Collective Intelligence: Can it save anti-virus apps?

No, it's not the "Borg" from Star Trek. But Collective Intelligence uses the same concept, and it could revolutionize the way anti-virus applications work.

I have been following a University of Michigan project called CloudAV Architecture: N-Version Anti-Virus (pdf). Like most of us, the researchers at the University of Michigan realize that traditional anti-virus applications are not an adequate deterrent. Let's take a look at why.

Computer-based anti-virus

Typical anti-virus programs reside on the local computer and consist of two parts, an intercept driver and a detection engine. The intercept driver tests objects using signature files, heuristics, and behavioral analysis. If something questionable is found, the driver sends pertinent information to the detection engine, which then checks for matches in the signature database.

The signature database is the weak link. Whether the detection engine finds a match or not depends on how up-to-date the database is, which in turn depends on how fast the threat researchers produce a signature file and how often the application updates.

On-line anti-virus scanners

On-line anti-virus scanners are being touted as an improvement over resident anti-virus applications, but they have several problems as well:

  • No real-time protection, only on-demand scanning.
  • No protection if the computer is disconnected from the Internet.
  • A semi-static signature database is still used, with accuracy depending on the last time it was updated.

CloudAV

Understanding the problems with traditional approaches as well as on-line scanners, the University of Michigan research team determined that a new approach was needed. Why not make anti-virus an intelligent Software as a Service (SaaS) and gain the following benefits:

  • Improved detection of malware: This model increases the likelihood of malware being found, because multiple detection engines working in parallel can be used.
  • Local anti-virus vulnerabilities are not a problem: Moving the anti-virus engine to the cloud eliminates the ability of malware to manipulate the client anti-virus application.
  • Real-time signature definitions: Data from client computers are continually uploaded to the detection engine's database, providing real-time answers to queries from other host computers that may be encountering the same malware.
  • Small footprint on host: Moving malware detection off the client and into the cloud simplifies client software, extending anti-virus protection to devices with limited processing power (smart phones).

Besides being different from traditional anti-virus applications, CloudAV is also not a cloud-based anti-virus scanner. Unlike scanners, CloudAV creates an active and continuing relationship between client computers and the servers that house the CloudAV detection engines.

The theory sounds good, but I can't test it. It seems CloudAV is only in use on the University of Michigan campus.

Panda Security

Last week, Panda Security introduced Panda Cloud Anti-virus for consumers and Panda Cloud Protection for small-to-medium businesses. Juan Santana, CEO of Panda Security, says:

"The launch of Panda Cloud Protection and Panda Cloud Antivirus represents an evolutionary step in our ability to combat cybercrime, and one we're confident the industry will follow. Panda's new and improved security services leverage our extensive R&D in cloud computing to keep our business and home users protected with as little effort and investment as possible."

On the surface, both programs appear similar to CloudAV. They use cloud-based anti-virus detection engines and thin clients on the host computers. For this article, I would like to focus on Cloud Anti-virus.

Thin client

After installation, the Cloud Anti-virus thin client immediately runs a complete scan of the computer, making an inventory of existing processes. If questionable objects are found, the thin client defers to the Panda Security database for removal instructions.

Once the catalogue is established, the thin client uses the following three types of scans to maintain an accurate inventory and check out new objects:

  • On-access scan: The maximum-priority scan, applied to objects right before they are executed. The files are intercepted, prevented from running, and disinfected if found to be malicious.
  • Pre-fetch scan: A joint local and cloud scan of a file that is currently idle but is expected to be executed shortly. This type of scan only takes place when performance is not impacted.
  • Background scan: The lowest-priority scan, which only runs when the computer is idle so as not to impair performance.

The following slide shows the results of a scan:

Collective Intelligence

Collective Intelligence is Panda Security's term for the servers that provide the anti-virus detection engines. As information is uploaded from the thin clients, it is analyzed and categorized by the Collective Intelligence technology.

If a new malware strain or a variant of an existing strain is discovered, the servers will create and send detection/removal instructions to each client node. To get an idea as to what is happening with Collective Intelligence, Panda Security has created a real-time monitor on their Web site.

What information is being uploaded

I asked Sean-Paul Correll, a threat researcher for Panda Security, what exactly is uploaded to the Collective Intelligence. Mr. Correll explained that the thin client builds what they call a "reverse signature": a small file made up of the data needed to recognize malware, specifically:

  • Cloud heuristics
  • How the executable file interacts with the operating system
  • Alterations to the system's inventory fingerprint

Before the data is sent to the Collective Intelligence servers, it is hashed to ensure privacy and authenticity of the message.

Off-line operation

I was concerned about whether computers would be adequately protected when off-line. Mr. Correll explained:

"Computers are still protected while not connected to the Internet. Cloud Anti-virus keeps a local copy of the Collective Intelligence cache for off-line operation."

I then asked if it wasn't redundant to have the thin client check the Collective Intelligence, when there was a local copy of the cache. Mr. Correll clarified it for me:

"The number of new malware signatures amounts to approximately 150,000 a day. That many can be processed by the Collective Intelligence servers, allowing real-time queries by the thin clients. But, it would be near-impossible to keep the local cache of every thin client that up to date."
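To make the architecture concrete, here is an added simulation, written for this article rather than taken from Panda, the CloudAV paper, or the author, of the pieces described above: a thin client that hashes the three kinds of reverse-signature data, a cloud service that checks the digest and runs several engines in parallel with a vote threshold, verdicts shared with the next host that meets the same object, and a local copy of the cache for off-line operation. The engine rules, feature names, SHA-256 choice and vote threshold are all assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class FileFeatures:
    """Constructed stand-in for the three kinds of 'reverse signature' data."""
    path: str
    os_interactions: Tuple[str, ...]    # how the executable interacts with the OS
    inventory_changes: Tuple[str, ...]  # alterations to the system inventory fingerprint
    heuristic_flags: Tuple[str, ...]    # local heuristic findings

    def payload(self) -> bytes:
        # Canonical JSON so identical features always produce the same digest.
        return json.dumps({"os": sorted(self.os_interactions),
                           "inv": sorted(self.inventory_changes),
                           "heur": sorted(self.heuristic_flags)},
                          sort_keys=True).encode()


def digest(payload: bytes) -> str:
    # SHA-256 is an assumption; the article only says the data is hashed.
    return hashlib.sha256(payload).hexdigest()


# Three toy engines standing in for the independent vendor engines of the CloudAV
# paper's N-version idea. Each returns True when it judges the features malicious.
def engine_inventory(f: dict) -> bool:
    return any(c.startswith("autorun:") for c in f["inv"])

def engine_os(f: dict) -> bool:
    return bool({"disable_security_service", "patch_kernel_driver"} & set(f["os"]))

def engine_heuristic(f: dict) -> bool:
    return len(f["heur"]) >= 2


class CollectiveIntelligence:
    """Cloud side: checks the digest, shares verdicts across hosts, runs N engines."""
    def __init__(self, engines: Tuple[Callable[[dict], bool], ...], threshold: int) -> None:
        self.engines = engines
        self.threshold = threshold        # engines that must agree for "malicious"
        self.verdicts: Dict[str, bool] = {}
        self.engine_runs = 0              # how often the engines actually ran

    def query(self, sig: str, payload: bytes) -> bool:
        if digest(payload) != sig:        # tampered or corrupted submission
            raise ValueError("digest mismatch: reverse signature rejected")
        if sig in self.verdicts:          # another host already met this object
            return self.verdicts[sig]
        self.engine_runs += 1
        features = json.loads(payload)
        votes = sum(1 for engine in self.engines if engine(features))
        self.verdicts[sig] = votes >= self.threshold
        return self.verdicts[sig]


class ThinClient:
    """Host side: hashes features, asks the cloud when online, uses its copy offline."""
    def __init__(self, cloud: CollectiveIntelligence) -> None:
        self.cloud = cloud
        self.online = True
        self.cache: Dict[str, bool] = {}

    def sync(self) -> None:
        """Take a local copy of the Collective Intelligence cache while connected."""
        if self.online:
            self.cache.update(self.cloud.verdicts)

    def scan(self, f: FileFeatures) -> Tuple[str, Optional[bool]]:
        payload = f.payload()
        sig = digest(payload)
        if sig in self.cache:
            return "cache", self.cache[sig]
        if not self.online:
            return "offline-unknown", None  # nothing newer than the last sync
        verdict = self.cloud.query(sig, payload)
        self.cache[sig] = verdict
        return "cloud", verdict


# Constructed samples, not real malware data.
BENIGN = FileFeatures("C:\\Tools\\editor.exe", ("read_config",), (), ())
SUSPECT = FileFeatures("C:\\Temp\\update.exe",
                       ("disable_security_service", "read_config"),
                       ("autorun:run_key_update",), ("packed", "self_modifying"))
NEW_UNKNOWN = FileFeatures("D:\\new.exe", ("patch_kernel_driver",), (), ())


def demo() -> dict:
    cloud = CollectiveIntelligence((engine_inventory, engine_os, engine_heuristic), 2)
    host_a = ThinClient(cloud)
    results = {"a_benign": host_a.scan(BENIGN), "a_suspect": host_a.scan(SUSPECT)}
    host_b = ThinClient(cloud)
    results["b_suspect"] = host_b.scan(SUSPECT)   # verdict shared, no engine run
    laptop = ThinClient(cloud)
    laptop.sync()                                 # local copy taken while connected
    laptop.online = False
    results["laptop_suspect"] = laptop.scan(SUSPECT)
    results["laptop_new"] = laptop.scan(NEW_UNKNOWN)
    results["engine_runs"] = cloud.engine_runs
    return results
```

The off-line laptop still recognizes the object another host already reported, but anything newer than its last sync comes back unknown, which is the trade-off Mr. Correll describes.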

Initial testing

A while back, I posted about a ComputerWorld article that tried to determine whether using free anti-virus software was worthwhile. At that time, Panda Security's Cloud Anti-virus was also tested, but not written about. AV-Test.org, the company selected by ComputerWorld to run the tests, disclosed why:

"The program's (Cloud Anti-virus) design also meant that it could not work with our current method of proactive-protection testing, which requires us to use two- and four-week-old signature databases to simulate how well an antivirus tool performs."

In a later ComputerWorld article, AV-Test.org offered these results:

"If its excellent showing at detecting malware in AV-Test.org's zoo of half a million samples is any indication, the approach works. Panda's app produced an impressive 99.4 percent overall detection rate."

The next best performance, 98.9 percent, was achieved by Avira AntiVir Personal.

Final thoughts

It appears using Collective Intelligence will give anti-virus applications better tools for fighting malware. Let's hope so.

I would like to thank Ms. Amy Ziari of Bateman Group and Mr. Sean-Paul Correll of Panda Security for their patience and help with this article.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

105 comments
Ocie3

First, I think that "cloud AV" certainly could be the future of anti-malware systems. However, in this post, I will play the Devil's Advocate. :-) The article lists four benefits of Cloud AV (which are also described in the U.Michigan .PDF):

"* Improved detection of malware: This model increases the likelihood of malware being found, because multiple detection engines working in parallel can be used."

Ahhh, Virus Total on steroids! ;-) Has anyone attempted to create an enterprise to implement this as a commercial "Software as a Service" (SaaS)? What is the revenue model? Currently, I pay an annual license fee for the AV program which I have been using. The license expires in 13 days, so maybe I should give Panda Security's free Cloud AV a trial -- but then again, the old programmer's adage about that is: "Don't install and run Version 1 of anything!" Also, I doubt that Panda Cloud AV is using multiple detection engines that have different designs, methods, processes and procedures, etc. They have a set of servers that endeavor to detect and identify malware in files that are sent by the client running on customer host computers, but Panda does not say whether all of them are running the same software to effect their mission.

"* Local anti-virus vulnerabilities are not a problem: Moving the anti-virus engine to the cloud eliminates the ability of malware to manipulate the client anti-virus application."

Actually, moving the AV engine to the cloud just changes the location of the problem. Malware attacks servers, too, especially those that host web sites. Some malware tries to compromise DNS servers. Yet other malware specializes in penetrating networks, and, when it succeeds, it then transfers other malware from a black-hat server into the network and installs it on servers and clients. If Cloud AV becomes common, malware will be seeking the "detection engine" servers, too. If a vulnerability is known to the black-hats before the detection engine is withdrawn from public distribution, they can still exploit it. If the white-hats do not know about it, they cannot remove it. The result of exploiting a vulnerability of any AV detection engine could be, potentially, catastrophic for each and every customer of the cloud AV SaaS.

"* Real-time signature definitions: Data from client computers are continually uploaded to the detection engine's database, providing real-time answers to queries from other host computers that may be encountering the same malware."

It is not clear how that arrangement allows the creation of "real time signature definitions". The first challenge is detecting the presence of malware as it intrudes into, or it is installed on, one or more customer computers. The next is verifying whether a suspect file contains only malware, or perhaps contains other executable software too, or perhaps contains data as well as malware. The third is creating a "signature" for the file that is unlikely to result in "false positives". How much of that process can be "automated", I do not profess to know, but I suspect that the process itself is more complex than just the three challenges that I have described.

"* Small footprint on host: Moving malware detection off the client and into the cloud simplifies client software, extending anti-virus protection to devices with limited processing power (smart phones)."

That would certainly be an advantage, but it only works if the client on the host can detect files and identify processes. Which is to ask: can the Cloud AV architecture detect rootkits which hide files from file systems and even their own processes from some elements of the operating system? Rootkits that install a kernel-mode driver can have the capability of hiding themselves from anything looking for them, as well as their persistent executable files which they store somewhere (usually on a HDD, but not necessarily within a partition).

Another challenge: will the "thin client" detect malicious JavaScript? Can it send "summaries" of web site pages to the central detection engines (which, of course, would have to be able to recognize malicious JS)? JS on a web site page, or sometimes in a .HTML file or in a .PDF, has become a very common method for installing malware on a targeted computer. That is one reason that Firefox NoScript has become so commonly used. (BTW, the architecture of a 64-bit Intel CPU does not allow kernel-mode drivers of any kind. Whether this affects virtual machines, it prevents undetectable rootkits and the use of sandboxes.)

bboyd

One infected server and instant botnet. Almost as good as iTunes and similar services. Gave it enough control to penetrate 20%+ of the computers in the US within a short span. Maybe someone will combine this with hi frequency trading to really "make a difference".

jkameleon

From a purely technical point of view, AV is fundamentally flawed. Its basic strategy is enumeration of evil, therefore it's never going to work. From a business point of view, though, 100% solutions (like writing the OS & apps properly, getting rid of unnecessary features...) are bad, because there is no obsolescence. From this point of view, AV is an ideal solution, because it requires constant maintenance and consequently provides constant cash flow. Looking from this perspective, the marriage of AV with the latest fashion fad, cloud computing, is a pretty logical course of events. AV is not the answer, no matter how it's implemented. It's not even supposed to be.

seanferd

Cloud AV scanning will one day outstrip spam as the highest amount of traffic on the internet. It still sounds like a useful addition to the anti-malware scene (which company was on the cloud AV thing last year?) but it seems like people with lower bandwidth connections won't have as easy a time with these services as others.

santeewelding

Ms. Ziari, Mr. Corr, and Mr. Michael Kassner for a damned good rundown.

Michael Kassner

Of which, most can only be answered by Panda Security. I apologize, as I had hoped for more response from them. You may misunderstand the multiple detection engine concept introduced by the U of Michigan. They were indeed going to use several different vendors' detection engines, which would then work as they suggested. As for the real-time concept, I still feel that has significant merit. Most AV applications update only a few times a day. Heck, Avira updates once a day. A lot can happen in an hour, let alone a day. Maybe real-time was not the proper term, but I feel intelligent detection engine technology in the cloud approaches that mark.

Michael Kassner

A few servers controlled by professionals that are security-oriented or thousands of clients that aren't. I submit that the existing method is not working, why not step outside the box?

santeewelding

Shhh. Don't tip them all off. I, for one, enjoy all their activity. Gives them something to do besides think.

Michael Kassner

But, until we resolve that is there any other answer?

Michael Kassner

The traffic between the thin client and the Collective Intelligence is minimal. No files are uploaded. Only the reverse signature and response are passed. I have been watching and it's minimal.

jvbrown

Please recognize ... heuristics and patterns have been in use by the industry as a whole for quite a long time. The exposure posed by an exponential explosion of web-threats now makes it more important to combine the cloud with these existing techniques. Some vendors have recognized this, and are working to help avert the potential issue caused by excessive DAT updates. Panda is among them.

Ocie3

Quote: "You may misunderstand the multiple detection engine concept introduced by the U of Michigan. They were indeed going to use several different vendor's detection engines. Which would then work as they suggested."

From reading the study (although I read only a bit more than the first half of the document), it certainly appeared to me that they did use detection engines from multiple vendors, which they named in some of the tables. Regardless, that leads to the question of the revenue model. And it seems clear that Panda Cloud AntiVirus is not using multiple engines from different developers.

Perhaps I should look at the study again, but I do not recall that they discussed, or attempted to use, "real time definition creation". They did assert that, at the time they did the study, an average of 48 days passed between the time that a malware process was identified "in the wild" and the time that all of the AV vendors who were included in their study developed a signature to detect it. They showed that "response time" for 10 or 11 vendors in a table and on a graph. It was not clear to me how they thought that a Cloud AV system would shorten the amount of time necessary to create a "signature" for newly-detected malware. The system that they described would, though, certainly make it easier to evaluate how widespread the malware has become (among the customers of the Cloud AV SaaS).

Something that piqued my interest is that the MD-5 and SHA-1 "cryptographic" hashes will create an entirely different hash if two files differ by only one byte. The remark was that using such hashes makes it difficult to identify "polymorphic" malware. Which leads to whether MD-5 and/or SHA-1 hashes can be used instead of the traditional "signature". But I digress.

With regard to "signature" updates, the advantage of the Cloud AV system is making each new definition available "immediately" to the detection engines. So there should not be much delay between finishing creation of the signature and its usage to identify instances of the malware.

bboyd

Dam building is usually for flood control. Do you not build it and every few years have property damage and the occasional loss of life? Then if you do build, your failure mode is so severe that many people will likely die during the event, and it is very susceptible to intentional action. Not saying that you should not build a strong safe dam, just better take in the reality that you are adding a wider scale failure mode to the equation. And no, I don't really trust the "professional" entirely. My wife has her PII in a government database that has been penetrated and insecure for several months now. Just revealed to the public this morning and still not shut down.

RU_Trustified

You still have inherently insecure systems and ANY insider can be compromised. Only trusted operating systems take the option of unauthorized behavior away from authorized users whether it is voluntary or coerced upon them. Bboyd makes a good point. What is guarding the client list? It is an instant target for the one piece of malware that is removed from the database by an inside saboteur.

JCitizen

Evil doesn't really think; I like and agree with that concept. They think they are though. Oh! Well! I subscribe to the old theory that they are weaker than they realize.

JCitizen

like steady state; I guarantee you won't get NEW viruses on the OS partition/drive. But then you have to unlock the drive and update malware definitions and scan every time you do admin tasks. I must admit, I've become lazy on Vista restricted accounts, in that I like to log an application on to do any admin task I want, instead of logging off and doing it as an administrator like I did on XP. I'm probably wrong, but then I like a street fight!

jkameleon

PCs will always be susceptible to virus infection for a number of reasons:

  • They are too complex to plug all possible security holes as it is, and their complexity is constantly growing.
  • There is no commercial interest in making the PC 100% virus proof.
  • Even with a 100% virus-proof PC, there is always the human factor, social engineering, "install to see dancing bunnies" stuff.

The only answer is to reconcile with the fact that PCs are inherently insecure, and move critical functions to separate equipment designed specifically for security: smart cards, firewalls, routers, and so on. A nice example of such a piece of equipment is the home network router. They run a bulletproof open source OS, usually NetBSD. The only way to get inside is cross site scripting, and even that is preventable simply by changing the password. They have a simple, unattractive UI, which means no social engineering or dancing bunnies. Last, but not least, they have a clearly defined, limited set of functionalities. That's the only way of making a computer secure, but that doesn't sell well as a PC.

EDIT: Whoops, just crossed my mind... Sophisticated enough malware could contact the router through HTML, and open it to outside traffic. In order to be secure, routers would have to have their own UI hardware.

seanferd

might become pretty heavy. (More correctly, the reverse-signature traffic.) Interesting that the traffic can be kept so low.

R.C.D.

From your title it sounds like your post will attack the author and when one opens your post you are essentially agreeing with what was posted in the article. So, please, what is your point?

santeewelding

And more, are present and accounted for in my awareness. Thank you. Comparing his rundown with yours, yours sucks.

Michael Kassner

I refer to those techniques, when I write about traditional anti-virus applications. Those are the ones that have been around.

JCitizen

Panda doesn't mention this, and if they did, I think they would be required by the Threat Work alliance to divulge this fact. Nonetheless, I am still interested in this concept as it looks like another fight-fire-with-fire exercise! I've noticed for some time that right clicking the LAN connection icon in the systray during scans, and disabling the NIC card, always enhances detection by whatever scanner is in vogue. Malware uses the same command and control techniques to hide in alternate data streams in my little theory; feel free to criticize as I know you will anyway. Malware and botnets use the same techniques to remain light on the host PC. Panda has obviously noticed this and decided it works very well; especially since the host user hardly notices the bandwidth hit. It would seem to me the HIPS part of the mechanism, if this is a proper description, would be the light weight client; the signatures would be unnecessary, as they could be sent by data stream to the detection servers and let them hold the gobs of data necessary to make reliable identification. Only files that violate the encrypted system "snapshot" would be dealt with. Much like a checksum validation. If the scanning tech were properly designed, it would only look at enough of the file to ID it, and that is all. Almost all malware have related code snippets, just like the RNA strings real viruses have. Questionable files would be compressed and sent in their entirety to the "cloud" for analysis. I really don't think my little story here is actually how they do it, but I see similar behavior in malware all the time. Hopefully it is at least representative of what Panda is actually doing. Seems logical to me.

Michael Kassner

I had hoped they would be more active in answering questions. I am somewhat disappointed by their response. I am not getting any more correspondence either. I guess I am drawing certain conclusions that may change what AV app I use.

Ocie3

aspect of Panda's Collective Intelligence is Mr. Bustamante's remarks that their system only obtains data about, and responds to, malware that is actually found on the computers that use Panda Cloud AV. He asserts that they do not really need to know about malware that is, for example, being found on Symantec Norton AV users' computers. So, just what does he think will happen if someone whose computer runs Norton AV carries an infected USB drive to a computer that uses Panda Cloud AV and plugs it in? The computer using Panda Cloud AV would, apparently, be completely defenseless since there would probably not be a signature for it (i.e. unless it has already been identified as present on computers that use Panda Cloud AV). Bustamante mentioned malware sample exchanges as one way that AV developers obtain malware for which they can make signatures. I wonder if they will discontinue doing that if Panda Cloud AV seems to be "enough".

Ocie3

it should be interesting.

Ocie3

challenge is obtaining sample files that may or may not be, or contain, malware executables. I have often wondered how the various vendors obtain the malware samples that they use to create "signatures". Many use "honeypots", which are computers that are deliberately left "unsecured" to attract real-time crackers and "web crawlers" or "spiders" that return data to malware distributors. As far as I know, the various anti-malware vendors ordinarily do not share data and other information. There have been a few exceptions, when a worm or virus has quickly become widespread. But as a rule, there is no vendor's AV which can identify all of the malware that is known to at least one other AV vendor.

Michael Kassner

The more I think you may be correct about the only advantage being the distribution network. Still, I remember Panda said their signature process is highly automated. That is another way they get closer to real time.

JCitizen

but I'll let it mature and watch for carnage with interest! I've never been a Panda fan, but this is still interesting to me. In some ways the whole future of cloud computing could depend on it. I'll bet Google may be uncomfortable with this, maybe Microsoft too. Perhaps they should get together and buy Panda and shut it down! HA!

RU_Trustified

As Eugene Spafford wrote on a recent Cerias blog post, people spend too much time trying to fix systems rather than fix the problem. He decries the declining knowledge of security personnel who should know better. What good is collective intelligence for AV if the idea of AV itself is not intelligent? People should not settle for relative gains in a point solution now when there will always be other threat vectors for attackers, or be back in the same position we are in now in a few short years. There are alternatives. The whitelisting approach a la Ranum school of thought is a better approach because there can be a billion new malware a day and it won't matter if they are not allowed to execute.

Michael Kassner

You made me see it as the age-old question that it is. I have no real answer for it. Way smarter people than me have been grappling with this one for a long time.

JCitizen

all they have to do is wait for the IP 192.168.0.1 or any other standard IP in the cache to either control the administrative phase of the router session, or flash it and take it over completely. In 2003 cisco routers were even easier to pwn, by simply modifying the backup file to the version 12 image saved on the maintenance file on your LAN or maintenance server, and wait for someone to import it to the router. They seemed to need constant refresh at that time, and it would easily happen! I am not a cracker, just intensely aware how the bastards do their nefarious deeds, and seek to foil them at every juncture.

JCitizen

Too bad you guys didn't have this on the 60 Minutes episode a few days ago! They showed how a generator at an electrical utility service could be destroyed by internet attack!! It was as exciting as watching a Military.com shock and awe video!! I used to work in the robotic control industry for units bigger than that machine, and it made the hairs on the back of my neck stand up! YeeeHawww!

jkameleon

Once the malware makes its way into the PC, it can do pretty much anything. It can even interfere with the OS's TCP/IP stack. Keylogging your router password entry is a pretty trivial matter. Once it has your router password, malware can then log into your router itself, and alter its settings. By installing itself into the browser as an add-in, for example, or by some other method, malware can also filter the incoming HTTP traffic. This way it can hide its router setting from you. People don't log into their routers very often, so I'd imagine some malware would want to speed things up by faking a router problem.

Ocie3

You remark: " .... If router doesn't have it's own UI hardware, which is usually the case, it uses potentially treacherous PC for that purpose. Malware can then hook itself into browser, and let user enter the router password."

In the Cisco Linksys WRT54G router, which I use, and in other NAT routers like it which are marketed to "home network" users, the HTML interface is created by a DHCP server that is embedded in the router's firmware and launched when the router is turned on. The PC runs the browser, which accesses the router via the network with the IP address 168.192.1.1. When I enter that address in the browser location field, the DHCP server running in the router returns a HTML "page" that has a log-in dialog. I do not use the User Name field (for whatever reason, the User Guide says to leave it blank). But I must enter the password which I previously specified while I did the setup configuration for the router by using the browser to correspond with the same internal DHCP server of the router. The default password is "admin", which, of course, the system administrator (me) should change.

It is not clear to me what you mean by "Malware can hook itself into the browser" in order to capture each and every password (among a lot of other data), which the user enters. It is more likely, I think, to install a keystroke logger. Malware could intercept the password during the router setup, or it could do that afterward by establishing itself as a man-in-the-middle that intercepts traffic into and out of the computer via the Ethernet adapter. It would capture packets and look for the IP address 192.168.1.1 to see what is being sent to and received from the router. It is possible to prevent a man-in-the-middle by initiating a SSL connection to the router (enter https://198.162.1.1 in the browser location field). In my experience, it has functioned the same as the normal HTTP connection, but Firefox complains because the router's certificate is "self signed" by Cisco.

Ocie3

to presume that the "PC" is always a "weak link" in the chain of security, but I would never presume that it is the only weak link, or that it is the weakest link. We must always look at the system as a whole.

RU_Trustified

Remember, I said a simple definition. The main goal of such a system is to enforce proper access privileges. A second goal is to enforce that the data is not misused, modified or destroyed by authorized users. Integrity ranking can ensure that data remains untampered with. Immutable audit logs can connect to any doc owner or creator, so there is a chain of accountability possible. The security sub-system is there to protect the data that is there, not decide if it is correct. That should be part of a QA process during development. If an application/process produces information that has errors, the system will protect it. However, it can safeguard the integrity of data being used for such purposes. As an example, field devices such as sensors for the electric grid really require integrity controls to ensure that false information is not forwarded to control systems to induce an incorrect action.

jkameleon

The last time I used these things in my previous job, the hardware we made had a switch or jumper hooked to the Write Protect pin, to prevent accidental erasing or programming. It was a measure against our own software bugs, not malware. It's a good practice from a security point of view, but it's not very suitable for consumer products. It's too costly to impose yet another pesky switch on the mass of technology-weary consumers. We programmed Flash EPROMs mostly through microcontroller hardware debugging. We considered writing into Flash by the software running from the very same Flash too risky, but times have changed since then.

> Do you think that malware can bypass or break a strong password in order to gain access to an HTML interface for the router?

Once you've got the malware-infested PC on the wrong side of the router, there's no need to break its password. Such a PC is like an enemy inside the perimeter, a 5th column. If the router doesn't have its own UI hardware, which is usually the case, it uses the potentially treacherous PC for that purpose. Malware can then hook itself into the browser, and let the user enter the router password. Once it has the password, it can do pretty much anything.

Ocie3

If it is your users and/or applications that often process, if not also create, your data, then you cannot trust your data if you cannot trust them.

Ocie3

when you wrote: ".... In order to be secure, routers would have to have their own UI hardware."? If the UI firmware is on a memory chip for which the contents cannot be changed, it should not be possible for malware to compromise it. We had BIOS chips like that in the beginning, then someone invented "flash" EPROM (? - my memory fails me, I think) so that the BIOS could be upgraded without opening the computer's hardware case. Which means that malware can change it, too. Do you think that malware can bypass or break a strong password in order to gain access to an HTML interface for the router?

RU_Trustified

going into the event for the benefit of the various militaries or agencies attending and for the public record afterwards. I believe DISA is behind the event report that is imminent for release. It is my understanding that we should be receiving a DIACAP scorecard or functional cert from this exercise.

santeewelding

That the red team did experience difficulty, if not failure. No doubt, either, that Page 34 comes from you and not USJF.

RU_Trustified

Just a few days ago I received permission to talk publicly about an event that took place last June at a DOD event for Coalition and NATO allies. The purpose of the event was to learn about new technologies and discuss their interoperability with each other's technologies. We are on page 34 of this guide if you are interested. The diagram pertains to the military version more, but many components are the same. http://www.cwid.org/2009-Orientation-Guide.pdf

We presented a mini cross-domain solution which was a Linux server, a Mac and some Windows clients. Scalable MLS has not been achievable ever, but to do it with commonly used commercial systems would seem unbelievable to many. At this event the leading representative DISA/DOD Red Team, or ethical hacking team, went up against our solution. We were told that this team had never failed to breach in over 8,000 attempts and had never taken more than 25 minutes (average 15 mins). This Red Team was not able to penetrate via external attack in about 30 minutes. They were signed in as regular users and were not able to escalate privileges over another 60 minutes. Finally, they were given admin privileges and passwords and were asked to open a target file with sensitive information. They were unable to do so over the next 2 hours. At one time our CTO actually let the attackers in for a few minutes and then shut the door on them in real time to demonstrate to the observers how powerfully it could be done. On that day we handed that Red Team their first ever fails on 3 levels. This is the best test of our counter-espionage technology that it has ever had; our CTO said that the attack was extremely fierce.

You require domain separation to be able to separate special users from the system itself. In this way, IT staff can be given what they need to maintain systems, but not be allowed to access information on them. Does anybody else see the implications for cloud security?

Obviously, the key is to be able to prevent privilege escalation. This is where reference monitor capability comes in, in order to self-protect. I expect that we have permission to talk about it now because the report of the event must be due for imminent release. I hope that you will accept this account as evidence of the effectiveness of an authorization engine.

Michael Kassner

You edited. I was just about to jump all over that. I know lots of vulnerable single-function devices.

santeewelding

About your veracity, or the worth of what you do. And, I have enjoyed your contributions here. Please continue. You may yet turn over an unenumerated stone and astound everyone.

RU_Trustified

A basic definition of one is that when you must trust your data, but you cannot trust your users or applications, you require a trusted operating system. Likewise, how much do you know about separation kernels, reference monitors, MLS, mandatory access controls, role-based access controls, etc.? Most people only have exposure to them in the military or intelligence field because the high cost of ownership (hoop jumping) had to be justified. Our approach, 10 years in the making, has had as its mission the removal of the hoop jumping requirement to make this cost effective for the mainstream. To say that no one could ever find a technology that worked is correct only in the context that your statement only applies to the current broken security model.

RU_Trustified

You have said it yourself. It is the opposite of enumeration of evil. It is whitelisting, least privilege, default deny, whatever you want to call it, but it works, even against zero day attacks. I suggest you look at my post above (Psst) because the technology that I am talking about uses this.
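Three of RU_Trustified's comments above revolve around the same mechanism: a reference monitor that applies mandatory labels (MLS) and role-based rights so that IT staff can maintain a system without reading the information on it, with anything not explicitly permitted denied by default. The code below is an added illustration for this page of how such a monitor makes its decision; it is a toy written by the editor, not the commenter's product or any real separation kernel, and the levels, compartments, roles and file names are all constructed for the example. Every access goes through one `decide` function: an allowlist of (object kind, operation) pairs per role is checked first, then the Bell-LaPadula rules (no read up, no write down) on the labels. A role that does not list an operation, or an operation nobody listed, is denied, which is the default-deny behaviour that holds regardless of whether the attacker's technique is known.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Hypothetical sensitivity levels for this example.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: higher-or-equal level and superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label
    roles: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Obj:
    name: str
    label: Label
    kind: str  # "data" (information) or "system" (platform components)


# Explicit allowlist of what each role may do, by object kind. Unlisted pairs
# are denied: this is the "default deny" the comment describes. Sysadmins
# may touch system components but have no entry for data at all.
ROLE_RIGHTS: Dict[str, Set[Tuple[str, str]]] = {
    "analyst": {("data", "read"), ("data", "write")},
    "sysadmin": {("system", "read"), ("system", "write"), ("system", "exec")},
}


def decide(subj: Subject, obj: Obj, op: str) -> Tuple[bool, str]:
    """Reference monitor: every access is mediated here; default is deny."""
    # 1. Role allowlist (domain separation between users and the system).
    if not any((obj.kind, op) in ROLE_RIGHTS.get(r, set()) for r in subj.roles):
        return False, "denied: no role grants %s on %s objects" % (op, obj.kind)
    # 2. Mandatory (Bell-LaPadula) checks on the labels.
    if op in ("read", "exec") and not subj.clearance.dominates(obj.label):
        return False, "denied: read up"
    if op == "write" and not obj.label.dominates(subj.clearance):
        return False, "denied: write down"
    return True, "permitted"


def demo() -> Dict[str, bool]:
    grid = frozenset({"GRID"})
    analyst = Subject("alice", Label("SECRET", grid), frozenset({"analyst"}))
    # IT staff: maintains the platform, holds no clearance for the information.
    admin = Subject("bob", Label("UNCLASSIFIED"), frozenset({"sysadmin"}))
    secret_doc = Obj("grid-plan.txt", Label("SECRET", grid), "data")
    ts_doc = Obj("targets.txt", Label("TOP_SECRET", grid), "data")
    public_log = Obj("status.log", Label("UNCLASSIFIED"), "data")
    kernel = Obj("/boot/vmlinuz", Label("UNCLASSIFIED"), "system")
    return {
        "analyst_reads_secret": decide(analyst, secret_doc, "read")[0],    # True
        "analyst_reads_ts": decide(analyst, ts_doc, "read")[0],            # False: read up
        "analyst_appends_ts": decide(analyst, ts_doc, "write")[0],         # True: write up is allowed
        "analyst_writes_public": decide(analyst, public_log, "write")[0],  # False: write down
        "analyst_execs_kernel": decide(analyst, kernel, "exec")[0],        # False: not an admin role
        "admin_reads_secret": decide(admin, secret_doc, "read")[0],        # False: role has no data rights
        "admin_patches_kernel": decide(admin, kernel, "write")[0],         # True: maintenance permitted
        "admin_debugs_kernel": decide(admin, kernel, "debug")[0],          # False: op never allowlisted
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print("%-22s %s" % (case, "allow" if allowed else "deny"))
```

Note the order of the checks: the admin's request to read the secret document fails on the role allowlist before the labels are even consulted, so raising the admin's clearance would not help; that is the separation between maintaining a system and accessing the information on it.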

JCitizen

that they might use snapshot techniques. The client would only check changes to the snapshot first, and use this as a comparator. The only thing is, can the malware fool with this snapshot? It is a never-ending game of course, but I love the challenge!
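JCitizen's question is whether a client-side snapshot used as a comparator can itself be tampered with. The following is an added example for this page, not Panda's or any vendor's implementation: a baseline of per-file SHA-256 digests is sealed with an HMAC under a key the client does not keep next to the snapshot (the `SEAL_KEY` constant is a hypothetical stand-in for a key held by the cloud service or a protected store). Comparing the live filesystem against the baseline reports modified, added and removed files; if malware rewrites the baseline to match its own changes, the seal no longer verifies and the comparator refuses to trust it rather than reporting a clean delta. All file contents are constructed inline.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Hypothetical key that is NOT stored alongside the snapshot (assumption).
SEAL_KEY = b"hypothetical-seal-key-not-stored-with-snapshot"


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def _seal(table: Dict[str, str]) -> str:
    body = json.dumps(table, sort_keys=True).encode()
    return hmac.new(SEAL_KEY, body, hashlib.sha256).hexdigest()


def snapshot(files: Dict[str, bytes]) -> Dict:
    """Build a sealed baseline: path -> digest, plus an HMAC over the table."""
    table = {path: digest(data) for path, data in files.items()}
    return {"table": table, "seal": _seal(table)}


def seal_ok(snap: Dict) -> bool:
    return hmac.compare_digest(_seal(snap["table"]), snap.get("seal", ""))


def compare(snap: Dict, files: Dict[str, bytes]) -> Tuple[List[str], List[str], List[str]]:
    """Return (modified, added, removed) relative to the baseline.

    Refuses to use a baseline whose seal does not verify: a snapshot the
    malware has edited is worse than no snapshot, because it would report
    a clean system.
    """
    if not seal_ok(snap):
        raise ValueError("snapshot seal invalid: baseline tampered or wrong key")
    base = snap["table"]
    modified = sorted(p for p in files if p in base and digest(files[p]) != base[p])
    added = sorted(p for p in files if p not in base)
    removed = sorted(p for p in base if p not in files)
    return modified, added, removed


def demo():
    # Constructed filesystem contents for the example.
    clean = {"/bin/ls": b"ls v1", "/etc/hosts": b"127.0.0.1 localhost\n"}
    snap = snapshot(clean)

    infected = dict(clean)
    infected["/bin/ls"] = b"ls v1 + dropper"  # trojaned binary
    infected["/tmp/.x"] = b"payload"          # new file
    del infected["/etc/hosts"]                # deleted file
    diff = compare(snap, infected)  # (["/bin/ls"], ["/tmp/.x"], ["/etc/hosts"])

    # Malware rewrites the baseline to match its changes but cannot re-seal it.
    forged = {"table": {p: digest(d) for p, d in infected.items()}, "seal": snap["seal"]}
    try:
        compare(forged, infected)
        forged_accepted = True
    except ValueError:
        forged_accepted = False
    return diff, forged_accepted


if __name__ == "__main__":
    print(demo())
```

The seal only moves the problem to protecting the key and the comparator code itself, which is the never-ending game the comment refers to; it does, however, turn silent baseline tampering into a loud failure.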

Michael Kassner

I am trying to get someone from Panda Security to answer great questions like yours. We will see if they respond or not. That will tell us a lot in and of itself.

JCitizen

at how you are able to set people off with simple pronouncements. I bow down to your greatness my lord! :^0 :^0 :^0

mathew.gauvin

I find very little wrong with Mr. Kassner's article if it is taken within the scope it was presented. I'm not entirely sure what your problem is or what point you are attempting to make. Is it possible for you to clarify your response?
