Slashdot Mirror

← Back to Stories (view on slashdot.org)

100kb of Unusual Code Protecting Nuclear, ATC and United Nations Systems

Posted by Soulskill on from the norton-antivirus-from-1991 dept.

An anonymous reader writes: For an ex-academic security company still in the seeding round, startup Abatis has a small but interesting roster of clients, including Lockheed Martin, the Swiss military, the United Nations and customers in the civil nuclear and air traffic control sectors. The company's product, a kernel driver compatible with Windows, Linux and Unix, occupies just 100kb with no dependencies, and reportedly achieves a 100% effectiveness rate against intruders by preventing unauthorized I/O activity. The CEO of Abatis claims, "We can stop zero day malware — the known unknowns and the unknown unknowns." The software requires no use of signature files, white-listing, heuristics or sandboxing, with a separate report from Lockheed Martin confirming very significant potential for energy savings — up to £125,000 per year in a data center with 10,000 servers.

5 of 145 comments (clear)

  1. Re:'Numérotez vos abatis'... by Anonymous Coward · · Score: 5, Informative

    Litteraly : "lèche un très gros pénis" but "suce une très grosse bite" would be a more common way to say it.

  2. Sourceforge Hijacks the Nmap Sourceforge Account by johanw · · Score: 4, Informative

    Because /. editors seem to have inconvenient hollidays I'll just spam this topic with the bahaviour of their mother company:

    From http://seclists.org/nmap-dev/2...:

    From: Fyodor
    Date: Wed, 3 Jun 2015 00:56:23 -0700

    Hi Folks! You may have already read the recent news about Sourceforge.net
    hijacking the GIMP project account to distribute adware/malware.
    Previously GIMP used this Sourceforge account to distribute their Windows
    installer, but they quit after Sourceforge started tricking users with fake
    download buttons which lead to malware rather than GIMP. Then Sourceforge
    took over GIMP's account and began distributing a trojan installer which
    tries to trick users into installing various malware and adware before
    actually installing GIMP. Of course this goes directly against Sourceforge
    CEO Michael Schumacher's promise less than two years ago:

    "we want to reassure you that we will NEVER bundle offers with any project
    without the developers consent"
    --http://sourceforge.net/blog/advertising-bundling-community-and-criticism/

    So much for that promise! Anyway, the bad news is that Sourceforge has
    also hijacked the Nmap account from me. The old Nmap project page is now
    blank:

    http://sourceforge.net/project...

    Meanwhile they have moved all the Nmap content to their new page which only
    they control:

    http://sourceforge.net/project...

    You can see at the top that the owners of the Nmap page are now
    'sf-editor1', and 'sf-editor3'. You can click on those to see other
    projects they have hijacked.

    So far they seem to be providing just the official Nmap files (as long as
    you don't click on the fake download buttons) and we haven't caught them
    trojaning Nmap the way they did with GIMP. But we certainly don't trust
    them one bit! Sourceforge is pulling the same scheme that CNet
    Download.com tried back when they started circling the drain:

    http://insecure.org/news/downl...

    We will ask Sourceforge to remove the hijacked Nmap page, but more
    importantly we want to reiterate that you should only download Nmap from
    our official SSL Nmap site:

    https://nmap.org/download.html

    If you don't trust SSL by itself (and we don't blame you), you can also
    check the GPG signatures: https://nmap.org/book/install....

    Cheers,
    Fyodor

    PS: Ars Technica has a good article about the Sourceforge/GIMP fiasco:
    http://arstechnica.com/?p=6734...

    PPS: Sourceforge now claims they will stop trojaning software without the
    developer's permission, but they've broken that exact promise before.

  3. Cut the write enable line? by Sangui5 · · Score: 5, Informative

    Chris Howden and John Plumb are the author and approver (respectively) from Lockheed..... Chris and John are lousy scientists.

    The kindest way I can figure it is that the driver simply disables disk IO... hence there may be a small power savings from the lack of writes. Less kindly, they happened to measure lower power, and are reporting experimental noise as a solid result (see www-plan.cs.colorado.edu/diwan/asplos09.pdf for instance). We have no error bars (or even a # of runs), so it really isn't possible to say, but disabling disk writes could conceivably reduce power draw. The methodology section is sketchy enough to make solid conclusions impossible; the reporting of experimental details is worse.

    Of course, this doesn't (and they admit it) stop me from hacking them in RAM... nor does it stop persistent firmware attacks (e.g. http://www.wired.com/2015/02/n...), nor does it stop me from trapping to ring 0, then trapping to SMM, then just ignoring their F*ING CODE BECAUSE I"'M IN SMM MODE BITCH!!! I GOTZ MY OWNZ ATA CODEZ

    Or something.. I'd recommend just cutting the write-enable line on an old IDE drive, or rebooting periodically and running Tripwire from non-writable media (CD?). It's likely cheaper, and probably just as effective.

  4. Re:'Numérotez vos abatis'... by Mendy · · Score: 4, Informative

    I don't get the power saving thing though - that sounded very snake oil like. I mean, if your system isn't compromised, what CPU operations is it reducing exactly?

    There is a bit in the linked PDF which says...

    "Abatis Hard Disk Firewall, was also tested using the same standardised environment and shown to block applications and background processes from executing; saving energy from a baseline configuration."

    What they seem to have done in the test is taken a standard system and measured the power consumption. They've then tested that baseline with one of 3 3rd-party AV products and recorded the power consumption go up. They've then installed tested it with their kernel module that blocks I/O and unsurprisingly noticed that a system which isn't using the disks uses less power.

    It also says...

    "Between best case, HDF and worst case, AV Product 2 there is a potential annual cost saving in excess of £12 at server level, this scaling up to £125,000 in a data centre with 10,000 servers."

    I would have thought that if you had 10,000 servers and wanted to avoid power I/O costs you wouldn't have specced them with physical storage in the first place and would be network booting them instead.

  5. Re:'Numérotez vos abatis'... by TimothyLawless · · Score: 5, Informative

    Based on the exclusions, it sounds like a Rule-based anomaly detection engine with some sort of self-training module. Ironically, this is one of the first types of IDS systems created, and is counted as one of the first works by Dorthy Denning (http://webpages.cs.luc.edu/~pld/courses/447/sum08/class9/denning.intrusion_detection_model.pdf). The most successful implementations have used the Markov chain based model. Their down side is that they require a degree of 'training' before the IDS model may go active; however, in a well understood environment like that of a windows server running windows applications, its possible the training could be done in the back-end shop and shipped to customers as part of the COTS product.