Dailydave mailing list archives
Re: Staying on the treadmill.
From: Matthew Wollenweber <mjw () cyberwart com>
Date: Wed, 15 Jul 2009 11:16:59 -0400
I actually read recently an interview with a well know researcher, who I actually respect myself, who happily announced that he's protecting his laptop using an FDE software, and, to make it more secure, he's powering it down as often as possible (in order to mitigate possibility of cold-boot attacks). Interestingly, he didn't realize he actually makes it much easier for even a hotel maid to get his encryption key... This is so basic and yet have nothing to do with advanced exploit understanding.
Several years ago I was an intern at nasa. One of the things they like to do to interns is give them senseless tours. During one such tour I learned that they were very excited about updating computers going into space with a 386 processor. It had taken them more than 10 years to evaluate and reduce risk to acceptable levels. Even then, I was told there were 2 backups -- just in case. My point is that you can have a fetish for esoteric attacks where the hotel maid is stealing fde passwords and spend years developing mitigations. You can even go further trying to build 'secure systems' or 'trusted computing', but if you can do it within a time period applicable to people or before the uses cases and attack vectors completely shift, I'd be truly surprised. Building something that will withstand anything that goes wrong is exponentially more complicated and time consuming than refining systems that minimizes evolving known risks. The much more probable attacks are that the researchers laptop is lost, stolen, or that while online it's compromised be a heap-overflow ninja with an IE/Firefox/whatever exploit. So with FDE and understanding heap-overflow ninjitsu he's probably better off than waiting for trusted computing. Then again, I much preferred the portion of the tour with the room size speaker that shook satellites to see what would fall off and break. When it did, they determined the problem and fixed it... much like the exploit writers. When an exploit is part of a process then it's much more than simply demonstrating a problem -- it's iteratively finding and fixing the weak spots. On Tue, Jul 14, 2009 at 11:29 AM, Joanna Rutkowska < joanna () invisiblethingslab com> wrote:
nnp wrote:Protection mechanisms being written by people who don't understand exploits is surely the reason many are broken within about 43 seconds of being released.Sure, but there is a difference between "understanding exploits" and being an exploit fetishist. Some time ago I attended a security conference well known for having very technical audience. I was told the majority of those people are up to date with all the recent advances in exploitation techniques -- heap overflows, getting around ASRL/NX, etc. But when I started my lecture, which was about Trusted Computing, it turned the number of people who knew how TPM works was... close to zero! And we're talking about some real basic stuff here, nothing fancy like TXT. Just what a PCR register is, and what are the advantages of trusted boot. I actually read recently an interview with a well know researcher, who I actually respect myself, who happily announced that he's protecting his laptop using an FDE software, and, to make it more secure, he's powering it down as often as possible (in order to mitigate possibility of cold-boot attacks). Interestingly, he didn't realize he actually makes it much easier for even a hotel maid to get his encryption key... This is so basic and yet have nothing to do with advanced exploit understanding. Now, who do you think can provide more security into an organization, like e.g. a bank -- a heap-overflow ninja that can bypass ASLR on the most recent Vista, or a person who would realize that maybe it is worth buying a trusted-boot-supported full disk encryption (FDE) software, as otherwise it would be trivial for the *real* adversary to get around it? Or a person that can tell you that your employees should use 2 different desktop computers and would be able to decide how to split tasks and activities between the two? Sure, experience in exploit writing is sometimes crucial. Probably it is of the utmost important to e.g. OS kernel architects, who might attempt to build in all the anti-exploitation technologies into the OS (which is what they do in fact). Or to processor and chipset vendors. This requires great understanding of possible workarounds. It is also important for governments for obvious reasons. But very few people are OS kernel architects and governments offensive teams. And the further you go, the less you need those extreme skills, which is exploit writing as it is today. If you are only a *consumer* of computer products (e.g. a bank, or an airport), then I really see no reason why you should even be able to understand the difference between a heap overflow vs. stack overflow. You just need to understand what a shellcode is and what it can potentially do (i.e. everything). You should understand that SELinux will not provide you all the promised features, because it has big monolithic TCB (the Linux kernel) that represents a huge attack vector. But you don't need to know how to write an exploit for SELinux. etc. joanna.On Tue, Jul 14, 2009 at 3:07 PM, Joanna Rutkowska<joanna () invisiblethingslab com> wrote:dave wrote:People (this means you) like to think hard about game changing eventsinthe world of hacking. But just staying on the treadmill of exploitafterexploit can be a game changing event. For example, today you may have noticed that Intevydis (http://www.intevydis.com/vulndisco.shtml) released as part of their latest exploit pack, some exploits for all the major access point/mini-router firmwares. Not CSRF "exploits" or XSS "exploits". I mean "Here's a shell, now you get to install new programs and muck with the router's configuration" exploits. For a lot of people (not you) it's hard to care about such things. The inevitable ennui sets in: "oh, not another one", "that one is similartoone I found in 1992AD", "well, if you had good patch management that's the best you can do!", etc. etc. The magic is in finding each one of these things unique and special and worth of attention.... or, instead of being an exploit fetishist, one might try to designtheirnetwork in such a way that a compromise of your network devices is notfatal.Same for PDF viewers, browsers, etc. and how you design your computersystem.Sure, it's cool to write exploits -- that always impresses people. Wealso dothat at ITL. E.g. we will be showing a couple of VM escape exploitsduring ourupcoming virtualization training (and we really are excited about those exploits!), but the whole point is to illustrate how a good design (inthatparticular case of your hypervisor) and new technologies (e.g. VT-d orTXT) canmitigate a problem of exploits, even if we cannot find and patch themall.I think one should not forget that an exploit, no matter how cool, isonly anillustration of a problem. The actual solutions often have nothing to dowithhow exploits are written. Do you really think VT-d designers wereheap-overflowninjas? I doubt. joanna. _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave-- Joanna Rutkowska Founder/CEO Invisible Things Lab http://invisiblethingslab.com/ _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
-- Matthew Wollenweber mjw () cyberwart com 703-395-5036
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Staying on the treadmill. dave (Jul 14)
- Re: Staying on the treadmill. Joanna Rutkowska (Jul 14)
- Re: Staying on the treadmill. nnp (Jul 14)
- Re: Staying on the treadmill. Joanna Rutkowska (Jul 14)
- Re: Staying on the treadmill. Don Bailey (Jul 14)
- Re: Staying on the treadmill. Matthew Wollenweber (Jul 15)
- Re: Staying on the treadmill. Joanna Rutkowska (Jul 15)
- Message not available
- Message not available
- Re: Staying on the treadmill. Halvar Flake (Jul 15)
- Re: Staying on the treadmill. nnp (Jul 14)
- Re: Staying on the treadmill. Joanna Rutkowska (Jul 14)
- Re: Staying on the treadmill. Joanna Rutkowska (Jul 14)
- Re: Staying on the treadmill. Halvar Flake (Jul 14)