The end of secure computing on general purpose hardware. bert.hubert@netherlabs.nl, [email protected], http://tinyurl.com/blackhat-ede


Page 1: The end of secure computing on general purpose hardware

The end of secure computing on general purpose hardware

[email protected]

[email protected]

• http://tinyurl.com/blackhat-ede

Page 2: The end of secure computing on general purpose hardware

Whoami

• Launched in 1997, now powers around 30-40% of all domain names. Open source.

• Research & Development (2003-2006)

• Founded Fox Replay Analyst joint venture, an intercepted internet analysis solution

• Cybersecurity Solution Architect, new owners of Replay. Nothing to do with PowerDNS.

Page 3: The end of secure computing on general purpose hardware

• NetScout (Nasdaq: NTCT) is in the ‘service delivery management’ business - effectively passive probes that measure response times, packet loss, error conditions & generally quality of services delivered

• Deployed throughout networks, and not just at the ‘edges’

• ±850 employees, worldwide presence

• Store 100TB of packets & metadata, 10Gbit/s interfaces

• Recently acquired the Fox Replay division from Fox-IT:

• “With the acquisition of Fox Replay BV, NetScout will gain critical technology and expertise that will help us continue to build on our core strategy of advanced packet-flow intelligence and accelerate our innovation to address the growing Cybersecurity concerns in our target markets.”

• I’m the new ‘Cybersecurity Solution Architect’

Page 4: The end of secure computing on general purpose hardware

Agenda

• The end of general purpose hardware for secure applications

•History of (secure) systems

•How did it come to be this way?

•How bad is it?

•What can we do about it

• ‘brave’ solutions, weak solutions

Page 5: The end of secure computing on general purpose hardware

Doing secure things on a PC (or mac, or iPhone, or Android)

• For most people: “Forget about it”

• Or at least, ignore it..

• Would you sign a real contract online?

• The numbers are stunning - >5% of corporate desktops (which are the most locked down PCs available) are compromised

• Not even on purpose, “drive by hacks”

• We still do it because there is no alternative

Page 6: The end of secure computing on general purpose hardware

So how bad is it?

• People do realize there is an issue, nobody wants to install applications anymore! Browser is preferred platform

• Including for “your mom”

• But if you do - any program you install can do nearly ‘everything’, including uploading all your private files to pastebin

• But wait! I need to give permission for network access!

• Yes, but you will ;-)

• By now, browser is an OS in its own right..

Page 7: The end of secure computing on general purpose hardware

So, some theory

• Limited definition of keeping things secure: assuring that the operator of the computer is the only one that controls what the machine does. Attacker gets no screwdrivers, no physical access

• The broader definition of security is completely out of reach of a normal PC on the internet

•Tamperproof, emission controls, timing attacks..

Page 8: The end of secure computing on general purpose hardware

Classic example: internet banking

• As a user, I want to control where my money goes

• Bank agrees with me and makes sure I use two-factor access control: something I know plus something I have

• For this to work:

• I must be the only one able to send instructions to the bank once logged in

• The screen should display exactly the orders I gave the website, so I can authorize them

Page 9: The end of secure computing on general purpose hardware

Banking malware

• Giant business, very sophisticated, whole ecosystem revolves around this

• “Crimeware”, botnets, money-mules etc

• Revolves around hijacking internet banking sessions

• Keyloggers, browser injection..

• In The Netherlands, currently being fought heavily through intensive network & transaction monitoring

• Firewall, virus scanner etc of (very) limited use in protecting

Page 10: The end of secure computing on general purpose hardware

Banking malware in other countries

• In some countries, it is mandatory to run client-side software which “locks down” the browser to shield it from malware on the PC

•“Trusteer Rapport” for example

• In South Korea, mandatory ActiveX plugins serve the same function (mostly implemented for Windows and IE).

• I hear similar stories about China

Page 11: The end of secure computing on general purpose hardware

Banking security: an ongoing fight

• This is an ongoing, and ultimately, unsatisfying battle

• “Arms race”

• In the UK, it is well accepted that credit cards stop working after a few days abroad

• “the scammers have won”

• Banks are, slowly, working on transferring the risk of crime to the consumer

• Pin & Chip in the UK

• Banks indicate that “the desktop is lost”

• Publicly they say that “SSL protects us”

• Sucks!

Page 12: The end of secure computing on general purpose hardware

Some history

• We used to have a solid “trusted computing base” on which to build

• The transistors were fixed

• The CPU built from those transistors was fixed

• The operating system was (relatively) fixed

• There was a system library, on which we ran our programs

• These programs delivered messages (‘content’) and not code

Page 13: The end of secure computing on general purpose hardware

[Figure: the stack of layers, with notes on how each layer can now be changed]

Layers: HW, CPU, Transistor, BIOS, C Library, OS, Application, Content

Notes, from the top of the stack down:

• Javascript, macros ;-(

• Plugins

• “DLL Hell”

• Modules, drivers

• Flash it! Plus add SMM!

• Update the microcode & firmware!

• Reprogram the FPGA

Page 14: The end of secure computing on general purpose hardware

Protective measures

• First all these ‘extensions’ or ‘upgrade possibilities’ were added

• Hard to say no. However, sometimes you wonder..

• Later on, more and more checking & warning was implemented because things got out of hand (‘Are you sure you want to..’)

• A large fraction of the ‘weekly patch cycle’ is about insufficient checking

• Goes for all operating systems

Page 15: The end of secure computing on general purpose hardware

“The virtual stack of vulnerabilities”

• In the mind’s eye, a vulnerability comes into existence when it is reported (often with the patch ready)

• This is not the case

• All these vulnerabilities were around for ages and ages already!

• So the correct mental picture is: there are hundreds or thousands of vulnerabilities that STILL NEED patching!

• A patch takes some away, new software adds new problems..

Page 16: The end of secure computing on general purpose hardware

But did we even START clean?

• We’ve been assuming that the computer ‘out of the box’ was safe

• It might not be for two reasons:

• There have been many cases of computers shipping ‘pre-infected’ because the guys that filled the computer with crapware had a virus already (even phones have shipped with Windows viruses on them!)

• Not everybody writing drivers, modules, plugins, firmwares and microcodes might be your friend..

Page 17: The end of secure computing on general purpose hardware

Don’t firewalls and virus scanners help?

• Firewalls are essentially useless unless they are configured to be painful

• Most pass port 80 and port 443 unmolested. This does not hinder any malware significantly.

• Blocking port 80 is not an option

• Smart firewalls can do http-level filtering though

• Virus scanners run a losing battle since attackers can hone their stuff until it is perfect

• Did not stop banking malware

Page 18: The end of secure computing on general purpose hardware

:-( it sucks at EVERY level!

Page 19: The end of secure computing on general purpose hardware

Some examples of what can happen

• The un-wipeable disk. When discarding disks, these are often wiped using bit patterns specifically engineered to remove all magnetic traces of the original data

• Note that these patterns are mostly for very obsolete disks..

• Let’s say we modify the firmware of a disk to recognize such linear wiping, and report that the sectors are wiped - but not actually do it!

• Discarded disk gets new firmware upgrade and all data is back!

• Including passwords..

Page 20: The end of secure computing on general purpose hardware

Some examples of what can happen

• The “Window on your RAM”. Ethernet adaptors on the PCI bus have full view of your memory, and are (by definition!) connected to the network.

• There is even a helpful standard for sharing RAM over IP: RDMA

• A firmware upgrade for the ethernet card could add RDMA support

• Remote parties sending the right packets can read & write all your RAM

• Thanks!

• Oh, and did you know most wifi cards run a whole operating system? RDMA over air!

Page 21: The end of secure computing on general purpose hardware

Infect the very mother board

• Mother boards come with a very unhelpful feature called System Management Mode

• This allows the mother board to take over the CPU, and have it execute code on its behalf

• For example to manage fans and temperature

• SMM has full and complete control over all aspects of the computer, and can be triggered at any time

• Nice trick, update the SMM to ‘reinfect’ a cleaned PC!

• SMM is “invisible” to virus scanners

Page 22: The end of secure computing on general purpose hardware

Kill the crypto

• Cryptography always relies on strong random to generate secure (session) keys

• "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." - John von Neumann

• A computer always needs hardware assistance to generate random (would not be a computer otherwise)

• Modern Intel CPUs offer the RdRand opcode to deliver ‘true hardware random’ at high speeds

• Upgrade the microcode to turn RdRand into a predictable stream -> break into SSL/RSA because of known (ECDH session) keys!
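Added example (not part of the original slides): why a key drawn from a single hardware random source is only as good as that source, and how hashing it together with an independent source limits the damage. `PredictableHwRng`, `mix_entropy` and the seed are constructed for illustration; the assumption is that the second source is independent of the hardware generator.

```python
import hashlib
import os


class PredictableHwRng:
    """Constructed stand-in for a hardware RNG whose microcode was replaced.

    Output looks uniformly random, but anyone who knows `seed` can replay it.
    """

    def __init__(self, seed: bytes):
        self._seed = seed
        self._counter = 0

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            ctr = self._counter.to_bytes(8, "big")
            out += hashlib.sha256(self._seed + ctr).digest()
            self._counter += 1
        return out[:n]


def mix_entropy(*sources: bytes) -> bytes:
    """Hash length-prefixed inputs: the digest stays unpredictable as long
    as at least one input is, so one bad source does not expose the key."""
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(4, "big"))  # prefix keeps input boundaries unambiguous
        h.update(s)
    return h.digest()


def key_from_hw_only(hw) -> bytes:
    return hw.read(32)


def key_from_mixed(hw, other_source=os.urandom) -> bytes:
    # Assumption: other_source is independent of the hardware RNG.
    return mix_entropy(hw.read(32), other_source(32))


def attacker_can_replay(seed: bytes) -> tuple:
    """Return (hw_only_replayed, mixed_replayed) for someone who knows seed."""
    victim_a, attacker_a = PredictableHwRng(seed), PredictableHwRng(seed)
    hw_only = key_from_hw_only(victim_a) == key_from_hw_only(attacker_a)
    victim_b, attacker_b = PredictableHwRng(seed), PredictableHwRng(seed)
    guess = mix_entropy(attacker_b.read(32), bytes(32))  # second input unknown
    return hw_only, key_from_mixed(victim_b) == guess
```

The stand-in generator would pass statistical randomness tests, which is why the tampering described on this slide cannot be caught by measuring the output alone.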

Page 23: The end of secure computing on general purpose hardware

Bend the router

• Find a customer with a known router/modem - easy to do, pick a large ISP

• Send email with a piece of javascript that makes the browser log in to the router @192.168.1.1

• The password might be default, might be cached!

• Change the DNS settings of the router to malicious servers

• Reroute select traffic for fun and profit!
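Added example (not part of the original slides): a check a router's admin web interface could apply so that a page or e-mail loaded in the user's browser cannot drive the settings pages. The function names, the plain header dict and the sample hosts are hypothetical, not taken from any router firmware.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def initiator(headers):
    """Host[:port] of the page that triggered the request.

    Returns '' for an opaque origin such as "null", None if no header is set.
    """
    for name in ("Origin", "Referer"):
        if name in headers:
            return urlsplit(headers[name]).netloc.lower()
    return None


def allow_admin_request(method, headers, own_hosts):
    """Decide whether the admin interface should process this request."""
    # The request must be addressed to the router itself.
    if headers.get("Host", "").lower() not in own_hosts:
        return False
    who = initiator(headers)
    # A page from another site (or an e-mail) is steering the browser.
    if who is not None and who not in own_hosts:
        return False
    # State changes need positive proof they came from the router's own pages.
    if method.upper() not in SAFE_METHODS and who is None:
        return False
    return True


OWN = {"192.168.1.1"}  # constructed: the router's LAN address from the slide
```

This check does not replace changing the default password; it only removes the browser as a relay for requests the user never made.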

Page 24: The end of secure computing on general purpose hardware

The trusted computing base.. can’t be trusted

Violence may be required to root out all possible vectors of infection!

Page 25: The end of secure computing on general purpose hardware

So how did this happen?

• Hardware basically sucks and is incredibly inflexible (changes take months!)

• Updating ROM requires physical action and possibly a soldering iron

• Operating systems and applications are also hard things to change

• So, everywhere where this is possible, helpful developers have added ways to update the hardware behavior or modules to the application

• The end result is that we have thousands of fundamental holes in our security!

• Physical ROM is not even easily available anymore..

Page 26: The end of secure computing on general purpose hardware

What is the result?

• Security professionals I know feel really scared about doing internet banking

• Often have a separate machine for that purpose

• Bankers I speak to have ‘given up on the desktop’

• This very rich array of holes enables ‘spear phishing’ and many other attacks

• We now need IDS, IPS, Virus Scanners, Network Access Control, SIEM, Lockdown desktops, Sandboxes and constant monitoring to spot security problems!

Page 27: The end of secure computing on general purpose hardware

What is the result?

•There are now things that we fear to do with computers (online banking), but we have to

•There are things we are not considering doing electronically right now, like medical files or voting

Page 28: The end of secure computing on general purpose hardware

Some solutions

• We could make our hardware and software ‘read only’ again.

• Perhaps using cryptography - history is not promising though

• However, software is already considered ‘inflexible’. Turning off Javascript in email, disallowing plugins, stopping programs from installing is not overly acceptable.

• We should still try though. Rop Gonggrijp reminded us of this at GOVCERT 2011 “don’t give up, write secure code”.

Page 29: The end of secure computing on general purpose hardware

Reintroduce trusted hardware

•On a scale from least trusted to most trusted:

•Windows PC, Linux PC, Mac PC

• iPhone / Android

•Kindle

•Old school “stupid” phones

•We could envision a limited purpose trusted platform

Page 30: The end of secure computing on general purpose hardware

Trusted platform

• Might look like a Kindle, with built-in GSM & Wifi for connectivity

• Heavily restricted hardware platform, non-PC based. All hardware firmware upgrade possibilities are disabled.

• “Every time you turn it on, it is new”

• Unattractive target to hack that way

• Limited internet browser, no Javascript

• Do authentication via built-in smartcard

Page 31: The end of secure computing on general purpose hardware

Shared trusted platform

•This platform might be expanded to support multiple applications

•Your bank, taxes, medical files

• Find signed way of loading different applications

•Would need very strict control to prevent ‘slide back into generic insecure PC’ territory!

• “beat people up”

Page 32: The end of secure computing on general purpose hardware

Further thoughts

• Banks already verify big transactions manually. Issuing ‘high value’ customers with such a dedicated device might save them money from day 1

• And not just add security

• iPad and various tablets IN THEORY come quite close to this ideal, and have a lot of the cool hardware that makes it possible

• However, the incentives are all wrong, as is the track record of the devices

Page 33: The end of secure computing on general purpose hardware

Other solutions

• Attackers overcome any security barrier eventually

• They have unlimited attempts to try it.

• Also, there are thousands of ways to do so, and this is because of the ‘flexibility push’ described earlier

• One solution: add barriers they can’t see and can’t try to work around

• Like the current banking anomaly monitoring

Page 34: The end of secure computing on general purpose hardware

Summarizing

• Generic PC+OS security is riddled with loopholes in the name of flexibility

• All lower layers can be taken over

• To the point that it has become a joke to regard a PC (or a Mac) as a trusted platform

• Makes banking scary..

• Solutions are:

• ‘man up’ and fix our computers,

• move to dedicated devices, or

• very heavy monitoring

Page 35: The end of secure computing on general purpose hardware

More information

• Cybersecurity: [email protected]

• DNSSEC: [email protected]

•+31-6-22440095

• http://tinyurl.com/blackhat-ede