The Register® — Biting the hand that feeds IT

Feeds

Build malware protection into operating systems

Security guru calls for integrity

By John Leyden, 17th September 2007
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

Malware protection needs to be built into operating systems rather than bolted on as an afterthought if the industry stands any chance of dealing with the evolving threat of targeted attacks, according to a senior security researcher.

Joanna Rutkowska, chief exec of Invisible Things Lab, who is best known for her research on rootkits and Vista security, told delegates to the Gartner security conference in London on Monday that user stupidity was only part of the security problem.

She said competent users who, for example, used the privilege separation features built into Vista, were still not safe from security exploits. Better auto-exploit protection technology needs to be developed. In order to work properly this needs to built into operating systems.

"Third party prevention uses tricks and hacks. And that's no good," she said.

Rutkowska has been prominent in the industry for exposing the security shortcomings of Vista's kernel protection technology.

While recognising the general importance of security protection technologies, Rutkowska also noted their shortcomings. "Current technology is not reliable in detecting stealth malware. Protection solutions fail so we need detection. The two need to go together.

"Detection technologies are currently immature and even as the approach develops it will not replace prevention technologies, which are far more mature, despite their shortcomings," she said.

"Detection can never replace prevention. It's too late to do anything if, for example, you detect that your data has been stolen. You can't do anything to make an attacker forget what he has discovered."

Anti-virus vendors have found themselves locked in a perpetual arms race with virus writers, who are increasingly looking to make money from malware. Advances in rootkit development and obfuscation are accompanied by counter-responses from security vendors. Rutkowska argues that we need to move beyond this approach and develop an "automated way to check system integrity".

"The difficulty is that operating systems are too complex. We can't even reliably read system memory," Rutkowska pointed out. "It's not exactly a question of starting from scratch, but some code will need to be rewritten from the start," she added. ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (17)
Latest Comments
0D0A

Root

Well, yes and no. There are two ways to access root. One is for temporary root privileges for specific commands on a time-limited basis. The other is effectively a root shell and has full system privileges.

Logging in as root is not encouraged in Linux, but it depends on the distro. Some, like Ubuntu steers the user away from root right from the install. Others, like Debian set up a root account and a user account upon install and won't let the user log in as root (at least through the xserver). SUse allows both forms of logins.

In all of the distros, gaining root is possible if one knows the password and can spoof its way past iptables. Or if they have physical access to the pc.

And while it always comes down to the end users and how responsible they want to be, it certainly helps if that extra step needs to be taken.

*nix was always multi-user and therefore protections had to be built into the system right from the start. If a thousand people had access to a mainframe, there would have been a lot of namespace conflicts, not to mention people stepping on other peoples' apps and intellectual property.

An excellent way for MS to improve its security would be to implement a keyboard passphrase when things are being installed and get away from that reflexive double-clicking. Unless, of course, it is marketing strategy.

IThink someone has been spending too much time on the intergalactic putting greens.

0
0
David S

@Stephen Hewitt

Correct me if I'm wrong, but as I understand it a significant difference between Windows and the more popular Linux distros is that the Linux distro simply doesn't allow the users _ever_ to log in as root. They can adopt root-equivalence temporarily when they need to do something that requires that level of access (installing a new app, for example) and, to do so, they are required to enter their password.

It's therefore considerably trickier to sneak a secret something past *nix users, since by default they don't have the ability to install anything. If they click on something that claims to be a photo of their grandkids, say, and it prompts them to enter their password then alarm bells are sure to chime. If not by common sense, then at least by the most basic of training or instruction.

Windows, on the contrary, seems to have something of a "come one, come all" approach to administrator rights with the use of one of any number of exploits, many of which can be triggered from visiting the wrong website or reading the wrong email. _Reading_ the wrong _email_, in the name of all that is holy and good...

Or am I wrong?

0
0
Dave

it's the economics

Similar to my comments on the "M$ OOXML as a standard" story / thread: M$ have a "perverse economic incentive" (thanks to Bruce Schneier for that piece of terminology) NOT to think / design their products 'security first' and to do their utmost to impose their exploitable wares on the World.

The entire M$ ethos is to sell their wares based not on their technical merit, rather on their ease-of-use; to the vast majority of end users, security is (in their ignorance) uttterly irrelevant. The only mechanism that will be effective is when more people LOSE MONEY (from exploits arising from by using M$ products) and *then* we can EDUCATE them. Lessons learned from bitter experience tend to stick. Once there is a market place feeling that the M$ way is not the safe way, then - only then! - will consumers vote with their wallets.

In the interim, we need to INFORM people of the risks out there on t'internet and INVITE them to consider at least applying appropriate (prevention) bolt-ons.

Also, meanwhile, the original article presented the views of a researcher that kernels should be developed with DETECTION built-in; I am not sure that there is any merchant market OS that is developing this way. Information of my ignorance is invited!

0
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
133
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
60
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15