Exclusive Interview: Going Three Levels Beyond Kernel Rootkits

How Correct Is Security By Correctness?

Alan: Running Google Chrome?

Joanna: Yes, I use it for my Red machine. The main reason for this is that I like its GUI, and that it also seems fast and supports all those scripts, flashes, and god-know-what-else--all that is needed to read a typical news Web site these days.

Still, this all should be thought as of a temporary workaround. The proper solution would be to have a very thin type I hypervisor (bare-metal), something ala Xen, being securly loaded at boot time (via something like Intel TXT), and then having this thin hypervisor to manage all the VMs. Of course, to make a hypervisor really thin, we should get rid of the drivers and I/O emulation out form the hypervisor. We need Intel VT-d (not to be confused with VT-x) or AMD IOMMU technology to do that. As far as Intel laptops are concerned, this more or less corresponds to having a Centrino 2-based laptop. Phoenix's HyperCore and Xen's Project Independence are attempts to go into this direction. But today VMWare's or Parallels' fat type II hypervisors seem to be the only option.

Alan: Moving onto the next level then, things like outgoing firewalls, anti-spyware/anti-malware software, etc. don't protect against the most sophisticated malware. Right now, we don't think any such malware is in the wild, but after all, maybe we're just ignorant. What can we do?

Joanna: It is a good design of the OS (or a hypervisor and OS) that can protect against malware, not some tricky-hacky third party additions applied on top of something that is insecure-by-design.

Alan: See?  So security by design is important!

Joanna: But it is the design of just a few core components of the system (kernel/hypervisor), not of all the software.

Alan: Are there ways to "vote with our dollars" to get companies to take a proactive stance on security?

Joanna: Unfortunately I don't see a simple way for people to do that. There simply are no good products to choose from as far as desktop OSes are considered. Whether it is Mac, or Windows, or even Linux, all those systems use those big monolithic kernels which host all those third-party developed drivers. This creates a huge attack vector against any OS-provided security isolation mechanism, such as process separation, user accounts separation, or kernel protection.

Alan:My day job is actually as an orthopaedic surgeon. With that, I come to things with a different perspective. At the end of the day, if your financial information is stolen, there's probably a way to get around it either through insurance or credit protection. At the very least, you have a chance to catch the bad guys when they try to spend the money. In medicine, we're moving to electronic medical records. Stolen information about someone's chronic illness or embarrassing diagnosis could have farther-reaching consequences.

Joanna: Very true. On the other hand, apparently many people see no objections in using Web-based services to keep their personal information, from calendars (Google Calendar) to documents (Google Docs) and even health records (Google Health). Even assuming that Google (or similar Web service provider) offers perfect security (which they don't), do we really trust the IT staff working there? But true, still most information is kept on our personal computers and not in the cloud (and thank God). Also, even if we kept all the information in the cloud, then still malware that compromised our personal computer could access all of that information from the cloud. So, yes, the security of our personal desktop computers is the most important aspect of computer security, and the implications might go way beyond just stolen credit card numbers.

Alan: Most people would argue that, while multi-layered security is critical, it always starts with a secure-by-design model. Code needs to be audited and carefully written from day one. This gives you the best chance for success rather than patching-as-you-go and reusing old code written in a pre-security era. Adding all of the other elements like randomization and isolation provide added layers. Is that a fair statement?

Joanna: I'm actually skeptical about relaying only on the "Security by Correctness" approach. I don't expect our applications and drivers, and generally a majority of software, to be bug-free anytime in the near future, if ever. We should rather focus on making very thin core components that would be bug-free, such as type I hypervisors, and then have them provide good isolation between other components to limit the possible damage they can do (for insyance, one exploited browser, used for daily Googling will not affect our secure browser used for online banking). Interestingly, the security industry seems to believe the "Security by Correctness" approach, and that developers will eventually stop introducing bugs. At least, the industry wants us to believe it.

When I read news about yet another bug in IE or Adobe Reader, or Flash Player, I cannot help but only to shrug my shoulders--so what? What does it change?

Alan: Nothing now, but we should still try to write secure code, especially when creating things from scratch. Take your exploited browser example accessing Google on your red machine versus a more protected browser on a separate machine for your bank account. What good is preventing a browser exploit when there’s a bug that will allow me to log into my own bank account, but see your financial info?

Joanna: Sure, but here we talk about security of the server-side software, while what we have been discussing so far was about security of the desktop machines--different challenges and solutions are needed in those two fields. Also, let me make it clear here that I highly respect the skills of people who find and later are capable of exploiting various bugs in browsers. This is very cool and often very beautiful. But, from the how-to-build-more-secure-desktop-systems perspective, this is usually quite irrelevant. We will never patch all the bugs in IE or Firefox--those programs are constantly being extended, new features are being added, so even if we somewhat audited IE 7 completely, then we would have to start all over again for IE8 and so on. Of course, for software vendors like Microsoft, it is much easier to simply take a reactive approach, follow each reported (or discovered) bug, and then issue a patch. This is much easier than to take its OS and totally redesign its kernel, and then also have all the ISVs redesign their drivers.

I find it odd how many security experts focus on various hardcore things, like heap-based overflow, while at the same time they have no idea about how the new, upcoming technologies that have a great potential of actually changing the landscape of desktop security--technologies such as TPM, TXT, and VT-x/VT-d--actually work. Sure, it is cool to write exploits for applications, but engaging in this endless arms race is not the best way to secure our computers. You don't secure your computer by continuously looking for bugs in all the software and then by writing exploits!

  • johnbilicki
    I presume 4GB is limiting on a casual-use laptop because Joanna also runs virtual operating systems on her general purpose laptop?

    How did you two end up talking about Macs instead of something like rootkits or other things more relative to Joanna's line of work?

    As a web developer security is very important though I find it's fairly easy in most regards as attacks, bots, spammers, etc overwhelmingly (though not always) use the same approach methods so there are plenty of patterns that differentiate from normal web traffic. Easy isn't where the fun is though. I'm curious as to the parallels with software in general?
  • truehighroller
    I think she has very nice fat looking lips. xD
  • johnbilicki
    truehighrollerI think she has very nice fat looking lips. xD
    ...not to pick a fight truehighroller...but I don't think most women would find such a statement very "welcoming". Nerd girls rock a hundred times more then girls with only cliche interests, but comments such as yours aren't only unwelcome or alienating by most women they annoy those like myself who highly appreciate women with more refined qualities. Show some dignity and respect and stay on topic or please go else where.
  • Interesting interview, and kudos for treating her as a "security expert" and not as a "female security expert".

    In the majority of interviews with young female professionals the interviewer "just have to mention" their hair colour, clothes or makeup. Nice to see a break from that rather tiresome practice
  • Humans think
    I also use Macs myself (also windows systems and linux ones), but I had to say it: Alan Dang you sure are an Apple fanboy :P
    This woman knows what she is talking about, I think I am in love :)
  • thx for spending the time to discuss this complex world in easy to understand terminology. good luck with the R-3 presentations!
  • haplo602
    read the interview because I was curios about the girl on the picture. turned out to not even be interesting.

    f.e. the bluepill thing. ok you can jail the OS into a VM transparently. Now what can you do ? you have to implement a mini OS by yorself into the hypervisor to do anything usefull (i.e. data collection), you need to read the FS, interrupt the network etc. the only usefull thing is to infect the system again after it was cleaned (again you need to know the FS). but since the AV knows you are there, it knows what to do about it.

    ok AV vendors are a step behind (or 2), but once they figure out the attack vector and means, you are done and have to come up with a new attack technology. there are only limited options available on each architecture that change with each revision, so the AV companies win in the end by closing all the gaps they know about.

    these are only backdoors to break the AV protection or work in a dimension higher than the AV protection. however the usefull data is still on the same level as the AV protection (user space).
  • candide08
    Being SUCH an obvious fanboy makes me suspect many other aspects of your judgment. Please TRY to stay objective.
  • coolkev99
    Interesting... and way over my head. Yet I couldn't help but feel like they were trying to out-geek each others commments.

    She is to nerds what nerds are to normal people. Don't get me wrong, much respect and admiration!
  • A interesting and informative article but there is a lot of self praise and back slapping, seems that these folks are not the geniuses they make them selves out to be: