As a Georgia Tech OMSCS student as well as working software professional, advanced security topics are always something I want to learn more about. Georgia Tech’s Institute for Information Security & Privacy is presenting a weekly Cybersecurity Lecture Series on Fridays this fall, and being a local I’ve started attending them. Here are my quick (albeit not necessarily complete) notes from this week’s presentation by Curtis Walker of Draper Laboratory.
Weaknesses of current “security experts” is that many of them have only shallow knowledge of exploits or vulnerabilities. Hackers are working at depth, below where most experts are working or comfortable.
These catchphrases can actually result in decreased security:
- Defense in depth
- Best practices
- Layered security
Security by Reactiveness
“Do we understand the risk vs benefit trade-offs of security software?”
Tavis Ormandy @ Google
“The worst possible outcome of installing a security program is that it will be ineffective.”
- Security tools often contain vulnerabilities.
- IDS and AV solutions identify only what they know about. If an expert recommends this as the first solution, they’re not an expert.
- These products often install device drivers in the OS, which run at kernel privilege level.
- Increase attack surface of your system. Any flaws in the software can result in Ring 0 exploits.
- Vendors are typically more concerned with profits than effectiveness.
“The best way to ensure you are secure is to remove the disk and scan/analyze files from a trusted machine or boot from a CD/DVD.”
File integrity checkers are very limited.
“If I get infected with malware I will be safe if I format my hard drive and reinstall the OS.”
This strategy fails against:
- BIOS resident rootkits
- PCI-ROM rootkits
Security by Correctness
“Formally-verified microkernels offer 100% security.”
- Formal verification has made great strides, but there are misconceptions in this area.
- Potential to benefit defense applications faster than normal users
- Potential to intro a false sense of security.
Three main issues exist with respect to formal verification:
- Certain assumptions are made when performing formal verification of code; the attack surface tested is these assumptions.
- Anything missed in the specs can result in a vulnerability.
- Not a scalable process (how do you test 10’s of millions of LOC?).
“Open source code is more secure because many eyes are looking at it.”
- “The ‘many eyes’ of the open source community are blind, uninterested, or selling to governments for profit.” — Brad Spengler (grsecurity)
- Many cases of backdoored OSS in the wild.
- Bugs are becoming more difficult to find, and the economy has shifted to selling bugs vs informing the vendor.
“Buffer overflow exploit threats are near extinction.”
- Code injection – traditional shellcode attack
- Code reuse – return to libc, ROP, JOP, etc
- Data-only – overwriting non-control data on the stack to achieve code exec
Code injection attacks – still not solved by most OS as they lack MPROECT and TPE or MAC.
Academia keeps creating subpar theoretical solutions under the name Control Flow Integrity (CFI) and then attacks to break them.
Microsoft’s Control Flow Guard (CFG) and Intel’s Control Flow Enforcement Technology (CET) implements the weakest form of CFI.
“Stack canaries are a completely effective mechanism to prevent buffer overflow attacks.”
Only protect against stack smashing, not heap or format string vulnerabilities.
“ASLR is a complete defense against code reuse attacks.”
- Entropy reduction attacks can sig lower effectiveness
- Address space info disclosure can leak known addresses
- Brute-forcing can be effective
- Heap/JIT spraying inject code at predictable locations
- Not all apps will work with ASLR.
- Many libraries are statically located/mapped, defeats ASLR.
Operating System Security
“If you’re serious about security, you should install Linux.”
- The Linux kernel devs have shown time and again they are unconcerned re security
- Huge number of kernel vulnerabilities
- Large amount of Linux kernel vulnerabilities do not get CVEs
- SELinux claims to provide fine-grained security, but ineffective against remote PHP + local kernel exploits
- No GUI-level isolation with X11.
- 99% of the kernel security progress is out-of-tree patching by 3 people (unpaid) in their free time
- Upstream security is sig weaker than out-of-tree patches
- Linus Torvalds not interested in features that don’t fit into the LSM model
“What about my phone?”
Android – based on Linux, not hardened. Vendors slow adoption of patches. Kernel self-protection is lagging.
CopperheadOS = hardened Android for Nexus devices.
IOS taking security more seriously, updates all handled by Apple.
“If you are serious about security, you should install OpenBSD.”
- No provision to lock down system beyond basic Unix perms
- Often years behind (15 years in some cases) re security mechanisms.
- BSD variants are not much better. HardenedBSD the only viable solution, but still behind other options.
“Microsoft Windows is synonymous with poor security.”
- Actually doing more than Linux in terms of improving security
- Strategic hires
- Each release more secure than previous
- Kernel self-protection
- More non-exec regions of memory
- Windows Defender actually a great tool!
“Privacy software such as TOR will increase security.”
- When you use TOR you put a certain amount of trust in its exit nodes, esp if not using SSL/TLS.
- Some exit nodes inject malicious code into binary downloads.
- Use a VPN on top of TOR to protect binary transfers.
“DHS spent $6B on a firewall. The result?”