Slashdot: News for Nerds


Security Threats 3 Levels Beyond Kernel Rootkits

kdawson posted about 5 years ago | from the close-to-the-machine dept.

Security | 264 comments

GhostX9 writes "Tom's Hardware has a long interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages). Many think that kernel rootkits are the most dangerous attacks, but Joanna and her team have been studying exploits beyond Ring 0 for some years. Joanna is most well known for the BluePill virtualization attack (Ring -1) and in this interview she chats a little bit about Ring -2 and Ring -3 attacks that go beyond kernel rootkits. What's surprising is how robust the classic BluePill proof-of-concept is: 'Many people tried to prove that BluePill is "detectable" by writing various virtualization detectors (but not BluePill detectors). They simply assumed that if we detect a virtualization being used, this means that we are "under" BluePill. This assumption was made because there were no products using hardware virtualization a few years ago. Needless to say, if we followed this way of reasoning, we might similarly say that if an executable makes network connections, then it must surely be a botnet.'" Rutkowska says that for her own security, "I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization." She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.



o.k. (2, Funny)

amnezick (1253408) | about 5 years ago | (#28743971)

i was gonna write something about [o]ver[k]ill but I'm not in the mood anymore. 3 VMs??? ahahahahahahahhahahahha ROFL ahahahahhahahahah (sorry, I can't help it) .. ahahahahahhahahaha

* burn karma, burn *

Re:o.k. (4, Informative)

NotBornYesterday (1093817) | about 5 years ago | (#28744013)

Come back later when you're coherent.

When 4 cores and several gigs of ram are available in inexpensive off-the-shelf systems, and VM software is freely available and easier to deploy, paranoid levels of security become more and more practical.

Re:o.k. (0)

Anonymous Coward | about 5 years ago | (#28744037)

and VM software is freely available and easier to deploy, paranoid levels of security become more and more practical.

It's only free if your time's worth nothing.

Just saying. There's always some trade-off, and while it may be worthwhile, the mere fact that you don't have to pay doesn't automatically mean it is.

Re:o.k. (4, Insightful)

NotBornYesterday (1093817) | about 5 years ago | (#28744083)

Time is only one half of the equation. What are your privacy and security worth?

Re:o.k. (4, Insightful)

rudy_wayne (414635) | about 5 years ago | (#28744517)

It's only free if your time's worth nothing.

Most of your time IS worth nothing. But people are too arrogant to admit it.

Re:o.k. (1)

amnezick (1253408) | about 5 years ago | (#28744079)

I guess it's true that what you don't know can't hurt you.
It's like being a cop and having a teen daughter. Knowing all the dangers out there you can't just let her go to this one party, can you? I guess that's why she's so paranoid about it.
Whenever I see overprotective/overkill I don't even try to understand why. I just know that there are some people who live their lives in fear and there's us who don't mind going to the bank, paying bills the old way, you know ... socializing. I see the Internet as just another way of communication. Nothing more.

Re:o.k. (2, Insightful)

NotBornYesterday (1093817) | about 5 years ago | (#28744337)

I guess it's true that what you don't know can't hurt you.

I'm not sure I agree with that one. Plenty of stuff has bitten me in the ass regardless of whether I knew anything about it.

It's like being a cop and having a teen daughter. Knowing all the dangers out there you can't just let her go to this one party, can you?

You can't shelter your kids forever; you have to build stronger, better kids and trust they can deal with the world when it is time ( Believe me, I know - I'm there right now).

In the same way, putting thought and care into building a robust, secure computer system pays dividends when it has to deal with the real world.

I guess that's why she's so paranoid about it.

She sounds like a contractor I knew who completely overbuilt his house just because he could. Paranoid? Not really. Just building the best house he reasonably could.

Whenever I see overprotective/overkill ... there are some people who live their lives in fear

What might be overkill in the hands of experts today might well be standard issue tomorrow, and no more difficult to use than personal AV and firewall apps today.

I see the Internet as just another way of communication. nothing more

Fair enough. But it sure isn't free of danger, and thinking otherwise won't change things.

Re:o.k. (5, Funny)

Starayo (989319) | about 5 years ago | (#28744431)

I guess it's true that what you don't know can't hurt you.

Okay, so, you're walking through your house, right? And you think, "I know, I think I'll make some pancakes", so you go to the kitchen. But what you don't know is there's an ANGRY GRIZZLY BEAR in your cupboard next to the flour.

Re:o.k. (0)

Anonymous Coward | about 5 years ago | (#28744097)

When 4 cores and several gigs of ram are available in inexpensive off-the-shelf systems,

Back in April my company purchased some new Dell Vostro 420 desktops, quad-core, 4 GB ram, for under $600. I'd call that inexpensive. They're even cheaper today.

and VM software is freely available

Excellent free VM software (both ESXi and VMware Server) is available from VMware. Even the paid products from VMware aren't that expensive.

Many other VM platforms from other vendors are also free.

Come back later when you're coherent.

Pot, kettle.

Re:o.k. (-1, Flamebait)

Anonymous Coward | about 5 years ago | (#28744115)

Pot, kettle.

WTF? You clearly don't understand the parent's post. He's saying that stuff is cheap and readily available, so it's okay to be a little more paranoid/security-conscious. You then go on to prove his point that this stuff is cheap, then tell him he's not making any sense?!?

Re:o.k. (0)

Anonymous Coward | about 5 years ago | (#28744121)

You failed to understand what the GP was saying. He wasn't trying to describe some far-off future where multiple VM's are practical, he was intentionally describing present-day technology.

Re:o.k. (1)

NotBornYesterday (1093817) | about 5 years ago | (#28744291)

I'd call that inexpensive. They're even cheaper today ... Excellent free VM software ... are also free.

That was my point. Was I too subtle?

Re:o.k. (2, Interesting)

Repossessed (1117929) | about 5 years ago | (#28744171)

Not to mention the cost of 3 OSes. And I'm not sure if MS can enforce this, but right now you have to buy the more expensive version of Vista according to the license agreement.

Re:o.k. (5, Funny)

Anonymous Coward | about 5 years ago | (#28744265)

If only somebody would make a free OS! Well, I guess we can always dream.

Re:o.k. (0, Redundant)

Anonymous Coward | about 5 years ago | (#28744519)

Dude, I heard about this cool new thing this guy in Finland made. Lyniux.. Leenicks, I believe it's called. You should check it out!

Re:o.k. (3, Funny)

Anonymous Coward | about 5 years ago | (#28744787)

I hurd about something too, but that wasn't it.

Re:o.k. (4, Interesting)

Runaway1956 (1322357) | about 5 years ago | (#28744561)

You're serious, right? Let's assume that I have one copy of WinXP - or, Win7, legally licensed. I install a *nix as my primary OS, create a VM using VirtualBox, and I'm legal, so far, right? Get the VM all updated, then clone it 99 times. Suddenly, I'm illegal, right? But, all 99 machines are being used INSIDE of ONE BOX!!! I use one machine to browse the darknet, another machine to do torrenting, another to do my banking, one for general browsing, and one just to test malware on. The rest I may or may not ever fire up for some reason that I haven't thought of yet.

So, how much should I mail to Microsoft for all of my VM's?

Say, can I bum a dollar?

im am da neo (1)

CHRONOSS2008 (1226498) | about 5 years ago | (#28744257)

you will take the red pill now

Re:o.k. (1)

Ilgaz (86384) | about 5 years ago | (#28744665)

Make sure you never hang around with AIX or even worse, z/OS people.

The numbers you would hear would kill you because of excessive laughing or amazement. Yes, those numbers are really thousands, not tens.

Re:o.k. (0)

JordanL (886154) | about 5 years ago | (#28744949)

Wait... was she saying she's running a virtual machine inside a virtual machine inside a virtual machine?

Because that's ridiculously overkill.

huh? (4, Insightful)

vux984 (928602) | about 5 years ago | (#28743977)

I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization.

This seems a touch... idiotic. I could see how it could offer more. AND I don't see how it could offer less.

For what it's worth, I don't use an A/V product either.

And like her, I also have a "pretty reasonable setup" and a dose of "common sense". But I'm still balancing the increased responsiveness and hassle-free experience vs the extra security. It's a trade-off that's worth it to me, but I recognize that it is still a trade-off.

I have to agree it is idiotic (5, Insightful)

Sycraft-fu (314770) | about 5 years ago | (#28744161)

It is idiotic for three reasons:

1) The vast majority of attacks out there are simple programs that install in the OS. They are not some uber VM root kits or the like. As such, a virus scanner running in the OS is perfectly capable of dealing with them. So no, it doesn't give you 100% defense but I bet it stops 99.99% of the attacks out there and that is worth something.

2) Even in the case of low level root kits, they still have to get to your system in the first place. That in general means they have to get downloaded from the net or transferred from a CD or flash drive. Guess what? A virus scanner in the OS can stop that. It can scan the program coming in, before it has a chance to run, and block it. Even if the program would set itself up on a level below what the scanner could detect, the scanner can notice it as it is coming in before it can execute and do that.

3) Defense in depth is ALWAYS a good idea. In the real, physical, world you have to accept that no security is unbreakable. Anything you can make another person can unmake or circumvent. Thus security does not come from having one impassable layer, it comes from having multiple layers of different kinds. Should one layer be bypassed, security overall is not compromised. Well, a virus scanner on the system is another layer. Shouldn't be the only layer, but it helps.

Personally, I've never been impressed with her as a security researcher. She seems to be rather paranoid, and living in a theoretical world. In part this is because for all the chatter about Blue Pill, I haven't seen it made practical. Oh sure you can talk about an undetectable super rootkit on paper but does it actually work in the real world? VMWare doesn't think it would, and they do know more than a bit about virtualization.

I'm not saying this isn't an interesting line of academic research, but I'm getting tired of the "OMG I can own any system and not be detected!" doomsaying. No, really, not the case it seems.

Re:I have to agree it is idiotic (-1, Offtopic)

Anonymous Coward | about 5 years ago | (#28744223)

Is she nice looking ?

I wonder how many layers of condom I would need to approach her...

Re:I have to agree it is idiotic (2, Interesting)

Anonymous Coward | about 5 years ago | (#28744435)

:-(
http://www.rutkowska.yoyo.pl/ [rutkowska.yoyo.pl]

Re:I have to agree it is idiotic (0)

Anonymous Coward | about 5 years ago | (#28744961)

Well, I'm not that surprised.

Re:I have to agree it is idiotic (0)

Anonymous Coward | about 5 years ago | (#28744733)

OK, browsing the internet, I found green, yellow and red condoms. Do you think that should please her?

Of course I will put them on in this order:

1) red
2) yellow
3) green

P.S. I just had a look at a few pictures of her. She is not bad looking according to my taste, I find she looks a little bit like the girl on the 24 TV series.

Re:I have to agree it is idiotic (2, Insightful)

Talchas (954795) | about 5 years ago | (#28744273)

It might be idiotic if A/V programs didn't totally ruin system usability for on-line protection. And if you just run random scans, or scans of known-downloaded things, you'll still lose against any sort of automated attack (which is where anyone reasonably computer savvy might get attacked through).

Re:I have to agree it is idiotic (3, Informative)

Sycraft-fu (314770) | about 5 years ago | (#28744345)

If your AV software screws over your system, then get a better one. NOD32 is exceedingly fast and thus low impact on system resources. Also, with any good one, like NOD, you can configure what it scans so you don't have to scan everything if you don't want to.

Re:I have to agree it is idiotic (3, Interesting)

PNutts (199112) | about 5 years ago | (#28744507)

The vast majority of attacks out there are simple programs that install in the OS. They are not some uber VM root kits or the like. As such, a virus scanner running in the OS is perfectly capable of dealing with them. So no, it doesn't give you 100% defense but I bet it stops 99.99% of the attacks out there and that is worth something.

Absolutely agree. It's nice that she has a throwaway image because it isn't possible to protect herself from her definition of the critical threats, but those aren't the threats I'm necessarily worried about. My A/V keeps (among other things) the script kiddies out who do things that pi$$ me off and cause me to react. The bad guys/girls can have anything on my system which is why they probably won't bother with me. I'm wondering how much crap her system spews the day before she decides (la la la) to reimage. That's the stuff that's going after me.

Re:I have to agree it is idiotic (2, Interesting)

EdIII (1114411) | about 5 years ago | (#28744883)

I'm wondering how much crap her system spews the day before she decides (la la la) to reimage.

That bothered me too. My VM does not commit any changes when I close it down, which I do at least twice a day.

ALSO, running everything through a proxy helps too.

Re:I have to agree it is idiotic (0)

Anonymous Coward | about 5 years ago | (#28744593)

But... but but you could already be infected with a BluePill! And you WOULDN'T EVEN KNOW! HA! Where's your "not practical in the real world" now?

Re:huh? (3, Funny)

Anonymous Coward | about 5 years ago | (#28744191)

I've never understood why banks have locks on both the doors to the vaults and on the safes.

Re:huh? (2, Informative)

JustOK (667959) | about 5 years ago | (#28744239)

And the building itself.

Re:huh? (5, Insightful)

benjamindees (441808) | about 5 years ago | (#28744295)

Think of it this way. Antivirus software is like the Maginot Line. It will keep out most invaders. But the really threatening ones will simply drive around it and disable it from the inside.

Her setup is more like a fortress filled with cruise missiles that can be launched with lots of advanced warning of attack.

Both have costs. One is more effective than the other. So, saying that something expensive and incomplete like the Maginot Line provides increased security may be technically true, but it's kind of a moot point.

Re:huh? (1, Insightful)

Anonymous Coward | about 5 years ago | (#28744227)

I use an A/V product for two reasons:

First, it is a last line of defense. Sometimes the AV program is updated and can catch threats before a browser or browser add-ons are patched.

Second, I use one that is certified by ICSA and other known independent labs for pure CYA issues. It's a lot easier to excuse something by saying "oops, it got by the antivirus program that is properly updated daily" versus "I don't run AV". CYA 101, and I'm so used to it in work environments, I practice it at home on Windows boxes.

huh? (0)

Anonymous Coward | about 5 years ago | (#28744473)

Since I got absolutely sick of Norton back in 05 I have not used an a/v program, and guess what? Nothing but freedom. And I surf a lot and download a lot. Don't do stupid sh1t and you won't need an a/v prog, that includes porn and torrent sites.

Re:huh? (0)

Anonymous Coward | about 5 years ago | (#28744489)

well, I don't know whether she uses A/V products or three virtual machines, but, man oh man.. she's hot.

Why does DEP come disabled in Win 7? (3, Interesting)

Ilgaz (86384) | about 5 years ago | (#28744625)

I understand the DEP (data execution prevention) enabled processors weren't common back in Windows XP days but what is the deal with Windows 7 even 64bit version? Why wouldn't MS enable it by default as it is said to prevent very serious attacks on CPU level, without slowing down the system at all?

While there are no real viruses on OS X yet, I try to prepare machines for a "no AV needed even while viruses exist" configuration just like you, with a couple of extra admin prompts, that is all, but I don't follow the Windows scene too much.

After enabling DEP, I even gamed on Windows 7 64bit (game is even running under win2k compatibility) and I haven't seen anything bad happen. I remember some stupid HP driver on another machine crashed because of DEP but that was all, the error message was really informative too.

So, do they disable it to make a couple of badly written software owners happy while 99% would benefit from it?

BTW, this is what DEP is
http://en.wikipedia.org/wiki/Data_execution_prevention [wikipedia.org]

Paranoid and delusional (2, Insightful)

DigitAl56K (805623) | about 5 years ago | (#28744919)

Running three separate VMs is not only a sign of paranoia but also a delusion that as a person functioning in today's world you can realistically have so much control over information that with enough effort you can control your own security in all regards, or even that you can control it to the extent necessary to protect yourself from common threats.

Put aside for a moment that she's a security researcher and that probably invites more attacks than the rest of us face. There are a number of flaws readily apparent with this approach to security:

1 - Knowledge is power, and you just told the world critical elements of your defenses. There's a reason banks don't disclose such things. It doesn't make your system any less secure, but it raises the bar for attackers.

2 - You maintain your own VMs. In your mind nobody is better equipped to protect your systems than you are. In reality if you made a security blooper on one system you probably replicated it on all three VMs, if not the host also.

3 - I guess you assume that if you're running an app in the VM and someone decides to attack a vulnerability in your network stack that it won't actually affect the host system, and since the VM leverages the network stack of the host system that's not necessarily true.

4 - You may secure connections between entities like your bank by allowing only HTTPS through a browser in the VM. Reality is that in the last year major payment processors have been breached resulting in millions of people's card details being stolen. RBS WorldPay and Heartland Data Systems are two known breaches, there is one other yet unidentified from what I have read.

5 - As others have pointed out, anti-virus *will* protect you against nearly all *common* attacks. Today's anti-virus products even scan mail and http traffic for threats before your applications can process the data themselves (usually not in free versions of the AV apps). To say it adds no value at all is sending a very bad message to the majority of readers who would like to think they're better equipped to handle their own security than they really are.

The reality is that you can very easily do many simple things to help protect yourself. Install all your application updates promptly, be careful where you download software from, don't run attachments from spam e-mail, don't follow links sent to you in email without checking where they really go first, be careful where you enter your card details, run AV software, etc. etc.

However, beyond a certain point you have to spend exponentially more effort, beyond what the majority of people would consider reasonable, for very small gains in security. Chances are that you will still suffer fraud etc. during your lifetime, and it will be due to some vector completely beyond your control.

No, I didn't RTFA. 9 pages? gtfo.

Well... (5, Insightful)

afabbro (33948) | about 5 years ago | (#28743983)

She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.

And in the article:

I totally don't care about a compromise of my "Red" machine--in fact I revert it to a known snapshot every week or so. I care much more about my "Yellow" machine. For example, I use NoScript in a browser I have there to only allow scripting from the few sites that I really want to visit (few online shops, blogger, etc). Sure, somebody might do a man-in-the-middle (MITM) attack against a plaintext HTTP connection that is whitelisted by NoScript and inject some malicious drive-by exploit, but then again, Yellow machine is only semi-sensitive and there would not be a big tragedy if somebody stole the information from it. Finally, the "Green" machine should be allowed to do only HTTPS connections to only my banking site.

And as long as your bank is never hacked and serving up malware [youtube.com] , that probably works well...

Re:Well... (2, Informative)

Deanalator (806515) | about 5 years ago | (#28744093)

That's what the noscript is for. It does more than just blocking javascript these days.

Re:Well... (3, Insightful)

Sponge Bath (413667) | about 5 years ago | (#28744123)

If you have already set noscript to allow your bank's site (required for most banks), and that site has been hacked, how does that protect you?

Re:Well... (1)

maxume (22995) | about 5 years ago | (#28744167)

NoScript is a ninja warrior.

Re:Well... (1)

bjourne (1034822) | about 5 years ago | (#28744457)

Why do you believe most banks' sites require javascript?

Re:Well... (0)

Anonymous Coward | about 5 years ago | (#28744989)

Some time ago I tried to find a bank in the UK which would not be flash-based. Either I wasn't careful or most of them are flash-based.

Re:Well... (0)

Jeff DeMaagd (2015) | about 5 years ago | (#28744263)

The problem I have with noscript is that it causes more work than it saves. If I have to manually set clearances for nearly every site I visit just so the site works properly, then it's probably just too much work, there has to be a better way.

Re:Well... (0)

Anonymous Coward | about 5 years ago | (#28744417)

That's why I switched to Chrome, which has all the resources of Google behind it to prevent you from visiting compromised sites in the first place. Before, I was very loyal to Firefox and wrestled with NoScript all the time - it got to be awful - too much of a hassle. Now with these latest attacks on FF, I am so glad I use Chrome. Also, it boots in the blink of an eye, where Firefox takes a few seconds.

Re:Well... (2, Insightful)

Tenebrousedge (1226584) | about 5 years ago | (#28744441)

You can whitelist, you can blacklist, you can disable JS entirely, or you can live with not having that layer of security.

I suspect you need to actually use noscript and dig through the options before making that pronouncement. You can, for example, have all scripting from the top-level site be allowed by default. I don't recommend that for your porn browsing, but it should work on most other sites.

In terms of having a relatively secure JS-enabled browsing experience, NoScript is about as good as you can get; there's probably not going to be a 'better way' there. There are plenty of ways to be secure on the internet, though.

I've spent approximately 300 seconds to date fiddling with NoScript. I've spent more time than I care to remember cleaning viruses off of computers and reinstalling OS's. In point of fact, I'm doing that right now. I'm getting to the point of thinking that on a Windows machine, using the internet only in a virtual machine is a reasonable option. As is I use linux, and feel extraordinarily thankful to have that option. If you wanted to be completely nuts about it, you could run firefox in a vm in a chroot jail on OpenBSD on a non-x86 processor, building all components from scratch, etc etc. It's just up to you what you want to sacrifice for security. Myself, I don't think that a few minutes of configuration spread over a period of months-to-years is all that big of a deal. But hey, it's your call.

Re:Well... (1)

ceoyoyo (59147) | about 5 years ago | (#28744211)

And as long as you don't care that your "Red" machine spends most of its time as a zombie sending out spam.

Re:Well... (4, Interesting)

mlts (1038732) | about 5 years ago | (#28744237)

This is something I'm wondering. Perhaps the best thing would be for the "Red" machine to be completely rolled back when done using, and have a virtual share mapped for any data that is worth saving.

Re:Well... (4, Interesting)

Zerth (26112) | about 5 years ago | (#28744379)

That's what I've got on my setup now.

After upgrading to a multi-core system where each had more processor and memory than my previous computer and noticing that 1 core was idle unless I was doing something CPU intensive, I virtualized my old machine and saved a snapshot just after bootup and opening a browser.

Then I started using that in seamless mode instead of a browser. Every time I close it, not only is the browser history/cache/etc wiped, every possible change to the entire system is wiped.

It doesn't run AV because that system just doesn't matter anymore. Instead of restarting my browser, I'm effectively wiping & re-installing whenever it feels laggy or "off".

Perhaps it is a false sense of security, but as long as it is firewalled from the rest of the network and there isn't a "Neo" virus that can "escape the simulation", I feel safer than browsing on the host system with all the AV/noscript utilities running.

Re:Well... (2, Interesting)

bill_kress (99356) | about 5 years ago | (#28744447)

I was thinking something along this line--it would be nice to have a file system where all modifications were stored on a second partition on the hard disk and the primary partition was read-only (Preferably physically through a switch), including the boot sector.

On every boot, the data in the "writable" partition is destroyed before the first write/read ever takes place.

A specific command could copy changes over in order to update the writable partition. This would be done during the shutdown process and a list of all changes could be reviewed before flipping the switch to make your drive writable.

For normal usage, such a system would be easy to use, the only difficulty would be when you wanted it updated, and even then it's not too bad. It is somewhat vulnerable when doing a "Save state" operation to a very specific targeted attack, but even this could be mitigated.

(For instance, you could have to go through a full reboot and boot off the protected partition and have IT display the changes before actually copying them over to the protected drive. I think that would make it 100% secure if you knew how to review the change list properly)

Anti-virus would also be pretty easily replaced by code that just analyzes the change list before you are able to update your main partition.

I suppose there could even be a third partition that you could never run code off that could store cookies and stuff like that if you don't want to always lose your browser history. Might add a little hole for scripting, but still pretty close to 100% safe.
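The change-list review step in the design above, as an added example that is not code from the poster or any real product: it hashes the pristine base and the writable overlay, classifies every difference, and flags changes to constructed "protected" and autostart locations so only reviewed, routine changes are committed back. The path prefixes and sample trees are constructed for illustration.

```python
"""Change-list review for a read-only base partition plus a writable overlay.

Added example, not from the Slashdot post or any real project: it models the
design described above, where changes made in the writable partition are
collected into a list that is reviewed before anything is copied back onto
the protected base. Path prefixes and the sample trees are constructed.
"""
import hashlib
import os
from typing import Dict, List, Tuple

# Hypothetical locations where an unexpected change deserves a human look before
# it is committed: boot/system binaries and anything that runs automatically.
PROTECTED_PREFIXES = ("/boot/", "/usr/bin/", "/lib/modules/")
AUTOSTART_PREFIXES = ("/etc/cron.d/", "/etc/init.d/", "/home/user/.config/autostart/")

Tree = Dict[str, str]      # path -> SHA-256 hex digest of the file contents
Change = Tuple[str, str]   # (kind, path), kind in {"added", "modified", "deleted"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_dir(root: str) -> Tree:
    """Hash every file under `root` into a Tree keyed by '/'-relative path.

    Run it on the mounted base and on the overlay to feed change_list() real data.
    """
    tree: Tree = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                tree[rel] = sha256_hex(fh.read())
    return tree


def change_list(base: Tree, overlay: Tree) -> List[Change]:
    """Classify each path as added, modified or deleted relative to the base."""
    changes: List[Change] = []
    for path in sorted(set(base) | set(overlay)):
        if path not in base:
            changes.append(("added", path))
        elif path not in overlay:
            changes.append(("deleted", path))
        elif base[path] != overlay[path]:
            changes.append(("modified", path))
        # Identical digests produce no entry: the file was untouched this session.
    return changes


def review(changes: List[Change]) -> Dict[str, List[Change]]:
    """Split the change list into routine changes and ones that need scrutiny."""
    report: Dict[str, List[Change]] = {"flagged": [], "routine": []}
    for kind, path in changes:
        suspicious = path.startswith(PROTECTED_PREFIXES + AUTOSTART_PREFIXES)
        report["flagged" if suspicious else "routine"].append((kind, path))
    return report


def safe_to_commit(changes: List[Change]) -> bool:
    """True only when nothing in the list touches a protected or autostart path."""
    return not review(changes)["flagged"]


# Constructed sample: the pristine base, and the overlay after one browsing session.
BASE_TREE: Tree = {
    "/boot/vmlinuz": sha256_hex(b"kernel image v1"),
    "/usr/bin/ssh": sha256_hex(b"ssh client v1"),
    "/home/user/notes.txt": sha256_hex(b"shopping list"),
    "/home/user/old.tmp": sha256_hex(b"scratch"),
}
OVERLAY_TREE: Tree = dict(BASE_TREE)
OVERLAY_TREE["/home/user/notes.txt"] = sha256_hex(b"shopping list, plus milk")
OVERLAY_TREE["/home/user/.cache/browser/cookies"] = sha256_hex(b"session cookie")
del OVERLAY_TREE["/home/user/old.tmp"]
# Two changes a browsing session has no business making, both should be flagged:
OVERLAY_TREE["/usr/bin/ssh"] = sha256_hex(b"ssh client, altered during session")
OVERLAY_TREE["/etc/cron.d/updater"] = sha256_hex(b"unexpected scheduled job")


if __name__ == "__main__":
    session_changes = change_list(BASE_TREE, OVERLAY_TREE)
    for bucket, items in review(session_changes).items():
        print(bucket.upper())
        for kind, path in items:
            print(f"  {kind:9} {path}")
    print("safe to commit:", safe_to_commit(session_changes))
```

The commit step would copy only the reviewed paths onto the base; the same list is what the post suggests analysing in place of antivirus.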

Re:Well... (1)

mr exploiter (1452969) | about 5 years ago | (#28744451)

If you are so paranoid that you worry about what would happen to YOUR computer after your BANK was hacked, you should sell your computers and go live in a cabin in the woods.

Why? (5, Funny)

rysiek (1328591) | about 5 years ago | (#28743987)

"...interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages)"

Why oh why did they split Joanna into 9 pages?! That's so cruel!

Also, First Post

Re:Why? (5, Funny)

Anonymous Coward | about 5 years ago | (#28744011)

Very long legs.

Re:Why? (1, Funny)

Hurricane78 (562437) | about 5 years ago | (#28744163)

Best. Centerfold. Ever?

Three Separate Virtual Machines (4, Funny)

Anonymous Coward | about 5 years ago | (#28743991)

There's careful, there's paranoid, and there's three separate virtual machines.

Re:Three Separate Virtual Machines (1)

VulpesFoxnik (1493687) | about 5 years ago | (#28744009)

All of which have kernel modules to allow host systems to run them faster. Virtual hardware has such an overhead, but the day of the Virtual machine virus is going to come sooner or later.

Re:Three Separate Virtual Machines (2, Insightful)

mysidia (191772) | about 5 years ago | (#28744069)

What happens when one of those kernel modules contains a security bug, that allows a malicious virtual machine driver to run arbitrary code on the host OS?

Or a security exploit is found that defeats the security of hardware-assisted virtualization.

Re:Three Separate Virtual Machines (0)

Anonymous Coward | about 5 years ago | (#28744409)

And I'm behind seven proxies!

Re:Three Separate Virtual Machines (0)

Anonymous Coward | about 5 years ago | (#28744549)

Some folks are more paranoid than others. I'm a geek and have a few machines at home. One of them has swappable hard drives, and I have different hard drives to boot off of depending on what I'm doing (could do it in VMs, but gaming in VMs sucks, etc).

The beyond paranoid bit? I have an old laptop I use as a bump-in-the-line OpenBSD machine with no IP address or other services running, watching/filtering traffic coming in and out of the LAN. If one of my machines gets nailed and its virus scanner (if it's running one) doesn't catch it, I'll likely see the suspicious activity sometime on the sentinel.

security is ... (4, Funny)

eatvegetables (914186) | about 5 years ago | (#28744005)

Security is: 386 dx 40 (my first computer), BSD kernel, and Lynx non-graphical web browser. Only down side.... ascii-art porn (sigh).

Re:security is ... (1)

jra (5600) | about 5 years ago | (#28744671)

mplayer -vo aa

You don't use A/V? Are you insane? (-1, Troll)

Anonymous Coward | about 5 years ago | (#28744015)

If you run a recent, patched version of Linux or OS X, fine. But if you run a win32 or win64 variant, you shouldn't make the choice to place all of us at risk by running around without antivirus. It's irresponsible, and selfish.

Re:You don't use A/V? Are you insane? (2, Interesting)

mysidia (191772) | about 5 years ago | (#28744055)

It's fine if you apply all security patches, utilize good firewall hardware, don't surf the web or run random untrusted executables on said win32 or win64 box.

Or if you run said web surfing inside a robust sandbox.

Re:You don't use A/V? Are you insane? (1)

Manip (656104) | about 5 years ago | (#28744133)

What is it you think Anti-Virus does?

Most people that run patched systems without clicking anything too silly rarely see an AV popup. Those that run a version of Flash that is two months old and are still using Adobe Reader 7 will be just as owned as if they had not been running AV at all.

AV is fine, and I myself run it, but if I ever see a detection that isn't a false-positive or bull, then that system is getting formatted within 24 hrs.

PS - Her virtual environment might not even have a writable virtual disk, and thus any nasties that get on board are cleared each time she power cycles.

Re:You don't use A/V? Are you insane? (1)

maeka (518272) | about 5 years ago | (#28744361)

PS - Her virtual environment might not even have a writable virtual disk, and thus any nasties that get on board are cleared each time she power cycles.

If that were the case she would have no need to roll it back every week or so.

Re:You don't use A/V? Are you insane? (1)

ledow (319597) | about 5 years ago | (#28744179)

Sorry, what a load of crap.

If my AV program does the primary job that it's designed to do, it will alert me to the fact that I've been infected. That's it. Does something about that seem totally WRONG to you? It's like saying that if the military does its primary job, they will tell us we've been invaded. Er, what's the point of that?

AV *DOES NOT* stop anything, even with all the fancy-schmancy product titles that they want to use (RootkitHunter, AVToGo, Detect&Cleanse, etc.)... it merely detects the presence of a hostile element.

Now, in my experience in IT support of Windows systems (covering critical public-sector networks), 99.9% of virus infections are discovered because *WE*, the users and/or technicians, notice the AV fail or something that's slipped past the AV (usually by the speed hit on the computer concerned or the fact that it's dropped off the logs). If AV can detect something, it's ALREADY on the computer. It's *after* the event. Too late. Game over. Pointless.

Now some parts of some AV packages are actually "ANTI" virus, in that they stop them happening in the first place. These products can be variously placed into the categories of: firewalls, pre-access scanners, permission-removers. Everything else that they do is ABSOLUTE bunkum.

My own personal laptop... no AV. Hell, though, I have a firewall, a web browser that doesn't execute attachments and locked-down access to EVERYTHING on it. Why do I need a taskbar icon scanning EVERYTHING that EVER gets accessed on that computer 24 hours a day that can only pop up a box (possibly; most of the time the AV just dies with any half-decent virus infection) to say "You have a virus"? Everything past that point is worthless - "Clean" shouldn't even be an OPTION, nor should "Delete" or "Quarantine", because in my own personal experiments I've seen it fail at a consistently high rate on machines with known virus infections, even with the latest signatures / program versions.

Keep your computer up to date.
Stop things executing.
Check occasionally or when suspicions arise.

On a network, sure AV is good to prevent dumb users not capable of following policy. At the network edge, essential (nobody gets a mail in my workplace without it having gone through SOMETHING to scan it or at least strip all attachments). On my own IT equipment? What a waste of time.

Re:You don't use A/V? Are you insane? (1)

ledow (319597) | about 5 years ago | (#28744213)

P.S. Never "caught" a virus in fifteen years of computing, but found one once on a cover CD for a magazine back in the DOS days. Networks I run don't get hit with virus outbreaks (and we're usually waiting for a week or two after Patch Tuesdays before we update, have high Internet usage with completely unskilled users, on Windows XP and Server 2003, and an IT budget so low you couldn't buy floppy disks in one place!) - we get the odd virus on *personal*, standalone machines that have been taken home and brought into the network.

Re:You don't use A/V? Are you insane? (3, Interesting)

fuzzyfuzzyfungus (1223518) | about 5 years ago | (#28744253)

"Most of the time the AV just dies with any half-decent virus infection"

This is true. It is also a valuable feature.

Not for the poor bastards at home, of course, it'll just make their descent into pop-up misery and a new computer from best buy even faster. Pretty much any centrally managed AV setup, though, makes it pretty easy to check whether or not AV is running on a given client. If you have a client where the AV won't stay up, you have excellent reasons to suspect that the OS is 0wn3d. You can then inspect further, or just pave and reimage, depending.

Malware's habit of shoving an ice pick into the AV's neck at first opportunity is bad for non-techy home users; but it arguably makes that malware easier to detect in serious setups (if the AV can't detect the malware, which is likely, its bloody demise will be obvious enough to draw attention).

Re:You don't use A/V? Are you insane? (1)

maxume (22995) | about 5 years ago | (#28744657)

What are the vectors for these nasties that you are talking about?

I wonder because the only exploit I have ever watched try to run is some JS-launched PDFs; I was using a reader that was not vulnerable to the exploit, so nothing happened.

Re:You don't use A/V? Are you insane? (1)

Ilgaz (86384) | about 5 years ago | (#28744765)

A good AV will detect unknown threats and zero-day attacks even before you read about them. If combined with a good firewall, they will detect any form of data leakage, at least in unencrypted form, which is the most common.

There is an amazing level of virtualisation and heuristics in commercial products like Kaspersky, to the point of actually having a virtual machine in them and transparently launching a suspicious application in that locked-down machine before granting it some kind of "gray" level unless it changes.

There is also the whitelist concept. Known products from known companies are scanned lightly and watched for things they shouldn't be doing. So, it is not like "every file scanned". Files are scanned to different degrees.

Windows is so popular and known by black hats so "I don't run as admin" or "signed apps only" isn't enough anymore.

The Hurd (1)

John Hasler (414242) | about 5 years ago | (#28744057)

> The problem is, however, that all current popular OSes, like Vista, Mac OS X, or even
> Linux, do not provide a decent isolation to its applications. This is primarily a result
> of all those systems using big monolithic kernels that consist of hundreds of
> third-party drivers that operate at the same privilege level as the rest of the kernel.

Sounds like she wants the Hurd.

Re:The Hurd (4, Insightful)

argent (18001) | about 5 years ago | (#28744089)

Microkernels that provide security boundaries between drivers have tended to have unacceptable levels of context switching in the kernel, so once you get past the theoretical stage and you're trying to push the performance to the point where you can compete with monolithic kernels... you're going to get rid of those boundaries.

Microkernels should be seen as a design model for a kernel, an abstraction of the traditional real-time kernel to a broader application area. You shouldn't demand or expect a microkernel to have actual separate processes for each component any more than you should or would demand a TCP/IP stack actually implement separate code layers and call gates for each level of the network stack.

Re:The Hurd (1)

John Hasler (414242) | about 5 years ago | (#28744335)

> Microkernels that provide security boundaries between drivers have tended to have
> unacceptable levels of context switching in the kernel, so once you get past the
> theoretical stage and you're trying to push the performance to the point where you
> can compete with monolithic kernels... you're going to get rid of those boundaries.

Yet you use virtualization.

I do? o_O (1)

argent (18001) | about 5 years ago | (#28744685)

Yet you use virtualization.

I use virtualization where it's useful. I don't run my desktop under it, I don't use it where performance is critical. I use FreeBSD jails instead of virtual machines on my colo because they've got less overhead.

Re:The Hurd (1)

MikeBabcock (65886) | about 5 years ago | (#28744527)

Blah blah blah, theoretically and all that.

There's no benefit to a micro-kernel in these so-called ring -1 attacks. None.

Feel free to read the debate [oreilly.com] , or the previous Slashdot discussions [slashdot.org] or consider Linus' previous famous quote: Microkernels are like masturbation, it feels good but it doesn't accomplish anything.

It would help if you read what I posted (2, Insightful)

argent (18001) | about 5 years ago | (#28744675)

There's no benefit to a micro-kernel in these so-called ring -1 attacks. None.

You know, the really odd thing is that that's what I just said. Microkernels are not about security, they're about internal kernel API design. That's why Hurd and Mach suck, they're taking the API design guidelines and treating them as kernel architecture.

My partner, (-1, Troll)

Anonymous Coward | about 5 years ago | (#28744137)

My partner, who is a totally non-tech person, also uses a similar setup on her Mac, and she finds it usable. So, I guess it's not as geeky as it might sound.

Better solution: read only media (1)

jeffliott (1558799) | about 5 years ago | (#28744209)

Use read-only media. The read-only media should have a physical write-enable switch, like an SD card or USB key, so you can do updates from a clean boot. Then disable writing and boot. For more info: Read only linux [logicsupply.com]

Re:Better solution: read only media (5, Interesting)

Enleth (947766) | about 5 years ago | (#28744429)

Been there, done that, works great.

A few years ago, I set up a bunch of thin clients for general browsing, chatting and homework at a school dorm - they were (were, as I have no idea if they're still in use, but they were absolutely maintenance-free, so I guess they should be) running Linux, with the kernel and boot config (generated on the fly) loaded from a read-only TFTP server and / mounted from a read-only NFS share. On each boot, the init scripts would finish generating a machine-specific configuration in /etc/ and mount a few ramfs instances on top of some directories using unionfs to give the illusion of a read-write filesystem. Then, upon login (LDAP authentication), the user's directory would be mounted from an individual password-protected Samba share (accessible from the users' personal computers as well), with the noexec attribute of course. /tmp/ and /var/ were also noexec. Upgrades to the client system were performed at the server, by chrooting into the exported root directory.

Such a configuration is absolutely invulnerable to users, rootkits, viruses and any other riffraff known for breaking things in computers. Even in the unlikely event that someone gained root privileges on a client, they would actually gain nothing and even that nothing would vanish after a reboot.
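The two posts above (the read-only media suggestion and the read-only NFS root with noexec overlays) both rest on a handful of mount properties that are easy to get wrong silently: a later init script or a distro update can quietly remount something rw or drop noexec. The script below is an added example, not code from either post or from any school-dorm deployment; it audits a /proc/mounts listing against the expectations those posts describe. The expectations (/ mounted ro; /tmp, /var, /dev/shm and home shares noexec and nosuid) and the sample listing are assumptions constructed for illustration; /dev/shm is included because it is a common writable tmpfs the original post did not mention.

```shell
#!/bin/sh
# Added example: audit mount options for a read-only-root client.
# Not code from the original posts. Assumed policy:
#   /                          must carry ro
#   /tmp /var /dev/shm /home/* must carry noexec and nosuid

# Constructed sample in /proc/mounts format (not a real machine's output).
# The last line deliberately violates the policy (/dev/shm lacks noexec).
SAMPLE_MOUNTS='srv:/export/client / nfs ro,nosuid,vers=3 0 0
none /tmp tmpfs rw,noexec,nosuid,nodev 0 0
none /var tmpfs rw,noexec,nosuid,nodev 0 0
//srv/alice /home/alice cifs rw,noexec,nosuid 0 0
none /dev/shm tmpfs rw,nosuid,nodev 0 0'

# has_opt OPTS OPT: succeed if OPT appears in the comma-separated OPTS list
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts: read /proc/mounts lines on stdin, write one FAIL line per
# violated expectation to stderr, and print the total failure count on stdout.
audit_mounts() {
    fails=0
    while read -r dev mnt fstype opts rest; do
        [ -n "$mnt" ] || continue
        case "$mnt" in
        /)
            has_opt "$opts" ro ||
                { echo "FAIL: / is writable ($opts)" >&2; fails=$((fails + 1)); }
            ;;
        /tmp|/var|/dev/shm|/home/*)
            for want in noexec nosuid; do
                has_opt "$opts" "$want" ||
                    { echo "FAIL: $mnt lacks $want ($opts)" >&2; fails=$((fails + 1)); }
            done
            ;;
        esac
    done
    echo "$fails"
}

# Stand-alone use: "--live" audits the running system, otherwise the sample.
if [ "${1:-}" = "--live" ]; then
    audit_mounts < /proc/mounts
else
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
fi
```

Run it with `--live` from a cron job or the init scripts and treat any non-zero count as a reason to refuse login; on the sample listing it reports exactly one failure, the /dev/shm line. The pattern list is a policy choice: a Samba home share that must hold user scripts would need its own entry rather than the blanket `/home/*` rule.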

Re:Better solution: read only media (3, Insightful)

ccr (168366) | about 5 years ago | (#28744901)

And what about those BIOS/EFI[1] firmware-based hypervisor rootkits? If someone is able to gain root access in a given system that is somehow "vulnerable" in such a way that a permanent EFI (or similar) rootkit can be installed, then you'll be fucked even with the read-only media and all.

Speaking of which, I don't understand why manufacturers are so eagerly adding all this new intelligence into the firmware. What do we need it for anyway? IMO it would be so much simpler from security perspective, if the OS would be at the bottom of it all. Added complexity adds new possibilities for exploitation.

[1] http://en.wikipedia.org/wiki/Extensible_Firmware_Interface [wikipedia.org]

Stop Tom's Hardware (0)

Anonymous Coward | about 5 years ago | (#28744221)

What is it with all these articles showing up from Tom's Hardware of late?

It's getting absurd and they are of pretty bad quality.

And they're written like an advert.

Not cheap (1)

benjamindees (441808) | about 5 years ago | (#28744231)

I have some experience with this sort of thing. Not a difficult setup, but it requires some knowledge and effort to maintain. So the cost is rather high, and hardware requirements somewhat steep. So you need a competent administrator with adequate resources.

The benefit, of course, is that it ends up being much more secure than antivirus software. Useful for when you make a living suing powerful organizations with the means to retaliate against you, while still being able to download porn on the corporate network.

Physical security is still important, though. Depending on who it is that's motivated to break into your systems, and their ability and willingness to simply "disappear" you or your employees when hacking attempts fail. I'd say it's not a setup for the faint of heart.

The nut behind the wheel. (1)

westlake (615356) | about 5 years ago | (#28744261)

Useful for when you make a living suing powerful organizations with the means to retaliate against you, while still being able to download porn on the corporate network.

I don't want this guy on the same planet as my corporate network.

This is simple? (2, Insightful)

westlake (615356) | about 5 years ago | (#28744235)

She runs three separate virtual machines designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.

Three operating systems to maintain. Three browsers. Three filing systems? Three PDF viewers?

Where does it end?

To me, the Zero Day exploit suggests that a random choice of OS, web browser and file viewer would make more sense.

But the whole idea seems overly complex and dangerously fragile.

Re:This is simple? (1)

maxume (22995) | about 5 years ago | (#28744281)

If you aren't worried about locally maintaining a bunch of state in each VM (say you are paranoid about cookies and use something like delicious for bookmarks), you only need to maintain one VM (call it 'white' or something, it is essentially blank), and then when you do updates, you create three copies.

So then the paranoid nonsense lets you keep your browsing behavior separate, without a huge amount of overhead, and the three separate VMs help with security between updates.


in all due respect (0)

Anonymous Coward | about 5 years ago | (#28744293)

I'd root her box ;)

Re:in all due respect (3, Funny)

Anonymous Coward | about 5 years ago | (#28744367)

I'd root her box ;)

I'd be careful. She doesn't use AV.

An interesting and secure laptop setup? (1)

mlts (1038732) | about 5 years ago | (#28744297)

This idea of using VMs could make for some interesting security on laptops that have TPM chips:

First, the laptop would be secured with BitLocker. This would provide two things: first, hardware and MBR tamper detection. Someone messes with the laptop while it's not attended, it won't boot and will ask for the recovery key. Second, BitLocker is transparent once it boots. No need to worry about an additional passphrase (though the recovery key should be kept someplace secure).

The main OS here is mainly used just as an enlightened host for the other VMs. Using Hyper-V or VMware Workstation, one can then run several VMs, perhaps based around a similar starting OS and cloned. This way, one can have VMs focusing on tasks (document writing, browsing the naughty sites, payroll, etc.). With wise use of snapshots and isolation, if one of the VMs gets compromised, it's just a click away from being rolled back to a clean state.

The only issue is getting data between the VMs, say from the payroll VM to the VM with the mail program. However, one can make a virtual hard disk that can be connected and disconnected from machines, perhaps being hooked up to a third, non Windows VM to check for tainted autorun.inf files and other stuff before it gets shuttled to a more security sensitive VM.

This is a lot of work, but compartmentalization and the ability to dump all changes in a filesystem to a known good point will go a long way in security.
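The transfer-disk step in the post above (attach the shared virtual disk to a third, non-Windows VM and check it for autorun.inf and similar before it reaches a more sensitive VM) is the part most people skip because it is tedious by hand. The script below is an added example for that checking VM, not code from the post; the file types it flags, the sample directory tree and the directory layout are assumptions made for illustration, and the list is deliberately broader than autorun.inf because shortcut, script and screensaver files are just as executable on a Windows guest.

```shell
#!/bin/sh
# Added example: triage a mounted transfer disk before it is attached to a
# more sensitive VM. Not code from the original post. The extension list is
# an assumption; extend it to match what the receiving guest will run.

# scan_transfer_dir DIR: print, one per line and deduplicated, every file
# under DIR that a Windows guest might execute on open or on mount, plus
# anything carrying a Unix execute bit. Empty output means nothing flagged.
scan_transfer_dir() {
    {
        # autorun.inf in any letter case, which older Windows ran on mount
        find "$1" -type f -iname 'autorun.inf'
        # Windows executable, script and shortcut types
        find "$1" -type f \( -iname '*.exe' -o -iname '*.dll' -o -iname '*.scr' \
            -o -iname '*.com' -o -iname '*.pif' -o -iname '*.lnk' -o -iname '*.vbs' \
            -o -iname '*.js'  -o -iname '*.bat' -o -iname '*.cmd' -o -iname '*.ps1' \)
        # anything marked executable for the owner, for a Unix-side next hop
        find "$1" -type f -perm -u+x
    } | sort -u
}

# make_sample_disk: build a constructed transfer-disk tree in a temp dir and
# print its path. Sample data for the demonstration, not a real disk image.
make_sample_disk() {
    d=$(mktemp -d)
    mkdir -p "$d/photos"
    printf '[autorun]\nopen=setup.exe\n' > "$d/AUTORUN.INF"   # flagged
    : > "$d/setup.exe"                                       # flagged
    : > "$d/photos/cat.jpg"                                  # clean
    : > "$d/report.pdf"                                      # clean
    printf '#!/bin/sh\n' > "$d/photos/thumbs"                # flagged (u+x)
    chmod u+x "$d/photos/thumbs"
    echo "$d"
}

# Stand-alone demonstration: scan the constructed tree, then remove it.
disk=$(make_sample_disk)
scan_transfer_dir "$disk"
rm -rf "$disk"
```

On the constructed tree it lists AUTORUN.INF, setup.exe and photos/thumbs and nothing else. The scan is a gate, not a cleaner: a non-empty result should stop the disk from being attached to the next VM until someone looks at it, since the whole point of the intermediate VM is that nothing on the disk gets executed there either.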

Is it true... (1)

wampus (1932) | about 5 years ago | (#28744363)

Just because you're paranoid doesn't mean they aren't out to get you.

Women in computer security (-1, Flamebait)

thetoadwarrior (1268702) | about 5 years ago | (#28744531)

I know this is a bit sexist and yes, women can do whatever men can do (in IT), but it's rare to see a woman that does this sort of thing. I'd pay to tap someone like Joanna Rutkowska.

Re:Women in computer security (1)

BitHive (578094) | about 5 years ago | (#28744661)

I'm sure your boner means a lot to all the women in I.T.

I would love to fcuk Joanna Rutkowska (0)

Anonymous Coward | about 5 years ago | (#28744673)

She's hot and she's a geek. Girls like her are rare.

Re:I would love to fcuk Joanna Rutkowska (2, Informative)

Anonymous Coward | about 5 years ago | (#28744813)

She's also a man, baby!

http://www.rutkowska.yoyo.pl/ [rutkowska.yoyo.pl]

Re:I would love to fcuk Joanna Rutkowska (1)

Proudrooster (580120) | about 5 years ago | (#28744971)

I've been using this setup for quite a while and it seems to work pretty well for me. My partner, who is a totally non-tech person, also uses a similar setup on her Mac, and she finds it usable. So, I guess it's not as geeky as it might sound.

Very strange... why would someone become transgendered and then turn lesbian? Wouldn't it be easier just to stay male in the first case? Maybe s/he is going for a high level of personal security through gender virtualization.

Security researchers must be responsible (1, Insightful)

Ilgaz (86384) | about 5 years ago | (#28744711)

So, a person who can do mad things like ring -1 and knows about -2 and -3 attacks, who also happens to be a professional security researcher, doesn't use AV and "doesn't see the need for it."

This is the most irresponsible thing I have ever heard. Does the average user have knowledge of system internals like she does? Can the average user stand the torture of 3 virtual machines? Could the average user get rid of "run as admin" even on the upcoming Windows 7, especially if he/she is a gamer?

This is more like a Medical Doctor bragging about how he never used any pills or went to a doctor and "doesn't see need for it".

She should browse some average user troubleshooting forums and see the junk non technical people are being victim of. No, they really don't know the privilege levels or CPU rings.

DDoS attack on hospital (1)

uzytkownik (1104181) | about 5 years ago | (#28745061)

1. I always thought that a bigger risk for a hospital is a random virus than a DDoS attack. I did hear about a normal virus attacking a hospital - nobody had planned it, someone just opened one attachment too many or something like that - but not about a DDoS attack. Since what would he want to achieve?

2. Unfortunately we live in a world in which there are people believing they will get 10% for transferring money from one country to another (usually those countries for some reason don't have a good reputation). And usually having AV, not opening attachments unless expected, etc. helps avoid most of the attacks for normal people - nobody will try to DDoS them. A different matter is with companies etc. They need to be secure. I was considered paranoid when I advised having a password and not using the admin account for others.

3. Yes - for most people the discovery of the next bug in IE/Fx/Opera/... does matter. I'm not much interested in whether there is a theoretical possibility that software is safe. I'm interested in security here and now. The number of bugs discovered is not the best measurement - much better is time-to-patch - but still it is important in practice. Similarly - single shifts in prices are not important for a theoretical economist - but for consumers and producers they are much more important [although they may possess much less knowledge about the origin of the shift etc.].

4. A monolithic kernel does not necessarily imply 3rd-party drivers. OpenBSD has a monolithic kernel and AFAIR does not support loading modules after boot. Linux has most of the drivers included and is perfectly operative without loading modules. There are reasons to use them but they are optional.