As CTO at Core Security Technologies I spend a large portion of my time searching for, reading about and analyzing new vulnerability trends, attack techniques and novel security research presented at various technical venues for information security practitioners. The purpose of such activity is to identify and cross-correlate information signals that could hint at upcoming security threats within a 5 year window.
Lacking the large network of honeypots and automatic collection sensors that the major security vendors deploy world-wide to collect vast amounts of malware and other forensic information, a company such as Core that seeks to understand, anticipate and provide a realistic model of current and future threats needs to focus on targeted collection and analysis of information. A good way of doing so is to promote attack-oriented research internally and to study as many external sources as possible. For the latter, it is quite useful to look at presentations, papers and tools published at CanSecWest, the BlackHat Briefings, the Chaos Computer Club and a handful of other attacker-oriented conferences.
Over the past two to three years I’ve seen an interesting divergence in the themes selected for practical attack-oriented research.
Although there has been a significant increase of work aimed at discovering new types of bugs and perfecting attack techniques for vulnerabilities at higher protocol layers, that is, closer to the user in the ancient and canonical OSI model (oh! it seems ITU is still charging 27 Swiss francs for this!), there has also been a tremendous amount of work aimed at the lower layers, closer to the hardware.
The discovery of vulnerabilities and the development of attack techniques that use I/O devices for compromise through direct memory access (DMA), subvert OS security using low-level virtualization technology, leverage special functionality of common microprocessors, tamper with PC BIOS firmware and infect software in embedded systems point at the fact that the old idea of inalterable hardware is no longer valid, and show the ability of modern attackers to aim low, closer to the silicon, directly at the fabric of the technologies that keep most businesses running.
This shouldn’t be very surprising if we consider the evolution over the past 5 years of the security mechanisms, added to many popular off-the-shelf Linux, BSD-derived UNIX and Windows operating systems, that are designed to prevent or mitigate exploitation of code injection vulnerabilities. Like rivers changing course to find the path of least resistance to wash into the seas, attackers adapt and evolve their techniques to exploit the weakest spots of security defenses. At the moment those seem to be web applications, traditional client applications on desktop systems and their users, but the entry barrier for low-level attacks has already been bypassed or, more precisely, virtually removed.
The myth of the existence of pure, unadulterated hardware has been shattered and replaced by an accelerating race towards the control of the software that runs it. The implications of this may become evident in the years to come, particularly if we consider the pervasiveness of embedded systems, the increase in size and complexity of the software they run (which makes them likely to be increasingly vulnerable) and the continuously decreasing cost of getting entry-level devices on which to discover and refine attack techniques.
A market research report published in 2005 by BCC Research Group predicted the embedded software market to reach $3.4 billion USD in 2009 with an annual growth rate of 16%. According to a recent article published in the IEEE Computer magazine in 2008 there were around 30 embedded microprocessors per person in developed countries and the volume of embedded software is increasing at 10 to 20 percent per year. High-end mobile phones and automotive software are at the top of the scale of both complexity and number of systems deployed per year, followed by RT-Linux based devices and a multitude of systems ranging from pacemakers and washing machines to airplane navigation systems.
Despite having the best expectations for vendors to embrace secure development lifecycle practices, stricter quality controls, formal verification of embedded software and the use of tamper-proof system-on-a-chip implementations, I think that security practitioners should raise awareness, devise strategies and implement plans to assess and manage the risk of low-level attacks.
How would you do it?