100kb of Unusual Code Protecting Nuclear, ATC and United Nations Systems
An anonymous reader writes: For an ex-academic security company still in the seeding round, startup Abatis has a small but interesting roster of clients, including Lockheed Martin, the Swiss military, the United Nations and customers in the civil nuclear and air traffic control sectors. The company's product, a kernel driver compatible with Windows, Linux and Unix, occupies just 100kb with no dependencies, and reportedly achieves a 100% effectiveness rate against intruders by preventing unauthorized I/O activity. The CEO of Abatis claims, "We can stop zero day malware — the known unknowns and the unknown unknowns." The software requires no use of signature files, white-listing, heuristics or sandboxing, with a separate report from Lockheed Martin confirming very significant potential for energy savings — up to £125,000 per year in a data center with 10,000 servers.
Oh yeah? From reading the summary, it sounds like a scam. But I'd really like to know on what principles this 'security driver' is based. BTW, the title I used means that you are going to be torn to shreds in French. An aptly chosen name for a company with such claims!
Non-Linux Penguins?
Sounds legit.
Everything beautiful comes in small sizes. That just happens to have 99kb too much!
This sounds so outlandish that I'll need much persuasion before I just start to believe that.
I can protect any system against all kinds of unknowns (including the ones that are unknown by unknown unknowns) with bash one-liner:
# dd if=/dev/zero of=/dev/sda bs=512 count=1 && halt
You can patch the kernel on a running system without writing to disk. Their claims are self contradictory.
If you can read this you've gone too far.
It just automatically turns the machine off whenever you power it on! Foolproof!
"please don't hack me"?
This article has all of the classic snake oil markers.
I'd need to know a lot more about it before I'd part with even money.
Not the first to call it but I'll call it anyway:
Bovine poop.
"Magic" technologies like this usually under-deliver, or do not help at all. In particular, a detection rate of 100% is simply impossible, already from purely theoretical observations and even more so in practice.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
That is my only question: can I have a flying unicorn? I'm not satisfied with a mere unicorn, or a pegasus. My little girl is turning 2, and it's time she thought about both her data security and her mythical beings. For my baby girl, I won't settle for anything less than the best. Beyond a 100KB 100% effective security module, I want a horse, flying, with one horn, capable of defeating any poison, and only capable of being captured by a virgin.
And she also wants a puppy.
Well, it's called Tron.
It's a security program itself, actually.
It monitors all contacts between our system and other systems.
Finds anything going on that's not scheduled, it shuts it down.
An amazing product!
I have this explosives detector I'd like to know if you're interested in. It's used by the Iraqi government...
Sounds like on boot it verifies certain kernel drivers and authenticates them to access the drive. It then acts as a firewall, dropping any other disk I/O requests. The security is predicated on nothing else loading before it and handling drive I/O. That and no code errors will cause it to fall over.
It will work, but then that is the purpose of other forms of security like protected memory, only apps compromise this by loading external code into their memory space rather than using COM or RPC.
So, this is nothing special. It works because the code is bug free, or should I say backdoor free, unlike most commercial and open-source code at this level.
100% effectiveness.
What they really mean is:
We have no clue how effective this really is, and are too stupid to realize it.
This goes for nearly every "100%" claim and most "99.99%" claims.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
At least that would have given us some fair warning.
From description, it sounds like the AppArmor.
All hope abandon ye who enter here.
I'm unsure what this offers that you can't do with SELinux or similar.
I also don't see how it can work without white listing of some kind unless they're just blocking access to everything which seems impractical and is something you could do with drive mount options anyway.
Because /. editors seem to have inconvenient holidays I'll just spam this topic with the behaviour of their mother company:
From http://seclists.org/nmap-dev/2...:
From: Fyodor
Date: Wed, 3 Jun 2015 00:56:23 -0700
Hi Folks! You may have already read the recent news about Sourceforge.net
hijacking the GIMP project account to distribute adware/malware.
Previously GIMP used this Sourceforge account to distribute their Windows
installer, but they quit after Sourceforge started tricking users with fake
download buttons which lead to malware rather than GIMP. Then Sourceforge
took over GIMP's account and began distributing a trojan installer which
tries to trick users into installing various malware and adware before
actually installing GIMP. Of course this goes directly against Sourceforge
CEO Michael Schumacher's promise less than two years ago:
"we want to reassure you that we will NEVER bundle offers with any project
without the developers consent"
--http://sourceforge.net/blog/advertising-bundling-community-and-criticism/
So much for that promise! Anyway, the bad news is that Sourceforge has
also hijacked the Nmap account from me. The old Nmap project page is now
blank:
http://sourceforge.net/project...
Meanwhile they have moved all the Nmap content to their new page which only
they control:
http://sourceforge.net/project...
You can see at the top that the owners of the Nmap page are now
'sf-editor1', and 'sf-editor3'. You can click on those to see other
projects they have hijacked.
So far they seem to be providing just the official Nmap files (as long as
you don't click on the fake download buttons) and we haven't caught them
trojaning Nmap the way they did with GIMP. But we certainly don't trust
them one bit! Sourceforge is pulling the same scheme that CNet
Download.com tried back when they started circling the drain:
http://insecure.org/news/downl...
We will ask Sourceforge to remove the hijacked Nmap page, but more
importantly we want to reiterate that you should only download Nmap from
our official SSL Nmap site:
https://nmap.org/download.html
If you don't trust SSL by itself (and we don't blame you), you can also
check the GPG signatures: https://nmap.org/book/install....
Cheers,
Fyodor
PS: Ars Technica has a good article about the Sourceforge/GIMP fiasco:
http://arstechnica.com/?p=6734...
PPS: Sourceforge now claims they will stop trojaning software without the
developer's permission, but they've broken that exact promise before.
Chris Howden and John Plumb are the author and approver (respectively) from Lockheed..... Chris and John are lousy scientists.
The kindest way I can figure it is that the driver simply disables disk IO... hence there may be a small power savings from the lack of writes. Less kindly, they happened to measure lower power, and are reporting experimental noise as a solid result (see www-plan.cs.colorado.edu/diwan/asplos09.pdf for instance). We have no error bars (or even a # of runs), so it really isn't possible to say, but disabling disk writes could conceivably reduce power draw. The methodology section is sketchy enough to make solid conclusions impossible; the reporting of experimental details is worse.
Of course, this doesn't (and they admit it) stop me from hacking them in RAM... nor does it stop persistent firmware attacks (e.g. http://www.wired.com/2015/02/n...), nor does it stop me from trapping to ring 0, then trapping to SMM, then just ignoring their F*ING CODE BECAUSE I'M IN SMM MODE BITCH!!! I GOTZ MY OWNZ ATA CODEZ
Or something.. I'd recommend just cutting the write-enable line on an old IDE drive, or rebooting periodically and running Tripwire from non-writable media (CD?). It's likely cheaper, and probably just as effective.
Date check, today is April 1st?
We used to use unidirectional ethernet cables. Basically the TX wires clipped out on the receiving end to the less secure network. You do need ethernet cards you can set to accept a link without having a full handshake going.
But it allowed us to set up the SCADA network to take the data stream we needed to get to the collection and reporting PC and UDP broadcast it. Then the PC that can only receive is set up to listen for and receive it. Works great and is 100% hacker proof, as hackers have yet to write code that can cause copper to grow back in a CAT-5e cable.
Now if we could keep the N00b SCADA programmers from bringing in their crap-tastic home laptops for programming changes and becoming the largest infection vector.
Do not look at laser with remaining good eye.
On the Info security blog he mentions that it's the kernel which recognises executable files.
So, how does the kernel know which executables are legit to run?
If I want to run my CreateDancingBunniesDrawingsIn0Days.exe I would give it permission just like the new update from my office suite because I don't know any better. Unless there is a program which recognises the executable as malware and warns me. Something that gets updates hourly from a central source of known malware maybe?
Better yet, we need something where we allow programs only specific access to resources. Including a buffer for disk access that can be flushed or written to disk after confirmation.
I doubt it'll fit in 100KB though.
Yeah, this sounds like those magic sticks someone was selling a few years ago.
bool isThreatDetected(IoRequest req) { // Caveat: may cause false positives
    return true;
}
// In practice, any claims that software is this effective require detailed, convincing explanation and proof.
John_Chalisque
See subject: NTFS has 'em - limits how much user entities write to disk...
Except this Abatis HDF antivirus SOUNDS like they applied the idea of quotas BY USER, as NTFS has, albeit this time to PROCESSES instead here in the Abattis HDF Anti-Virus product the article's about!
(I read it briefly, skimming only, so I hope I am not wrong on HOW it actually works as a layered filtering driver checking processes write I/O restrictions it creates, by process instead of by user like how I understand disk quotas work).
* It's much the same idea as hosts files produce blocking various online entities from "writing to the canvas" in browsers by filtering @ the IP stack level (as efficiently as it gets doing more with less moving parts, ala APK Hosts File Engine 9.0++ SR-2 32/64-bit doing so @ that level -> http://start64.com/index.php?o... )
APK
P.S.=> Well, "whaddayathink"?
to shutdown -hP now?
https://msdn.microsoft.com/en-...
I am very small, utmostly microscopic.
If it's a linux kernel driver then it must adhere to the GPL policy...
Thus where is the code for this magical piece of software?
I'd really like to know on what principles this 'security driver' is based on
TFS I'm going for homeopathy.
If the marketing technobabble is correct the code is 100k but naught is said about data store, memory and persistent. Or whether the system satisfies these claims 'out of the box' or there is some training/learning period. Of course the pitch also does not indicate how often the Key Operator is called to investigate and override false alarms, and what the investigate/resolution process takes. Some ACs with experience might be useful...
You could have a 'train/run' switch that you flip to 'train' on first install during a period in which you do not reasonably expect intrusions, putting it through paces and trigger your software to check for updates, things like that, where it passively builds a profile of normal activity. Then flip it to 'run'. Then if it is a machine that does just a few things all day, the software has a pretty good idea of what to expect.
The payoff would come from how well you could parametrize the basic inputs --- stack state, communications endpoints and addresses, using directory hierarchy on disk --- and introduce a clever degree of fuzziness that also implements a sense of 'near' and 'far' on both class of operation and value.
Then maintain a pointer in some so-called 'phase space' and burn data into a sparse array to create a virtual landscape with erosion. In 'run' mode it is almost always hitting (or near) areas that have been populated. If the pointer strays from the populated region we have an alarm.
For example, a process that has never accessed data outside its installed folders suddenly does so. Network addresses compared by closeness in the neighborhood.
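The train/run profiler sketched in the comment above, as an added toy example (not Abatis's product and not code from the article): in 'train' mode it records which directories and which peer networks each process touches; in 'run' mode it flags I/O that is not 'near' the learned profile. The event shape, the 'near' rules (a path under a learned directory, a peer in the same /24) and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network
import posixpath


class IoProfiler:
    """Two-phase profiler: 'train' populates the landscape, 'run' alarms on strays."""

    def __init__(self):
        self.mode = "train"
        self.dirs = defaultdict(set)    # process -> directories it touched
        self.nets = defaultdict(set)    # process -> /24 networks it spoke to

    @staticmethod
    def _net_key(addr):
        # 'near' for network addresses: same /24 neighbourhood (assumed rule)
        return ip_network(f"{addr}/24", strict=False)

    def observe(self, process, kind, target):
        """Record (train) or judge (run) one I/O event.

        Returns None when the event is acceptable, otherwise an alarm string.
        """
        if kind == "file":
            key = posixpath.dirname(target)
            known = self.dirs[process]
            # 'near' for paths: the directory equals or sits under a learned one
            near = any(key == k or key.startswith(k.rstrip("/") + "/") for k in known)
        elif kind == "net":
            key = self._net_key(target)
            known = self.nets[process]
            near = key in known
        else:
            raise ValueError(f"unknown event kind: {kind}")

        if self.mode == "train":
            known.add(key)
            return None
        if near:
            return None
        return f"ALARM: {process} {kind} {target} is outside the learned profile"


# Constructed sample events: (process, kind, target)
TRAINING = [
    ("reporter", "file", "/opt/scada/data/day1.csv"),
    ("reporter", "file", "/opt/scada/data/day2.csv"),
    ("reporter", "net", "10.1.2.5"),
]
RUN = [
    ("reporter", "file", "/opt/scada/data/archive/day0.csv"),  # near: under learned dir
    ("reporter", "net", "10.1.2.9"),                           # near: same /24
    ("reporter", "file", "/etc/shadow"),                       # far: alarm
    ("reporter", "net", "203.0.113.7"),                        # far: alarm
    ("updater", "file", "/opt/scada/data/day1.csv"),           # never trained: alarm
]


def run_demo():
    """Train on TRAINING, flip to run mode, return the alarms raised by RUN."""
    prof = IoProfiler()
    for ev in TRAINING:
        prof.observe(*ev)
    prof.mode = "run"
    return [alarm for alarm in (prof.observe(*ev) for ev in RUN) if alarm]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Note that the false-positive question raised elsewhere in the thread shows up immediately: a process that legitimately starts touching a new directory after an update trips the alarm until it is retrained.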
<blink>down the rabbit hole</blink>
> This would be something to get upset about if GIMP wasn't shit [...]
Butthurt? Don't despair! There might be a cure for that
foreach (list of running processes) {
    if (process not supposed to be running) {
        kill (pid);
    }
}
Anything that claims a 100% success rate is doomed to fail; all you need is a single case to bring it down. Doing such a thing would mean a serious step forward on security. To tell the truth, I'm quite skeptical on this making any difference, at all.
This looks like it's more of a play for the embedded systems or IoT space. Look at the examples given, nuclear reactors, IoT, etc. These are specialized systems where it's possible to say "I've monitored the system for x time, and these are the things that should be running. OK, anything new running can't use the disk IO driver to write to the disk".
There was a similar proposal for a device to work on the engine bus but focused on communications. "We monitor the bus for the first X seconds and classify the traffic on it. Then if something new starts talking or an existing player suddenly starts communicating to something it has never talked to, we declare condition red and fire the photon torps."
Hyperbole aside of 100% protection against everything, this is not a bad strategy for very specialized systems. Doesn't do crap for a general purpose computing environment, but as we leverage general purpose OS and off the shelf hardware for more embedded/IoT applications, we begin to have uses for tools that are highly restrictive because the things they're protecting are well defined.
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
> Fyodor is a fraud
Blah, blah, blah.
Q: What has Fyodor done for me?
A: I've used nmap more than once. Thank you, Fyodor!
Q: What have you done for me?
A: Who are you, again?
Moral of the story: you'll have to invest a bit in your reputation until I take your rant in consideration.
If I remember correctly, there was a product for Windows NT in the late 90's that seemed very similar to this announcement.
What the product basically did was wrap all of the system calls and blocked any privileged ones except if you intervened at the console -- and there wasn't any way to spoof the intervention. It was quite effective once you got it set up (obviously it is hard to boot your OS without *some* privileged system calls), and I never did look into it enough to get their definition of "privileged", although enough to get that if your web server ran at a least-privileged state the product would keep an exploiter from gaining administrator access.
Again, the product worked but never seemed to take off.
> Like I give a fuck what you think
Seems we are in strong agreement, then.
"We haven't seen any attacks work therefore it must be 100% effective."
1: A lack of evidence is not evidence of a lack.
2: I have this wonderful Ticklebang repelling charm. Nobody wearing it has ever been stolen by Ticklebangs.
Notably, no explanation of how it determines what I/O is "Authorized" versus "Unauthorized".
@Whee
The control systems for a nuclear reactor or a flight data processing system don't ever need to run CreateDancingBunniesDrawingsIn0Days.exe, or any arbitrary code for that matter.
Neither, for that matter, do 99% of modern office workers - They don't need anything beyond what amounts to a dumb terminal with a dedicated connection to their ERP system. In security-insensitive environments, we've gotten used to having a web browser and music player and Solitaire and maybe even the ability to customize our desktop and cursors and so on; but AP voucher entry doesn't require any of that.
This 100k module clearly just does old-fashioned whitelisting, albeit at several levels beyond mere code execution (I/O, memory access, etc). The only really interesting angle of it, IMO, comes from the claim that it doesn't require binary signatures, so how does it know what to allow? As my best guess, they could evaluate the use cases for each client and just compile the list right into the binary, but I doubt we have any way to confirm or deny that.
...The CEO of Abatis claims, "We can stop zero day malware — the known unknowns and the unknown unknowns."
Well, with claims like this, all I have to say is good luck offering up a viable defense if shit happens one day to your unbreakable solution.
After all, shit never just happens, right?
They should call this Kernel driver the "ADE 651"
Troll is not a replacement for I disagree.
This sounds like the good old VMS operating system - though I do not know how many bytes that occupie[sd].
So, it's like Tron and can even monitor the MCP as well?
"Then maintain a pointer in some so-called 'phase space' and burn data into a sparse array to create a virtual landscape with erosion. In 'run' mode it is almost always hitting (or near) areas that have been populated. If the pointer strays from the populated region we have an alarm."
Could you please post a link to more information about these technologies and algorithms? I am very interested in graph analysis, including geolocation of information against a real or metaphorical landscape. I tried Googling but all I got was how to simulate erosion in a 3D image of a landscape.
Thanks
oil selfies and can fly.
Seriously.
by preventing unauthorized I/O activity
is the end already.
Logically speaking, one never knows exactly not about the authorization. Therefore, it can only be a selfie. A flying-oily-selfie.
Think hard, think fast, and within a fraction of a moment you'll agree with me as security researcher that preventing any invalid I/O is indeed a 100% safe bet. Over.
Any illegal and unauthorized bank transaction prevented makes banking 100% secure. The crux is the detection of what 'illegal' and 'unauthorized' transactions are.
In basic computational terms, as example, a write to hard disk is I/O. But no such writes come accompanied with an authorization tag issued by the CPU, as an atomic / complete instruction. Rather to the contrary: it is simply issued. Over. How would the gatekeeper software know that it is malware? Or, as I used to ask my students: which bit or byte or word is the bad one? Only to find out that none such does exist, but becomes malware only through the context, and only within its context.
Second, 'authorized' means what? All I/O must be authorized. Wow! And who authorizes a bunch of data coming in from www.site.pl? Who 'authorizes' a key stroke? Ah, keyboard is trusted. LAN?
The whole set reminds me of that old Windows Software, Zonealarm. I loved to demo it, with its enormous number of questions: Are you sure you want to accept ...? Are you sure you want to print to ...? Shall I remember this decision for you? Are you sure you want to visit google.com? Do you want me to remember this decision for you? Are you sure you want to accept logo_google.jpg? Shall I remember this decision for you? Are you sure you want to render google.html? Shall I remember ....
This one weird trick protects Nuclear, ATC, and United Nations Systems from malware attacks!
I don't know how to prove it but I feel intuitively that the claims made can be proved false using Goedel's theorem.
That's why I think it only works in static environments. Back when I set up the first Windows 2003 terminal server farm I used the builtin ability to restrict access to only those programs allowed to run.
Unfortunately in reality most offices have users with full access to their PCs (because they feel entitled to it) or at least their profile, so they can run whatever they want. The only thing blocking their behaviour is up-to-date anti-virus software.
Now that you've talked about it, malware makers know about it. Incoming malwares that are made specifically to bypass this.
I have seen this claim: "We can stop zero day malware — the known unknowns and the unknown unknowns" on 15€ sharewares / software boxes a long time ago.
Measuring code size in kilobits seems very unusual to me.
I read the paper from Lockheed Martin, and it's laughable. The electrical savings they claim make the assumption that a server is always running malware which is churning up processing time. They don't stop malware, and don't stop anything in memory.. so they save absolutely nothing and do absolutely nothing.. except of course make bad claims. Even if they could block the writes, which consumes more power.. a process attempting to write repeatedly and being refused, or a process allowed to write when requesting? They can't save money, by their own pathetic assumptions..
The company doing the testing.. well they are called "NCITE". Interestingly this can be to incite, or insight. My guess is the former. Maybe the latter if they are thinking like PT Barnum.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
It doesn't sound like you're describing the same software.
The software requires no use of signature files, white-listing, heuristics or sandboxing
"We can stop zero day malware — the known unknowns and the unknown unknowns."
...another person shows up just to show them exactly how wrong they really are to think they have an end-all security system. Making claims like this is pretty much issuing a challenge to people you really don't want looking at your systems.
BeauHD. Worst editor since kdawson.
>> You could have a 'train/run' switch that you flip to 'train' on first install during a period in which you do not reasonably expect intrusions, putting it through paces and trigger your software to check for updates, things like that, where it passively builds a profile of normal activity. Then flip it to 'run'. Then if it is a machine that does just a few things all day, the software has a pretty good idea of what to expect.
I see "heuristics" and "white-listing" in there.
>> introduce a clever degree of fuzziness
heuristics.
Not to mention, the 100k code itself could easily have vulnerabilities, which would then open up the entire system.
It's a lot of crap, and barely worth trying to humour.
It's simple. All malware carries an approved Illuminati ID marker within it; this kit just happens to have the secret reader for such IDs and can thus immediately disable them via their built-in Illuminati kill-switch. Takes very little code to do if you happen to possess the correct algorithms.
I am no coward it is just that I have not signed up here yet ;-)
Well, I know the code is actually 68KB in size. To the comment "Unless there is a program which recognises the executable as malware and warns me", the challenge is how do you decide if something is malicious: does reading the Excel file make it malicious if the reader is something other than Excel.exe, or is it malicious when it sends files over the network? If a process just reads some files and drops away, and a different process sends the data outbound, are they malicious? If we do that, then the false positive rate will certainly hit the roof, to the annoyance of most users.
Cheers,
NoAnonymousCoward