Schneier on Security

Clive Robinson • October 10, 2019 4:30 PM

@ Ismar,

The question I have is how is this possible/ allowed without having admin rights on the machine where the browser is running?

Kaspersky say,

We registered two initial infection schemes: Reductor spreads by either infecting popular software distributions (Internet Downloader Manager, WinRAR, etc. and, for at least one victim, through a popular warez website over HTTP); or its decryptor/dropper is spread using COMpfun’s ability to download files on already infected hosts.

Which suggests the users are doing it to themselves in some way via infected downloads. Thus it’s in part a “chain of trust” issue…

But there are other ways these days that don’t require getting privileged code onto a system.

Ever hear of a “reach around attack”? Overly simply the CPU level of the computing stack is where security happens. Even though lower level hardware such as the MMU and DMA do the heavy lift of such security they only checks direct read and write functions that go through them. Thus any modification to memory via another route/mechanism will not be detected.

The problem with this lack of detection is the information used to set the lower level security mechanisms up is read by the CPU from memory then coppied into those devices. Thus anything that can manipulate core memory without triggering the hardware can change it’s privilege and other security attributes.

Such memory can be altered in various ways, one is through the IO device drivers and hardware, and hardware failings is another way.

RowHammer might be long in the tooth but it can give you an idea of how an unprivileged process by rapidly writing to memory addresses that have a corelation to say the Page Table addresses that are privileged can be changed. The unprivileged process is not writing directly to privileged memory, it is simply using a fault in the way the DRAM has been designed to get bits in other memory addresses to flip.

In effect RowHammer “reached around” not just the CPU but MMU and other hardware security mechanisms.

Thus whilst a process might be unprivileged it could become privileged or do other tricks, and software will be insufficient to guaranty that such attacks fail, likewise the hardware security mechanisms.

The main point people should take away is that “core memory” is vulnerable in various ways. Thus security configuration information should not be kept in core memory.

The problem, all the general use CPU’s currently only have core memory…

I guess we are going to have to wait a little while for the full details to come out, but I’m guessing on a software fault first.

Clive Robinson • October 11, 2019 5:55 PM

@ SpaceLifeForm,

But, if Microsoft were to open source Windows, a lot of holes would be found.

They kind of did…

If you remember back to the NT4/5 days both the Chinese and Russian governments forced MicroSoft to give them the source code… Microsoft made a business decision and signed up to doing that without a blink…

I have no idea if either government went through the source looking for vulnerabilities to make exploits or not. The point is Microsoft like many corporates takes a very very short term profit view and security etc realy does not get a look in on that.

The “take away” lesson is,

All consumer / commodity OS’s from the US and other Western Nations realy are “Open Source” if you have the leverage

I kind of mention this from time to time, and as others have noted, many who develope exploits don’t bother with the “source code” as that is not the way they groove.

It is actually not hard to see why, these days as most potential attack vectors are not “basic code errors” any more but functional / business logic, protocol or standard errors. You can find these with the likes of automated fuzzing tools faster than reading through lots of high level source code.

Clive Robinson • October 15, 2019 11:02 PM

@ me,

there is no need to use some complex method like rowhammer, windows gives you the functions to edit memory.

Not with Microsoft[1], but for some other OS’s you do.

But the point I was making is that there is no way you can actually stop someone with even limited access escalating their privileges due to failings well below the ISA level in the computing stack, due to hardware failings.

These hardware failings have been around for maybe a third of a century one way or another, and it’s realy only recently people have got around to exploiting them.

The myth used to be that,

If they have front panel access…

Which caused an “inverted thinking” issue in quite a few peoples security thinking, that boiled down to “if we can just keep them away from the front panel…”. Which is just not true, hence my oft said bit about “gapping computers” not just the old “air gap” but with “energy-gapping” and properly mandated and instrumented crossing choke points.

What we don’t know is if the likes of the NSA’s tailored access bods have been exploiting low level hardware and if so for how long. All we realy know is that in the past they had a prefrence for going after routers and other non user systems, simply because it was more covert.

What we have some reason to believe[2] is that both the Dutch and Israeli SigInt entities have no qualms going onto user systems to effectively gather the nearst thing they can to HumInt, which they can only reliably do with some form of privilege elevation.

[1] Continuously kicking Microsoft, even though they right royaly deserve it, is a little like kicking a tin can down the road, it makes a lot of noise upsets some people and eventually you get bored with doing it…

[2] We have some reason to believe it because not only do we know it’s possible to do, but US politicians “flapped their gums” and in effect “burned” the method. Because, like a number of usefull ideas “it’s obvious with hindsight” so I would expect some of the more worldly wise level three attackers to “take it on board”, and make the easy countermeasures.