xcdegasp
18-07-2008, 15:30
CPU Bug Attacks: Are they really necessary?
Recently, some articles have been published after Hack in the Box Security Conference 2008 presentations have been revealed. One of the most interesting topics that will be shown at the conference will be the presentation given by Kris Kaspersky.
Kaspersky (who has nothing to do with Kaspersky Labs) will be presenting his research and proof of concepts on how to exploit Intel CPU bugs to make an attack regardless of the operating system or if applications installed are all updated or not.
As Kris Kaspersky has written on his abstract, Intel CPUs have exploitable bugs. When CPUs came out from the development cycle, some bugs can exist of course, someones have been fixed, someones have not.
Now, Kaspersky has stated that he could subvert the Operating System regardless of all security countermeasures installed by driving applications to execute specific sequences of Intel CPU instructions.
Reading on some international boards, I've seen a lot of users quite worried about this presentation and what the consequences will be after that.
I wouldn't want to minimize the problem, but at least just write down some thoughts of mine.
Everyone is worried about what Kris will release to the public and I can understand this. But every year, at every security conference, there are really interesting presentations and lot of experienced people talking about theorically serious threats. But this doesn't necessarily mean that an exposed PoC will become a serious threat in the wild. Many of these PoCs require high levels of skill (which most malware authors do not have) to actually make them work in other contexts.
And, I feel sorry to say this, but being in the security industry my thoughts are: do malware writers really need to develop highly complex stuff to get milions of pcs infected? The answer is most likely not.
There are a massive amount of PCs infected by very simple malware and a number of these infections are caused because of users being social engineered to download a file or click on a link - hardly the "highly complex" spreading or infecting mechanisms some of these PoCs use.
Has anyone heard about Shadow Walker rootkit? It was really an interesting presentation attended by Sherri Sparks and Jamie Butler at Black Hat Conference 2005 in Japan. It was really a cool rootkit in theory.
Who hasn't heard about BluePill project developed by Joanna Rutkowska and Alexander Tereshkin? A new concept of rootkit basically undetectable (let's not talk about "how to detect bluepill" dispute). A cool project in theory, even with available sources online.
Why we haven't seen any of these PoC applied to ITW threats? Because they need a lot of efforts and highly skilled people to be developed and at this moment malware writers have understood that's far easier to infect milions of pc. It's user's fault, it's maybe our fault too. The truth is that there's still a lot to work for malware writers on user's layer (no, not user mode layer, human's layer) and on the OS layer, I think they wouldn't move far from here.
All this basically to say: yes, Kris Kaspersky's presentation will be interesting and everyone - from both security industry and darkside - will listen to it carefully. But don't make the error to be worried about something that could potentially become a threat and don't realize instead that there are at the present other serious threats that are left free to do their dirty job.
Fonte: www.prevx.com ("http://www.prevx.com/blog/97/CPU-Bug-Attacks-Are-they-really-necessary.html)
Recently, some articles have been published after Hack in the Box Security Conference 2008 presentations have been revealed. One of the most interesting topics that will be shown at the conference will be the presentation given by Kris Kaspersky.
Kaspersky (who has nothing to do with Kaspersky Labs) will be presenting his research and proof of concepts on how to exploit Intel CPU bugs to make an attack regardless of the operating system or if applications installed are all updated or not.
As Kris Kaspersky has written on his abstract, Intel CPUs have exploitable bugs. When CPUs came out from the development cycle, some bugs can exist of course, someones have been fixed, someones have not.
Now, Kaspersky has stated that he could subvert the Operating System regardless of all security countermeasures installed by driving applications to execute specific sequences of Intel CPU instructions.
Reading on some international boards, I've seen a lot of users quite worried about this presentation and what the consequences will be after that.
I wouldn't want to minimize the problem, but at least just write down some thoughts of mine.
Everyone is worried about what Kris will release to the public and I can understand this. But every year, at every security conference, there are really interesting presentations and lot of experienced people talking about theorically serious threats. But this doesn't necessarily mean that an exposed PoC will become a serious threat in the wild. Many of these PoCs require high levels of skill (which most malware authors do not have) to actually make them work in other contexts.
And, I feel sorry to say this, but being in the security industry my thoughts are: do malware writers really need to develop highly complex stuff to get milions of pcs infected? The answer is most likely not.
There are a massive amount of PCs infected by very simple malware and a number of these infections are caused because of users being social engineered to download a file or click on a link - hardly the "highly complex" spreading or infecting mechanisms some of these PoCs use.
Has anyone heard about Shadow Walker rootkit? It was really an interesting presentation attended by Sherri Sparks and Jamie Butler at Black Hat Conference 2005 in Japan. It was really a cool rootkit in theory.
Who hasn't heard about BluePill project developed by Joanna Rutkowska and Alexander Tereshkin? A new concept of rootkit basically undetectable (let's not talk about "how to detect bluepill" dispute). A cool project in theory, even with available sources online.
Why we haven't seen any of these PoC applied to ITW threats? Because they need a lot of efforts and highly skilled people to be developed and at this moment malware writers have understood that's far easier to infect milions of pc. It's user's fault, it's maybe our fault too. The truth is that there's still a lot to work for malware writers on user's layer (no, not user mode layer, human's layer) and on the OS layer, I think they wouldn't move far from here.
All this basically to say: yes, Kris Kaspersky's presentation will be interesting and everyone - from both security industry and darkside - will listen to it carefully. But don't make the error to be worried about something that could potentially become a threat and don't realize instead that there are at the present other serious threats that are left free to do their dirty job.
Fonte: www.prevx.com ("http://www.prevx.com/blog/97/CPU-Bug-Attacks-Are-they-really-necessary.html)