<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
So what you do when you make a HIDS is you first have a nice
userspace engine, which does simple things as Local/SYSTEM. At some
point you want to protect it or potentially, you want to hook more
things than a fishing boat with no license in the Everglades, so you
move a piece of your HIDS into the Kernel. You still do a lot of
stuff in userspace though because it's impossible to do the complex
stuff in the kernel and your sales team has read a couple
whitepapers somewhere and promised heuristics and generic exploit
protection to your customer base by this time. This is painful since
Microsoft really doesn't want anyone else in the Kernel, and of
course, you have to interoperate with everyone else who wants to
shove themselves in there, which is half the RSAC booth floor. That
means if you're CrowdStrike or Mandiant, you get to test your kernel
hooks against Kaspersky and Symantec. The rule is: Any bluescreens
are the smaller company's fault, as far as your financial customers
are concerned.<br>
<br>
All of this means your testing and development cycle is more
expensive than a Ferrari factory and slower than a two-legged dingo.
This is why CrowdStrike has a version for Windows 7 and 2008R2, but
not Windows XP, Windows Vista, Windows 8.1, etc. <br>
<br>
To make things worse, playing corewars against hackers in the Kernel
AT SCALE isn't truly effective. At any point if they manage to
purchase your system, they'll reach into the kernel and flip enough
bits with their local priv esc to turn it off completely long before
you have a chance to send any data on them back to home base. And
then they'll turn it back on, just with a smaller view of reality.
So you've added a race-condition-type barrier, but only against
people who can't afford to buy your system. Or, in many cases, steal
it. Or borrow it as it goes through customs in PVG. Or get someone
hired at your firm. OR DO ALL OF THESE THINGS AT ONCE AND IF YOU
DON'T THINK THEY ARE THEN "ADVERSARY PROBLEM" SHOULD MEAN MORE TO
YOU! <br>
<br>
So then, and this is where I want to put VENOM into perspective, you
think: I'm going to be in the Hypervisor. Of course, Intel already
bought McAfee exactly because this decision tree is so obvious that
it can only lead onto the silicon itself. And when you look at
modern IaaS providers they don't run one hypervisor. They run
hypervisors hosted on hypervisors. It's custom-coded turtles all the
way down! <br>
<br>
However, the only thing less fun than competing with Microsoft in
their Kernel is ALSO competing with the VMWare, Xen, and Hyper-V
teams in their micro-kernels, all at the same time. They'll expose
the API they feel like exposing WHEN they feel like exposing it,
thank you very much. But if you massage them right, you can hook
without hooking, and take memory snapshots every ten minutes and
diff them and visualize them....and wait, that Hyper-V escape has
totally screwed us, hasn't it? Building an IaaS platform that
respects data classification domains is like building a city based
on Baghdad, with every sect walled off into a tiny container labeled
"We hate having economy of scale".<br>
<br>
As this <i>Paul Blart: Mall Cop</i> level drama evolves you think:
What if I just change the agent I put onto everyone's boxes enough
so that nobody can really target it. What if, as Dan Geer pointed
out a thousand years ago, I move every system into some level of a
heterogeneous ecosystem? What if I traded predictability for a level
of self-awareness? It'll at least work some of the time, and that
might be enough?<br>
<br>
And that, my fellow attackers, is where the offensive teams already
are. :)<br>
<br>
-dave<br>
</body>
</html>