Glimmers of hope in OS security

I hate band-aids. No, not the kind you put on a scraped knee. I’m talking about the kind we’ve been layering on top of our broken software. Firewalls, intrusion detection systems, anti-virus, and perhaps the saddest of all, data loss prevention. They are all band-aids we’ve invented because our underlying systems are fundamentally flawed, and will never be secure. And thus was born defense in depth.

There are times when you’ve made so many mistakes, and are in so deep, that it’s best to just start over. Of course, that’s not going to happen anytime soon. However, I still have hope that research into operating systems security can make a big impact in terms of improving end-point security, and reducing our reliance on expensive and ineffective products.

I recently came across a couple of promising projects. The first one, Qubes, is already available in a prototype form. This is an effort by Invisible Things Lab to design and implement a more secure OS. They liberally take advantage of virtual machine technology (and the latest hardware) to isolate one part of the system from all others. Even the networking subsystem runs in its own unprivileged “NetVM.” I think Qubes has a lot of potential, and I really hope it continues to mature.

The second development I read about is really just an idea at this point; it’s an academic research project, and is only now getting started. Using a hefty grant from the National Science Foundation, a professor at University of Illinois at Chicago is going to design and build a security-focused operating system called Ethos. Once again, the plan is to make use of Xen-based virtual machines to enforce isolation.

These attempts at improving the OS are still not hitting the root cause of most security issues (poorly designed software), but they are at least trying to mitigate the damage caused next time your browser’s Flash plug-in gets pwned. I think that’s a step in the right direction, at least until we’re ready to throw in the towel and start fresh with this whole “computing” thing.


I just watched a video presentation from September’s OWASP conference. The presenter, Tyler Hudak, talked about the Truman-based hybrid sandnet he created to automate the analysis of web-based malware. He references Google’s The Ghost in the Browser paper, as well as the Honeynet Project. One tool he used to help automate things in Windows is AutoIt, something I had not heard of before, but it sounds handy. The demo also shows a tool called InCtrl5, a utility for Windows that monitors changes to your system, primarily for use when installing some new program. I guess it’s used to complement the usual Sysinternals tools, so maybe it has some extra features that Tyler finds useful.

Some of the problems this approach is trying to solve are browser-dependent obfuscated JavaScript, plug-in dependencies (like Flash), multiple redirects, etc. All of these issues make malware analysis more complex and time consuming, so any automation you can get away with is a big help. The demo at the end is pretty cool, but he glossed over how the information from the automated analysis is presented to the user. I’m guessing it’s not (yet) in a pretty report format. Either way, you still need someone with the right knowledge to analyze the output and decide what to do with it to help defend your network.
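The before/after change monitoring that InCtrl5 does for an installation can be reproduced for the file-system side with a baseline snapshot and a diff. The following is an added example of that technique, not code from the talk or from InCtrl5 (which also watches the registry); the sample directory and the simulated "installer" actions are constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path

# Baseline/diff monitoring in the style of InCtrl5: record the state of a
# directory tree before an installation, record it again afterwards, and
# report what the program touched. Hypothetical helper, not the real tool.

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    state = {}
    base = Path(root)
    for p in base.rglob("*"):
        if p.is_file() and not p.is_symlink():
            state[p.relative_to(base).as_posix()] = _sha256(p)
    return state

def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify paths as added, removed, or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo() -> dict:
    """Constructed sample: a fake install drops a DLL, edits a config, deletes a file."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "bin").mkdir()
        (base / "bin" / "app.exe").write_bytes(b"original binary")
        (base / "config.ini").write_text("autostart=0\n")
        (base / "readme.txt").write_text("hello\n")
        before = snapshot(root)
        # simulated installer behaviour (constructed for the example)
        (base / "bin" / "helper.dll").write_bytes(b"dropped component")
        (base / "config.ini").write_text("autostart=1\n")
        (base / "readme.txt").unlink()
        after = snapshot(root)
        return diff_snapshots(before, after)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing rather than comparing timestamps catches in-place edits that preserve size and mtime, which is the usual trick a dropper uses to hide a modified file.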


Virtualization Security Risks?

This article on Dark Reading presents several security risks created by virtualization – at least according to a few experts. I think they are neglecting to mention enough of the security benefits that virtualization technologies (such as VMware and Xen) can provide. In my mind, the advantages of virtual machines outweigh the few added risk areas that are listed.

Yes, the hypervisor is a “new layer that’s another opportunity for attack.” However, if you convert 10 physical servers into 10 VMs running on one hardware platform, you just decreased your exposure on the hardware and physical security side from 10 to one. That’s especially true if the servers were running on disparate hardware platforms, which is often the case. You would have fewer drivers to worry about updating, and require less floor space in a secure data center.

There is also the mention of “VM sprawl” in the article. The idea is VMs will pop up out of nowhere and be unmanaged and unprotected, since the proper security controls will not be in place. In my experience, I have not seen enterprise VMs created by accident or somehow without the VM administrator’s knowledge. Sure, someone can download VMware Server and load up a virtual machine on his laptop. But that’s no different than the problem of users downloading other unauthorized software – you have to try to prevent it with policy and technical controls on the workstation.

In fact, I believe VM technology will improve our ability to manage servers, and keep our security policy enforced. Using a product like VMware ESX, you can configure a “template” VM, and deploy it as many times as needed. For example, you can make a template for your standard Windows 2003 server, with all the patches, configuration settings, security tools, and typical applications – then deploy it 10 times, and you’ve got 10 good servers up and running. There’s one less excuse for not having time to properly set up security before deploying a server.

Overall, I’m glad this topic is making some headlines, to get those of us in the infosec world thinking about virtualization. As always, there are trade-offs that need to be taken into account.
