<if you turned on HTML email you'd see a nice picture here> So what you do when you make a HIDS is you first have a nice userspace engine, which does simple things as Local/SYSTEM. At some point you want to protect it or, potentially, you want to hook more things than a fishing boat with no license in the Everglades, so you move a piece of your HIDS into the Kernel. You still do a lot of stuff in userspace though, because it's impossible to do the complex stuff in the kernel, and your sales team has read a couple of whitepapers somewhere and promised heuristics and generic exploit protection to your customer base by this time. This is painful since Microsoft really doesn't want anyone else in the Kernel, and of course, you have to interoperate with everyone else who wants to shove themselves in there, which is half the RSAC booth floor. That means if you're CrowdStrike or Mandiant, you get to test your kernel hooks against Kaspersky and Symantec. The rule is: Any bluescreens are the smaller company's fault, as far as your financial customers are concerned.
All of this means your testing and development cycle is more expensive than a Ferrari factory and slower than a two-legged dingo. This is why CrowdStrike has a version for Windows 7 and 2008R2, but not Windows XP, Windows Vista, Windows 8.1, etc. To make things worse, playing corewars against hackers in the Kernel AT SCALE isn't truly effective. At any point, if they manage to purchase your system, they'll reach into the kernel and flip enough bits with their local priv esc to turn it off completely long before you have a chance to send any data on them back to home base. And then they'll turn it back on, just with a smaller view of reality. So you've added a race-condition-type barrier, but only against people who can't afford to buy your system. Or, in many cases, steal it. Or borrow it as it goes through customs in PVG. Or get someone hired at your firm. OR DO ALL OF THESE THINGS AT ONCE, AND IF YOU DON'T THINK THEY ARE, THEN "ADVERSARY PROBLEM" SHOULD MEAN MORE TO YOU! So then, and this is where I want to put VENOM into perspective, you think: I'm going to be in the Hypervisor. Of course, Intel already bought McAfee exactly because this decision tree is so obvious that it can only lead onto the silicon itself. And when you look at modern IaaS providers, they don't run one hypervisor. They run hypervisors hosted on hypervisors. It's custom-coded turtles all the way down! However, the only thing less fun than competing with Microsoft in their Kernel is ALSO competing with the VMWare, Xen, and Hyper-V teams in their micro-kernels, all at the same time. They'll expose the API they feel like exposing WHEN they feel like exposing it, thank you very much. But if you massage them right, you can hook without hooking, and take memory snapshots every ten minutes and diff them and visualize them... and wait, that Hyper-V escape has totally screwed us, hasn't it?
Building an IaaS platform that respects data classification domains is like building a city based on Baghdad, with every sect walled off into a tiny container labeled "We hate having economy of scale". As this /Paul Blart: Mall Cop/ level drama evolves you think: What if I just change the agent I put onto everyone's boxes enough so that nobody can really target it? What if, as Dan Geer pointed out a thousand years ago, I move every system into some level of a heterogeneous ecosystem? What if I traded predictability for a level of self-awareness? It'll at least work some of the time, and that might be enough? And that, my fellow attackers, is where the offensive teams already are. :) -dave
Dailydave mailing list [email protected] https://lists.immunityinc.com/mailman/listinfo/dailydave
