Why Johnny can’t tell if he is compromised
...and what you can do about it.
Keynote Area41
2nd of June 2014, Zurich, Switzerland
thomas.dullien@googlemail.com
http://goo.gl/3NphRw
Robert Morris Sr.
Fundamental rules for IT security - a cynical view from more than 20 years ago:
Do not own a computer
Do not power it on
Do not use it
Situation does not seem to have gotten better
Hacking is addictive
Transitive trust relationships everywhere
Start to hack almost anywhere - compromise boundary grows exponentially
Only limit: Size of net, admin infrastructure
The now
All major nation states / global powers want to have “dominance”
Almost nobody is any good at defense
In the limit: Everything compromised (or on compromise boundary) by multiple parties
What does compromise mean?
Somewhat fuzzy concept
Installing malware is clearly a compromise
Illicitly obtaining authentication credentials is also a compromise
Compromise is about “control”
Ownership vs. possession
Legal distinction between ownership and possession of an object
I am the owner of my car, even if I have lent it to a friend and it is not in my possession
Networked computing devices have a third dimension: “Control”
Possession vs. control
Neither possession nor ownership of a networked computing device implies control
Being hacked is loss of control without change of ownership or possession
“Getting 0wned” = loss of control over your own computing infrastructure
Who is in control?
Establishing who is in control of your computer is nearly impossible
This talk: Exploration of all the ways we can’t tell if we are in control, and how to fix it.
Given a computer ...
… try to establish who is in control
For the exercise: Assume Windows
Where to start ?
All highly-privileged code is in control
Code running with user privileges is partially in control
Control and software
Clearly, someone else is in control (third-party OS, various bits of third-party software)
This is OK - we have decided to trust these third parties and say “yes” to their software
We trust (some) software vendors to not backdoor us intentionally
Baseline checks
Verify signatures on all userspace binaries
Verify signatures on all kernel space binaries
Verify signatures on all BIOS components
Verify signatures on all device firmwares
Verify signatures on the Intel ME code
Verify that the signers know about their signatures
Verify origin of privileged scripts
Check 1: Userspace Code
Problem: Vendors don’t sign their executables
Problem: If they do, they don’t sign their DLLs
Problem: If they sign both executables and DLLs, they don’t sign executable extensions
Problem: 100+ trusted root CAs?
Baseline checks
Verify signatures on all userspace binaries: FAILURE
Verify signatures on all kernel space binaries
Verify signatures on all BIOS components
Verify signatures on all device firmwares
Verify signatures on the Intel ME code
Verify that the signers know about their signatures
Verify origin of privileged scripts
Check 2: Kernel Code
Number of CAs that can sign drivers is much smaller than for user-space
Irrelevant: Attackers use a signed driver with a known vulnerability to bootstrap code
Failure to sign userspace means failure to sign kernel space
Not theoretical: Uroburos
Baseline checks
Verify signatures on all userspace binaries: FAILURE
Verify signatures on all kernel space binaries: FAILURE
Verify signatures on all BIOS components
Verify signatures on all device firmwares
Verify signatures on the Intel ME code
Verify that the signers know about their signatures
Verify origin of privileged scripts
Check 3: BIOS Code
Per-vendor code signing (DELL, HP etc.)
No public documentation or third-party analysis about the way this works
No way for third parties to verify signatures
Even if possible to verify, can’t read relevant regions
Baseline checks
Verify signatures on all userspace binaries: FAILURE
Verify signatures on all kernel space binaries: FAILURE
Verify signatures on all BIOS components: FAILURE
Verify signatures on all device firmwares
Verify signatures on the Intel ME code
Verify that the signers know about their signatures
Verify origin of privileged scripts
Check 4: Device Firmwares
HDD controllers: Nobody knows how to verify code inside, but we know attackers can backdoor them
GPU firmware: People are flashing them for overclocking, no way to do third-party validation
Completely stranded
Baseline checks
Verify signatures on all userspace binaries: FAILURE
Verify signatures on all kernel space binaries: FAILURE
Verify signatures on all BIOS components: FAILURE
Verify signatures on all device firmwares: FAILURE
Verify signatures on the Intel ME code
Verify that the signers know about their signatures
Verify origin of privileged scripts
Check 5: Intel ME
ARC core on modern mainboards that can execute signed Java applets etc.
Communicates with host OS via PCI shared mapped region
Highly opaque, no way to verify code running in ME from host OS
Baseline checks
Verify signatures on all userspace binaries: FAILURE
Verify signatures on all kernel space binaries: FAILURE
Verify signatures on all BIOS components: FAILURE
Verify signatures on all device firmwares: FAILURE
Verify signatures on the Intel ME code: FAILURE
Verify that the signers know about their signatures
Verify origin of privileged scripts
Check 6: Stolen Keys
Attackers have compromised software signing keys and CAs in the past
People with software signing keys can silently “lose” them without this ever being noticed
There is no equivalent of “Certificate Transparency” for code signing
Check 6: Stolen Keys
All PKI architectures assume an invincible CA and invincible signers
Reality has shown that this is a wrong assumption
No way to verify if a file signed with a key was signed by the person the key was issued to
Check 6: Stolen Keys
After the breaches of the last years, the only safe assumption is:
Code signing keys of many software vendors and CAs have been silently stolen
No good way of detecting this
Baseline checks
Verify signatures on all userspace binaries: FAILURE
Verify signatures on all kernel space binaries: FAILURE
Verify signatures on all BIOS components: FAILURE
Verify signatures on all device firmwares: FAILURE
Verify signatures on the Intel ME code: FAILURE
Verify that the signers know about their signatures: FAILURE
Verify origin of privileged scripts
Check 7: Scripts
Lots of interpreters run code with privileges on your typical host
Javascript-based extensions to your browser
Java-based background tasks
Python and other interpreted languages
Check 7: Scripts
No good infrastructure exists to tie running interpreted code back to the scripts from which it was compiled
No good way to determine where the code running inside java.exe or python.exe is coming from
Baseline checks
Verify signatures on all userspace binaries: FAILURE
Verify signatures on all kernel space binaries: FAILURE
Verify signatures on all BIOS components: FAILURE
Verify signatures on all device firmwares: FAILURE
Verify signatures on the Intel ME code: FAILURE
Verify that the signers know about their signatures: FAILURE
Verify origin of privileged scripts: FAILURE
Failure on all levels
Given modern infrastructure, it is nearly impossible to determine if a machine is compromised
It is also nearly impossible to “un-infect” a machine once it has been infected
What needs to change?
Long-term view
Proposed measures will take many years to build
Fundamentally easy, though - no rocket science required
Hardest things to overcome: Organisational inertia, complacency, politics, broken incentive structures, cost
Step 0: Check trust
IT departments do not ask themselves enough questions about who they trust
Someone well-intentioned but security-wise incompetent will be the weak link that attackers exploit
This applies to vendors and suppliers!
Control and Power of attorney
Giving “control” over your compute infrastructure is the same as giving a delegable power-of-attorney over your compute infrastructure to a third party
This encompasses trusting a CA, allowing auto-update of software, and much more.
Control and Power of attorney
Legal departments are rightfully hesitant to issue powers of attorney to third parties
Delegable powers of attorney to random third parties are virtually unheard of
IT industry needs to learn from this
Step 1: Undo CA proliferation
Trusting a code-signing CA is equivalent to a delegable power-of-attorney over your compute assets
There are way too many code-signing CAs
Only trust a CA that you know very well - which at the moment will be none
Step 2: Trust by-vendor
Most likely, arbitrarily delegable powers of attorney are a broken idea
Trust for executable code should be by vendor, not by CA
CA-based trust only for sandboxed web-pages / javascript
Step 3: Update transparency
All software vendors roll their own update mechanism
Allowing someone to update software is also a delegable power-of-attorney
Software updates need to come in standardized packages and via standardized protocols
Step 4: Signing transparency
Given likelihood of stolen signing keys, “code signing transparency” is needed
Vendors need to run a public ledger where they explicitly avow “yes, I have signed this binary”
Ideally with information about the exact SVN tag / git hash that was used to produce the binary
Step 4: Signing transparency
When signed file is encountered, public ledger can be checked
“Dear Vendor, are you aware that file XYZ has been signed with your key?”
Probably the only way to engineer “detectability of key theft” into our systems
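The ledger lookup from the two "Step 4" slides, as an added example (not code from the talk or from any vendor). Assumptions: the ledger is modelled as a hash-chained append-only list, HMAC-SHA256 stands in for the vendor's public-key code signature so the block needs only the standard library, and all keys, file contents and revision names are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous hash" of the first ledger entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, binary: bytes) -> str:
    # Assumption: HMAC-SHA256 stands in for a real public-key code signature.
    return hmac.new(key, binary, hashlib.sha256).hexdigest()


def entry_hash(body: dict) -> str:
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class SigningLedger:
    """Vendor-run public list of 'yes, I have signed this binary' statements."""

    def __init__(self):
        self.entries = []

    def head(self) -> str:
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS

    def avow(self, binary: bytes, source_rev: str) -> str:
        # Each entry commits to the previous one, so history cannot be
        # edited without changing every later entry hash.
        body = {"file_sha256": sha256_hex(binary), "source_rev": source_rev,
                "prev": self.head()}
        self.entries.append(dict(body, entry_hash=entry_hash(body)))
        return self.head()


def chain_is_consistent(entries, seen_head=None) -> bool:
    """Recompute the chain; optionally require a head observed earlier."""
    prev, heads = GENESIS, {GENESIS}
    for e in entries:
        body = {k: e.get(k) for k in ("file_sha256", "source_rev", "prev")}
        if e.get("prev") != prev or e.get("entry_hash") != entry_hash(body):
            return False
        prev = e["entry_hash"]
        heads.add(prev)
    return seen_head is None or seen_head in heads


def check_binary(binary, signature, vendor_key, entries, seen_head=None):
    """Return (status, source_rev) for a signed file met on a host."""
    if not hmac.compare_digest(sign(vendor_key, binary), signature):
        return ("BAD_SIGNATURE", None)
    if not chain_is_consistent(entries, seen_head):
        return ("LEDGER_INCONSISTENT", None)
    digest = sha256_hex(binary)
    for e in entries:
        if e["file_sha256"] == digest:
            return ("AVOWED", e["source_rev"])
    # Valid signature, but the vendor never avowed it: the case that makes
    # key theft detectable ("Dear Vendor, are you aware ...?").
    return ("SIGNED_BUT_NOT_AVOWED", None)


def demo():
    vendor_key = b"constructed-vendor-signing-key"
    release = b"constructed release build"
    unknown = b"constructed file signed with the same key, never released"

    ledger = SigningLedger()
    ledger.avow(b"constructed older build", "git:constructed-rev-0")
    seen_head = ledger.head()  # head a monitor recorded at an earlier time
    ledger.avow(release, "git:constructed-rev-1")

    # A replacement ledger that silently drops the history seen earlier.
    rewritten = SigningLedger()
    rewritten.avow(unknown, "git:constructed-rev-x")

    return {
        "release": check_binary(release, sign(vendor_key, release),
                                vendor_key, ledger.entries, seen_head),
        "not_avowed": check_binary(unknown, sign(vendor_key, unknown),
                                   vendor_key, ledger.entries, seen_head),
        "bad_sig": check_binary(unknown, "00" * 32,
                                vendor_key, ledger.entries, seen_head),
        "rewritten": check_binary(unknown, sign(vendor_key, unknown),
                                  vendor_key, rewritten.entries, seen_head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} {result}")
```

The signature check alone passes in both the "release" and "not_avowed" cases; only the ledger lookup separates them.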
Step 5: Reduce firmware opacity
Firmware blobs for devices need to be readable by the main CPU without physical possibility of interference from the device firmware
Purchasers of hardware need to insist on this transparency
They also need to realize they have a right to demand this
Step 6: ME transparency
There is no excuse for a coprocessor on your mainboard whose code can’t be validated by you from your main CPU
Purchasers of hardware need to realize that they have a right to demand transparency from the code running on ME
Step 7: Signed interpreters
In order to run a script with high privileges in an interpreter, the script needs to be signed and the interpreter needs to be able to tie back the executable form to the original script
For non-privileged code (JS in a tight sandbox etc.) we may be able to make an exception
Transparency vs. tamperproofing
Systems need to be engineered to be easily verified by the owner
Centralization of trust is a failed experiment, especially given government desire to “dominate cyber”
Demand systems whose integrity you can verify
Paradigm shift
“Security” hardware has opted for more opacity in the past
Fear of side-channel attacks, fear of physical attacks
Prioritized tamperproofing, sacrificed transparency and verifiability
Paradigm shift
Side-channel and physical attacks are a lesser concern than remote attacks provided you are in possession of your hardware
Remote attacks that you can never tell happened are the bigger threat
Re-prioritize verifiability
Will this give us security?
The proposed measures will not yield 100% security
Will give defenders a fighting chance to deny persistence to the attacker
Will give defenders a fighting chance to detect compromised suppliers
Will this give us security?
Hopefully, this will force attackers into exploiting & re-exploiting for persistence
Better software engineering can then slowly root out bugs
Move from cheap, stealthy mass compromise to individually tailored compromise: Costly
How to pay for it ?
None of the proposed steps are “free”
None are terribly costly, either
Standardized software updating, better signing & verification will actually reduce IT maintenance costs
Stop buying snake oil?
Huge revenues are generated in our industry with colored appliances that only work as long as the attacker hasn’t looked at them
Often, these boxes want to be dropped onto privileged points in your infrastructure
Just say no. Spend your money wisely.
Thank you
Questions?

unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Último (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Halvar Flake: Why Johnny can’t tell if he is compromised

  • 1. Why Johnny can’t tell if he is compromised ...and what you can do about it. Keynote Area41 2nd of June 2014, Zurich, Switzerland thomas.dullien@googlemail.com http://goo.gl/3NphRw
  • 2. Robert Morris Sr. Fundamental rules for IT security - a cynical view from more than 20 years ago: Do not own a computer Do not power it on Do not use it Situation does not seem to have gotten better
  • 3. Hacking is addictive Transitive trust relationships everywhere Start to hack almost anywhere - compromise boundary grows exponentially Only limit: Size of net, admin infrastructure
  • 4. The now All major nation states / global powers want to have “dominance” Almost nobody is any good at defense In the limit: Everything compromised (or on compromise boundary) by multiple parties
  • 5. What does compromise mean? Somewhat fuzzy concept Installing malware is clearly a compromise Illicitly obtaining authentication credentials is also a compromise Compromise is about “control”
  • 6. Ownership vs. possession Legal distinction between ownership and possession of an object I am the owner of my car, even if I have lent it to a friend and it is not in my possession Networked computing devices have a third dimension: “Control”
  • 7. Possession vs. control Neither possession nor ownership of a networked computing device imply control Being hacked is loss of control without change of ownership or possession “Getting 0wned” = loss of control over your own computing infrastructure
  • 8. Who is in control? Establishing who is in control of your computer is nearly impossible This talk: Exploration of all the ways we can’t tell if we are in control, and how to fix it.
  • 9. Given a computer ... … try to establish who is in control For the exercise: Assume Windows Where to start? All highly-privileged code is in control Code running with user privileges is partially in control
  • 10. Control and software Clearly, someone else is in control (third-party OS, various bits of third-party software) This is OK - we have decided to trust these third parties and say “yes” to their software We trust (some) software vendors to not backdoor us intentionally
  • 11. Baseline checks Verify signatures on all userspace binaries Verify signatures on all kernel space binaries Verify signatures on all BIOS components Verify signatures on all device firmwares Verify signatures on the Intel ME code Verify that the signers know about their signatures Verify origin of privileged scripts
  • 12. Check 1: Userspace Code Problem: Vendors don’t sign their executables Problem: If they do, they don’t sign their DLLs Problem: If they sign both executables and DLLs, they don’t sign executable extensions Problem: 100+ trusted root CAs?
  • 13. Baseline checks Verify signatures on all userspace binaries Verify signatures on all kernel space binaries Verify signatures on all BIOS components Verify signatures on all device firmwares Verify signatures on the Intel ME code Verify that the signers know about their signatures Verify origin of privileged scripts FAILURE
  • 14. Check 2: Kernel Code Number of CAs that can sign drivers much smaller than user-space Irrelevant: Attackers use a signed driver with a known vulnerability to bootstrap code Failure to sign userspace means failure to sign kernel space Not theoretical: Uroburos
  • 15. Baseline checks Verify signatures on all userspace binaries Verify signatures on all kernel space binaries Verify signatures on all BIOS components Verify signatures on all device firmwares Verify signatures on the Intel ME code Verify that the signers know about their signatures Verify origin of privileged scripts FAILURE FAILURE
  • 16. Check 3: BIOS Code Per-vendor code signing (DELL, HP etc.) No public documentation or third-party analysis about the way this works No way for third parties to verify signatures Even if possible to verify, can’t read relevant regions
  • 17. Baseline checks Verify signatures on all userspace binaries Verify signatures on all kernel space binaries Verify signatures on all BIOS components Verify signatures on all device firmwares Verify signatures on the Intel ME code Verify that the signers know about their signatures Verify origin of privileged scripts FAILURE FAILURE FAILURE
  • 18. Check 4: Device Firmwares HDD controllers: Nobody knows how to verify code inside, but we know attackers can backdoor them GPU firmware: People are flashing them for overclocking, no way to do third-party validation Completely stranded
  • 19. Baseline checks Verify signatures on all userspace binaries Verify signatures on all kernel space binaries Verify signatures on all BIOS components Verify signatures on all device firmwares Verify signatures on the Intel ME code Verify that the signers know about their signatures Verify origin of privileged scripts FAILURE FAILURE FAILURE FAILURE
  • 20. Check 5: Intel ME ARC core on modern mainboards that can execute signed Java applets etc. Communicates with host OS via PCI shared mapped region Highly opaque, no way to verify code running in ME from host OS
  • 21. Baseline checks Verify signatures on all userspace binaries Verify signatures on all kernel space binaries Verify signatures on all BIOS components Verify signatures on all device firmwares Verify signatures on the Intel ME code Verify that the signers know about their signatures Verify origin of privileged scripts FAILURE FAILURE FAILURE FAILURE FAILURE
  • 22. Check 6: Stolen Keys Attackers have compromised software signing keys and CAs in the past People with software signing keys can silently “lose” them without this ever being noticed There is no equivalent of “Certificate Transparency” for code signing
  • 23. Check 6: Stolen Keys All PKI architectures assume an invincible CA and invincible signers Reality has shown that this is a wrong assumption No way to verify if a file signed with a key was signed by the person the key was issued to
  • 24. Check 6: Stolen Keys After breaches of the last years, only safe assumption is: Code signing keys of many software vendors and CAs have been silently stolen No good way of detecting this
  • 25. Baseline checks Verify signatures on all userspace binaries Verify signatures on all kernel space binaries Verify signatures on all BIOS components Verify signatures on all device firmwares Verify signatures on the Intel ME code Verify that the signers know about their signatures Verify origin of privileged scripts FAILURE FAILURE FAILURE FAILURE FAILURE FAILURE
  • 26. Check 7: Scripts Lots of interpreters run code with privileges on your typical host Javascript-based extensions to your browser Java-based background tasks Python and other interpreted languages
  • 27. Check 7: Scripts No good infrastructure exists to tie running interpreted code back to the scripts from which it was compiled No good way to determine where the code running inside java.exe or python.exe is coming from
  • 28. Baseline checks Verify signatures on all userspace binaries Verify signatures on all kernel space binaries Verify signatures on all BIOS components Verify signatures on all device firmwares Verify signatures on the Intel ME code Verify that the signers know about their signatures Verify origin of privileged scripts FAILURE FAILURE FAILURE FAILURE FAILURE FAILURE FAILURE
  • 29. Failure on all levels Given modern infrastructure, it is nearly impossible to determine if a machine is compromised It is also nearly impossible to “un-infect” a machine once it has been infected What needs to change?
  • 30. Long-term view Proposed measures will take many years to build Fundamentally easy, though - no rocket science required Hardest things to overcome: Organisational inertia, complacency, politics, broken incentive structures, cost
  • 31. Step 0: Check trust IT departments do not ask themselves enough questions about who they trust Someone well-intentioned but security-wise incompetent will be the weak link that attackers exploit This applies to vendors and suppliers!
  • 32. Control and Power of attorney Giving “control” over your compute infrastructure is the same as giving a delegable power-of-attorney over your compute infrastructure to a third party This encompasses trusting a CA, allowing auto-update of software, and much more.
  • 33. Control and Power of attorney Legal departments are rightfully hesitant to issue powers of attorney to third parties Delegable powers of attorney to random third parties are virtually unheard of IT industry needs to learn from this
  • 34. Step 1: Undo CA proliferation Trusting a code-signing CA is equivalent to a delegable power-of-attorney over your compute assets There are way too many code-signing CAs Only trust a CA that you know very well - which at the moment will be none
  • 35. Step 2: Trust by-vendor Most likely, arbitrarily delegable powers of attorney are a broken idea Trust for executable code should be by vendor, not by CA CA-based trust only for sandboxed web-pages / javascript
  • 36. Step 3: Update transparency All software vendors roll their own update mechanism Allowing someone to update software is also a delegable power-of-attorney Software updates need to come in standardized packages and via standardized protocols
  • 37. Step 4: Signing transparency Given likelihood of stolen signing keys, “code signing transparency” is needed Vendors need to run a public ledger where they explicitly avow “yes, I have signed this binary” Ideally with information about the exact SVN tag / git hash that was used to produce the binary
  • 38. Step 4: Signing transparency When signed file is encountered, public ledger can be checked “Dear Vendor, are you aware that file XYZ has been signed with your key?” Probably the only way to engineer “detectability of key theft” into our systems
  • 39. Step 5: Reduce firmware opacity Firmware blobs for devices need to be readable by the main CPU without physical possibility of interference from the device firmware Purchasers of hardware need to insist on this transparency They also need to realize they have a right to demand this
  • 40. Step 6: ME transparency There is no excuse for a coprocessor on your mainboard whose code can’t be validated by you from your main CPU Purchasers of hardware need to realize that they have a right to demand transparency from the code running on ME
  • 41. Step 7: Signed interpreters In order to run a script with high privileges in an interpreter, the script needs to be signed and the interpreter needs to be able to tie back the executable form to the original script For non-privileged code (JS in a tight sandbox etc.) we may be able to make an exception
  • 42. Transparency vs. tamperproofing Systems need to be engineered to be easily verified by the owner Centralization of trust is a failed experiment, especially given government desire to “dominate cyber” Demand systems whose integrity you can verify
  • 43. Paradigm shift “Security” hardware has opted for more opacity in the past Fear of side-channel attacks, fear of physical attacks Prioritized tamperproofing, sacrificed transparency and verifiability
  • 44. Paradigm shift Side-channel and physical attacks are a lesser concern than remote attacks provided you are in possession of your hardware Remote attacks that you can never tell happened are the bigger threat Re-prioritize verifiability
  • 45. Will this give us security? The proposed measures will not yield 100% security Will give defenders a fighting chance to deny persistence to the attacker Will give defenders a fighting chance to detect compromised suppliers
  • 46. Will this give us security? Hopefully, this will force attackers into exploiting & re-exploiting for persistence Better software engineering can then slowly root out bugs Move from cheap, stealthy mass compromise to individually tailored compromise: Costly
  • 47. How to pay for it? None of the proposed steps are “free” None are terribly costly, either Standardized software updating, better signing & verification will actually reduce IT maintenance costs
  • 48. Stop buying snake oil? Huge revenues are generated in our industry with colored appliances that only work as long as the attacker hasn’t looked at them Often, these boxes want to be dropped onto privileged points in your infrastructure Just say no. Spend your money wisely.
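
The ledger check proposed in slides 37 and 38 (Step 4: Signing transparency), as an added example that is not part of the original talk. It assumes a hypothetical vendor ledger kept as a simplified Merkle log (not the exact Certificate Transparency construction), a client that has pinned the ledger root out of band, and an HMAC as a stand-in for the vendor's code signature; the key, releases and git hashes are constructed.

```python
import hashlib
import hmac

def sha(data): return hashlib.sha256(data).digest()
def leaf_hash(entry): return sha(b"\x00" + entry)            # leaves and inner nodes are
def node_hash(left, right): return sha(b"\x01" + left + right)  # hashed with different prefixes

def sign(key, blob):
    # Stand-in for the vendor's code signature (HMAC, not a real signing scheme).
    return hmac.new(key, blob, hashlib.sha256).digest()

class VendorLedger:
    """Hypothetical public log of avowed binaries; entry = sha256(binary) hex + b"|" + git hash."""
    def __init__(self, releases):
        if not releases:
            raise ValueError("ledger needs at least one release")
        self.entries = [hashlib.sha256(blob).hexdigest().encode() + b"|" + git.encode()
                        for blob, git in releases]
        self.levels = [[leaf_hash(e) for e in self.entries]]
        while len(self.levels[-1]) > 1:          # build the Merkle tree bottom-up;
            cur = self.levels[-1]                # an unpaired node is promoted unchanged
            self.levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                                for i in range(0, len(cur), 2)])

    @property
    def root(self):
        return self.levels[-1][0]

    def prove(self, digest_hex):
        """Return (entry, inclusion proof) for a binary digest, or None if never avowed."""
        for index, entry in enumerate(self.entries):
            if entry.split(b"|")[0] == digest_hex.encode():
                proof = []
                for level in self.levels[:-1]:
                    sib = index ^ 1
                    if sib < len(level):
                        proof.append((level[sib], sib < index))  # (hash, sibling is left)
                    index //= 2
                return entry, proof
        return None

def verify_inclusion(leaf, proof, root):
    acc = leaf
    for sibling, sibling_is_left in proof:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return hmac.compare_digest(acc, root)

def check_file(blob, signature, vendor_key, ledger, pinned_root):
    """Classify a signed file by asking the vendor's ledger whether it was avowed."""
    if not hmac.compare_digest(sign(vendor_key, blob), signature):
        return "bad-signature"
    found = ledger.prove(hashlib.sha256(blob).hexdigest())
    if found is None:
        return "signed-but-not-avowed"     # valid signature, no ledger entry: possible key theft
    entry, proof = found
    if not verify_inclusion(leaf_hash(entry), proof, pinned_root):
        return "ledger-mismatch"           # ledger answer does not match the root we pinned
    return "avowed:" + entry.split(b"|")[1].decode()

# Constructed sample data: key, release contents and git hashes are made up.
KEY = b"constructed-vendor-signing-key"
RELEASES = [(b"updater 1.0", "a1b2c3d"), (b"updater 1.1", "d4e5f6a"), (b"updater 1.2", "0f9e8d7")]
LEDGER = VendorLedger(RELEASES)

if __name__ == "__main__":
    for blob in [b"updater 1.2", b"binary the vendor never built"]:
        print(blob, "->", check_file(blob, sign(KEY, blob), KEY, LEDGER, LEDGER.root))
```

The "signed-but-not-avowed" result is the case the slides care about: the signature verifies, yet the vendor has no record of producing the file, which is the only signal of key theft this design offers.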
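
One way to meet the requirement in slide 41 (Step 7: Signed interpreters), as an added example that is not part of the original talk: a loader verifies the script before compiling it and stamps the script's digest into every code object, so running code can be tied back to the signed source. The loader, the `<signed:...>` label and the sample script are hypothetical, and an HMAC stands in for a real script signature.

```python
import hashlib
import hmac

PREFIX = "<signed:"

def sign_script(key, source):
    # Stand-in for a real script signature (HMAC over the source bytes).
    return hmac.new(key, source, hashlib.sha256).digest()

def load_signed(source, signature, key):
    """Verify the script, then compile it so its code objects carry its digest."""
    if not hmac.compare_digest(sign_script(key, source), signature):
        raise PermissionError("signature does not verify; refusing to run privileged script")
    digest = hashlib.sha256(source).hexdigest()
    # The filename given to compile() is inherited by every function defined in
    # the script, so each frame and traceback names the signed source.
    code = compile(source, PREFIX + digest + ">", "exec", dont_inherit=True)
    namespace = {"__name__": "signed_script"}
    exec(code, namespace)
    return namespace, digest

def origin_of(func):
    """Digest of the signed script a function was compiled from, or None."""
    name = func.__code__.co_filename
    if name.startswith(PREFIX) and name.endswith(">"):
        return name[len(PREFIX):-1]
    return None

# Constructed sample script: one ordinary function, and one that generates
# code at run time, which loses the link back to the signed source.
KEY = b"constructed-admin-key"
SCRIPT = b'''
def rotate_logs():
    return "rotated"

def build_at_runtime():
    scope = {}
    exec("def helper(): return 'generated'", scope)
    return scope["helper"]
'''

if __name__ == "__main__":
    ns, digest = load_signed(SCRIPT, sign_script(KEY, SCRIPT), KEY)
    print("rotate_logs comes from", origin_of(ns["rotate_logs"]))
    print("generated helper comes from", origin_of(ns["build_at_runtime"]()))
```

The label is only as trustworthy as the loader: it holds when `load_signed` is the sole path by which privileged code gets compiled, and code generated at run time shows up with no origin, which is the gap slide 27 describes.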