Exclusive Interview: Going Three Levels Beyond Kernel Rootkits

How Correct Is Security By Correctness?

Alan: Running Google Chrome?

Joanna: Yes, I use it for my Red machine. The main reason for this is that I like its GUI, and that it also seems fast and supports all those scripts, flashes, and god-knows-what-else--all that is needed to read a typical news Web site these days.

Still, this all should be thought of as a temporary workaround. The proper solution would be to have a very thin type I hypervisor (bare-metal), something à la Xen, being securely loaded at boot time (via something like Intel TXT), and then have this thin hypervisor manage all the VMs. Of course, to make a hypervisor really thin, we should get the drivers and I/O emulation out of the hypervisor. We need Intel VT-d (not to be confused with VT-x) or AMD IOMMU technology to do that. As far as Intel laptops are concerned, this more or less corresponds to having a Centrino 2-based laptop. Phoenix's HyperCore and Xen's Project Independence are attempts to go in this direction. But today VMware's or Parallels' fat type II hypervisors seem to be the only option.

Alan: Moving onto the next level then, things like outgoing firewalls, anti-spyware/anti-malware software, etc. don't protect against the most sophisticated malware. Right now, we don't think any such malware is in the wild, but after all, maybe we're just ignorant. What can we do?

Joanna: It is a good design of the OS (or a hypervisor and OS) that can protect against malware, not some tricky-hacky third party additions applied on top of something that is insecure-by-design.

Alan: See? So security by design is important!

Joanna: But it is the design of just a few core components of the system (kernel/hypervisor), not of all the software.

Alan: Are there ways to "vote with our dollars" to get companies to take a proactive stance on security?

Joanna: Unfortunately I don't see a simple way for people to do that. There simply are no good products to choose from as far as desktop OSes are concerned. Whether it is Mac, or Windows, or even Linux, all those systems use those big monolithic kernels which host all those third-party developed drivers. This creates a huge attack vector against any OS-provided security isolation mechanism, such as process separation, user accounts separation, or kernel protection.

Alan: My day job is actually as an orthopaedic surgeon. With that, I come to things with a different perspective. At the end of the day, if your financial information is stolen, there's probably a way to get around it either through insurance or credit protection. At the very least, you have a chance to catch the bad guys when they try to spend the money. In medicine, we're moving to electronic medical records. Stolen information about someone's chronic illness or embarrassing diagnosis could have farther-reaching consequences.

Joanna: Very true. On the other hand, apparently many people see no objection to using Web-based services to keep their personal information, from calendars (Google Calendar) to documents (Google Docs) and even health records (Google Health). Even assuming that Google (or a similar Web service provider) offers perfect security (which they don't), do we really trust the IT staff working there? But true, most information is still kept on our personal computers and not in the cloud (and thank God). Also, even if we kept all the information in the cloud, malware that compromised our personal computer could still access all of that information from the cloud. So, yes, the security of our personal desktop computers is the most important aspect of computer security, and the implications might go way beyond just stolen credit card numbers.

Alan: Most people would argue that, while multi-layered security is critical, it always starts with a secure-by-design model. Code needs to be audited and carefully written from day one. This gives you the best chance for success rather than patching-as-you-go and reusing old code written in a pre-security era. Adding all of the other elements like randomization and isolation provides added layers. Is that a fair statement?

Joanna: I'm actually skeptical about relying only on the "Security by Correctness" approach. I don't expect our applications and drivers, and generally a majority of software, to be bug-free anytime in the near future, if ever. We should rather focus on making very thin core components that would be bug-free, such as type I hypervisors, and then have them provide good isolation between other components to limit the possible damage they can do (for instance, one exploited browser, used for daily Googling, will not affect our secure browser used for online banking). Interestingly, the security industry seems to believe in the "Security by Correctness" approach, and that developers will eventually stop introducing bugs. At least, the industry wants us to believe it.

When I read news about yet another bug in IE or Adobe Reader, or Flash Player, I cannot help but shrug my shoulders--so what? What does it change?

Alan: Nothing now, but we should still try to write secure code, especially when creating things from scratch. Take your exploited browser example accessing Google on your red machine versus a more protected browser on a separate machine for your bank account. What good is preventing a browser exploit when there’s a bug that will allow me to log into my own bank account, but see your financial info?

Joanna: Sure, but here we talk about the security of server-side software, while what we have been discussing so far was the security of desktop machines--different challenges and solutions are needed in those two fields. Also, let me make it clear here that I highly respect the skills of people who find and later are capable of exploiting various bugs in browsers. This is very cool and often very beautiful. But, from the how-to-build-more-secure-desktop-systems perspective, this is usually quite irrelevant. We will never patch all the bugs in IE or Firefox--those programs are constantly being extended, new features are being added, so even if we somehow audited IE 7 completely, then we would have to start all over again for IE8 and so on. Of course, for software vendors like Microsoft, it is much easier to simply take a reactive approach, follow each reported (or discovered) bug, and then issue a patch. This is much easier than taking its OS and totally redesigning its kernel, and then also having all the ISVs redesign their drivers.

I find it odd how many security experts focus on various hardcore things, like heap-based overflows, while at the same time they have no idea how the new, upcoming technologies that have a great potential of actually changing the landscape of desktop security--technologies such as TPM, TXT, and VT-x/VT-d--actually work. Sure, it is cool to write exploits for applications, but engaging in this endless arms race is not the best way to secure our computers. You don't secure your computer by continuously looking for bugs in all the software and then by writing exploits!

65 comments
  • johnbilicki
    I presume 4GB is limiting on a casual-use laptop because Joanna also runs virtual operating systems on her general purpose laptop?

    How did you two end up talking about Macs instead of something like rootkits or other things more relative to Joanna's line of work?

    As a web developer, security is very important, though I find it's fairly easy in most regards as attacks, bots, spammers, etc. overwhelmingly (though not always) use the same approach methods, so there are plenty of patterns that differentiate them from normal web traffic. Easy isn't where the fun is though. I'm curious as to the parallels with software in general?
    6
  • truehighroller
    I think she has very nice fat looking lips. xD
    -15
  • johnbilicki
    truehighroller: I think she has very nice fat looking lips. xD

    ...not to pick a fight truehighroller...but I don't think most women would find such a statement very "welcoming". Nerd girls rock a hundred times more than girls with only cliché interests, but comments such as yours aren't only unwelcome or alienating to most women, they annoy those like myself who highly appreciate women with more refined qualities. Show some dignity and respect and stay on topic or please go elsewhere.
    11
  • Anonymous
    Interesting interview, and kudos for treating her as a "security expert" and not as a "female security expert".

    In the majority of interviews with young female professionals the interviewer "just has to mention" their hair colour, clothes or makeup. Nice to see a break from that rather tiresome practice.
    11
  • Humans think
    I also use Macs myself (also Windows systems and Linux ones), but I had to say it: Alan Dang, you sure are an Apple fanboy :P
    This woman knows what she is talking about, I think I am in love :)
    7
  • Anonymous
    thx for spending the time to discuss this complex world in easy to understand terminology. good luck with the R-3 presentations!
    -austinmc
    3
  • haplo602
    read the interview because I was curious about the girl in the picture. turned out to not even be interesting.

    f.e. the bluepill thing. ok you can jail the OS into a VM transparently. Now what can you do? you have to implement a mini OS by yourself into the hypervisor to do anything useful (i.e. data collection), you need to read the FS, intercept the network etc. the only useful thing is to infect the system again after it was cleaned (again you need to know the FS). but since the AV knows you are there, it knows what to do about it.

    ok AV vendors are a step behind (or 2), but once they figure out the attack vector and means, you are done and have to come up with a new attack technology. there are only limited options available on each architecture that change with each revision, so the AV companies win in the end by closing all the gaps they know about.

    these are only backdoors to break the AV protection or work in a dimension higher than the AV protection. however the useful data is still on the same level as the AV protection (user space).
    -1
  • candide08
    Being SUCH an obvious fanboy makes me suspect many other aspects of your judgment. Please TRY to stay objective.
    6
  • coolkev99
    Interesting... and way over my head. Yet I couldn't help but feel like they were trying to out-geek each other's comments.

    She is to nerds what nerds are to normal people. Don't get me wrong, much respect and admiration!
    5
  • Anonymous
    An interesting and informative article, but there is a lot of self praise and back slapping; it seems that these folks are not the geniuses they make themselves out to be:
    http://en.wikipedia.org/wiki/Blue_Pill_(malware)
    -1
  • bounty
    Wayne963, I'm not sure I get your point. They also made red pill and discussed at length in the interview about being able to detect a hypervisor, but that fingerprinting it would be a bitch.

    haplo602, that's like arguing that taking control of the memory doesn't get you anywhere, you still have to read the FS, implement sniffing routines etc. While the AV may know it's there, it doesn't have final say. VM says remove kav.exe, kav.exe says 'nooooooooooooooo' as it's being deleted. kav.exe stops bothering VM.
    0
  • redeye
    I find her hot!, but I have no chance (of course); that body was/now only satisfied by a girl!...
    -7
  • haplo602
    bounty: haplo602, that's like arguing that taking control of the memory doesn't get you anywhere, you still have to read the FS, implement sniffing routines etc. While the AV may know it's there, it doesn't have final say. VM says remove kav.exe, kav.exe says 'nooooooooooooooo' as it's being deleted. kav.exe stops bothering VM.

    well the issue is as I described. you cannot delete anything from outside the OS unless you ask the OS to do so. and once you do, the AV will catch it.

    taking control of the memory only enables you to see what others see. it's like network man-in-the-middle attacks. they too are not detectable (or very hard to do), yet you still have to decode the data you are capturing to use it and you have to interrupt the data stream with very accurate data to alter it. this only leads to content encryption being your last stop.

    look at DRM in Vista and expand it to all the data. what you get is a virtualised OS that is a blackbox for the rootkit. so you have control of the memory, but it's no use to you. simple and effective. of course there are performance hits etc., but this we already get with each new windows version :-))
    0
  • thejerk
    I lost interest in the entire article as soon as she began speaking of how pretty her Mac is... seriously. I don't care how talented she is, now. I'm annoyed.

    I just bought my girlfriend a Kate Spade baby bag. I bet Joanna thinks it's beautiful, too.
    -3
  • DarkMantle
    thejerk +1 hahahaha, it was the same for me. I lost interest after that too.
    -3
  • Shadow703793
    This is so ironic. Talking of security, I spent the last 2 hours getting Bastille to work on SUSE. (lol, it should have been only 10 minutes, but my perl install went to dependency hell).

    For those that run Linux, it's a very good idea to get Bastille up and running. Also read: Hacking Linux Exposed 2nd ed.

    Bastille: http://bastille-linux.sourceforge.net/
    2
  • Shadow703793
    *damn the submit button and the lack of editing*

    Anyways, good to know a few people actually know what the hell they are talking about. These people should help the gov't because unlike most at the gov't these people have knowledge. (Cybersecurity anyone? :lol: Anyone who uses that term should be whipped with CAT5e cable :P).

    @Author: WTH is up with the Mac stuff?
    4
  • 222222
    In 2006 she claimed she created the 100% undetectable rootkit, Blue Pill. When invited to a challenge, she rejected it unless she was paid $400,000 to make her rootkit better, claiming this was a "funny challenge".

    So she lied in order to get some publicity.

    - stupid claims
    - arrogant behavior
    2
  • maximiza
    222222, did she dump you or something? Probably 400 g's is chump change to her. Look at D.C. I think in general if you have enough resources any I/O system can be compromised. Since people are imperfect their designs will always be imperfect. I had a TI-99/4A too, the speech programming was a blast.
    0
  • Marcus52
    thejerk: I lost interest in the entire article as soon as she began speaking of how pretty her Mac is... seriously. I don't care how talented she is, now. I'm annoyed. I just bought my girlfriend a Kate Spade baby bag. I bet Joanna thinks it's beautiful, too.

    If that's all you got from her talk, then you are too clueless to get what she was talking about to begin with. It's good you didn't read the article because it clearly would have been a waste of your time.

    The important parts you missed were 1) OS X is no more secure than Windows, and both are more secure than Linux distros, and 2) She'd go with Windows and PC hardware over OS X and Apple's hardware choices unless aesthetics are more important to you than what Windows provides.

    If you are out to burst Apple's bubble, as I am, this article is an indictment of Apple's claims, not a fan-girl advertisement.
    0