Exclusive Interview: Going Three Levels Beyond Kernel Rootkits

Making Recommendations

Alan: Well, suppose some Internet worm is spreading on the Windows PCs on my network because of some unforeseen bug in the OS, hypervisor, etc. If I’m actively being attacked on one platform, but can’t afford to have a major disruption in services, it seems like having the infrastructure to roll over to a different platform quickly is helpful. Is there a better way to do this?

Joanna: Again, we talk here about DoS mitigation (reliability of the system), not information leak mitigation (information security).

Alan: If you had to make a recommendation: Mac, PC, or Linux? Or do you find them to be equally (in)secure?

Joanna: That would depend on the actual purpose for which this system is to be used. If a really paranoid person or organization asked me for advice on how to prepare a system used for some special security-critical role, then I might go into such extremes as recommending a custom-configured Xen that would be making use of things like VT-d for Dom0 disaggregation, TPM and TXT for secured boot, and high isolation through customized DomU partitioning. Each DomU would be running a hardened version of Linux.

For a generic-purpose machine used by mere mortals, though, I would recommend either Windows or Mac. Linux really is behind those two systems when it comes to device support. How would you sync your iPhone on Linux? How about setting up your new 3G network card on a Linux laptop?

All the people who are aesthetically impaired should probably go for Windows and PC hardware. Others will not want to hear about anything other than a sexy Mac; at the end of the day, it really comes down to aesthetics and a nicer GUI experience in my opinion.

No matter whether you choose PC or Mac, I think the only viable solution today is to use some virtualization product in order to implement isolation between various applications (at least between various browsers), as I discussed earlier. An A/V product, at least in the form we have them today, is a waste of money and resources in my opinion. It has also happened quite a few times in recent years that the kernel components of many A/V programs were buggy and were introducing vulnerabilities into the system they were supposed to protect! I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite reasonable setup I already deployed with the help of virtualization.

Alan: Final question. Even in a study published by the ACM in 2009, there continues to be a gender gap in computer science. What advice do you have for young girls out there who are interested in computer science?

Joanna: I wish I knew the answer. Many research studies suggest that girls (and then women) are worse in science and technology than men because everybody (including women) believes that they should be worse. So, ultimately it comes down to the patriarchal society. Luckily, in so many parts of the world this patriarchal system ("smart and powerful men, and their beautiful and sensitive women") is becoming obsolete, so there is some hope for the future.

Alan: Well, hopefully there will be someone out there reading this interview that will be inspired to pursue her dream. Joanna, thanks a lot for spending the time to chat.

Joanna: My pleasure. And congrats to all those readers who actually managed to read through the whole interview. :)

  • johnbilicki
    I presume 4GB is limiting on a casual-use laptop because Joanna also runs virtual operating systems on her general purpose laptop?

    How did you two end up talking about Macs instead of something like rootkits or other things more relative to Joanna's line of work?

    As a web developer, security is very important, though I find it's fairly easy in most regards, as attacks, bots, spammers, etc. overwhelmingly (though not always) use the same approach methods, so there are plenty of patterns that differentiate them from normal web traffic. Easy isn't where the fun is though. I'm curious as to the parallels with software in general?
  • truehighroller
    I think she has very nice fat looking lips. xD
  • johnbilicki
    truehighroller: "I think she has very nice fat looking lips. xD"
    ...not to pick a fight truehighroller...but I don't think most women would find such a statement very "welcoming". Nerd girls rock a hundred times more than girls with only cliche interests, but comments such as yours aren't only unwelcome or alienating to most women, they annoy those like myself who highly appreciate women with more refined qualities. Show some dignity and respect and stay on topic or please go elsewhere.
  • Interesting interview, and kudos for treating her as a "security expert" and not as a "female security expert".

    In the majority of interviews with young female professionals the interviewer "just has to mention" their hair colour, clothes or makeup. Nice to see a break from that rather tiresome practice.
  • Humans think
    I also use Macs myself (also Windows systems and Linux ones), but I had to say it: Alan Dang, you sure are an Apple fanboy :P
    This woman knows what she is talking about, I think I am in love :)
  • thx for spending the time to discuss this complex world in easy to understand terminology. good luck with the R-3 presentations!
    -austinmc
  • haplo602
    read the interview because I was curious about the girl in the picture. turned out to not even be interesting.

    e.g. the Blue Pill thing. ok you can jail the OS into a VM transparently. Now what can you do? you have to implement a mini OS by yourself into the hypervisor to do anything useful (i.e. data collection), you need to read the FS, intercept the network etc. the only useful thing is to infect the system again after it was cleaned (again you need to know the FS). but since the AV knows you are there, it knows what to do about it.

    ok AV vendors are a step behind (or 2), but once they figure out the attack vector and means, you are done and have to come up with a new attack technology. there are only limited options available on each architecture that change with each revision, so the AV companies win in the end by closing all the gaps they know about.

    these are only backdoors to break the AV protection or work in a dimension higher than the AV protection. however the useful data is still on the same level as the AV protection (user space).
  • candide08
    Being SUCH an obvious fanboy makes me suspect many other aspects of your judgment. Please TRY to stay objective.
  • coolkev99
    Interesting... and way over my head. Yet I couldn't help but feel like they were trying to out-geek each other's comments.

    She is to nerds what nerds are to normal people. Don't get me wrong, much respect and admiration!
    An interesting and informative article, but there is a lot of self-praise and back-slapping; it seems that these folks are not the geniuses they make themselves out to be:
    http://en.wikipedia.org/wiki/Blue_Pill_(malware)