Behind Pwn2Own: Exclusive Interview With Charlie Miller

At The Mercy Of Developers...

Alan: Exactly. How many of us have landed on a cyber-squatted site when we’ve accidentally left one letter from a normal Web site? Not to mention that big sites can be hacked too (Asus' home page, or Dolphin Stadium’s Web site during the 2007 Super Bowl).

Same question then, for last year's Flash exploit that took down Windows, but theoretically also affected Linux machines running Flash. If users had turned on NX bit for all applications, were running 64-bit Vista, had outbound firewalls, and were running heuristic-based anti-malware suites, would that have limited the damage and ability for a malicious hacker to "take the next step" and cause more damage?

Charlie: Pretty much the same answer. You can do some things that make it a little harder on an attacker, but really if someone wants to nail you with that bug, they would have. 

Alan: So there really wasn’t much that end users could have done to protect themselves. We’re pretty much at the mercy of the software developers to protect us?

Charlie: Mostly, users are at the mercy of the products they buy. Of course, the vendors are at the mercy of the consumers, so if the consumers all decide only to buy secure products, that is what will be produced.

Alan: Actually, let me get back to the comment you made earlier.  When Firefox and IE8 were compromised by Nils this year, he wasn’t able to execute arbitrary code then. Without going into specifics, do all of these exploits disappear when I close the browser? That is, if I had a compromised browser, but then exited out completely and then re-launched the application to go directly to my bank’s home page, would I be safe?

Charlie: Actually, I think he did execute arbitrary code. But regardless, what you described does not help. The exploit can write files to disk, execute them, etc. Once they have any code running, you’re screwed (unless they’re in a sandbox).

Alan: What do you think about future approaches to security such as secure hypervisors or taking a dumb terminal approach (i.e. Citrix or VNC in a world with infinitely fast bandwidth and infinitely small latency)?

Charlie: I think no matter how you set it up, it’s going to boil down to complex code interacting with outside data and your own personal data. In this case, the best thing is to just focus on making exploitation harder and sandboxing the application from personal data as much as possible. Every hurdle added reduces the chance of the exploitability of a given vulnerability.

Create a new thread in the US Reviews comments forum about this subject
This thread is closed for comments
32 comments
    Your comment
  • crisisavatar
    he was born to kill
    2
  • Niva
    Blah, sad he didn't give an estimate to linux security. He said it has some method of protection but didn't expand on that much...

    As osx market share grows we'll see more exploits.
    6
  • Silluete
    Interesting thing about sandboxing, it's mean chrome more safe than other browser? or i missing something here?
    0
  • lire210
    whats up mac
    0
  • pcfxer
    Chrome uses processes instead of threads. The difference is that the memory space for each process is different--better sandboxing.

    Processes have increased headroom: they are making a copy of local variables and structures at the time of "forking".

    Threads "fork off" as functional code and work with their own memory space... in a nutshell.

    Sandboxing doesn't mean that Chrome is safer, it does mean that if sandboxing is implemented correctly Chrome CAN be safer. Security is so relative ;).
    1
  • AlanDang
    Exactly, Chrome is currently safer than any other web browser on Windows Vista or Windows 7. We have an upcoming interview that talks a little bit more about this, but we haven't made plans on a dedicated article. Is that something people are interested in?
    4
  • echdskech
    AlanDangExactly, Chrome is currently safer than any other web browser on Windows Vista or Windows 7. We have an upcoming interview that talks a little bit more about this, but we haven't made plans on a dedicated article. Is that something people are interested in?count me in A


    Count me in. Come to think of it, I spend more time on my browser than any other piece of software (except the OS ofcourse) at any given day. primarily because I use it both at work for research and for play (ie reading articles here). Also, trend these days seem indicate it becoming more and more a target rather than the OS.

    Would be extra nice if the level of detail would be like the articles you guys write when a new cpu architecture is discussed. =)
    0
  • anthony lackey
    There is less ppl attacking Mac's because they aren't the mainstream. Hackers would rather try to infect as many ppl as possible thats why they target PC users.
    0
  • Anonymous
    If Apple does not allow cloning mac os may be safe for a long while, nobody likes to be tied to a single hardware vender. I really don't see how Apple could pull more that 15% to 18% market share without clones. JMO.
    0
  • dedhorse
    Good interview. Makes up for that Mac review.
    1
  • zodiacfml
    count me in. :) i've been using chrome since it came out.
    though, in my usage, they haven't fixed the issue with auto-hide taskbar in vista.
    0
  • eddieroolz
    Great read, nice article Alan!
    0
  • 4c1dr41n1
    What if I use a virtual machine? I could

    1) copy it, open it, surf the web, close it, delete the copy.
    2) copy it again, open it, use internet bank, close it, delete copy again.

    Nice enough sandboxing?
    0
  • Herbert_HA
    It's a very nice article, indeed.

    But please, stop using so many pages! It's a pain in the ass to keep clicking every 2 questions...and that was an small article, other have more than 10 pages, unnecessarily. I guess you people are trying to keep access numbers up, so you could sell more ads, but it's surely not user-friendly to have to load the same content over and over.
    1
  • 4c1dr41n4
    What if I use a virtual machine? I could

    1) copy it, open it, surf the web, close it, delete copy.
    2) copy again, open it, use internet banking, close it, delete copy again.

    Nice enough sandboxing?
    -4
  • nukemaster
    4c1dr41n4What if I use a virtual machine? I could1) copy it, open it, surf the web, close it, delete copy. 2) copy again, open it, use internet banking, close it, delete copy again.Nice enough sandboxing?

    In that case, just mount a live linux CD image in the drive then use it. always clean, no need to del + copy.
    1
  • Anonymous
    Miller, page 4: "In neither case did I get root/admin access."

    In other words, he actually didn't hack the Mac.

    What in the world is this fraud? How can you say you 'pwned' a computer without root access?
    -4
  • TheFuzzball
    God help us when Conficker becomes cross-platform :D
    0
  • Anonymous
    I wish there was more Charlie's voice in this interview. Now Alan did the most of the talking and Charlie basically had to say yes or no. At least in the most important topics.

    Nice reading, but not perfect.
    0
  • Anonymous
    It's a little upsetting that he sidesteps the issue of linux on the grounds of granny's incompetence, does he expect granny to stay on top of vulnerabilities in all of her installed software on the windows or mac boxes, assuming she'd need more third party software sources on either of the other platforms than say ubuntu with it's repositories.
    1