March 1, 2007 at 5:13 pm #1142Don DonzalKeymaster
ARLINGTON, Va.—Unless you were at Black Hat on Feb. 28, you probably woke up safe in the assumption that if a rootkit hit your system, reimaging would remove it. You probably also thought that the best way to search a PC’s volatile memory, or RAM, was by grabbing it with a PCI card or a FireWire bus.
You were wrong.
At the Black Hat Briefings here on Jan. 28, two breakthrough hardware hacks were demonstrated. One shocker was Coseinc Senior Security Researcher Joanna Rutkowska’s demonstration of a way to subvert system memory through software—in essence, the shattering of our long-held belief that “going to hardware” to secure incident response is a security failsafe.
Security professionals at the show called it the “attainment of the holy grail,” particularly since the only way to fix the system’s memory corruption is to reboot—thus erasing all tracks of the subversion.
It’s a digital forensic team’s worst nightmare. How can you figure out—and prove in court or to auditors—what people have been doing on your company’s PCs, for good or evil?
Hardware heresy didn’t stop there. John Heasman from NGSS (Next Generation Security Software) proved that rootkits can persist on a device—on firmware—rather than on disk, and can thus survive a machine being reimaged. Even reformatting won’t save us these days.
These hacks are esoteric, but they’re proving that much of what we thought of as hardware unassailability is pure folklore.
Jamie Butler, principal software engineer at security services provider Mandiant, explained the significance of Rutkowska’s hack in an interview with eWEEK at Black Hat here. “The significance of it is there’s been this folklore, this legend that if you do hardware acquisition of memory, it’s not subvertible,” Butler said. “But if you’re running software and you’re accessing memory, you can be subverted.”
For full story:
March 1, 2007 at 6:10 pm #11679oleDBParticipant
Joanna is my hero, good article
March 2, 2007 at 1:24 am #11680AnonymousParticipant
man that is totally awesome!! can wait to read about and play with it.
March 2, 2007 at 1:40 am #11681AnonymousParticipant
Hmmm, so not only will we have to reformat the hard drive when there is a rootkit, we will also need to reflash the firmware. Great, lol!
March 2, 2007 at 11:43 am #11682NegritaParticipant
Don already knows this, but this is exactly the reason I asked to have Assembly added to the present poll at the last minute.
On the morning of the poll being published I had a chat with someone who I consider “a security expert”, and he was telling me the same things that are now being published at the Black Hat convention. He then went on to say (without me mentioning the poll here) that this is the future of malware, and that he thinks that now the most important thing that security professionals can learn is Assembly.
BTW, kudos to Joanna.
- You must be logged in to reply to this topic.