Emerging Web technologies - A look ahead
Martin Streicher, Software Developer, Pixel, Byte, and Comma
Summary: Few things change as quickly as technology, and Web technology seems to change faster still. Discover what you can expect from technology makers in 2010.
The PS3, like the Xbox360, depends on a hypervisor for security enforcement. Unlike the 360, the PS3 allows users to run ordinary Linux if they wish, but it still runs under management by the hypervisor. The hypervisor does not allow the Linux kernel to access various devices, such as the GPU. If a way was found to compromise the hypervisor, direct access to the hardware is possible, and other less privileged code could be monitored and controlled by the attacker.
Hacking the hypervisor is not the only step required to run pirated games. Each game has an encryption key stored in an area of the disc called ROM Mark. The drive firmware reads this key and supplies it to the hypervisor to use to decrypt the game during loading. The hypervisor would need to be subverted to reveal this key for each game. Another approach would be to compromise the Blu-ray drive firmware or skip extracting the keys and just slave the decryption code in order to decrypt each game. After this, any software protection measures in the game would need to be disabled. It is unknown what self-protection measures might be lurking beneath the encryption of a given game. Some authors might trust in the encryption alone, others might implement something like SecuROM.
The hypervisor code runs on both the main CPU (PPE) and one of its seven Cell coprocessors (SPE). The SPE thread seems to be launched in isolation mode, where access to its private code and data memory is blocked, even from the hypervisor. The root hardware keys used to decrypt the bootloader and then hypervisor are present only in the hardware, possibly through the use of eFUSEs. This could also mean that each Cell processor has some unique keys, and decryption does not depend on a single global root key (unlike some articles that claim there is a single, global root key).
George’s hack compromises the hypervisor after booting Linux via the “OtherOS” feature. He has used the exploit to add arbitrary read/write RAM access functions and dump the hypervisor. Access to lv1 is a necessary first step in order to mount other attacks against the drive firmware or games.
His approach is clever and is known as a “glitching attack“. This kind of hardware attack involves sending a carefully-timed voltage pulse in order to cause the hardware to misbehave in some useful way. It has long been used by smart card hackers to unlock cards. Typically, hackers would time the pulse to target a loop termination condition, causing a loop to continue forever and dump contents of the secret ROM to an accessible bus. The clock line is often glitched but some data lines are also a useful target. The pulse timing does not always have to be precise since hardware is designed to tolerate some out-of-spec conditions and the attack can usually be repeated many times until it succeeds.
George connected an FPGA to a single line on his PS3’s memory bus. He programmed the chip with very simple logic: send a 40 ns pulse via the output pin when triggered by a pushbutton. This can be done with a few lines of Verilog. While the length of the pulse is relatively short (but still about 100 memory clock cycles of the PS3), the triggering is extremely imprecise. However, he used software to setup the RAM to give a higher likelihood of success than it would first appear.
His goal was to compromise the hashed page table (HTAB) in order to get read/write access to the main segment, which maps all memory including the hypervisor. The exploit is a Linux kernel module that calls various system calls in the hypervisor dealing with memory management. It allocates, deallocates, and then tries to use the deallocated memory as the HTAB for a virtual segment. If the glitch successfully desynchronizes the hypervisor from the actual state of the RAM, it will allow the attacker to overwrite the active HTAB and thus control access to any memory region. Let’s break this down some more.
The first step is to allocate a buffer. The exploit then requests that the hypervisor create lots of duplicate HTAB mappings pointing to this buffer. Any one of these mappings can be used to read or write to the buffer, which is fine since the kernel owns it. In Unix terms, think of these as multiple file handles to a single temporary file. Any file handle can be closed, but as long as one open file handle remains, the file’s data can still be accessed.
The next step is to deallocate the buffer without first releasing all the mappings to it. This is ok since the hypervisor will go through and destroy each mapping before it returns. Immediately after calling lv1_release_memory(), the exploit prints a message for the user to press the glitching trigger button. Because there are so many HTAB mappings to this buffer, the user has a decent chance of triggering the glitch while the hypervisor is deallocating a mapping. The glitch probably prevents one or more of the hypervisor’s write cycles from hitting memory. These writes were intended to deallocate each mapping, but if they fail, the mapping remains intact.
At this point, the hypervisor has an HTAB with one or more read/write mappings pointing to a buffer it has deallocated. Thus, the kernel no longer owns that buffer and supposedly cannot write to it. However, the kernel still has one or more valid mappings pointing to the buffer and can actually modify its contents. But this is not yet useful since it’s just empty memory.
The exploit then creates a virtual segment and checks to see if the associated HTAB is located in a region spanning the freed buffer’s address. If not, it keeps creating virtual segments until one does. Now, the user has the ability to write directly to this HTAB instead of the hypervisor having exclusive control of it. The exploit writes some HTAB entries that will give it full access to the main segment, which maps all of memory. Once the hypervisor switches to this virtual segment, the attacker now controls all of memory and thus the hypervisor itself. The exploit installs two syscalls that give direct read/write access to any memory address, then returns back to the kernel.
It is quite possible someone will package this attack into a modchip since the glitch, while somewhat narrow, does not need to be very precisely timed. With a microcontroller and a little analog circuitry for the pulse, this could be quite reliable. However, it is more likely that a software bug will be found after reverse-engineering the dumped hypervisor and that is what will be deployed for use by the masses.
Sony appears to have done a great job with the security of the PS3. It all hangs together well, with no obvious weak points. However, the low level access given to guest OS kernels means that any bug in the hypervisor is likely to be accessible to attacker code due to the broad API it offers. One simple fix would be to read back the state of each mapping after changing it. If the write failed for some reason, the hypervisor would see this and halt.
It will be interesting to see how Sony responds with future updates to prevent this kind of attack."
O artigo completo está em:
[Com agradecimentos ao Tiago Martins]
Groundspeed é open source e esta disponível aqui: http://groundspeed.wobot.org."
"This is the coveted PS3 exploit, gives full memory space access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I'll write up how it works
I've gotten confirmation the exploit works on 3.10. Also I've heard about compile issues on Fedora. I did this in Ubuntu. I would really like someone to write up a nice tutorial :)"
Mais detalhes em:
(Com agradecimentos ao Alexandre Correia)
By Daniel Miessler on January 24th, 2010"(...)
In the beginning of Internet commerce, web-facing servers were located on the same network segment as protected internal resources, such as database servers, HR systems, etc. This was demonstrated to be a universally stupid idea, and the concept of the DMZ was born and propagated as a standard architectural practice.
The same is about to happen for web browsers within corporate networks. It will soon be considered unacceptable to have regular web clients sitting on the same network as protected systems–or even on a network with access to those systems.
In the near future, all web browser interaction with the Internet will be done virtually–from a segmented, virtualized network with multiple layers of protection between the browsing network and the Internet. Some of these will include:
- state-of-the art proxying and real-time whitelisting/blacklisting
- sandboxing to isoloate browser from OS
- application/executable whitelisting on the browser OS
- regular patching of all browsing VMs (near-immediate)
- regular snapshot restores of browsing VMs to known-best state
[Com agradecimentos ao Bruno Garrancho]
ZDNet Zero Day
Muito interessante. Só duas perguntas:
Q: How did the attack take place?
Microsoft is currently working on emergency patch, given the fact that the exploit code used in the attack is now publicly available, with the governments of Germany and France urging users to stop using Internet Explorer.
Not only did the targeted malware attack managed to bypass the malware/spam filters of the organizations (Phishing experiment sneaks through all anti-spam filters; New study details the dynamics of successful phishing), but also, managed to successfully exploit hosts within the working environment which allowed the attackers to steal intellectual property from Google.
Upon the successful exploitation of these hosts, the attackers relied on the Hydraq trojan in order to facilitate the theft of intellectual property (Trojan.Hydraq Exposed; Trojan.Hydraq - Part II), and continue maintaining access to the affected hosts.
Q: Which companies were affected in the targeted malware attacks?
According to the initial post confirming the targeted malware attacks, Google stated that “at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted.”
On the same day, actual details on who’s been targeted started to emerge, prompted by Google’s decision to go public with the incident at the first place, with Adobe being the first company to confirm the “corporate network security issue“, later on denying the initial allegations that the attacks took place through a zero day flaw in Adobe’s Reader.
According to public reports, the number of affected companies increased to 34, including Yahoo, Symantec, Northrop Grumman and Dow Chemical. Of those, only Yahoo, Juniper Networks and Symantec provided details that they’re currently investigation possible security incidents without actually confirming that their networks may have been successfully compromised in the attacks.
A day after Google’s announcement of the incident, the law firm Gipson, Hoffman and Pancione which represents CYBERsitter in a $2.2 billion lawsuit against China for pirating source code and using in Green Dam, a content filtering / censorship program, reported that “it has suffered cyber attacks originating from China“.
Ora, há poucos dias um grupo de investigadores do Weizmann Institute of Science em Israel, conseguiu demonstrar que a cifra KASUMI é mais fraca do que a cifra MISTY. Mais concretamente, em condições específicas descritas no artigo, foi possível derivar a chave (supostamente secreta) utilizada na cifra KASUMI, usando apenas um único PC durante duas horas. Este ataque não funciona quando a cifra MISTY é utilizada. Aliás nem este nem qualquer outro publicado até à data. Os investigadores do instituto israelita concluem que as modificações efectuadas na transformação MISTY->KASUMI acabaram por enfraquecer a cifra, ao contrário do pretendido.
Mais detalhes no artigo:
A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony
Network flaw causes scary Web error
"A Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers' accounts with full access to troves of private information.
The glitch -- the result of a routing problem at the family's wireless carrier, AT&T -- revealed a little known security flaw with far reaching implications for everyone on the Internet, not just Facebook users."
A new approach to China
"Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident--albeit a significant one--was something quite different.
First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.
Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.
Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers.
We have already used information gained from this attack to make infrastructure and architectural improvements that enhance security for Google and for our users.
We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.
Tracking GhostNet: Investigating a Cyber Espionage Network
Information Warfare Monitor
March 29, 2009
O relatório está disponível em muitos sítios, p.ex.:
768-bit RSA cracked, 1024-bit safe (for now)
"With the increasing computing power available to even casual users, the security-conscious have had to move on to increasingly robust encryption, lest they find their information vulnerable to brute-force attacks. The latest milestone to fall is 768-bit RSA; in a paper posted on a cryptography preprint server, academic researchers have now announced that they factored one of these keys in early December.
Most modern cryptography relies on single large numbers that are the product of two primes. If you know the numbers, it's relatively easy to encrypt and decrypt data; if you don't, finding the numbers by brute force is a big computational challenge. But this challenge gets easier every year as processor speed and efficiency increase, making "secure" a bit of a moving target. The paper describes how the process was done with commodity hardware, albeit lots of it.
Their first step involved sieving, or identifying appropriate integers; that took the equivalent of 1,500 years on one core of a 2.2GHz Opteron; the results occupied about 5TB. Those were then uniqued and processed into a matrix; because of all the previous work, actually using the matrix to factor the RSA value only took a cluster less than half a day. Although most people aren't going to have access to these sorts of clusters, they represent a trivial amount of computing power for many organizations. As a result, the authors conclude, "The overall effort is sufficiently low that even for short-term protection of data of little value, 768-bit RSA moduli can no longer be recommended." 1024-bit values should be good for a few years still."(...)
June 28, 2010
The 4th edition of the Workshop on Recent Advances on Intrusion-Tolerant Systems aims to continue the collaborative discourse on the challenges of building intrusion-tolerant systems and innovative ideas to address them. As a technical area, Intrusion Tolerance is at the intersection of Fault Tolerance and Security. Having focused on intrusion tolerance technologies in the past workshops and having substantiated intrusion tolerance as a practical discipline that combines software engineering, adaptive system development, advanced reasoning and analyses, and coordination and control of distributed mechanisms and resources, this year’s workshop will be especially interested in “evaluating intrusion tolerance”: how to assess the assurance conferred by intrusion tolerance technologies, and “the overlap of intrusion tolerance and emerging information technologies”; how emerging technologies like Web 2.0, semantic web systems, clouds and service-oriented architectures challenge or enhance intrusion tolerance. The workshop will provide a forum for researchers and practitioners to present architectures for intrusion-tolerant systems, new defense mechanisms, recent results, discuss open problems that still need research, and survivability challenge problems in specific application and domain areas.
Authors are invited to submit papers to the workshop, which will be held in conjunction with the 40th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), June 28 - July 1, 2010. Papers can present ongoing work and/or speculative/futuristic ideas. Experimental results or other forms of validation are especially encouraged. The workshop papers will be published in a supplementary volume of the conference proceedings.
Topics of interest related to advances in intrusion-tolerant systems include, but are not limited to:
* Assessment and evaluation of intrusion-tolerant systems
* Intrusion-tolerant web-scale systems
* Intrusion tolerance in cyber-physical systems and critical infrastructure protection
* Survivability and information assurance in the Cloud
* Assurance and survivability benefits of hardware and software virtualization
* Threat of botnet herds and surviving them
* Byzantine fault-tolerant algorithms in intrusion tolerance
* Biologically inspired defenses
* Diversity and failure independence
* Theoretical limits/boundaries of intrusion tolerance
* Real world case studies
More information about the workshop can be obtained by emailing to wraits10_AT_di.fc.ul.pt
The workshop will accept two formats of papers: regular papers (maximum 6 pages) and position papers (maximum 2 pages). Position papers allow researchers to present more speculative/futuristic ideas to stimulate discussion and further work. Papers have to adhere to the IEEE Computer Society camera-ready 8.5”x11” two-column camera-ready format, like regular DSN papers. Instructions about how to submit papers can be found on the web site http://wraits10.di.fc.ul.pt/ . More information about the workshop can be obtained by email to the same address.
At least one author of an accepted paper must register at the conference and present the paper at the workshop.
Submission deadline: February 22, 2010
Author notification: March 23, 2010
Final version: April 12, 2010
PROGRAM COMMITTEESaurabh Bagchi, Purdue U., USA
Byung-Gon Chun, Intel Labs Berkeley, USA
Manuel Costa, Microsoft Research, UK
Flavio Junqueira, Yahoo! Research, Spain
Rama Kotla, Microsoft Research, USA
Patrick Kreidl, MIT, USA
Peng Liu, Penn State U., USA, USA
Jean-Phillipe Martin, Microsoft Research, UK
Nuno Neves, U. Lisboa, Portugal
Rodrigo Rodrigues, MPI-SWS, Germany
William H. Sanders, U. Illinois UC, USA
Arun Sood, George Mason U., USA
Paulo Verissimo, U. Lisboa, Portugal
Mais informação: http://wraits10.di.fc.ul.pt/