Re: Death of antivirus software imminent
On Dec 31, 2007, at 4:46 PM, Bill Frantz wrote:

> My favorite virtual machine use is for the virus to install itself as a virtual machine, and run the OS in the virtual machine. This technique should be really good for hiding from virus scanners.

It's not, and despite the press handwaving about hypervisor rootkits being the death of all security as we know it, this attack is largely uninteresting in practice. Repeat after me: it's not a real problem, and it's unlikely to become a real problem.

A walkthrough with pretty pictures, courtesy of the Matasano folk:
http://www.matasano.com/log/930/side-channel-detection-attacks-against-unauthorized-hypervisors/

Cheers,

--
Ivan Krstić [EMAIL PROTECTED] | http://radian.org

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
virtualization and security cfp (was Re: Death of antivirus software imminent)
With this discussion of virtualization and security, it might be a good time to note:

IEEE Security & Privacy
Special issue on virtualization
September/October 2008

Deadline for submissions: 6 February 2008
Visit www.computer.org/portal/pages/security/author.xml to submit a manuscript

Guest editors: Samuel T. King (UIUC), Sean W. Smith (Dartmouth)

Virtualization has several properties that make it useful for security applications. Traditional virtual machine monitors aspire to enforce strong isolation among multiple operating systems (OSes) running on the same physical hardware, enable software services to be implemented below the OS at a layer usually only accessible by hardware, and provide low-level software with convenient abstractions of the virtual machine's hardware resources. Other approaches aspire to provide multiple virtual but isolated images of the same OS installation. These properties helped foster a new class of virtual-machine-based security services and made virtualization a staple of many enterprise computing environments.

A common topic in the early days of computing, virtualization has recently seen a resurgence of commercial and research interest. Consequently, the security implications of virtualization technology are the topic of the Sept./Oct. 2008 special issue of IEEE Security & Privacy magazine. We are looking for feature articles with an in-depth coverage of topics related to virtualization technology and how it applies to security. Among the potential topics are:

--Virtualization for intrusion detection
--Virtualization for forensic analysis of compromised computer systems
--Virtualization for analyzing malicious software
--Hardware support for secure virtualization
--Security interfaces between VMMs and operating systems
--Securing applications using virtualization
--Securing attacks using virtualization
--Security analysis of virtualization

The above list is neither complete nor closed. Authors are encouraged to submit articles that explore other aspects of virtualization and its application to security.

Submissions will be subject to the peer-review methodology for refereed papers. Articles should be understandable to a broad audience of people interested in security and privacy. The writing should be down to earth, practical, and original. Authors should not assume that the audience will have specialized experience in a particular subfield. All accepted articles will be edited according to the IEEE Computer Society style guide.
Re: Death of antivirus software imminent
Leichter, Jerry wrote:

> Virtualization has become the magic pixie dust of the decade. When IBM originally developed VMM technology, security was not a primary goal. People expected the OS to provide security, and at the time it was believed that OS's would be able to solve the security problems.

re:
http://www.garlic.com/~lynn/aadsm28.htm#4 Death of antivirus software imminent
http://www.garlic.com/~lynn/aadsm28.htm#6 Death of antivirus software imminent
http://www.garlic.com/~lynn/aadsm28.htm#8 Death of antivirus software imminent

the other claim was that it was assumed that basic systems were built to be secure, so it would have been quite a foreign idea that it would be necessary to build a secure specific system.

besides the referenced fairly wide use of gov and commercial institutions requiring high integrity systems ... the early virtual machine systems (cp67 and vm370) were also used by commercial time-sharing service bureaus. most of these created cms padded cell modifications, a lot of it was to prevent users from damaging themselves (as opposed to the underlying security that prevented users from damaging the system and/or each other). at least some of these services provided online, concurrent services to (competitive) wall street firms ... who would be using the online services for highly sensitive financial activities (as example of integrity requirements).

a little related x-over from posting in this thread
http://www.garlic.com/~lynn/2008.html#14 hacked TOPS-10 monitors
Re: Death of antivirus software imminent
Today's VMMs aren't even designed to fit the formal criteria for a VMM (at least as expressed, intelligently, by Popek and Goldberg back in the 70s). VMM-aware malware leverages this: for example, by making calls to VMware's backdoor communications channel from the guest (ie. jerry.c). If the equivalence principle were actually upheld, this wouldn't be possible -- but then again, users wouldn't have all those handy features like cut-n-paste from guest to host.

Sherri

Leichter, Jerry wrote:

> Virtualization has become the magic pixie dust of the decade. When IBM originally developed VMM technology, security was not a primary goal. People expected the OS to provide security, and at the time it was believed that OS's would be able to solve the security problems.
>
> As far as I know, the first real tie of VMM's to security was in a DEC project to build a VMM for the VAX that would be secure at the Orange Book A2 level. The primary argument for this was: Existing OS's are way too complex to verify (and in any case A2 required verified design, which is impossible to apply to an already-existing design). A VMM can be small and simple enough to have a verified design, and because it runs under the OS and can mediate all access to the hardware, it can serve as a Reference Monitor. The thing was actually built and met its requirements (actually, it far exceeded some, especially on the performance end), but died when DEC killed the VAX in favor of the Alpha.
>
> Today's VMM's are hardly the same thing. They are built for performance, power, and manageability, not for security. While certainly smaller than full-blown Windows, say, they are hardly tiny any more. Further, a major requirement of the VAX VMM was isolation: The different VM's could communicate only through network protocols. No shared devices, no shared file systems. Not the kind of thing that would be practical for the typical uses of today's crop of VM's.
>
> The claim that VMM's provide high level security is trading on the reputation of work done (and published) years ago which has little if anything to do with the software actually being run.
>
> Yes, even as they stand, today's VMM's probably do provide better security than some - many? - OS's. Using a VM as a resettable sandbox is a nice idea, where you can use it. (Of course, that means when you close down the sandbox, you lose all your state. Kind of hard to use when the whole point of running an application like, say, an editor is to produce long-lived state! So you start making an exception here, an exception there ... and pretty soon the sand is spilled all over the floor and is in your eyes.)
>
> The distinction between a VMM and an OS is fuzzy anyway. A VMM gives you the illusion that you have a whole machine for yourself. Go back and read a description of a 1960's multi-user OS and you'll see the very same language used. If you want to argue that a small OS *can be* made more secure than a huge OS, I'll agree. But that's a size distinction, not a VMM/OS distinction
>
> -- Jerry
Re: Death of antivirus software imminent
> however, another interpretation is that the defenders have chosen extremely poor position to defend ... and are therefore at enormous disadvantage. it may be necessary to change the paradigm (and/or find the high ground) in order to successfully defend.

First, it is evident that the malware writers have reached a level of sophistication where stealth is more attractive than persistence, i.e., prey are sufficiently abundant that it does not matter if your code survives reboot -- you can always get a new machine soon enough.

Second, as soon as one of these guys figures out how to hook the memory manager (which may already have happened), then the ability to find the otherwise in-core-only malware goes away as your act of scanning memory will be seen by the now-corrupted memory manager and the malware will be thus relocated as you search such that you are playing blindman's bluff without knowing that you are.

Third, targeted malware does not defeat the AV paradigm technically, rather it defeats the business model as no AV company can afford to craft, test, and distribute signatures for any malware that does not already have, say, 50,000 victims.

Fourth, under so-called Service-Oriented-Architecture, there is no one anywhere who knows where all the moving parts are.

The aspect of this that is directly relevant to this list is that while we have labored to make network comms safe in an unsafe transmission medium, the world has now reached the point where the odds favor the hypothesis that whomever you are talking to is themselves already 0wned, i.e., it does not matter if the comms are clean when the opponent already owns your counterparty.

I blogged on this recently (guest for Ryan Naraine) and it made the top of Slashdot. Apologies for boring those who've already seen it.

--dan
Re: Question on export issues
On Sun, 2007-12-30 at 08:30 -0500, Richard Salz wrote:

> In my personal experience, if you are developing a mass-market item with conventional crypto (e.g., SSL, S/MIME, etc ) then it is fairly routine to get a commodity export license which lets you sell globally. Disclaimers abound, including that I'm not a lawyer and certainly don't speak for IBM.

My question was more on the lines of what gets rejected, not what does it take to do it. Is there some technology that they are so afraid of that they still won't let it ship or does it just matter who you are, not what it is?
Re: Death of antivirus software imminent
[EMAIL PROTECTED] (Jason) on Wednesday, January 2, 2008 wrote:

> On the other hand, writing an OS that doesn't get infected in the first place is a fundamentally winning battle: OSes are insecure because people make mistakes, not because they're fundamentally insecurable.

I fully agree that a better OS would go a long way toward helping in the battle. We even know some techniques for building a better OS. Consider plash http://sourceforge.net/projects/plash/, and Polaris http://www.hpl.hp.com/techreports/2004/HPL-2004-221.html, both of which run programs for a user with less than that user's privilege. This technique helps prevent viruses from infecting computers by denying them write privileges to system files and most of the user's files.

The model that any program a user runs can do anything that user is permitted to do is fundamentally broken. It is the model that all current popular OSes support, so in that sense these OSes are insecure. The only mistake users make in many cases is running software with bugs such as buffer overruns, where the virus then uses the user's privileges to take over their system. In these cases, IMHO, blaming the user is inappropriate. And in all cases, OSes should give the user more support in making sound decisions. See for example: http://www.skyhunter.com/marcs/granmaRulesPola.html

Cheers - Bill

-
Bill Frantz        | The first thing you need when  | Periwinkle
(408)356-8506      | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter.                     | Los Gatos, CA 95032
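The pattern Bill describes (a program gets less than the user's full authority) can be modelled in a few dozen lines. The following is an added example, not code from plash, Polaris or anyone on this thread: a launcher hands the program two objects, a read handle for the one document the user picked and a write handle bound to a private scratch directory, instead of ambient access to the whole home directory. The class and function names, and the sample document, are constructed for this illustration. It is an in-process model of the capability-passing idea, not an OS-level sandbox; it runs on Linux (it relies on `dir_fd` and `O_NOFOLLOW`).

```python
"""Least-authority launching, modelled in Python (added example, not plash/Polaris code)."""
import os
import tempfile


class ReadOnlyFile:
    """Capability granting read access to exactly one file, opened by the launcher."""

    def __init__(self, path):
        # Opened once, up front; the holder never sees the path string.
        self._fd = os.open(path, os.O_RDONLY)

    def read(self):
        chunks = []
        while True:
            data = os.read(self._fd, 65536)
            if not data:
                return b"".join(chunks)
            chunks.append(data)

    def close(self):
        os.close(self._fd)


class ScratchDir:
    """Capability granting file creation inside one directory and nowhere else."""

    def __init__(self, directory):
        self._dirfd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY)

    def create(self, name, data):
        # Only a single bare filename is accepted: no separators, no '.' or '..'.
        if not name or os.sep in name or (os.altsep and os.altsep in name) or name in (".", ".."):
            raise PermissionError("scratch directory only accepts bare filenames: %r" % name)
        # dir_fd anchors the open to the directory we hold; O_NOFOLLOW refuses a
        # planted symlink; O_EXCL refuses to clobber an existing file.
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        fd = os.open(name, flags, 0o600, dir_fd=self._dirfd)
        try:
            os.write(fd, data)
        finally:
            os.close(fd)

    def close(self):
        os.close(self._dirfd)


def run_with_least_authority(program, document_path, scratch_path):
    """Launcher: hands the program capabilities, never paths, and returns its result."""
    doc = ReadOnlyFile(document_path)
    scratch = ScratchDir(scratch_path)
    try:
        return program(doc, scratch)
    finally:
        doc.close()
        scratch.close()


def word_count_program(doc, scratch):
    """Well-behaved program: reads the document, writes a report into scratch."""
    count = len(doc.read().split())
    scratch.create("report.txt", b"%d words\n" % count)
    return count


def misbehaving_program(doc, scratch):
    """Buggy or hostile program: tries to write outside its scratch directory."""
    scratch.create(os.path.join("..", "infected.txt"), b"payload")
    return "escaped"


def demo():
    """Builds a throwaway home directory (constructed sample data) and runs both programs."""
    with tempfile.TemporaryDirectory() as home:
        doc_path = os.path.join(home, "letter.txt")
        with open(doc_path, "wb") as f:
            f.write(b"the quick brown fox jumps over the lazy dog\n")
        scratch_path = os.path.join(home, "scratch")
        os.mkdir(scratch_path)

        count = run_with_least_authority(word_count_program, doc_path, scratch_path)
        try:
            run_with_least_authority(misbehaving_program, doc_path, scratch_path)
            escaped = True
        except PermissionError:
            escaped = False
        # Every file created anywhere under the home directory by either program.
        created = sorted(os.listdir(scratch_path)) + sorted(
            n for n in os.listdir(home) if n not in ("letter.txt", "scratch"))
        return count, escaped, created


if __name__ == "__main__":
    print(demo())  # (9, False, ['report.txt'])
```

The point of the design is that the misbehaving program has no path to refuse: it never held one. Its only write authority is the `ScratchDir` object, and that object checks the name against its own directory rather than trusting the caller, which is the same shape as the file-dialog "powerbox" approach Polaris uses at the OS level.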
Re: Question on export issues
> Is there some technology that they are so afraid of that they still won't let it ship or does it just matter who you are, not what it is?

I wouldn't know for sure, but I am sure that who is asking permission does matter.

/r$, sounding like his idol dan :)

--
STSM, DataPower Chief Programmer
WebSphere DataPower SOA Appliances
http://www.ibm.com/software/integration/datapower/
Re: Death of antivirus software imminent
On Thu, 03 Jan 2008 11:52:21 -0500 [EMAIL PROTECTED] wrote:

> The aspect of this that is directly relevant to this list is that while we have labored to make network comms safe in an unsafe transmission medium, the world has now reached the point where the odds favor the hypothesis that whomever you are talking to is themselves already 0wned, i.e., it does not matter if the comms are clean when the opponent already owns your counterparty.

Right -- remember Spaf's famous line about how using strong crypto on the Internet is like using an armored car to carry money between someone living in a cardboard shack and someone living on a park bench? Crypto solves certain problems very well. Against others, it's worse than useless -- worse, because it blocks out friendly IDSs as well as hostile parties.

--Steve Bellovin, http://www.cs.columbia.edu/~smb