Exclusive Interview: Going Three Levels Beyond Kernel Rootkits

How Viable Are Heterogeneous Computing Environments?

Alan: Maybe the right approach is application security by isolation and services security by design. The servers running the cloud should have many of its applications secured by isolation, but you still have to rely on some security by design?

Joanna: Sure. As said, security of server-side software is a different field than security of desktop systems.

Alan: Along those lines, thinking as a biologist, it seems as if we, as a community, should avoid standardization along any single piece of hardware of software. When a hospital buys new computers, it ends up choosing hundreds of the same model. If the motherboard or CPU is found to have a flaw, the entire hospital is at risk for attack. Should big organizations, going into the future, consider a heterogeneous computing environment? Some Intel PCs and some AMD PCs? Some Windows, some Mac, and some Linux?

Joanna: Well, that is actually a "Security by Obscurity" approach. If we care about DoS attacks, then surely it is helpful. If we, however, are afraid of information being stolen, which implies a somewhat more targeted attack, then I guess it only provides a false sense of security--I assume the hospital would still use some popular OS, not a home-brew, recompiled Linux, right?

Alan: Depends on how sophisticated the hospital is. A lot of infrastructure is run in hospitals on *nix machines, while most user machines are Windows or Mac. Many hospitals rely on Citrix-based terminals and the like.

Joanna: But there would still be some mainstream Linux distros, not recompiled, customized OSes. The CEO would still use a specific OS (either Windows or Mac or maybe even some Linux, but a popular distro). For the attacker that is going after data records, it would be irrelevant what the other computers are using.

Alan: Well, it’s the layered approach. You can go for the information directly that is stored somewhere in some cloud. Or you can go for the end-user systems that access the information from the cloud. So, if a bug in Windows was discovered that allowed full compromise of the system, an organization with the capabilities of heterogenous computing could quickly take all Windows machines off the network and still operate using the Linux/OS X machines.

Joanna: As I said earlier, this is good in mitigating DoS attacks, but not information leak attacks.

Interestingly a variant of this "Security by Obscurity" approach has been widely adopted in the recent years on most mainstream OSes. For example, the memory layout randomization technique (ASLR) first introduced on Linux by the PaX patch, later brought to Vista, and now also coming to Mac OS X. This ASLR is nothing else then Security by Obscurity, when we think about it.

Another anti-exploitation technique is stack protection through so-called "canaries," which are magic values placed on the stack to detect stack overflow. That’s, again, nothing else but Security by Obscurity. It was been introduced by the Stack Guard on Linux a decade ago, and now, for quite a few years, it has been present in Microsoft's Visual Studio compiler.

So, I'd rather recommend using those dedicated anti-exploitation approaches that are also based on this concept of providing somewhat heterogeneous environment rather than investing lots of money and effort into buying heterogeneous systems for a corporation, which likely will provide no additional security.

Alan: Unless you were paranoid and used all of those dedicated anti-exploitation approaches on multiple machines.

Joanna: And what benefit would it offer, besides DoS protection?

  • johnbilicki
    I presume 4GB is limiting on a casual-use laptop because Joanna also runs virtual operating systems on her general purpose laptop?

    How did you two end up talking about Macs instead of something like rootkits or other things more relative to Joanna's line of work?

    As a web developer security is very important though I find it's fairly easy in most regards as attacks, bots, spammers, etc overwhelmingly (though not always) use the same approach methods so there are plenty of patterns that differentiate from normal web traffic. Easy isn't where the fun is though. I'm curious as to the parallels with software in general?
  • truehighroller
    I think she has very nice fat looking lips. xD
  • johnbilicki
    truehighrollerI think she has very nice fat looking lips. xD
    ...not to pick a fight truehighroller...but I don't think most women would find such a statement very "welcoming". Nerd girls rock a hundred times more then girls with only cliche interests, but comments such as yours aren't only unwelcome or alienating by most women they annoy those like myself who highly appreciate women with more refined qualities. Show some dignity and respect and stay on topic or please go else where.
  • Interesting interview, and kudos for treating her as a "security expert" and not as a "female security expert".

    In the majority of interviews with young female professionals the interviewer "just have to mention" their hair colour, clothes or makeup. Nice to see a break from that rather tiresome practice
  • Humans think
    I also use Macs myself (also windows systems and linux ones), but I had to say it: Alan Dang you sure are an Apple fanboy :P
    This woman knows what she is talking about, I think I am in love :)
  • thx for spending the time to discuss this complex world in easy to understand terminology. good luck with the R-3 presentations!
  • haplo602
    read the interview because I was curios about the girl on the picture. turned out to not even be interesting.

    f.e. the bluepill thing. ok you can jail the OS into a VM transparently. Now what can you do ? you have to implement a mini OS by yorself into the hypervisor to do anything usefull (i.e. data collection), you need to read the FS, interrupt the network etc. the only usefull thing is to infect the system again after it was cleaned (again you need to know the FS). but since the AV knows you are there, it knows what to do about it.

    ok AV vendors are a step behind (or 2), but once they figure out the attack vector and means, you are done and have to come up with a new attack technology. there are only limited options available on each architecture that change with each revision, so the AV companies win in the end by closing all the gaps they know about.

    these are only backdoors to break the AV protection or work in a dimension higher than the AV protection. however the usefull data is still on the same level as the AV protection (user space).
  • candide08
    Being SUCH an obvious fanboy makes me suspect many other aspects of your judgment. Please TRY to stay objective.
  • coolkev99
    Interesting... and way over my head. Yet I couldn't help but feel like they were trying to out-geek each others commments.

    She is to nerds what nerds are to normal people. Don't get me wrong, much respect and admiration!
  • A interesting and informative article but there is a lot of self praise and back slapping, seems that these folks are not the geniuses they make them selves out to be: