Comments on The Invisible Things Lab's blog: Thoughts on DeepSafe
Joanna Rutkowska. 9 comments; feed updated 2023-11-24.

Joanna Rutkowska, 2012-02-05 12:38:18 +01:00:

@Anonymous_asking_stupid_questions:

How many? How do you count/distinguish them? By different hash value of their installer code? Or in-memory code fingerprint? In any case I can generate easily as many variants as you want...

Anonymous, 2012-02-05 12:24:31 +01:00:

But, as every regular to this blog knows, there is also another method of accessing memory on any PC system, and this is through DMA transactions from devices.

Good point.

To put this in context, how many rootkits exploit this method to compromise a system?

Thanks

SMI, 2012-01-24 20:05:45 +01:00:

Hi Joanna,

thanks for your thoughts! I too have wondered about how Deepsafe could possibly work and add security over what is possible now. The following is just speculation and is based on the assumption that Deepsafe is simply an "AV-in-a-hypervisor" solution.

Regarding your own points, I agree that Deepsafe couldn't know how to protect all operating system vectors (see below). But it would probably at least be able to protect itself from being overwritten (even by DMA etc.) so it could stay in control (assuming it was running on the bare metal, see pt 2 below). Also, other VM vendors are able to make hypervisors that can protect themselves from the guest. The real question is -- how much can Deepsafe protect the guest, even if it can guarantee that it itself cannot be compromised?

1) I've been thinking of the problem more in the context of malware detection, not memory protection which you primarily discuss. However, malware detection has its own set of problems that it would seem challenging for Deepsafe to address. While running at the bare metal provides ultimate power to inspect I/O and memory and in principle control all software that is executed, it also presents the following problem: How can Deepsafe "know" what the guest software (i.e. the normal operating system/software stack) is up to? It could scan e.g. network and disk I/O for viruses but what if this is encrypted? What if the user opens an encrypted Truecrypt volume and executes the file from there? Deepsafe I/O monitoring wouldn't be able to detect a virus flowing over the I/O in this case. Or how about if a virus is downloaded over a https:// connection? Another strategy could be for Deepsafe to do memory scanning. After all, it would have unrestricted access to the physical address space. Still, this is hardly fool-proof. Some viruses are known to rewrite their own x86 machine code and can produce an infinity of variants. Other viruses encrypt themselves and dynamically generate a decoder which is only used when the virus activates - making its time in cleartext in memory very brief and unlikely to be caught by periodic memory scanning. Maybe Deepsafe could be very smart and through clever use of the paging virtualization facilities scan all pages containing code on the first access - and then every time they are rewritten (or if the page tables are updated to contain new executable pages). This would still not help it catch the metamorphic viruses.

If Deepsafe were to implement a more behavior-based type of detection it becomes even more difficult. How can it hook into the proper vectors in Windows? It would have to, as an "outsider", look at the running Windows kernel, drivers, page tables, try to make sense of it all and do some brain surgery on it. Doesn't seem like a recipe for stability in the face of the many versions, fixes, drivers etc. It could be made more stable if it could have a piece of helper software running on the "inside" (like a kind of VMWare tools) which could help it interact with Windows etc. but this immediately raises the question whether you can trust any information gathered by such a helper, since he's after all running in the untrusted space you are trying to safeguard!

SMI, 2012-01-24 20:05:08 +01:00:

[continued]

So does Deepsafe provide any benefit at all? Maybe, maybe not. If we assume a PC with a TPM, and that Deepsafe does remote attestation to the AV servers who can send an out-of-band notification to the owner in case of compromise, they could theoretically realize the property of "being able to guarantee that the security software is running as a hypervisor". The server would be able to set up a secure tunnel end-to-end with the AV software to get info on how much has been scanned, how much has been found etc. All this info could be relayed to the user out-of-band. This would be a new property that was not possible before. The question is then, how much is it worth? In light of Joanna's points and my own points on the difficulty of detecting viruses even if you have "full memory and I/O access", I don't think this is the panacea of antivirus software. But I still think it's nice to have this extra property since AVs are in general pretty good at detecting viruses even if they aren't perfect. So I still think this is a step in the right direction if Intel doesn't oversell the benefits.

On a side note, as far as I've been able to read, Deepsafe doesn't rely on any new CPU features. It seems to only rely on the existing VMX etc. features. This raises the question why McAfee (or another vendor) couldn't have done this without being bought by Intel? After all, VMX is fully documented. Intel could just have entered into a collaboration with McAfee and helped them build this tech into the CPU. What is preventing other AV vendors from doing this (patents? by Intel? If so, Intel could have taken out those patents and licensed them to all vendors, potentially earning more than through buying McAfee). This makes me think there might be more to this Deepsafe tech than we think (I had expected the collaboration to result in some sort of 'AV-features-in-the-CPU' type of thing).

It could also have been realized by other means than VMX, for instance through Intel AMT. If the point is to remotely inventory the antivirus, AMT seems like an excellent choice since a lot of groundwork in those respects has already been done by Intel. Another possibility could be pure software virtualization which can also be pretty low-overhead.

SMI, 2012-01-24 20:04:41 +01:00:

[continued]

2) Another question that comes to mind is how the Deepsafe software would know it is indeed running at the bare metal. A rootkit could, through nested virtualization, fool Deepsafe into thinking it was in control even though it wasn't. Bluepill is a proof of this concept.

One defence against this might be Trusted Computing technologies... such a bluepill attack would leave a trace in the PCR registers. However, many/most PCs don't have TPMs so for those it wouldn't be an option. Further, even for PCs with TPMs, the rootkit could still fool Deepsafe into thinking it was running on bare metal (there are many ways, one could be to virtualize the TPM, and issuing it a certificate from a "fake vendor", and - at runtime - patching Deepsafe into trusting this certificate... or it could make Deepsafe bypass the checks altogether). The fact that the system was compromised can only be seen by an external, trusted computer who can carry out a challenge-response protocol against the host computer's TPM (using the TPM_QUOTE facility) which would ultimately be able to reveal the forgery. I guess the Deepsafe software could be made to contact a remote system (maybe as part of the regular AV signature update) which could use the TPM_QUOTE mechanism - but the rootkit could patch Deepsafe to bypass this facility also, while still assuring the user (in the "Windows security center") that everything was fine and dandy! One way to provide some protection against this would be to make the servers send out an email to the owner of the computer in case of missing/unsuccessful authentication from the machine in question since this would provide for an out-of-band notification of the exposure (if the user could read this from a phone etc.). However, I can see some practical problems in this mechanism but they might not be impossible to overcome.

Joanna Rutkowska, 2012-01-22 22:57:52 +01:00:

There is really nothing that makes Linux or Mac (except iOS) any more secure than Windows. All of those OSes are inherently insecure, architecturally. They are only *safer* than Windows, because of the much smaller user base. iOS is a different story, though -- I consider it to be significantly safer, architecturally (but not necessarily implementation-wise).

Paul Harper, 2012-01-22 17:19:01 +01:00:

Vapourware comes to mind when I look at Deepsafe.

Ross Anderson, author of the classic 'Security Engineering', hit the nail on the head when it comes to Windows in particular in the article, 'Security and your mother's Linux box'.

"LXF: OK then, what steps should an ordinary citizen take to improve their data security?

RA: Buy a Linux box or a Mac. I bought my wife a Mac, last time the Windows box got filled up with loads of spyware."

RA "While to be fair to them they have improved they have too much legacy to ever really fix themselves."

http://www.techradar.com/news/computing/pc/security-and-your-mother-s-linux-box-496204?artc_pg=2

Joanna Rutkowska, 2012-01-22 12:11:16 +01:00:

BIOS is not a useless (or obsolete) piece of code as most people think -- it handles essential tasks, such as DRAM initialization, which is a very complex task, requiring probably thousands of lines of code on modern chipsets. This is probably the price we pay for ultra fast DRAMs we all got used to so easily.

But another thing is e.g. the SMI handler, where OEMs often put lots of USELESS CRAP, and this should definitely be somehow banned. Anybody willing to sue an OEM for putting Tetris into your SMI?

Anonymous, 2012-01-22 11:57:49 +01:00:

Hi,

I'm an assembly programmer and operating systems developer. I like to have full control of the hardware and I am bored and tired of all this security. If governments, the military and any other institution want such assurance, Intel should produce models of processors and chipsets targeted to these needs without affecting the desktop models, where nobody wants to steal the latest mp3s that you downloaded :-)

Much of the security of a PC is operating system dependent ... chipsets and processors are becoming more complicated with unnecessary things like virtualization. Before, I could easily handle all the hardware, including SMI (System Management Interrupt); now it has become more difficult to take control over SMI; Intel has added new MSR registers in the new chipset.

I spend the money on the computer to use it, not to run shit code like the BIOS, or stupid high-level Windows and Linux.