[Dailydave] VENOM Context in the HIDS/Implant space

Dave Aitel dave at immunityinc.com
Thu May 14 09:11:31 EDT 2015


<if you turned on HTML email you'd see a nice picture here>

So what you do when you make a HIDS is you first have a nice userspace
engine, which does simple things as Local/SYSTEM. At some point you want
to protect it or potentially, you want to hook more things than a
fishing boat with no license in the Everglades, so you move a piece of
your HIDS into the Kernel. You still do a lot of stuff in userspace
though because it's impossible to do the complex stuff in the kernel and
your sales team has read a couple whitepapers somewhere and promised
heuristics and generic exploit protection to your customer base by this
time. This is painful since Microsoft really doesn't want anyone else in
the Kernel, and of course, you have to interoperate with everyone else
who wants to shove themselves in there, which is half the RSAC booth
floor. That means if you're CrowdStrike or Mandiant, you get to test
your kernel hooks against Kaspersky and Symantec. The rule is: Any
bluescreens are the smaller company's fault, as far as your financial
customers are concerned.

All of this means your testing and development cycle is more expensive
than a Ferrari factory and slower than a two legged dingo. This is why
CrowdStrike has a version for Windows 7 and 2008R2, but not Windows XP,
Windows Vista, Windows 8.1, etc.

To make things worse, playing corewars against hackers in the Kernel AT
SCALE isn't truly effective. At any point if they manage to purchase
your system, they'll reach into the kernel and flip enough bits with
their local priv esc to turn it off completely long before you have a
chance to send any data on them back to home base. And then they'll turn
it back on, just with a smaller view of reality. So you've added a
race-condition-type barrier, but only against people who can't afford to
buy your system. Or, in many cases, steal it. Or borrow it as it goes
through customs in PVG. Or get someone hired at your firm. OR DO ALL OF
THESE THINGS AT ONCE AND IF YOU DON'T THINK THEY ARE THEN "ADVERSARY
PROBLEM" SHOULD MEAN MORE TO YOU!

So then, and this is where I want to put VENOM into perspective, you
think: I'm going to be in the Hypervisor. Of course, Intel already
bought McAfee exactly because this decision tree is so obvious that it
can only lead onto the silicon itself. And when you look at modern IaaS
providers they don't run one hypervisor. They run hypervisors hosted on
hypervisors. It's custom-coded turtles all the way down!

However, the only thing less fun than competing with Microsoft in their
Kernel is ALSO competing with the VMWare, Xen, and Hyper-V teams in
their micro-kernels, all at the same time. They'll expose the API they
feel like exposing WHEN they feel like exposing it, thank you very much.
But if you massage them right, you can hook without hooking, and take
memory snapshots every ten minutes and diff them and visualize
them... and wait, that Hyper-V escape has totally screwed us, hasn't it?
Building an IaaS platform that respects data classification domains is
like building a city based on Baghdad, with every sect walled off into a
tiny container labeled "We hate having economy of scale".

As this /Paul Blart: Mall Cop/ level drama evolves you think: What if I
just change the agent I put onto everyone's boxes enough so that nobody
can really target it. What if, as Dan Geer pointed out a thousand years
ago, I move every system into some level of a heterogeneous ecosystem?
What if I traded predictability for a level of self-awareness? It'll at
least work some of the time, and that might be enough?

And that, my fellow attackers, is where the offensive teams already are. :)

-dave