Slashdot Mirror
100kb of Unusual Code Protecting Nuclear, ATC and United Nations Systems
An anonymous reader writes: For an ex-academic security company still in the seeding round, startup Abatis has a small but interesting roster of clients, including Lockheed Martin, the Swiss military, the United Nations and customers in the civil nuclear and air traffic control sectors. The company's product, a kernel driver compatible with Windows, Linux and Unix, occupies just 100kb with no dependencies, and reportedly achieves a 100% effectiveness rate against intruders by preventing unauthorized I/O activity. The CEO of Abatis claims, "We can stop zero day malware — the known unknowns and the unknown unknowns." The software requires no use of signature files, white-listing, heuristics or sandboxing, with a separate report from Lockheed Martin confirming very significant potential for energy savings — up to £125,000 per year in a data center with 10,000 servers.
Oh yeah ? From reading the summary, it sounds like a scam. But I'd really like to know on what principles this 'security driver' is based on. BTW, the title I used means that you are going to be torn to shreds in french. An aptly chosen name for a company with such claims !
Non-Linux Penguins ?
Sounds legit.
I can protect any system against all kinds of unknowns (including the ones that are unknown by unknown unknowns) with bash one-liner:
# dd if=/dev/zero of=/dev/sda bs=512 count=1 && halt
You can patch the kernel on a running system without writing to disk. Their claims are self contradictory.
If you can read this you've gone too far.
It just automatically turns the machine off whenever you power it on! Foolproof!
"please don't hack me"?
This article has all of the classic snake oil markers.
I'd need to know a lot more about it before I'd part with even money.
"Magic" technologies like this usually under-deliver, or do not help at all. In particular, a detection rate of 100% is simply impossible, already from purely theoretical observations and even more so in practice.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
That is my only question: can I have a flying unicorn? I'm not satisfied with a mere unicorn, or a pegasus. My little girl is turning 2, and it's time she thought about both her data security and her mythical beings. For my baby girl, I won't settle for anything less than the best. Beyond a 100KB 100% effective security module, I want a horse, flying, with one horn, capable of defeating any poison, and only capable of being captured by a virgin.
And she also wants puppy.
Well, it's called Tron.
It's a security program itself, actually.
It monitors all contacts
between our system and other systems.
Finds anything going on that's
not scheduled, it shuts it down.
I have this explosives detector I'd like to know if you're interested in. It's used by the Iraqi government...
Slashdot - News for Nerds, Stuff that Matters, in ISO-8859-1 Has just realised that beta makes this signature redundant
100% effectiveness.
What they really mean is:
We have no clue how effective this really is, and are too stupid to realize it.
This goes for nearly every "100%" claim and most "99.99%" claims.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
From description, it sounds like the AppArmor.
All hope abandon ye who enter here.
I'm unsure what this offers that you can't do with SELinux or similar.
I also don't see how it can work without white listing of some kind unless they're just blocking access to everything which seems impractical and is something you could do with drive mount options anyway.
Because /. editors seem to have inconvenient hollidays I'll just spam this topic with the bahaviour of their mother company:
From http://seclists.org/nmap-dev/2...:
From: Fyodor
Date: Wed, 3 Jun 2015 00:56:23 -0700
Hi Folks! You may have already read the recent news about Sourceforge.net
hijacking the GIMP project account to distribute adware/malware.
Previously GIMP used this Sourceforge account to distribute their Windows
installer, but they quit after Sourceforge started tricking users with fake
download buttons which lead to malware rather than GIMP. Then Sourceforge
took over GIMP's account and began distributing a trojan installer which
tries to trick users into installing various malware and adware before
actually installing GIMP. Of course this goes directly against Sourceforge
CEO Michael Schumacher's promise less than two years ago:
"we want to reassure you that we will NEVER bundle offers with any project
without the developers consent"
--http://sourceforge.net/blog/advertising-bundling-community-and-criticism/
So much for that promise! Anyway, the bad news is that Sourceforge has
also hijacked the Nmap account from me. The old Nmap project page is now
blank:
http://sourceforge.net/project...
Meanwhile they have moved all the Nmap content to their new page which only
they control:
http://sourceforge.net/project...
You can see at the top that the owners of the Nmap page are now
'sf-editor1', and 'sf-editor3'. You can click on those to see other
projects they have hijacked.
So far they seem to be providing just the official Nmap files (as long as
you don't click on the fake download buttons) and we haven't caught them
trojaning Nmap the way they did with GIMP. But we certainly don't trust
them one bit! Sourceforge is pulling the same scheme that CNet
Download.com tried back when they started circling the drain:
http://insecure.org/news/downl...
We will ask Sourceforge to remove the hijacked Nmap page, but more
importantly we want to reiterate that you should only download Nmap from
our official SSL Nmap site:
https://nmap.org/download.html
If you don't trust SSL by itself (and we don't blame you), you can also
check the GPG signatures: https://nmap.org/book/install....
Cheers,
Fyodor
PS: Ars Technica has a good article about the Sourceforge/GIMP fiasco:
http://arstechnica.com/?p=6734...
PPS: Sourceforge now claims they will stop trojaning software without the
developer's permission, but they've broken that exact promise before.
Chris Howden and John Plumb are the author and approver (respectively) from Lockheed..... Chris and John are lousy scientists.
The kindest way I can figure it is that the driver simply disables disk IO... hence there may be a small power savings from the lack of writes. Less kindly, they happened to measure lower power, and are reporting experimental noise as a solid result (see www-plan.cs.colorado.edu/diwan/asplos09.pdf for instance). We have no error bars (or even a # of runs), so it really isn't possible to say, but disabling disk writes could conceivably reduce power draw. The methodology section is sketchy enough to make solid conclusions impossible; the reporting of experimental details is worse.
Of course, this doesn't (and they admit it) stop me from hacking them in RAM... nor does it stop persistent firmware attacks (e.g. http://www.wired.com/2015/02/n...), nor does it stop me from trapping to ring 0, then trapping to SMM, then just ignoring their F*ING CODE BECAUSE I"'M IN SMM MODE BITCH!!! I GOTZ MY OWNZ ATA CODEZ
Or something.. I'd recommend just cutting the write-enable line on an old IDE drive, or rebooting periodically and running Tripwire from non-writable media (CD?). It's likely cheaper, and probably just as effective.
Date check, today is April 1st ?
We used to use unidirectional ethernet cables. Basically the TX wires clipped out on the receiving end to the less secure network. You do need ethernet cards you can set to accept a link without having a full handshake going.
But it allowed us to set up the SCADA network to take the data stream we needed to get to the collection and reporting pc and UDP broadcast it. then the PC that can only receive set up to listen for and receive it, works great and is 100% hacker proof as hackers have yet to write code that can cause copper to grow back in a CAT-5e cable.
Now if we could keep the N00b SCADA programmers from bringing in their crap-tastic home laptops for programming changes and becoming the largest infection vector.
Do not look at laser with remaining good eye.
Oh come on... That isn't even bullshit.... It's horse shit!
This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
On the Info security blog he mentions that it's the kernel which recognises executable files.
So, how does the kernel know which executables are legit to run?
If I want to run my CreateDancingBunniesDrawingsIn0Days.exe I would give it permission just like the new update from my office suite because I don't know any better. Unless there is a program which recognises the executable as malware and warns me. Something that gets updates hourly from a central source of known malware maybe?
Better yet, we need something where we allow programs only specific access to resources. Including a buffer for disk access that can be flushed or written to disk after confirmation.
I doubt it'll fit in 100KB though.
home
Yeah, this sounds like those magic sticks someone was selling a few years ago.
bool isThreatDetected(IoRequest req) { // Caveat: may cause false positives
return true;
}
// In practice, any claims that software is this effective require detailed, convincing explanation and proof.
John_Chalisque
to shutdown -hP now?
- http://www.milkme.co.uk
https://msdn.microsoft.com/en-...
I am very small, utmostly microscopic.
I'd really like to know on what principles this 'security driver' is based on
TFS I'm going for homeopathy.
If the marketing technobabble is correct the code is 100k but naught is said about data store, memory and persistent. Or whether the system satisfies these claims 'out of the box' or there is some training/learning period. Of course the pitch also does not indicate how often the Key Operator is called to investigate and override false alarms, and what the investigate/resolution process takes. Some ACs with experience might be useful...
You could have a 'train/run' switch that you flip to 'train' on first install during a period in which you do not reasonably expect intrusions, putting it through paces and trigger your software to check for updates, things like that, where it passively builds a profile of normal activity. Then flip it to 'run'. Then if it is a machine that does just a few things all day, the software has a pretty good idea of what to expect.
The payoff would come from how well you could parametrize the basic inputs --- stack state, communications endpoints and addresses, using directory hierarchy on disk --- and introduce a clever degree of fuzziness that also implements a sense of 'near' and 'far' on both class of operation and value.
Then maintain a pointer in some so-called 'phase space' and burn data into a sparse array to create a virtual landscape with erosion. In 'run' mode it is almost always hitting (or near) areas that have been populated. If the pointer strays from from the populated region we have an alarm.
For example, a process that has never accessed data outside its installed folders suddenly does so. Network addresses compared by closeness in the neighborhood.
<blink>down the rabbit hole</blink>
Anything that claims a 100% success rate is doomed to fail, all you need is a single case to bring it down. Doing such a thing would mean a serious step forward on security. To tell the truth, i'm quite skeptical on this making any difference, at all.
This looks like it's more of a play for the embedded systems or IoT space. Look at the examples given, nuclear reactors, IoT, etc. These are specialized systems where it's possible to say "I've monitored the system for x time, and these are the things that should be running. OK, anything new running can't use the disk IO driver to write to the disk".
There was a similar proposal for a device to work on the engine bus but focused on communications. "We monitor the bus for the first X seconds and classify the traffic on it. Then if something new starts talking or an existing player suddenly starts communicating to something it has never talked to, we declare condition red and fire the photon torps."
Hyperbole aside of 100% protection against everything, this is not a bad strategy for very specialized systems. Doesn't do crap for a general purpose computing environment, but as we leverage general purpose OS and off the shelf hardware for more embedded/IoT applications, we begin to have uses for tools that are highly restrictive because the things they're protecting are well defined.
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
If I remember correctly, there was a product for Windows NT in the late 90's that seemed very similar to this announcement.
What the product basically did was wrap all of the system calls and blocked any privileged ones except if you intervened at the console -- and there wasn't any way to spoof the intervention. It was quite effective once you got it set up (obviously it is hard to boot your OS without *some* privileged system calls), and I never did look into it enough to get their definition of "privileged", although enough to get that if your web server ran at a least-privileged state the product would keep an exploiter from gaining administrator access.
Again, the product worked but never seemed to take off.
"We haven't seen any attacks work therefore it must be 100% effective."
1: A lack of evidence is not evidence of a lack.
2: I have this wonderful Ticklebang repelling charm. Nobody wearing it has ever been stolen by Ticklebangs.
Notably, no explanation of how it determines what I/O is "Authorized" versus "Unauthorized".
@Whee
The control systems for a nuclear reactor or a flight data processing system don't ever need to run CreateDancingBunniesDrawingsIn0Days.exe, or any arbitrary code for that matter.
Neither, for that matter, do 99% of modern office workers - They don't need anything beyond what amounts to a dumb terminal with a dedicated connection to their ERP system. In security-insensitive environments, we've gotten used to having a web browser and music player and Solitaire and maybe even the ability to customize our desktop and cursors and so on; but AP voucher entry doesn't require any of that.
This 100k module clearly just does old-fashioned whitelisting, albeit at several levels beyond mere code execution (I/O, memory access, etc). The only really interesting angle of it, IMO, comes from the claim that it doesn't require binary signatures, so how does it know what to allow? As my best guess, they could evaluate the use cases for each client and just compile the list right into the binary, but I doubt we have any way to confirm or deny that.
...The CEO of Abatis claims, "We can stop zero day malware — the known unknowns and the unknown unknowns."
Well, with claims like this, all I have to say is good luck offering up a viable defense if shit happens one day to your unbreakable solution.
After all, shit never just happens, right?
They should call this Kernel driver the "ADE 651"
Troll is not a replacement for I disagree.
This sounds like the good old VMS operating system - though I do not know how many bytes that occupie[sd].
So, it's like Tron and can even monitor the MCP as well?
"Then maintain a pointer in some so-called 'phase space' and burn data into a sparse array to create a virtual landscape with erosion. In 'run' mode it is almost always hitting (or near) areas that have been populated. If the pointer strays from from the populated region we have an alarm."
Could you please post a link to more information about these technologies and algorithms? I am very interested in graph analysis, including geolocation of information against a real or metaphorical landscape. I tried Googling but all I got was how to simulate erosion in a 3D image of a landscape.
Thanks
oil selfies and can fly.
Seriously.
by preventing unauthorized I/O activity
is the end already.
Logically speaking, one never knows exactly not about the authorization. Therefore, it can only be a selfie. A flying-oily-selfie.
Think hard, think fast, and within a fraction of a moment you'll agree with me as security researcher that preventing any invalid I/O is indeed a 100% safe bet. Over.
Any illegal and unauthorized bank transaction prevented makes banking 100% secure. The crux is the detection of what 'illegal' and 'unauthorized' transactions are.
In basic computational terms, as example, a write to hard disk is I/O. But no such writes come accompanied with an authorization tag issued by the CPU, as an atomic / complete instruction. Rather to the contrary: it is simply issued. Over. How would the gatekeeper software know that it is malware? Or, as I used to ask my students: which bit or byte or word is the bad one? Only to find out that none such does exist, but becomes malware only through the context, and only within its context.
Second, 'authorized' means what? All I/O must be authorized. Wow! And who authorizes a bunch of data coming in from www.site.pl? Who 'authorizes' a key stroke? Ah, keyboard is trusted. LAN?
The whole set reminds me of that old Windows Software, Zonealarm. I loved to demo it, with its enormous number of questions: Are you sure you want to accept ...? Are you sure you want to print to ...? Shall I remember this decision for you? Are you sure you want to visit google.com? Do you want me to remember this decision for you? Are you sure you want to accept logo_google.jpg? Shall I remember this decision for you? Are you sure you want to render google.html? Shall I remember ....
This one weird trick protects Nuclear, ATC, and United Nations Systems from malware attacks!
That's why I think it only works in static environments. Back when I set up the first Windows 2003 terminal server farm I used the builtin ability to restrict access to only those programs allowed to run.
Unfortunately in reality most offices have users with full access to their PC's (because they feel entitled to it) or at least their profile so they can run whatever they want. The only thing blocking their behaviour is up-to-date anti-virus software.
home
Goedel's theorem is only going to come into play if you want perfect distinction. It says that, given sufficient complexity (first-order predicate knowledge combined with integer arithmetic is sufficiently complex), a consistent system cannot be complete. If you're willing to accept incompleteness, you can get consistency, which we pretty well have for math (we know that some theorems are provable, because we've proved them). Similarly, although it's impossible to tell if an arbitrary program will terminate or not given certain input, we can construct programs that will definitely terminate, or definitely not terminate.
A system can be made to prevent a computer from executing malware (thermite comes to mind). It will not be possible to execute a lot of non-malware, but that's something the user just has to accept.
However, given that there's no whitelisting or configuration, I'm going with the idea that it's a load of hooey anyway.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Measuring code size in kilobits seems very unusual to me.
I read the paper from Lockheed Martin, and it's laughable. The Electrical savings they claim makes the assumption that a server is always running malware which is churning up processing time. They don't stop Malware, and don't stop anything in memory.. so they save absolutely nothing and do absolutely nothing.. except of course make bad claims. Even if they could block the writes, which consumes more power.. a process attempting to write repeatedly and being refused, or a process allowed to write when requesting. They can't save money, by their own pathetic assumptions..
The company doing the testing.. well they are called "NCITE". Interestingly this can be to incite, or insight. My guess is the former. Maybe the latter if they are thinking like PT Barnum.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
"We can stop zero day malware — the known unknowns and the unknown unknowns."
...another person shows up just to show them exactly how wrong they really are to think they have an end-all security system. Making claims like this is pretty much issuing a challenge to people you really don't want looking at your systems.
BeauHD. Worst editor since kdawson.
It's simple. All malware carries an approved Illuminati ID marker within it, this kit just happens to have the secret reader for such ID's and can thus immediately disable them via their built-in Illuminati kill-switch. Takes very little code to do if you happen to posses the correct algorithms.