Exclusive Interview: Going Three Levels Beyond Kernel Rootkits

A Strategy For Protection

Alan: Unless you’re on the iPhone, where passwords are unmasked. Sorry to interrupt, go ahead…

Joanna: Hooking keyboard/USB controllers would be a bit better strategy, but that would work only for the simplest scenarios, like a banking Web site that doesn't use any tokens or OTP passwords--nothing fancy really. A much better attack, from the malware point of view, is to simply hook into the browser. The obvious drawback of this would be that kernel-mode A/V agents would be able to spot such a browser hooker (in theory at least, in practice they suck, of course).

Another problem with this approach is when the user is a bit more paranoid and uses a different browser to do daily surfing (and maybe also keeps it inside a virtual machine), and a whole new other one to do online banking. In that case it would not be so easy to hook this "banking" browser, and some other attacks would be needed.

Also, the reason we focus on deep-to-the-hardware attacks is that we believe that secure systems should be built on a solid foundation, otherwise it would all not make any sense. This is especially true if one believes in the "Security by Isolation" approach, as I do.

[See Joanna’s post at http://theinvisiblethings.blogspot.com/2008/09/three-approaches-to-computer-security.html]

Alan: But why focus on just one approach? As a software developer, shouldn’t I work on “security by design” and then install it on systems implementing “security by isolation?”

Joanna: Sure, but we should design our systems with assumption that any application can be potentially buggy, and the OS should still be able to protect other applications from this misbehaving or malicious one.

Alan: How about some practical tips? Although most of your research involves the bleeding edge of security research, the vast majority of malware currently in the wild does not operate at levels this close to the metal. How should our readers secure their own system?

Joanna: That's a very generic question and it is hard to give one answer that would fit all.

Alan: What do you do for your regular systems?

Joanna: First, as stated, I believe in the Security by Isolation approach. The problem is, however, that all current popular OSes, like Vista, Mac OS X, or even Linux, do not provide a decent isolation to its applications. This is primarily a result of all those systems using big monolithic kernels that consists of hundreds of third-party drivers that operate at the same privilege level as the rest of the kernel. As a result, it is relatively easy for a malicious application to break into the kernel and consequently to bypass any OS-provided security mechanisms.

So, I'm trying to get around this weak isolation by using virtualization. I use different virtual machines to host various types of browsers that I use for different kind of activities. So, I use a "Red" VM to do daily browsing, something totally non-sensitive like news reading, Googling, etc. I use a "Yellow" machine to do some semi-sensitive tasks, like online shopping, updating my blog on Blogger, etc. Finally, I have a "Green" machine to access my bank's account.

I totally don't care about a compromise of my "Red" machine--in fact I revert it to a known snapshot every week or so. I care much more about my "Yellow" machine. For example, I use NoScript in a browser I have there to only allow scripting from the few sites that I really want to visit (few online shops, blogger, etc). Sure, somebody might do a man-in-the-middle (MITM) attack against a plaintext HTTP connection that is whitelisted by NoScript and inject some malicious drive-by exploit, but then again, Yellow machine is only semi-sensitive and there would not be a big tragedy if somebody stole the information from it. Finally, the "Green" machine should be allowed to do only HTTPS connections to only my banking site. It is quite important to make sure only HTTPS is used for this machine to mitigate potential MITM attacks, that might occur, for example on any hotel Wi-Fi.

I've been using this setup for quite a while and it seems to work pretty well for me. My partner, who is a totally non-tech person, also uses a similar setup on her Mac, and she finds it usable. So, I guess it's not as geeky as it might sound.

There are quite a few more details one should also consider when using such a setup, for example handling updates, the use of clipboard, the transfer of files between the machines and the host, where to keep one's email client, why to use a Green machine and not just the host's browser, etc. But I guess this is not the best place to go into all of the details now, or our interview would transition into a How To.

Still, I cannot say I'm totally satisfied with my setup. To run all of my virtual machines, I use a type II hypervisor (VMWare Fusion), which is a fat application running on my host. From the theoretical point of view, there is no good reason to believe that it would be harder to find a bug in the type II hypervisor than it would be to find a bug in the OS kernel itself. Both are big and fat, and have many drivers inside them. But practically, it seems that it is more difficult. The attacker must first find a way to execute code in the guest's kernel. Remember that the attack starts from being able to execute code in the browser only, then he or she must find a way to attack the VMM (hypervisor). So, to break out of the VM and finally do something reasonable in the host's kernel, which might be a totally different OS then the guest's kernel (I use Windows in my guests and Mac OS X on the host).

  • johnbilicki
    I presume 4GB is limiting on a casual-use laptop because Joanna also runs virtual operating systems on her general purpose laptop?

    How did you two end up talking about Macs instead of something like rootkits or other things more relative to Joanna's line of work?

    As a web developer security is very important though I find it's fairly easy in most regards as attacks, bots, spammers, etc overwhelmingly (though not always) use the same approach methods so there are plenty of patterns that differentiate from normal web traffic. Easy isn't where the fun is though. I'm curious as to the parallels with software in general?
  • truehighroller
    I think she has very nice fat looking lips. xD
  • johnbilicki
    truehighrollerI think she has very nice fat looking lips. xD
    ...not to pick a fight truehighroller...but I don't think most women would find such a statement very "welcoming". Nerd girls rock a hundred times more then girls with only cliche interests, but comments such as yours aren't only unwelcome or alienating by most women they annoy those like myself who highly appreciate women with more refined qualities. Show some dignity and respect and stay on topic or please go else where.
  • Interesting interview, and kudos for treating her as a "security expert" and not as a "female security expert".

    In the majority of interviews with young female professionals the interviewer "just have to mention" their hair colour, clothes or makeup. Nice to see a break from that rather tiresome practice
  • Humans think
    I also use Macs myself (also windows systems and linux ones), but I had to say it: Alan Dang you sure are an Apple fanboy :P
    This woman knows what she is talking about, I think I am in love :)
  • thx for spending the time to discuss this complex world in easy to understand terminology. good luck with the R-3 presentations!
  • haplo602
    read the interview because I was curios about the girl on the picture. turned out to not even be interesting.

    f.e. the bluepill thing. ok you can jail the OS into a VM transparently. Now what can you do ? you have to implement a mini OS by yorself into the hypervisor to do anything usefull (i.e. data collection), you need to read the FS, interrupt the network etc. the only usefull thing is to infect the system again after it was cleaned (again you need to know the FS). but since the AV knows you are there, it knows what to do about it.

    ok AV vendors are a step behind (or 2), but once they figure out the attack vector and means, you are done and have to come up with a new attack technology. there are only limited options available on each architecture that change with each revision, so the AV companies win in the end by closing all the gaps they know about.

    these are only backdoors to break the AV protection or work in a dimension higher than the AV protection. however the usefull data is still on the same level as the AV protection (user space).
  • candide08
    Being SUCH an obvious fanboy makes me suspect many other aspects of your judgment. Please TRY to stay objective.
  • coolkev99
    Interesting... and way over my head. Yet I couldn't help but feel like they were trying to out-geek each others commments.

    She is to nerds what nerds are to normal people. Don't get me wrong, much respect and admiration!
  • A interesting and informative article but there is a lot of self praise and back slapping, seems that these folks are not the geniuses they make them selves out to be: