by rysiek · · Score: 5, Funny

    "...interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages)"

    Why oh why did they split Joanna into 9 pages?! Thats so cruel!

    Also, First Post

    1. Re:Why? by Anonymous Coward · · Score: 5, Funny

      Very long legs.

  3. I have to agree it is idiotic by Sycraft-fu · · Score: 5, Insightful

    It is idiotic for three reasons:

    1) The vast majority of attacks out there are simple programs that install in the OS. They are not some uber VM root kits or the like. As such, a virus scanner running in the OS is perfectly capable of dealing with them. So no, it doesn't give you 100% defense but I bet it stops 99.99% of the attacks out there and that is worth something.

    2) Even in the case of low level root kits, they still have to get to your system in the first place. That in general means they have to get downloaded form the net or transferred from a CD or flash drive. Guess what? A virus scanner in the OS can stop that. It can scan the program coming in, before it has a chance to run, and block it. Even if the program would set itself up on a level below what the scanner could detect, the scanner can notice it as it is coming in before it can execute and do that.

    3) Defense in depth is ALWAYS a good idea. In the real, physical, world you have to accept that no security is unbreakable. Anything you can make another person can unmake or circumvent. Thus security does not come from having one impassable layer, it comes from having multiple layer of different kinds. Should one layer be bypassed, security over all is not compromised. Well, a virus scanner on the system is another layer. Should be the only layer, but it helps.

    Personally, I've never been impressed with her as a security researcher. She seems to be rather paranoid, and living in a theoretical world. In part this is because for all the chatter about Blue Pill, I haven't seen it made practical. Oh sure you can talk about an undetectable super rootkit on paper but does it actually work in the real world? VMWare doesn't think it would, and they do know more than a bit about virtualization.

    I'm not saying this isn't an interesting line of academic research, but I'm getting tired of the "OMG I can own any system and not be detected!" doomsaying. No, really, not the case it seems.

  4. Re:o.k. by Anonymous Coward · · Score: 5, Funny

    If only somebody would make a free OS! Well, I guess we can always dream.

  5. Re:huh? by benjamindees · · Score: 5, Insightful

    Think of it this way. Antivirus software is like the Marginot Line. It will keep out most invaders. But the really threatening ones will simply drive around it and disable it from the inside.

    Her setup is more like a fortress filled with cruise missiles that can be launched with lots of advanced warning of attack.

    Both have costs. One is more effective than the other. So, saying that something expensive and incomplete like the Marginot Line provides increased security may be technically true, but it's kind of a moot point.

    --
    "I assumed blithely that there were no elves out there in the darkness"
  6. Re:Better solution: read only media by Enleth · · Score: 5, Interesting

    Been there, done that, works great.

    A few years ago, I set up a bunch of thin clients for general browsing, chatting and homework at a school dorm - they were (were, as I have no idea if they're still in use, but they were absolutely maintenance-free, so I guess they should be) running Linux, with the kernel and boot config (generated on the fly) loaded from a read-only TFTP server and / mounted from a read-only NFS share. On each boot, the init scripts would finish generating a machine-specific configuration in /etc/ and mount a few ramfses on top of some directories using unionfs to give an illusion of a read-write filesystem. Then, upon login (LDAP authentication), the user's directory would be mounted from an individual password-protected Samba share (accessible from the users' personal computers as well), with the noexec attrubite of course. /tmp/ and /var/ were also noexec. Upgrades to the client system were performed at the server, by chrooting into the exported root directory.

    Such a configuration is absolutely invulnerable to users, rootkits, viruses and any other riffraff known for breaking things in computers. Even in the unlikely event that someone gained root privileges on a client, they would actually gain nothing and even that nothing would vanish after a reboot.

    --
    This is Slashdot. Common sense is futile. You will be modded down.
  7. Re:o.k. by Starayo · · Score: 5, Funny

    I guess it's true that what you don't know can't hurt you.

    Okay, so, you're walking through your house, right? And you think, "I know, I think I'll make some pancakes", so you go to the kitchen. But what you don't know is there's an ANGRY GRIZZLY BEAR in your cupboard next to the flour.

    --
    Ezekiel 23:20
  8. Re:o.k. by Anonymous Coward · · Score: 5, Funny

    Okay so at my school we have faculty advisers that are assigned to students according to their last names. The faculty advisers help students with scheduling conflicts, general questions, help with internships/employment, etc. My adviser is named Jess Depew and she's pretty hot. I don't have a picture that could do her justice at the moment. She's like 25 and she's only been at the school a few years. Anyway, I have been looking into getting an internship at a TV station or something over the summer, and the school helps coordinate these things with an internship database that's maintained by the advisers. You log on with your school ID and password and you can browse internships and stuff. I was having trouble logging on to mine so I went to go see Ms. Depew. That's where all the trouble started.

    Firstly, I walked into office like 15 minutes early like an idiot and she's in the middle of lunch. So I awkwardly make stupid stall talk until she's finished.

    "Oh, hey, what are you eating?"
    "Salmon. I love it. I eat it practically everyday."
    "Just salmon? That's pretty weird." Why the hell did I say this?
    "Oh, well, I don't know. I try to eat healthy, natural foods...you know, like wild berries and honey and stuff."
    "Yeah, I like food too." *facepalm*

    Man, I was so nervous. Anyway, we finally begin squaring my stuff away. She looks up what I registered with in the beginning of the year. This is when the crap really hit the fan. This is how the conversation went:

    "Okay, your account name is [my name] and your password is ...'depewissexy'..."

    Oh damn. I completely forgot that I put that as my password in the beginning of the year. What the hell was I thinking? It was probably the longest 20 seconds of my life before I finally got my balls together to stand up and leave. Just as I walk out the door she says,

    "In the future, you might want to bear in mind what kind of things you want keep to yourself."

    I was so freaking embarrassed I wanted to kill myself right then and there. I wanted to run the hell out of there and never, ever see her again. But something about what she just said kept me standing in her doorway. I decided to man up and apologize. I turned to her, looked her straight in the eyes, and swallowed my pride. And then, it hit me like a train full of bricks.

    She was eating Salmon.

    She tries to eat all healthy, natural foods, like wild berries and honey.

    She told me that I might want to bear in mind what kind of things I want to keep to myself.

    Ms. Depew was a bear disguised as a human.

    Immediately, the bear saw that I had seen through its charade. It roared loudly and took a menacing swipe at me. I deftly avoided its claw and sprinted out of the office. The bear was soon in chase, crashing through the walls of the office as if they were made of paper. I jumped over the receptionist desk and ran out the back entrance. The bear followed, tossing the secretary aside like a rag doll. The bear began to pursue me through the street traffic. While I fought my way through the maze of vehicles, the bear simply careened its massive force through anything standing in its way. Cars veered off the road to escape the onslaught of grizzly force that was barreling down the road. The bear was gaining fast. I had no other option but to make my way into the nearest building: a preschool. I burst through the door, startling the children from their naps. Immediately, the bear slammed through the wall, crushing a child beneath his massive paws and burying several other children in sheet rock and debris. I maneuvered my way through the chaos towards the back exit. The pre-schoolers were little more than a screaming annoyance for the bear. Its massive paws cut swaths through the sea of toddlers with each swipe. I used the precious time these children had afforded for me to make my escape into the playground. I scrambled up a ladder to a fort-like structure. My goal was to walk across the monkey bars then jump to a tree which I could climb