SHOW TEASE: It's time for Security Now! with Steve Gibson. And, boy, do we have a propeller-head episode for you. Palantir got owned, but in a good way. Two-factor is no factor with SMS. Your cameras are probably spying on you. And Steve pushes, pokes, and pops with stacks. Security Now! is next.

FATHER ROBERT BALLECER: This is Security Now! with Steve Gibson, Episode 565, recorded June 21st, 2016: Control-Flow Enforcement Technology.

It's time for Security Now!. It's the part of the Internet where we only trust you if you trust no one. And the man who trusts the fewest people is none other than Steve Gibson from GRC, Gibson Research. Steve is my personal security guru and the big brain behind Gibson Research, SpinRite, and of course ShieldsUP! and the coming non-password overlords. Mr. Gibson, it's so good to see you.
Transcript of Episode #565

Control-Flow Enforcement Technology (CET)

Description: Father Robert and I begin by catching up with a week of mostly clickbait stories and case studies of real-world insecurity. Then we take a very deep dive into the operation of Intel's forthcoming anti-hacking chip enhancement known as "Control-Flow Enforcement Technology."

High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-565.mp3
Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-565-lq.mp3

Steve Gibson: Well, it's great to see you for a change. We have Leo on vacation with his family, actually somewhere around here in Southern California. I think they're doing the various amusement venues, and also being in a boat in Newport Beach or something. So you're, I guess, filling in for at least this podcast. I don't know if you're going to be doing any others, but we're delighted to have you. We always get a lot of great feedback, Father, when you're my co-host. So I'm glad for it.

PADRE: Oh, that's fantastic. I always enjoy it. I will say, I like it that Leo's getting out. He should enjoy life. He should get out there.

Steve: We want to keep him fresh.

PADRE: Keep him fresh. But I do enjoy when he goes away because it means I get to chat with you for a few hours.

Steve: Well, and coincidentally, this ended up being a perfect one because, as I promised our listeners last week, this will be a wind up your propeller beanie and concentrate because what I want to talk about is for our main topic, after we cover the week's news, is some forthcoming hardware technology which Intel has added, or will be adding, to their processors to finally, hopefully, meaningfully help with all of these, like many - well, not all. But, well, maybe all of the buffer overrun problems, and many of the ways that hackers have found to cleverly exploit systems using vulnerabilities in code in order to essentially arrange to get their own stuff executed. Intel calls this - abbreviates it CET, which is their abbreviation for Control-Flow Enforcement Technology. So in order to talk about this, we're down where I live, down at the machine level, with registers and the stack and instructions and things. But it's understandable. So I think everyone's going to enjoy spending some time, not up in fluff land, but a serious technology podcast this week. And you're a perfect co-host for it. So it's perfect.

PADRE: Well, I mean, it is an interesting list of topics. It's basically everything is busted. Our CPUs, our SMS, our data analytics, our Internet of Things, pretty much everything we use today is going to be kind of beat up today.
Steve: So there was a story about Palantir, the very well-known sort of security company that was actually founded with some CIA dollars, getting owned. Some confirmation of something that I had said a couple weeks ago when I was choosing what second factor to use, a reason why SMS is really not something we can trust as much as we would like to. A frightening true life experience with the Internet of Things, perfectly following on the last two weeks of topics. Or I guess actually three weeks ago was we did a pair of episodes that I called "IoT Infancy," talking about the fact that the Internet of Things world is still trying to get itself going. Also GoToMyPC had a massive password reset, but their coverage of their own problem was inconsistent and odd. And then of course something that was probably the most tweeted thing to me was the story of a hidden rootkit computer underneath our main computer. And so we're going to cover that and then get into a little bit of miscellany, but not much, and then a great topic. So I think we have a great podcast for everyone once again.

PADRE: Indeed we do. And this will be the no-fluff, no-fat podcast, only the meat. Only the best of the marrow is what we're going to be bringing you. Steve, tell me about Palantir.

Steve: Well, you know, I got all worked up thinking, wow, how hired hackers got complete control of Palantir. And so I dug into the story thinking that there would be a lot of meat there. And I came away thinking that, okay, this is just clickbait. First of all, Palantir hired a group of hackers and then deliberately let them in. So it was like, wait a minute. Okay. So what they did was they simulated somebody within the company, well, the simulation was of their making a mistake, clicking on a piece of phishing email. But everyone knew that was positioned to allow this so-called "red team" of hackers to establish a foothold within Palantir. What was annoying was that this whole process, I mean, this sort of internal security review is something that responsible companies do all the time. And I was annoyed because Palantir ended up with egg on their face, where the way the article came off was that they were blundering in some way, that they had made a mistake, like hackers got complete control. And the real story here is that somehow the report that the security company generated under Palantir's pay and permission escaped to the press because that's what normally doesn't happen. No, these reports never looked good. They're not something that you want the public to see. They're meant for internal purposes only. And so I salute Palantir for being proactive about their security. They simulated a very possible real-world event of somebody in the company falling for phishing email. And then the test was, once people got in, what could they do? And very much as we saw in the case of the Sony attack, any network which is sufficiently large and has been around for a while, stuff has been bolted onto the sides because, oh, we didn't realize we need another database over here; and oh, look, we need another, bring another website over there. These networks, in large corporations especially, just sort of grow organically. And what was originally well planned ends up just naturally evolving into sort of a Rube Goldberg contraption, which has all kinds of exceptions and corners that haven't been visited recently, and ends up not really being designed, but evolved. And so, yes, the bad guys were able in a really large company to, once they got in, with Palantir's permission, to set up shop and find credentials and use some credentials to elevate their privileges and basically take over the network. But again, the report they produced provided Palantir with really useful feedback that allowed them to then respond by fixing all of the problems that the employed benign hackers were permitted to come in to find. So it was a little disturbing to see Palantir's PR branch trying to explain that, like, okay, this is the way the industry operates. This is how a security-conscious company functions is you hire a red team to come in and see what they can do. So, like, okay, on one hand, yes, these people got complete control. But it was intended. And Palantir benefited, and all of Palantir's customers benefit hugely.
PADRE: That was the disturbing part of the story for me because, like you, I got a lot of people tweeting me links to this. And all of the links were - they were linkbait. It was data analysis company that does work for the government is breached. And that wasn't the story. This is actually a security firm that did it right, that hired an outside consultation firm to come in and test their security. They let them in. So none of the initial borderline security was in play. This was only what would happen if one of our employees accidentally let you into the network. And a lot of the - I read a more detailed whitepaper on some of the hacks, and it was a lot of pivoting. So that's one of the most difficult things to account for right now. But if someone takes over a computer and then is able to pivot it to be the attacker inside, but they're smart about it, so that it doesn't always throw off attack traffic, there's no network I know that can survive that. It doesn't matter how segmented your network is. Once they start pivoting on the inside, they're going to get access to credentials. They're going to get access to certificates. But what Palantir did was they were very open about where the security flaws are, and now they can fix them. This is what we want to encourage in the industry; right, Steve?

Steve: Right, right. And so that's exactly right. I think no one should be put off by this, the idea that they're being proactive. I mean, for example, they're in a much better position today, except from a PR standpoint, than they were - I think this was done, I think it was in October and September, so the end of September and into October of last year. And Palantir's customers have a stronger company they can rely on as a consequence, not a weaker company.

PADRE: Right. In fact, I'd go one step further. I'd say if you're looking at trusting your data to a data analytics firm, don't trust them unless they release the results of their latest breach test. I mean, that's what I'm going to be looking for. I'm going to be looking for a company that is forthcoming about any potential hazards to my data while I have control of it. So I want our audience to get out there and tell people, no, no, no, no, you've got that story all wrong. The fact that you're hearing about it is good. In fact, Dan Geer at Black Hat two years ago, his keynote address was all about transparent failure. The goal of our industry should be 100% transparent failure. When something happens, you should not feel ashamed. You should not feel reluctant to release that information because that's how the security industry grows. So, yeah, I'm with you. I think this is something that [crosstalk].

Steve: Yeah, I guess the only modification I would make to that is that they never intended that internal report, which they purchased, essentially, from these hackers, I mean, the question is, how did this leak to the press? Because this was juicy for the press. And unfortunately the spin that got put on it, as you also saw, was a negative spin. Instead, it was intended to be internal and to stay internal. And so Palantir would say to their clients, either current or future clients, we hire red teams to attack our networks on a semi-regular basis so you can be assured that we're taking our internal security seriously. And it just shouldn't have gotten loose because the value is to Palantir and to their customers, not to the public at large.

PADRE: Right, right. And hopefully I hear more. I'd love to hear more companies release the findings of their penetration tests.

Steve: Yeah.

PADRE: All right. What about - on my device right now I have a super secure - I'm sorry, did you want more on the Palantir story?

Steve: No, no, no. That was perfect.
I was just going to say that a couple weeks ago I was setting something up, and I don't remember now what it was, but I told our podcast listeners and Leo that I had a choice between having an SMS message sent for second-factor authentication, or using a one-time password, I mean, sorry, using a time-based, like a Google Authenticator or Authy-style six-digit temporal-based token. And I didn't hesitate to choose the time-based solution. And I said at the time that the reason I did that was that it's much more secure. The idea there is that one time over a secure TLS connection to whatever the server was I was establishing this with, I don't remember now what it was, it provided me with the cryptographic information required, basically the key to key the standard time-based protocol, TOTP, which would then generate a series of six-digit numbers, given an authentication application. And back then I said I'm not using SMS because the problem with, as we know, with our cellphone system is that it's not secure. SMS messages are not secure. And the way, with the choice I made during a truly secure point-to-point connection, I obtained one time a secret from that server which would then, for the rest of time, drive this time-based token generator. And so never again would they need to be providing me with a secret on the fly, which of course is exactly what simple messaging system (SMS) messages does. It's like every time you're logging in, send me a message to my phone, which I then look up and enter into the web page. So anyway, this all kind of came back, and I got a kick out of this because a security company, Positive Technologies, put out a press release that popped up on my radar. They wrote, and this is in press release format, I'll just read the first couple paragraphs: "Positive Technologies researchers able to compromise many popular social media sites by hacking the SS7 network, intercepting a one-time password, resetting passwords, and taking ownership of accounts."

So they wrote: "Positive Technologies, a leading provider of vulnerability assessment, compliance management, and threat analysis solutions, today confirmed its researchers have exploited a flaw in the SS7 protocol to intercept one-time passcodes used by many online services to reset passwords. Facebook, WhatsApp, Telegram, Twitter and many other online services offer password resets via SMS message. But instead of strengthening security, this ability actually introduces a vulnerability hackers can, and will, exploit. Positive Technologies researchers recorded themselves demonstrating the hack against Facebook and WhatsApp accounts with the owner's permission, proving the dangers of this authentication method."

And so we had been talking about the SS7 system and how old it is and creaky it is and how, unfortunately, it's another one of these things where it was never intended to be secure. It was intended to - it was originated to glue together separate cellular networks to provide like a call-forwarding technology from one network to the next. And among many things it lacks is strong authentication. There just isn't strong authentication as part of the SS7 protocol. And we all know that, if you can't be sure who you're talking to, then you can't trust anything they tell you. And you don't want to be giving them any secrets. So we've heard anecdotal reports of SS7 protocol compromise. But I love that here was an affirmative, yes, just the other day we did this. The system is still broken. And again, it sort of puts a point, a little bit of punctuation on what I was saying a couple weeks before when I said I chose a time-based authenticator rather than SMS for exactly this reason. I don't want something secret constantly going through the cellular network every time I need to authenticate. That's just not - now, okay. Using it for password reset, there your window of vulnerability is going to be smaller. But on the other hand, if you've got somebody who's set up looking to suck all of the SMS messages that go by in, and they're seeing six-digit codes or something obviously that is meant to be secure, well, then that creates an opportunity for them to grab it, so not good.
PADRE: And you know, Steve, I've been telling my users for the longest time to use multifactor authentication. It's the standard model - something you know, something you have, something you are. And most of them have tried using some sort of, well, I get texted a password. I get texted a unique number that I can enter in, and that's my two-factor. And they get confused when I've told them don't do that because they think that's the something you have. You have your phone. But it's something you have that's receiving a transmission, therefore it kind of invalidates that part of the multifactor authentication equation. I have seen a couple of apps, though, that will use secure communications, non-text, over TCP/IP, encrypted, that I do trust. Would you trust that more than like a time-based RSA token? Or are you still going with a token?

Steve: It just occurred to me that one way you can explain this is this is not - if you use SMS, it's not something you have, it's something you blab.

PADRE: Right, exactly, yeah.

Steve: So not what you want. So to answer your question, the issue is always authentication. It always comes down to that. And this is something that Leo and I go around and around about because like he was all excited about Telegram for a while. And I said, well, yeah, but there's no authentication. He says, well, but it's secure. It's like, yeah, maybe. But if you don't know who you're talking to, if you don't know who it is secure to, then it could be a man in the middle. And frankly, I'm even skeptical of systems like iMessage. I've talked about that. The problem is they're handling the keys for you. Yes, it's hugely convenient. But the tradeoff for that convenience is that, since Apple is providing the keys under which the messages you send out are being encrypted, they could toss in an NSA key, and who would know? I'm not saying they are, but they could. So messaging apps, for example, have to have, I mean, if you really care - and there's a spectrum of how much this really matters because remember, even if you have super-secure messaging with authentication and encryption, if you're using a phone which has been rooted so that there's something in there watching you send stuff before it's encrypted and capturing it after it's decrypted, outside of the point-to-point encryption, then you still don't have security. So one of the things, sort of one of the concepts we've been looking at more in depth recently is sort of the fallacy of absolute security. So, yes, we want security. But unless we went out onto the beach and got some sand and extracted the silicon and then designed our own chip and wrote all of our own software, that to the degree that we're trusting anyone else, or as you started the podcast off with Trust No One, well, fact is it's totally impractical not to trust anyone. We have to. Otherwise we'd get nothing done.

PADRE: Right. I was actually just about to ask you that because, yes, if whoever's doing the authentication for you is compromised, you've got a problem. If the end device that you're using to receive your authentication is compromised, you've got a problem. But, I mean, even if you're using a time-based security, you still have a server that's running the time-based equation and then authenticating against your token. If that's compromised, then you've got a problem. At some point you have to assume, and I know that's a horrible, horrible thing to do in the security world, but you have to assume that some level of security is trustable. Right? And it can't just be you. It can't just be your equipment.

Steve: Correct.

PADRE: Something out there you have to trust.

Steve: Correct. And, for example, I've been deep into SQRL now for quite a while. What SQRL does is it is, as far as I know, the most minimal requirement for trust of anything we've got so far because it is only a compromise of the secret in your client which represents a vulnerability. The beauty with SQRL is that, because servers are dynamically challenging you to sign a secret, and all they have is a public key representing you, which is only valid for that domain name, you're not requiring them to keep any secrets. So exactly in your example, Padre, they don't have a key which they're trying to keep secret which generates the one-time, the time-based token. And if that got loose, then anybody else would know what it was. So the vulnerability you point out is exactly correct. And SQRL doesn't have it. So ultimately what I think is going to happen is we'll end up with something like SQRL for YubiKey, where that one master secret which we have to keep secret ends up being in a little piece of easily managed hardware, and then it's just not possible for it to get loose. And you don't want to lose it, though, either.

PADRE: But that's the right way to think about it. I don't trust you; but I know that, even if you let all this out, it doesn't compromise me entirely.

Steve: Right.

PADRE: That's kind of - I think that's the best-case scenario.

Steve: Right. Sort of in terms of trust perimeter, SQRL has - or maybe diameter - has the smallest trust diameter of any of these technologies that we've been talking about so far.

PADRE: Wait, did you just coin a new phrase? Can we TM that, trademark it?

Steve: I like that.

PADRE: Trust diameter. I like this.

Steve: The trust diameter, yeah.

PADRE: Hmm. Someone, oh, hold on, no, don't, don't [crosstalk] the domain.

Steve: Maybe radius. Trust radius?

PADRE: Trust, oh, trust radius, oh, that's even better. Trust radius.

Steve: That's better.

PADRE: How about a trust sphere?

Steve: Because you get a little radius in there, too. You want radius.

PADRE: Of course. All right. Yeah, you can't trust SMS. But you know what I can trust, Steve? I can trust my home security cameras. I know they're rock-solid, designed from the ground up to keep me safe and not let anyone else into the most private parts of my life.
Steve: Okay. So the timing of this could not have been better. The IoT Infancy - oh, by the way, we did coin an acronym there, and that was I Don't IoT, which of course is I-D-I-O-T.

PADRE: We used to call that an ID-10-T error. When you had a user who just wasn't there, and you needed to convince them that it wasn't their fault, you said, "Oh, yeah, see this all the time, it's an ID-10-T."

Steve: That's good. So the original IoT infancy podcast was going to be about baby monitors. But I ended up breaking it up into two podcasts because there was just too much to talk about, and the details were just so juicy of the ridiculous lack of security that these technologies had, things like the URL that you used to go to a website to view your baby cam on the 'Net. The URL had a serial number, and you could just change some digits and view other people's babies. It was just, I mean, just horrifying lack of security. So then when this popped up on Reddit, I thought, oh, this is wonderful. So the title of this article on Reddit was "I bought and returned a set of WiFi-connected home security cameras. Forgot to delete my account, and I can now watch the new owner." So this guy, oh, it's just horrifying. This guy wrote, he writes: "A few months back I purchased a Netgear Arlo home security camera set. I set up an online account, connected the cameras, tried them out for a few days, and ultimately changed my mind. They were returned to the store, and I never gave it another thought - until today.

"I got a random email alerting me that the camera had detected motion, but I don't have any cameras. So I logged into my online account, and I can see the new owner, their house, and everything they're doing. Netgear obviously doesn't have a system in place to prevent cameras on multiple accounts. If I'm not mistaken, anyone could get the serial number off your cameras and link them to their online account, to watch and record every move without your permission. A creepier dream. Does anyone else see this as a serious security flaw on Netgear's behalf?" And then he says: "I'm even happier that I returned them now." And then in a subsequent edit he said: "I left a message with Netgear this morning," which was yesterday, 6/20. He said: "Received a return call from a Senior Support Engineer saying they're aware of this issue. Since the cameras aren't supposed to be resold," he says, "I suppose they didn't think it would be an issue." What, are you supposed to destroy them and get credit? Anyway, he says: "I was assured they were working on a fix within the next three weeks to prevent cameras on multiple accounts and force a hard reset on the cameras, if cameras were previously registered in the system." Oh, and I should note that I tweeted this earlier, and several followers said, "You know, I have those cameras, and the same thing happened. You just plug them in, and they don't ask any questions. Everything just works." And, oh.

PADRE: Here's the sad thing, Steve. This is not just a Netgear problem. I have seen this on so many cameras where the only thing that protects you is either a registration number that they've created and put into the firmware, or more likely it's the MAC address. You have to know the MAC address. And I've seen way too many supposedly secure products that use a MAC address as a layer of security, which it was never designed to be.

Steve: No, you're right.

PADRE: In fact, JammerB, if you go back to the screen real quick, this is an actual - this is posted on that Reddit page. So if people want to go and find out what this owner is doing right now, they could just use that. The information that's on this label right now you could use to get into that camera. In fact, you could go down to your local Best Buy and take pictures of all of these tags and then just wait for them to get bought. And unfortunately I've seen this, and I won't name any of the other manufacturers, but a lot of the other companies that compete in the same space as Netgear are doing the same low-cost authentication, which is - it's sad.

Steve: Yeah. So this returns to the theme of IoT infancy. The only way to regard this is, first of all, we're in an incredibly early stage where companies are rushing to get their products on the market. And I'm sure that the front of the box says "Secure encrypted webcam system." I'm sure that's a bullet point. And here's the consequence. I mean, here's the reality of it is that the architecture offers none of the secure encryption. Maybe the connection is. But obviously anybody who's able to get on the website and see what's going on in the new owner's home, oh, wow.

PADRE: You know what I think, when I think about this, I think of the GM hack that they did. Was it Black Hat and Defcon last year? I think it was last year where they found out that the only security was the IP address range. So they just thought no one's going to guess the IP address. Well, I mean, once you had one device, you knew all the other devices are probably going to be near that, so you just kept scanning it until something responded. And it's this sort of lazy security that lets people think that, well, I paid a lot of money for this device. Therefore, it must be secure, which is completely not the case.
Steve: In fact, that's exactly the way ShieldsUP! first got created because I had the first, back in the early days, the first - it was a DSL or IDSL connection for GRC. And I don't remember if we had multiple IPs or just one, and maybe an early NAT router. But I had a public Internet Protocol address, an IP address. And I thought, I wonder what's in the neighborhood? And so I scanned, like, plus or minus a hundred IPs and found all these C: drives, all these other Windows machines with their C: drives exposed. And it was like, oh, my lord. Someone's got to do - someone's got to raise the flag about this. So of course I created ShieldsUP!. And, boy, in the early days of ShieldsUP! people went there, and I showed them their C: drive. You could browse your own C: directory on my web page. It was just horrifying back then. So there was an example of another aspect of infancy. That was the infancy of Windows machines' first contact to the Internet, and that was the reality. Now, as a consequence, all ISPs now block ports 137 through 139 and 440 - is it 445 or 443? I always get those confused.

PADRE: 443?

Steve: One is secure email.

PADRE: Right, 443.

Steve: I think it's 445, and 443 is email.

PADRE: Okay, thank you.

Steve: Anyway, so all ISPs block that in order to protect their own clients, who may still somehow have a drive on the 'Net not behind NAT, not behind a software firewall, just exposed and flapping in the breeze. But anyway, so the good news is there's hope. We are at this stage now with webcams and home security systems and so forth. We were once at that stage with people's hard drives on their computers. And we're finally, it took a long time, but now we're secure. Unfortunately, I think this is going to be similar escapades for a long time on IoT, until we finally get some standards. I think what we're going to need is some sort of standards body to come in and establish the way this stuff has to work and come up with a protocol. Because right now it's the Wild West. Every manufacturer just does whatever they want to, as little as they want to, and then stamps "It's secure" on the box. And people at Kmart say, "Oh, let's get some cameras," and stick it in their cart, and off they go, and now everybody else can see what they're doing.

PADRE: I remember a few years ago it was Access Communications, which sold high-end cameras, I mean, way more expensive than the ones you would buy at a consumer Best Buy. But unfortunately, the login page was searchable, so Google could index it. And you could look for a particular page that would bypass security. So you would just do a Google search for this one page name, and it would list all the cameras, the Access cameras, that could be bypassed, just by clicking on the link. It was a little bit scary. But Steve, it's funny because all of these zero-configuration devices - and again, Netgear, D-Link, think of the lower cost hardware. Most of them are built off of a singular reference design. I mean, if you crack them open, they vary very little on the inside. And the reference design was created, along with its firmware, for you to improve upon. And some of these businesses have not improved upon it. All they've done is they've added their branding. And then they add a password screen, which is really just a couple of lines of code that compare one string against another string. And that's it. And I'd love to get your input on this. We've had talks at the last three CESes, the last two Black Hats, the last two Defcons, from high-level officials in the U.S. government who are saying, look, we understand that you're in a rush to get your creations out into the market, but security can no longer be an afterthought. Because that's what it is right now. It's get it working, and then I'll think about security later. Well, unfortunately, it stops at the "get it working" part, and security is tacked on as an afterthought. How do we change that? Because it's so difficult for some people to think security first.
Steve: Say, for example, and while you were talking I was trying to come up with a way, something that would be foolproof, that would allow a device to know if it should randomize something in itself. And so, for example, imagine that, okay, because we know there's a lot of technology in these things. Often there's a little Linux microkernel. They've got firmware. They've got nonvolatile storage. Imagine if, when power comes up on this thing, it reaches out to well-known NTP servers and checks the date. And that allows it to know autonomously how long it's been powered off. And if it's been powered off more than some period of time, like 24 hours, it has to be repaired in some fashion. It just decides, okay, I'm no longer going to trust my own current configuration. The user's going to have to do something in order to reassociate the camera with their account, something like that, so that it can still be simple, yet it can protect users from themselves because that's what they need.

PADRE: Right. I want to bring up something from the chatroom real quick because [pschops] brings up a good point, something that a lot of us think, which is, and I quote: "If only companies were liable for lapses in security, things would get straight pretty quickly." I understand that. I understand that sentiment. I feel that way sometimes. However, there is the flip side to it, which is you want to reward companies for being honest. And if a company thinks it's going to get dinged for a security lapse, they are much more likely to sit on a potential security hole, rather than announce it immediately.

Steve: Ah, good point, yes.

PADRE: So many of the best policy examples I've seen have been, if you announce a security hole within the first 10 days of you learning about it, then you get sort of a blanket immunity because you were trying to do the right thing.

Steve: Or how about if we add to that concept, if they open source the software, then they're also let off the hook.

PADRE: Right. Precisely. Yeah, if you allow it to be vetted...

Steve: [Crosstalk] the ability.

PADRE: And that's, I think, because we can talk about security vulnerabilities all day, and they're fun because we get very creative when we look at ways of getting around authentication.

Steve: It's a target-rich environment.

PADRE: It is a very target-rich environment. But ultimately, as security professionals, we want our fellow professionals to have a reason to do the right thing.

Steve: So...
TranscriptofEpisode#565PADRE:What'snextSteve:Sothisstory,Idon'treallyknowwhatthetruthisbecauseGoToMyPC-andthey'vebeenasponsoroftheTWiTNetworkthroughtheyears.
Idon'tknowiftheyarestilltoday.
Butofcoursetheirparentcompany,Citrix,hasbeenalongtimesponsor.
Again,thisfeltlikeclickbait.
Butitlookedlikeitwasclickbait,well,itlookedlikeitwasaproblemmaybeoftheirowninitialdisclosure.
Sotheheadlineread:"Aftersufferinga'verysophisticated'attack,"whichistheirwords,"GoToMyPCforcesalluserstoresettheirpasswords.
"SoofcoursealotofpeopleuseGoToMyPC.
Iimaginealotofourlistenersdobecausethey'vebeenanadvertiserontheTWiTNetworkforalongtime.
Soeverybodyknowsthattheywouldhavegottenapasswordresetemail;or,whentheyhaveattemptedtouseGoToMyPC,theythenweretoldyoumustresetyourpasswordinordertoproceed.
Sowhat'sweirdisthat-oh,andinthecontextofmaybetherebeingareallybadbreachofalltheirpasswords,itoccurredtomethattheydidn'tmeanGoToMyPCquiteasliterallyasitwasperhapsnowbeingused.
Butwhattheywroteinanincidentreportunderstatus.
gotomypc.
comwas:"DearValuedCustomer"-now,thisistheirowndisclosure.
"Unfortunately,theGoToMyPCservicehasbeentargetedbyaverysophisticatedpasswordattack.
"It'slike,whoa.
Andofcoursethegoodnewsitwasn'tajuniorattackbecausethenthatwouldbeembarrassing.
It'saverysophisticatedattack.
Thisisbiggunswererequired.
Andcontinuing:"Toprotectyou,thesecurityteamrecommendedthatweresetallcustomerpasswordsimmediately.
Effectiveimmediately,youwillberequiredtoresetyourGoToMyPCpasswordbeforeyoucanloginagain.
"Andthenfurtherdowninthisstatusreportofincidentstheysaid:"Wehaveexperienced"-itwasunderInvestigating.
"Wehaveexperiencedanissuewhichrequiresyoutoresetyourpasswordifyouarehavingtroubleloggingintoyouraccount.
"Okay.
"PleaseresetyourpasswordthroughtheForgotPasswordlinkifyouarehavingtroubleloggingintoyouraccount.
"Okay,sothatseemsalittleinconsistentwithwhatwassaidatthebeginningofthesamepage.
Butthensubsequentlytheysay:"JohnBennett,productlinedirectoratCitrix,saidthatoncethecompanylearnedabouttheattack,ittookimmediateaction.
Butcontrarytopreviouspublishedreports"-anditwastheirownpublishedreport.
Apparentlyhesays:"ThereisnoindicationCitrixoritsplatformshavebeencompromised.
"Hesaid:"Citrixcanconfirmtherecentincidentwasapasswordreuseattack,whereattackersusedusernamesandpasswordsleakedfromotherwebsitestoaccesstheaccountsofGoToMyPCusers.
"Sonotsoverysophisticatedafterall.
PADRE:Steve,whatyoudon'tunderstandisitissosophisticatedthatnoteventheyunderstandwhat'sbeengoingon.
Sothat'show-yeah,crazysophisticated,really.
Steve:Yeah,sothenheconcludeshisemailedstatement,saying:"Atthistime,theresponseincludesamandatorypasswordresetforallGoToMyPCusers.
"AndsoIsortof-Ipushedbackfromthis;andIthought,okay,waitaminute.
Nowwe'reatastatewhere,ifothercompaniessuffermajorpubliclydisclosedbreaches,alltheothercompaniesontheInternethavetoforcealloftheiruserstoresetalloftheirpasswords,too.
PADRE:Yeah.
Steve: Sad state of affairs.

PADRE: It's a sad state. But, I mean, if you look at the Next Steps page that Citrix put up, it's most of the same things that we've been saying for years. Don't use words from the dictionary. Select strong passwords that can't be guessed, eight characters or more. Make it complex with random capital letters, punctuation, or symbols. Then do the whole substitution, zero for "o," three for "e," two-step verification. So the problem is people read this, and they go, "Yeah, yeah, yeah, yeah." And then they promptly reuse that password on another site. And that's human nature. We can't change that.

Steve: Yeah.

PADRE: Oh, my. And actually, this is the second high-profile case of a potential breach that was caused because some other site lost their passwords. Twitter just suffered this. People said that, well, there's a lot of Twitter users being attacked. And Twitter was actually able to look at the accounts that were affected. They found out - because they segment their authentication databases. And they were saying, like, a few here and few here and a few here. So they said, look, they didn't get the database because, if they did, you'd have contiguous blocks of users.

Steve: Ah.

PADRE: This is obviously a case that someone has been compiling these passwords, and then they just threw them up against Twitter to see which ones would work.

Steve: Right. Well, and of course we talked about how Zuckerberg was one of the people who got compromised.

PADRE: Right, right.

Steve: With the rather embarrassing password "dadada." It was just D-A-D-A-D. So it was like, oh, okay. But it was from a 2012, was it, or even older, it was from an old Twitter account that he hadn't used. It had been just sitting idle for a long time. But, oh, I am sorry, it was from an old LinkedIn account, and we believe it was part of the LinkedIn breach. And then they tried to reuse that because he's a high-profile person, and they were able to compromise his Twitter account with it.

PADRE: Right.

Steve: Okay.
So this one was the most tweeted story, with lots of people saying, Steve, can't wait to get your take on this on this week's or next week's, depending upon when they sent this, podcast. And this, again, was - this was an article on BoingBoing that was really over the top, with the headline "Intel x86s" - and actually it's not x86s because those chips, if they're only x86s, they don't have this. It's newer processors, so it's going to be x64s. And it's not actually in the CPU, either, it's in the chipset, it's in one of the outboard chips - "hide another CPU that can take over your machine." And then "(you can't audit it)." So this is a guy, Damien Zammit, who has sort of made this his personal crusade. And the problem is this generated a great deal of concern. And it's not that some concern isn't warranted. What I wish is that there was a little switch on the motherboard where you could turn this off. And that's what we're lacking.

So here's the background. So, okay, first of all, the story starts out: "Recent Intel x86 processors implement a secret, powerful, control mechanism that runs on a separate chip, that no one is allowed to audit or examine. When these are eventually compromised," as he puts it, "they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks. I've," writes Damien, "made it my mission to open up this system and make free, open replacements before it's too late." Now, first of all, good luck with that, Damien. I'm going to explain why you're going to have to have some serious voodoo powers in order to make that dream come true.

So here's what's going on. First of all, there is sort of an acronym stew. We have something known as the Intel Management Engine, sometimes referred to as IME, or sometimes ME. And then this outboard thing is known as the ARC, the A-R-C processor, which is a 32-bit RISC chip. So it's not like another x86 Intel, well, it is an Intel processor. They produce a chipset. But it's not Intel instructions. It's a RISC processor. Then there's something called AMT, Active Management Technology, which IME implements. And this all replaces a previous IPMI, which is the Intelligent Platform Management Interface.

So Intel's intention here is to create a - we could call it sort of baseband. It's on the motherboard. It is built in. It is, where present, it is ubiquitous, meaning that users don't have any control. BIOS doesn't have any control. You can't turn it off. When I was setting up my big new box a couple months ago where I put Windows 7 in it, and it was a Haswell chip, and I wanted to get that because of the news that future hardware platforms would not necessarily be backward compatible to Windows 7, that essentially Microsoft was saying we're not going to keep making our newer - Microsoft was saying we're not necessarily going to be providing drivers for newer hardware on our older OSes. So I said, okay, I can't wait for my current system to die. I need to get one now that I like a lot, that I'll be able to run Windows 7 on it, because I never want to have to go further than Windows 7. And I made the comment that I had removed the Intel Management Engine. What I had done was I had uninstalled the Windows drivers for it, where it allows Windows to interface with this. But it can't itself be disabled or turned off.

So the concern is, my concern is that not only is this thing responsible for setting the bus clocks, it's a processor that gets things going. It sets the various counters on the master clocks that run the bus that starts the system going so that then the big expensive Intel x86 or 64 or whatever processor that you've got is able to come to life. So it's sort of the pre-life, get things going processor.
PADRE: Steve-

Steve: The really annoying thing is that it has deliberate access to the motherboard's network interfaces.

PADRE: That was the question I was going to ask, yeah.

Steve: Yes. And that's deeply disturbing. Now, apparently this is what Intel - this is technology Intel is providing for corporate enterprise-level management, the idea being that using some ports at the enterprise level, regardless of whether your computer is on or not - and that's the other creepy thing. And I'm sure anyone who's been using or who's looked inside their machines anytime in the last 10 years or so, even when the machine is off, sometimes you look in, and there's a little LED staring back at you, glowing, on the motherboard. And it's like, wait. It's off. Fans aren't spinning. Everything's quiet. Yet there's a little green LED. Or even worse, if you look around the back, if there are lights on the network connector, they're sometimes on and flashing. Like something is alive in here, even though all is quiet; no heat's being generated; no fans are being spun. And so that's this thing. That's the Intel Management Engine running and apparently listening on the network and able to respond affirmatively, even with the computer off.

And so that's what's got Damien all worked up here is that what if Intel has made a mistake? What if their code is not perfect? And as he says, "when these are eventually compromised," dot dot dot. "They'll expose all affected systems to nearly unkillable, undetectable rootkit attacks." And in fact it is the case that this Management Engine technology has, while the system is running, complete access to everything, unrestricted access to the system's main memory so that it can, if it were compromised, snoop. And we don't even know how it works, what it does. It is completely closed by Intel. It is not documented. It is, essentially, it is as secret as they're able to make it. And the people who've been looking at this consider this Ring -3, like the deepest, darkest Ring level of access, like what was it, some rings of - I'm trying to think of...

PADRE: Rings of hell, actually.

Steve: The seventh ring, yeah, the seventh ring of hell or something. So everyone's familiar with the notion probably of Ring 0. We talk about that a lot because that's where the kernel typically operates. This notion of rings is the privilege at which the instructions are executing at that time on the processor. And the Intel hardware supports four rings. So it's got two bits, two binary bits; so there's four different possibilities. So that gives us Ring 0, Ring 1, Ring 2, and Ring 3. And the original architects said, yeah, that ought to be enough. Well, it turns out that two rings was enough. They could have spared themselves a bit and just had one bit because nobody uses Ring 1 and 2. You're either in Ring 3, which is userland, or you're in Ring 0, which is the kernel.

So there is this notion of a ring transition where you go back and forth. And that's something that, due to the Intel architecture, is a little bit painful in terms of overhead, which is, for example, why Microsoft, in their less than wonderful wisdom, moved GDI, the Graphics Device Interface, from Ring 3 down into Ring 0 because there are so many calls to GDI by Windows that it was expensive to have it up in Ring 3. And so they made the mistake in retrospect of putting it in the kernel. And that then allowed things like JPEGs to take over your computer because the graphics device interface would be interpreting JPEGs, and they made mistakes, and that allowed your computer to get taken over.

So in this ring terminology we have the positive rings, Ring 3, and we're not using 1 and 2, and then 0. And then people consider hypervisors, which run underneath multiple Ring 0 kernels, they consider that to be Ring -1. And then there's the SMM, the System Management Mode. That's considered Ring -2 because that's even deeper than the hypervisor. And that's where we get to Ring -3, which is sort of what this is considered, this whole management engine thing, because it's arguably deep - it's not system management mode. It's even deeper than that, where it really provides the low-level control over the whole system and, unnervingly, is also monitoring the network.

Now, Intel has done arguably everything modern design permits them to do.
I mean, they understand they don't want anybody messing with this. So first of all, it cannot be disabled on systems running the Core 2 series processors. It is kept absolutely secret. Damien notes that there's no way for the main CPU - there's total visibility from it, from this IME, like so-called Ring 3, up into the higher rings, but none in the reverse. There's no way for the main CPU to detect whether this management engine may have been compromised - no way for it to access it at all, no way for it to repair a compromised management engine, no way to detect if malicious entities have been able to compromise it or infect it.

On the other hand, Intel has done everything to lock it down, everything possible. There's a public key in the hardware, not even in the firmware. I mean, there's a public key in the silicon of this management engine. And there is an SHA-256 hash which is taken of the public key to verify that it hasn't been changed. And maybe the public key is in the firmware, and the hash is in the silicon. Again, details are sketchy because Intel doesn't want to share any of this. The only thing we know is from deep reverse-engineering. And again, it's like almost pop the lid on the chip in order to reverse-engineer this. There's little known about it. But so the public key is verified with an SHA-256 hash in a way that firmware can't change it. Some components are in the silicon at manufacture. Then the signature of what is in the firmware, because it is firmware updateable, which is a concern, the signature of the firmware is verified using that public key. So we know that only Intel will have the matching private key to allow them to create firmware that this IME will ever consider running.

And that firmware image has custom compression which the hardware decompresses. It's not even decompressed through any known algorithm. And there's, I guess, 11 versions of it which have subtly changed over time. So that part has been reverse-engineered. The people have extracted the compressed firmware and arranged to decompress it into the RISC processor's instructions. But it's not possible to change even a single bit of that, even knowing what the compression algorithm is, because then that ARC, that 32-bit ARC RISC processor will not run it when the system is first plugged into the wall, and that little green LED on the motherboard first turns on, and all of this begins to come alive.

So they've done everything they can. They've locked it down utterly. Nobody can change a bit. People - and this is why I say Damien wants to come up with a public domain open source version? Well, okay, who's going to sign it? Intel's not going to sign that. And if Intel doesn't sign it, this hardware will not run it. I mean, maybe you can get in there with your soldering iron and fuse the silicon. But it's not going to be a widely applicable, download this updated IME firmware sort of thing. And believe me, I mean, it is a concern that this thing is on our network interfaces. And apparently independent of IP address or MAC address or anything else, it's there sniffing traffic coming in and out. But it comes along with the hardware. So again, it's like, yes, it's a little annoying. But all you can do is pull the plug. And I mean literally the plug, either the power plug or the network plug, out of the back of your machine. If both the power plug is plugged in, and the network is there, there's a link up, and this thing is waiting to receive instructions from the mothership.
PADRE: Now, as an enterprise guy, I understand why they built this, because...

Steve: Good, tell us.

PADRE: ...we've been dealing with out-of-band management forever. That's how I've always been taught to build. So you have the main network, and then you always have a way to get into your devices, even when the main network is broken or not working properly. So this is a way for you to get management that bypasses even the hypervisor inside of an Intel chip. So especially if you're running a server that's running a lot of VMs, or you're running it as a container box, this gives you the ability to get in even below that in case something goes tragically wrong. So rather than walking to the box, you actually have the ability to get in there and not just power cycle, because we can already do that with power distribution units, but to actually figure out what state a computer is in. So that's, from the enterprise guy, that's incredibly fantastic. I love this solution.

However, and I think this is the same concern you have, the problem I have is that it has no audit. There's no way to find out what's going on inside. I would never let that on my network because it means, well, I now have an unknown, an always unknown on the network. I just have to assume that no one has broken their way into one of these processors. Now, as you describe, it is a very difficult, complex technical task to do so. Right now I can't think of a way to do it. But we've seen in the past that hardware security protection, where it's baked in, is always the most secure until the first time that it's broken, and then it's absolutely worthless and a huge security risk.
Steve: Okay. So now we have this 32-bit ARC RISC processor, and these guys have figured out, they reverse-engineered the hardware-based decompressor. So they're now able - and then through the 11 versions of this, so obviously Intel trying to change it. That's not going to help. I mean, it may be the case that nobody can change the firmware, no third party can change the firmware. But now look what we've got. Now we've got a group that are figuring out what the code is. We know that, once you know what the code is, you can then - you disassemble that and come up with the, what is this chip doing with the NIC? What is it doing on the network? My point is, if it has preemptive control over the system, that is, if it's not just read-only, if it's not just a monitoring tool, I mean, that's bad enough, depending upon how deep and what it monitors. But what this means is that third parties will know everything Intel knows about this thing's capabilities. They will reverse-engineer the language. They will reverse-engineer the instruction set, that is, the high-level, network-level instructions that this thing uses for communicating. So now you've got the possibility that something malicious that knows this gets onto a large enterprise network and has the free rein of the place, even at 2:00 a.m. when all the computers are off. It just seems like a bad idea.

PADRE: It does.

Steve: To have something that is in - we are in the process of reverse-engineering it. So anything Intel has enabled that to do, we will know. And if anyone knows it, everyone knows it, just exactly as you said. And it just seems troublesome.

PADRE: I would actually like to get one of these processors, so a processor that I can confirm has this built into it, and then run it on an OS that I strip out all network controls. So you take out all the stacks, so it doesn't have the ability to communicate with the network adapter, and then just sit on the line and listen. I want to see if this is actually talking to something, rather than just waiting, because I believe the article mentioned that, in order for this to be useful, there has to be some sort of TCP/IP service running on that little processor. There has to be...

Steve: Yes, in fact the article did say what's most creepy is that it runs a full TCP/IP server on the network interface, and packets entering and leaving the machine on certain ports bypass any firewall running on the system. Of course, because it's hardware. The firewall is in your OS. And so really the only way to protect yourself would be to use an outboard physical firewall that is drop all, and then where you specifically allow your own higher layer traffic to get through.

PADRE: At the very least this could be a couple of interesting weekends, just sniffing around. Actually, I'd sniff first. I'm betting it's probably not sending out any traffic. It's probably just waiting. But then I'd start bombarding it with traffic, just to see what it listens to. And that is kind of fascinating. I look forward to seeing how this develops over the next couple of months.
Steve: So there's the behavioral approach, which you talk about. And if you can get the firmware, and you can decompress it, and you can decompile it or disassemble it, then you just work your way through it, and you end up with a complete lexicon of exactly what this thing does. And so at some point we're going to know. And, I mean, maybe it's already known. Who knows? I mean, again, it's a little annoying that this thing is sitting in our machines. I just hope, I mean, so, for example, is it Ethernet level? It says TCP/IP, which presumes that it's got a TCP/IP stack. And TCP/IP, as we know, is Internet protocol, so it's routable. So what IP does it use? Yeah, it really, I mean, it raises a lot of really intriguing questions.

PADRE: Is there an easy way for me to find out which processors are affected?

Steve: There's more detail in the story. There was something called a vPro, and I think it has to be vPro processors, and non-vPro processors are not.

PADRE: I got it. Okay. But a recent vPro processor.

Steve: Yes. Well, because older ones had the previous, the IM whatever that was, the older technology. Intel's been doing this for a while. They've been up to this. The IPMI was the Intel - the Intelligent Platform Management Interface was their earlier one. And I think I've got servers, I think my servers at Level 3, those are from '04, and they've got that in it. So again, there's 12 years ago Intel was like, oh, we've got to create this. So, I mean, you know, maybe if it's for inventory management, like the corporation is able to scan their network and get - because I know that there's like all kinds of funky serial numbers and things in the BIOS of these older servers that I have, where there are FRUs and all kinds of strange stuff that I never bothered with because it wasn't about running my stuff. But it seemed that there was a lot of enterprise-class management stuff. And that's apparently what Intel's doing. But the question then is who else knows about this? This isn't of value if Intel is the only one who knows. It must be that they provide some enterprise-level interconnectivity that allows corporations to do something with their fleets of machines that are all enabled with this.

PADRE: Right. But, I mean, like for asset management, which is one of the biggest things that we have to do in enterprise, I can do that just by looking at the NIC because all NICs will stay in low power state as long as the machine is still plugged into power somewhere, which will allow me to see if it's still connected to my network. And I can even get a warning if a device suddenly is removed from the network. So I don't need a second processor to do that.

Steve: Right, right.

PADRE: Which, I mean, again, I don't think it's a nefarious thing. I think it's something they thought was a feature. Maybe they didn't think it all the way through. But like you, I would love for Intel to come out and say, okay, this is exactly what it does. This is how we access it. This is how it's secured. And this is why we think it's still a useful feature for enterprise.

Steve: And why can't I, as the owner of my system, turn it off?

PADRE: Exactly.
Steve: Or at least turn off the COM part. Turn off the NIC interface. Like go set up the bus, get everything going, but stop, you know, don't even think about talking on my network interface without my permission.

PADRE: Steve, we've been talking about this a lot, but I could see this as becoming a thing past Intel. More and more of the devices that we use are always on, always connected. And I could see real benefit to having a management layer of hardware that I as an IT person could access that nobody else could. I'm actually pretty firm in my belief that this is going to start spreading to other product categories. So when it does, is there a safe way to do this?

Steve: The problem we have with the whole IoT concern, the reason it causes so much trouble, is the tradeoff between ease of use and security. Obviously, what Netgear was doing with Arlo made it extremely simple for their users to hook up their webcam systems. Look, oh, just plug it in, and go to the website, and it finds you. So what we're going to have to come up with is in general this Internet of connected things is some sort of compromise solution that gives us security and also ease of use. We don't have it yet.

PADRE: Oh, is that all. Oh, so I just want it secure, but I also want to make it dead simple to use.

Steve: That's right.

PADRE: That's the cry of every security professional from the dawn of security.
Steve: So just a couple last things. I did get a nice note from a Corey Grant, who's in Livingston, Texas, where the subject was "Testimony." And I thought, what? And he kind of meant testimonial, but thank you, Corey. He said: "Greetings. I'm a network engineer in rural East Texas and moonlight on the side for a few local businesses. I got a distress call about a PC that would not boot." And of course we all know where this is going. "This machine had lots of tax data from previous years that" - and he just wrote "she," meaning the person who called him, I guess - "was actively using for research." He says: "I have used SpinRite many times to increase performance of lagging desktops, but this was the first time it actually resurrected a dead machine. She is happy, and I am a hero, thanks to you." So Corey, I really appreciate you sharing that with me and letting me share it with our listeners. So another SpinRite brings the drive, and in this case apparently years and years of tax data, back from the grave.

PADRE: Those stories aren't even really surprising anymore. We've heard them so often that we know. Actually, I got...

Steve: Yeah, yeah, yeah, another - so it's like, how do I make this more dramatic? Yeah, yeah, yeah, SpinRite fixed the drive, okay, fine.

PADRE: Well, I've got one for you.

Steve: Oh.

PADRE: TWiT.tv was covering the Electronic Entertainment Exposition down in Los Angeles at the Staples Center. And I was at a booth. I won't say which booth. I will just say it's a company that makes operating systems as well as gaming consoles. But we got an invite into the lounge, this sort of second-floor type thing. And there were a couple of workstations up there that were controlling some of the major displays that are going on around the booth. And one of them was down. And as we were recording, I kept sort of glancing over. And then I realized it was running SpinRite, and they were running SpinRite on the internal SSD. I guess they had had some issues right before the show started. And then by the time my interview was done, it was booted back up. So I'm like, oh, okay, well, evidently this company that makes operating systems and game consoles has gotten the word that this is the software to use.

Steve: Interesting. Very nice.

PADRE: So you saved E3. Steve Gibson saved E3.

Steve: Well, and what's funny is that we've heard anecdotally that companies that are professional data recovery firms, they use SpinRite as the first thing they do because most customers don't know, and the bill is going to be often north of a thousand dollars, right, for like a professional data recovery firm. But they don't want to put their good guys on it if SpinRite'll fix it. So they just run SpinRite. And they still charge the customer an arm and a leg, but they didn't have to expend the expensive heavy-gun resources to do platter change or PC board swap-out or all the things that can be required if, well, if the hardware's really dead, and then SpinRite can't do anything to fix it.

PADRE: All I know is that it's been in my toolkit for the last two decades, just about.

Steve: Yes. Thank you.

PADRE: So if it's a hard drive, if it's an SSD, there's a reason for you to have SpinRite, folks. And that reason is Steve Gibson. Shall we get into some miscellany?

Steve: Yes.
Well, I just have one piece. This is something I've mentioned before, but it was triggered by somebody tweeting me and didn't remember what it was. He said, what was that thing you recommended years ago for archiving all your email? And what happened was there was some event, I think it was just that I had - I'm still using old Eudora v7.1, which keeps on going. I like the UI. I've tried other email clients. They just - they're not the same. So I've stayed with it. But I realized Eudora was having a horrible problem with a million years, or at least two decades, worth of email that I was just dragging along behind it. So I went looking for a solution, and I found a free solution. It is still free. The company's called MailStore, and it's called MailStore Home. Now, I was using v8, and they're now at 9.7.1. And it is free for personal use. And so I wanted to renew my recommendation. I'm still using it. I still love it. And it is amazing. It now has 2.5GB of my past email archived.

I can put in - in fact, I used it to find you, Robert, a couple days ago, when I first sent you mail, or I guess it was last week when I knew that you were going to be my co-host. I didn't still have you in Eudora. So I fired up MailStore, and I put in "Father Robert," and bang, it found all of our previous communication, and then I grabbed your email address and addressed a piece of email. So it is itself a pop3 and/or IMAP client, so you can just aim it at your server, and it'll suck things in and index them. It can be a central archive for all your email. It can do Gmail, Yahoo Mail. It knows about all versions of Microsoft Outlook, Windows Mail, Windows Live Mail, Exchange Server, Office through 365, Mozilla Thunderbird, SeaMonkey, also PST, EML, and other files. It can suck those in, as well. And it runs perfectly next to my creaky old Eudora v7.1.

It's funny, too, because when I fired it up, it noted that there was a new version. Or maybe I checked. I don't remember. But it's like, oh, yeah, there's a v9.7.1. And so I thought, okay, fine. So I tried to update, but it said no, not compatible with your OS. So it's like, oh, okay. So I'm using 8. And I did note, when I went to their site in order to bring it up - by the way, it's just MailStore.com, M-A-I-L-S-T-O-R-E dot com - that 9.7.1 is Windows 7, 8, and 10. Of course I'm still on XP, so I'm going to stay with 8, which works perfectly. So anyway, I just wanted to remind people about it because I did get a lot of positive feedback from those who adopted it after I first mentioned it. So I thought it was useful to say, hey, I'm still using it. I'm still loving it. And it's hard to beat the price.
PADRE: I still have a few old versions of Eudora that will work. They actually connect and work just fine. But I'm doing it the more advanced way now, Steve. I have about 30GB worth of old Outlook PST files just sitting on a SkyDrive, a OneDrive somewhere. Not quite as efficient, really. Go figure. So MailStore? That's my new joint? I'm going to be doing that one?

Steve: I think you ought to check it out because you could feed it those PST files. It'll suck them in and index them. And then you can really give them the Deep Six. Maybe keep them around. But this gives you total access to their contents. And as I said, I don't have as much as you. I'm at 2.5GB. But again, instantaneous index keyword search of all of my back email, which is really handy.

PADRE: I have a lot of attachments. A lot of attachments. Now, actually, let me ask you about that. Because my old policy, back when I was still using Eudora, was nothing gets deleted. Everything gets saved. I might refer to it later on. But it's gotten to the sheer volume of mail, and it's not all spam, some of it's actually decent, means I delete probably about 96, 97% of it, and I save about 3%. What's that ratio for you?

Steve: I don't keep any attachments, but I do keep all the text. Well, because I've just got it set up as automated now. It's just it's all happening in the background. Any mail to me ends up being archived. So from Eudora I just delete things whenever I want to. I have no problem at all now with just wiping things out. Like sometimes, for example, I lost a few months ago a neighbor whom I met because we were both on the association board, and he died. He was in his late '70s. And so I sorted by name and marked them all and just deleted them because there was just no point in keeping it around. But I did so knowing that, if anything ever came up in the future where I needed to refer to some conversation that I'd had with Leonard, it was in MailStore, and I'd be able to grab it. But there was just no need to keep it online in Eudora because at some point Eudora does seem to get a little choked up when things get too big.

PADRE: I just checked. JammerB, if you look at the other screen, I'm really close to zero inbox, on the lower left-hand corner. I've only got 1,516 items in the main inbox. So I'm pretty good, actually. This is a good day for me. Oh, no.

Steve: No, I'm the same way. There's just too much incoming from all different directions. And so I deal with what I can.

PADRE: All right.
Now let's get into the real meat. And it was fun talking about breaches, fun talking about SMS. It was fun talking about Intel's little hidden processor. But now we need to learn all about control-flow enforcement technology. What is that, Steve?

Steve: So I'm excited about this because this represents an evolution of - a simple and compatible evolution of the architecture of the Intel processors to directly address two of the biggest problems that we currently have with what hackers are able to do to abuse code that has errors. We're closing in on the end of Year 11 of this podcast. And for the entire duration of that time, we've been talking about the famous buffer overrun errors. And then also more recently the so-called ROP (Return-Oriented Programming) hacks where - and in fact I'm sure it was a podcast you and I were doing. We were talking about an Adobe Flash exploit. And they used a return-oriented programming hack in order to run some code in order to get loose of their containment and run some code that was in Flash that allowed them then to essentially bootstrap themselves to full system privileges.

Okay. So Intel has added, or will be adding, two new features to all future processors. There's something called - they're adding a new instruction called the ENDBRANCH instruction, and a new feature of the architecture known as the "shadow stack." And of course, again, these problems have been plaguing the industry for, well, forever. And I remember talking about once Steve Ballmer had a meltdown during some sort of Microsoft security summit - I don't think it was a public event, but it ended up being public - where he was ranting, asking how it was - I think it was after XP's launch because of course he was very vocal in talking about how XP was going to be absolutely the most secure operating system ever. And of course it was after XP and due to XP that we had Code Red and Nimda and, I mean, those were really the last highly prevalent worms that got loose on the Internet because Windows XP was such a catastrophe. And so he was famously ranting, asking how can it be possible that we're still having these problems? He just didn't understand. And of course what we've been talking about recently is that older software, which you leave alone, that you find the problems in, but you resist touching, ends up being more secure than newer software, even if the newer software is implementing new security features, because the software itself is the problem, rather than the features that it's trying to offer. What we find is, in the real world, any new code generally has problems. And so what that argues for is, if it's not broke, don't fix it. Leave it alone.

So I got a big kick out of this because I talked about last week how this will be the subject of this week's podcast. And I got a tweet from somebody from Intel, his name is Steve Fintel. I guess that's his real name. Maybe it's Steve F. at Intel. I don't know. But anyway, he tweeted me, he said: "I see your Security Now! topic for next week is Intel's CET. I," writes Steve, "was the Atom Processor CPU planner when we got approval to integrate CET into Atom, ahead of Core on Xeon. When I was preparing the material to pitch CET to management, I pointed people to Security Now! Episode 211 to explain what ROP was." So I got a big kick out of the fact that this podcast was used to explain to management why return-oriented programming was a problem, and that they were using this CET, this control-flow enforcement technology, to deal with it.

Okay. So, as I said, there are two components to CET. We'll tackle them separately. The first is ENDBRANCH, and the second one is the shadow stack.
So the problem with return-oriented programming is that it's a clever way that hackers have figured out to get code executed that already has privilege to execute. What I mean is that one of the ways that - so there have been previous efforts, sort of an ongoing effort over time, to better secure and lock down our systems using hardware, that is, using architectural improvements. One of them is the so-called NX bit, the No-eXecute bit. And that was added to systems after noticing that a frequently occurring problem with security, that is, that hackers were able to leverage, is that they were able to provide data to the target system, the exploit target, and get that data to execute. That is, there was no differentiation, there was no separation between the data and the instructions. And in fact, in classic architecture, standard von Neumann computer architecture, you do have a mixed data and instruction space. You have a single memory space, as opposed to a Harvard architecture, where instructions are separated from data. They're completely separate. The architecture that has generally succeeded has data and instructions existing in the same memory environment. Well, that creates an inherent problem because it means that, if you can somehow get the chip, get the processor to execute a jump instruction into the data, it will execute data as if it's instructions.

So the so-called NX, the No-eXecute bit, it's a flag which was added to the hardware, so it's enforced by hardware, which says this region of memory cannot be executed. So anytime the instruction pointer in the processor is jumped into a region of memory with the No-eXecute bit set, it just causes an abort. Basically, it safely terminates the program, and without executing even that one single instruction that it was aimed at. So that was the first countermeasure against bad guys being able to use a buffer overrun to provide the data that would be then executed.

But they're very clever, these hackers. And so they said, okay, now the data is marked as non-executable. So what are we going to do? And they said, well, where can we find some executable instructions? And it's like, well, the computer's full of them. Look at that operating system. It's got all kinds of instructions, all over the place. So what they cleverly figured out was it was possible to execute instructions already there, that is, little snippets of code, typically at the end of a subroutine, because they generally don't want to do all of what an existing subroutine does. That's not going to be what they want. Typically, they'll find some instructions that already exist in Ring 0 in the kernel that are privileged, which when executed do something they need. And typically it's lift any other restrictions on them. That is, they can't do too much. But if they can simply find a little snippet of code that, for example, turns off the NX bit, then suddenly they can execute whatever they want to in the data space. So what the hackers do is they arrange to jump to near the end of an existing subroutine of code, which naturally is executable because it's in the kernel. It is executable by definition. And those few instructions will be executed, and then the return instruction at the end of the subroutine is reached, which returns control to them - and normally, with whatever they wanted to get done, done. Maybe the NX bit has been flipped off, or the range of memory they can access has been extended to the entire range, so they're no longer restricted by the memory map of the system. Whatever.

So Intel was saying, okay. How can we fix this problem? And they came up with just the cleverest solution.
PADRE: Would this be ASLR?

Steve: Well, okay. So good point. That was the first mitigation, was address space layout randomization. So here we had this problem of people jumping into known locations in the kernel and just, like, doing that with abandon. So the first mitigation, well, okay. The first was DEP, data execution prevention that we talked about, with the NX bit. The second one was, after that sort of didn't solve the whole problem, they added ASLR, address space layout randomization, where the operating system at boot time, as it's loading, would deliberately randomize where the various blocks of its own code were loaded in memory. There's a whole process called "fixup," where the addresses of all the different modules are sort of established. But the loading order was normally fixed, that it was just sort of default. It didn't have to be that way. It was just that way because no one bothered to scramble it up. So they said, well, let's scramble it up on purpose. So that's address space layout randomization. It turns out, though, that for architectural reasons, the granularity of their ability to place things in random places isn't very good. And it's possible for malicious code to probe for the location of code in the kernel, or just to not work as well. For example, oftentimes the granularity is just eight bits, so 256 possible locations for the various modules. So if it just guesses one of the locations, it's going to be wrong 255 out of 256 times. But it's going to be right one out of 256 times. And so that's a low probability of success exploit, but it's better than zero. And if you've got enough machines in a huge environment on the Internet, and if you just - if somehow you can try again, even on the same machine, you're going to get lucky sooner or later.
PADRE: Steve, if it guesses wrong, if it's one of those in the 256 that it didn't get, does it just crash that thread? Does it crash the machine? What would a user see if it was an unsuccessful attempt to access code where it thought it was in memory?

Steve: It would be bad.

PADRE: Okay. It would be a bad thing. I got it. Okay.

Steve: Yeah. It would be like I don't know why my computer just froze.

PADRE: All right.

Steve: I don't know why my mouse stopped working. I got a Blue Screen of Death. So you go, oh, shoot. And so you reboot, and it doesn't happen again. It's like, huh. That was weird. I wonder what happened? And so you don't know that something just tried to own you, but guessed wrong.

PADRE: Right, right.

Steve: All you know is that your system went wonky, but now it seems fine. So okay.
PADRE: Let me back my propeller hat off a little bit because I love the execution of this. I mean, of course it can be used for nefarious reasons. But when we typically talk about exploits, we talk a lot about buffer overflows because it allows for arbitrary code execution, which I've always enjoyed. But this idea of being able to do what amounts to arbitrary code execution, using code that's already loaded into memory, that's far more elegant. I mean, this seems like something that would be incredibly difficult to figure out because it's not your code that you're running. You're running snippets of other people, other companies' codes, to get it to do what you want it to do.
Steve: Right. And I've looked at what they've actually done. And in some cases it's as clever as - okay. So instructions are typically multi-byte things. So the opcode, some opcodes are just, like operation codes, are just eight bits. But Intel is a variable instruction-length architecture, where instructions that are more complex or used less often will have a prefix that says the instruction is a member of this group, and then the succeeding bytes provide more definition. And then you often have arguments to that instruction. So these guys, the hackers, are so good that they're not even jumping into the beginning of an instruction. In some cases they're jumping into the middle of a single instruction's multiple bytes and realizing that they want this opcode, which happens to be the third byte of a multi-byte instruction, but it's going to do what they want. I mean, it's just, when you look at it, you think, wow. I mean, we're talking serious deep voodoo in order to make this work.
PADRE: See, I don't even get that because - especially with ASLR. So since it's pseudorandomized, where those little bits and snippets will be placed inside of memory, it only has to guess wrong once in that entire string of bytes that it's pulling out of different available spaces of memory. It seems as if the odds are not just stacked against this working, but they're incredibly stacked against it working. And yet, as you're describing it, it seems to work. How do they do that? Can they just naturally assume that some spaces in memory are going to be safely where they think they'll be?

Steve: Often it's possible - well, for one, yes. But often it's possible to probe where these large block modules are located. So, for example, when you return from a subroutine, the stack - and we'll be talking about the stack when we talk about the second part of this, the so-called "shadow stack." The execution stack is where the return address is stored when you go to a subroutine. And so it uses the return address on the stack to get back to you. But it's often the case that you're able to look at the code that called the subroutine, and that completely decloaks it. If you're able to see a call to the subroutine, now you know exactly where at least that large module is located. And then you use an offset from that in order to execute the code you want.
PADRE: So once you get the proper response, you know how long that code snippet is, and you know exactly where you need to jump in to get the opcode you want.

Steve: Exactly.

PADRE: So how deep are we getting? Are we talking about like assembly type codes at that point?

Steve: Oh, yeah, yeah.

PADRE: Are they pulling, like, pushes and pops?

Steve: Yes.

PADRE: Really.

Steve: We are down at, for example, a return - okay. There's a no-op and a return. They're either 60 or 90, and I don't remember which is which. But, I mean, this is the way I code. So I don't actually always look at the machine language, but I'm used to seeing 90s and 60s, either as no-ops or returns. And so it's literally that pattern of bits is the computer interprets it that way. So here's the brilliance of what Intel's - the first part of this. They created and they defined a new instruction called the ENDBRANCH instruction. And it is simply this. That instruction must be the target of a call or a jump instruction. That is, in this new architecture, when this is enabled, that instruction, ENDBRANCH, is the only valid destination for a call or a jump.
PADRE: Okay.

Steve: So what that would mean is the beginning of every subroutine would start with an ENDBRANCH.

PADRE: Got it.
Steve: And what's so clever about the implementation, I just love this, is we talked about the architecture of processors years ago, did a whole series, followed the evolution of architectures all the way up. And at some point in any processor, you have an instruction pipeline. That is, you have a series of instructions, one after the other, that the processor is executing. And the brilliance of this ENDBRANCH is that the way Intel implemented it, as the processor is reading through instructions, there's a little - it has a tiny little state machine. When it encounters a call or a jump, which are the two instructions - a call says I'm going to call this function and expect it to return to me. A jump is I'm going to jump somewhere, and then whatever happens, happens. But either of those have to have and have to land on an ENDBRANCH. But think about what that means in terms of the instruction pipeline. It means, in the pipeline, there is going to be a call or a jump instruction. And the immediately following instruction has to be ENDBRANCH. That is, the thing fetching instructions on behalf of the processor, after it fetches a call or a jump and executes it, the next thing it fetches is an ENDBRANCH because that's where the call or jump have to jump to.

PADRE: It hands off control to that ENDBRANCH.

Steve: Exactly. And so the Intel design, they added a tiny little state machine that just sort of supervises the execution stream. And if it ever sees a jump or a call, it looks to verify that the immediately succeeding instruction is ENDBRANCH. If not, it raises an exception and aborts the process.
PADRE: Okay.

Steve: So this completely solves the ROP, the return-oriented programming problem. You can no longer jump. Nobody, not even good code, but good code doesn't. Good code has no reason to do a far jump or call into the middle of some subroutine somewhere. It always wants to come in at the top. So essentially what this does is, by putting ENDBRANCH instructions as the first instruction of all of your subroutines, it defines the single legal entry point for subroutines. And any attempt to jump into the middle or near the end, which is the way the ROP typically occurs, immediately aborts the process, and nothing bad can happen to your system.

PADRE: I love that. That's absolutely elegant.
Steve: So elegant. Oh, and Intel also chose the specific ENDBRANCH instruction so that it is a no-op, a no-operation, on all current and past generations of chips. It's an unused, do-nothing byte sequence. Which means that, when compilers begin compiling code with ENDBRANCH awareness turned on, so that they're sticking these little ENDBRANCH instructions at the beginning of all the subroutines in the system, that same code can run perfectly on older systems that don't have ENDBRANCH. The processors are just going to say, gee, that's weird. I wonder why all of the subroutines start with a no-operation? Oh, well. Who cares? There's nothing here to do, so we'll just go on to the next one. So it's beautifully backward-compatible to previous architectures.

PADRE: The only way you could exploit this is if somehow you exploited that stateless machine that's looking for the ENDBRANCH.

Steve: That's in the hardware.

PADRE: That's in the hardware, so good luck with that.
Steve: It's built, it's like, right down in the instruction set. The only thing I could think is that, if there was a full function that you could use, that is, not just a few instructions at the end of a subroutine, but if somehow the whole function was usable, but that's generally not doing what you want. Normally it's a clever re-use of existing code, very much near just before a return instruction, is what the bad guys have been using. And this ends that.

PADRE: Besides, calling on a full function, if it will be allowed by the ENDBRANCH stateful processor, that's going to hand off control to whatever that function had originally been connected to. It's not going to come back to you as the attacker. I couldn't think of a complete function that you would be able to use to bypass authentication.

Steve: Yeah. It would be unexpected. But Part 2: The Shadow Stack fixes that.

PADRE: No. Why can't we just end with the happy news, Steve? Why do we have to get to the depressing stuff? All right. You've heard about the brilliant way to stop ROP, the brilliant use of ENDBRANCH, and now Steve Gibson is going to let it crash down all around us.
Steve: Okay. So the second part of this is another new feature that Intel put into this CET technology. To understand this we need to go back a little bit and look at the concept of a software-accessible stack. I would argue that the concept of a stack is probably one of the greatest innovations in computer science. Old machines didn't have a stack. These three PDP-8s have no stack. There was no concept of a stack in them. There's an instruction to allow a jump to a subroutine. But the way it works is - so the problem is, if you jump to somewhere because you want a subroutine to be executed, how do you get back? If you just do a jump instruction, then you're somewhere else. But how does that place where you are know where you were? So on these older machines, on these 12-bit PDP-8s, there is a jump to subroutine. The way it works is the best they could do at the time, and that is the instruction that you jump to is where the address is stored of where you were. And then execution begins with the instruction afterwards. So on those old machines, the first instruction of a subroutine is blank because that's going to actually be where the computer stores the address that you came from so that, at the end of the subroutine, you're able to go back. Now, that's cool, but it's got a problem. And that is that it doesn't allow recursion. That is, for example, that subroutine itself, nor any other subroutine it might call, could ever call it because, if they did, they would overwrite that return address that was stored at the top. In other words, that system it works, but you have to be very careful that no way for the code to execute would ever allow the subroutine to be called again before it had returned to its caller. So that older system does not support any kind of recursion. We solved that problem not long after that, actually, by implementing a stack architecture in the machine. And, I mean, it's such a win that you don't - there just are none any longer, unless they're operating on my bookshelf, that don't have stacks.

So what is a stack? Everyone's sort of familiar with this notion of pushing and popping. You push something on the stack; you pop something from the stack. To really understand its value we have to go a little bit beyond that. But just looking at that, and using the example I was just giving with a non-stack machine, imagine that there's this thing, which we'll sort of leave undefined for a moment, called a "stack," where you can push and pop. That is, and you don't have to worry about any of the details. So in a stack system, when you're jumping to a subroutine, you push on the stack typically the address of the next instruction, and then you jump to wherever you want to go. And then that subroutine is executed. And then the way that subroutine gets back to who called it is the stack is popped, which reveals the address of the instruction underneath the one that called the subroutine. And so you do what's known as an indirect jump, that is, you jump to the address on the stack, which brings you home, brings you back. Now, one of the beauties of that is now you can do recursion because, for example, that subroutine that you jump to, it could call itself, if it wanted to, because it would, if it called itself, it would push the instruction next in line for where it's calling itself on the stack and then call itself. And then if that subroutine then returned, it would pop the stack, which would reveal the instruction in that subroutine, returning to where it came from. And then if that returned, it would pop the stack again and come back to the original caller. In other words, it's this incredibly convenient scratchpad, but it is strictly sequence-based. That is, the order in which you push things, they are popped off in the reverse order. And so that's one of the brilliant insights to this concept of a stack. And with that, for example, you get this amazing convenience of having subroutines able to call, you know, pretty much do anything they want to. They can call themselves; they can call other people that call them. And finally it all sort of unwinds itself back to the original caller by removing things in the reverse order that they were put on the stack.

Well, there's something more you can do with it that is even more clever. And that is you can use it to pass parameters to functions. So say that you wanted to put a circle on the screen at a certain coordinate where the upper left corner and the lower right corner were at two coordinates. And so you had a subroutine that could draw circles. But it didn't know where you wanted to draw them. So what you do is you push on the stack the coordinates for the upper left and the lower right. And then you call the circle function. The circle function knows to expect its parameters to be on the stack. So in all these systems there's something known as the "stack pointer." It's a register that points to the top of the stack. Well, since several of these parameters were pushed down on the stack, then the return address was pushed on the stack, this subroutine is able to look at an offset from where the stack pointer currently is. That is, it's able to sort of look down into the stack, into the history, and find its parameters there. So it goes and looks deeper in the stack, finds its parameters, draws the circle. Then it returns, and the function which called it, which pushed those things on the stack, typically removes them from the stack. So the calling function pushed some things on the stack; called the circle draw, which knew where to look for them. Then it returned, and then the caller says, oh, I put some stuff on the stack which the other guy used. Now I'm going to free them. So essentially the same number of things it pushed on the stack, it pops, in order to discard them, essentially. So this has been very, very clever.

Now, there's one more thing that the stack is typically used for. And that's local variables. We just talked about passing parameters on the stack. The final thing is, say that this circle draw subroutine needs to use some memory to do its work. It needs some scratchpad memory. It can use the stack, too. It essentially can do the equivalent of pushing some blanks, some blank space on the stack. And it knows where those blank spaces are. So it's freely able to use them as scratch memory. If it calls some other function, that's fine. It might push those parameters on the stack, then call the function, and so forth. The function comes back. It pops those parameters, and everything is sort of undone. So again, we have this incredibly convenient scratchpad facility where we're able to put parameters on the stack. The stack is able to store where we came from so we can get back there, and we're able to use that stack as local scratchpad.

Now, it turns out this is, clever as it is, convenient as it is, this is the cause for more of the pain. This is why Steve Ballmer had a meltdown. This is the buffer overrun problem. Why? Because, think about it, we are mixing in one place both data and execution pointers. Those return addresses that are on the stack that get us back to where we came from, the processor just assumes they're valid. It doesn't know. When you hit a return instruction, it pops it off the stack and goes where that says. But that return instruction was living right next to data, scratchpad data, that the program may have been using for its own purposes. What if the program allocates a buffer on the stack and then fills it with data that it receives from the Internet? And what if that...
PADRE: Oh, no.

Steve: Yes, yes. And it's so convenient. The stack is there. It grows and shrinks as you need it. Everybody uses it because it's just - it's self-serve. It's like, oh, I need a buffer. Allocate a block of memory on the stack. It's always going to be in memory because it's not going to get swapped out. It's local. It's fast to access. It's brilliant. But you have to use it perfectly. Otherwise you get in trouble. And so hackers have exploited mistakes in code to write their own data and even overwrite like four bytes past where you should. That's the return instruction from that subroutine, which the processor is going to believe. And so if a bad guy can supply data and manage a buffer overrun, that wipes out the proper return instruction. So when the processor tries to return from that subroutine, it goes somewhere else.
PADRE: And this would get them past ENDBRANCH; right? Because, I mean...

Steve: Precisely.

PADRE: It's just checking for the ENDBRANCH. It's not actually verifying that it's returning to what the ENDBRANCH said it should return to.

Steve: Right.

PADRE: Great.
Steve: Right. So it provides a way for malicious parties to disrupt the proper execution of the code. So, and where does the problem come from? The problem comes from the fact that we are mixing data and execution. We're mixing like program data and processor instruction data, mixing it all up in the same structure on the stack. So what Intel did is another piece of brilliance. They said, we're going to create a shadow stack. The problem with the main stack is that, I mean, the beauty is it's so handy. You push parameters on it. You call a function. The function can allocate its own local variables, and they'll be discarded when the function exits because the stack will be popped. And then the return instruction returns to where it came from, and the caller pops its parameters that it had pushed for the callee, pops them, I mean, it's brilliant. But the problem is it's under program control, and it mixes data and execution. So Intel with CET is creating a shadow stack that the programmer, the normal system, has no control over. And the only data that are pushed and popped are the ones that have implied use of the stack. That is, a call instruction has an implied use of the stack because the return from the call is automatically pushed on the stack. Similarly, the return instruction from a subroutine has implied use of the stack because the return instruction always gets the address it's going to return to from the stack. So what the shadow stack does is it obeys the same implied activities for calls and returns. But the programmer has no access to it. That is, when you're pushing things on the stack, you're only pushing them on the visible stack. When you pop them, you're only popping them from the visible stack. But when you do a call, the visible stack and the shadow stack both store the return address. And here's the key. When you do a return, the system verifies that the shadow stack's return address matches the visible stack's return address.
PADRE: Ah, there we go.

Steve: If they don't match, something is wrong, and the process is terminated. So that completely prevents malicious use or even mistaken use. This will catch bugs faster than anyone's business, immediately catch the bug. But it will also immediately shut down anyone trying to use stack manipulation, buffer overruns, in order to get their own code to execute, to disrupt the function of a return instruction, to have that return instruction go somewhere else because it won't match what the shadow stack has because the shadow stack they have no control over, and it will always have the original true and correct return address. If the system tries to return to an address that the shadow stack doesn't agree with, it immediately produces a system exception and stops running. So it's just beautiful.
PADRE: I see how this works, Steve. But am I going to get a performance hit from checking two stacks?

Steve: No, it's all in the hardware.

PADRE: Oh, nice.

Steve: Yup. No effect whatsoever. The burden's on Intel. The chips are going to get bigger. The wattage is going to go up. They're going to burn more power. There's going to be another bazillion little transistors. But it just all happens by magic. So I just think it's very cool.
PADRE: [Vetman] in the chatroom asks if this requires OS support. It shouldn't, though. It's hardware control; correct? I mean, the OS just would be told it's an invalid instruction.

Steve: No, I think it would require at least a driver. Something in the kernel would need to turn this on. And Intel will be defining some new exception errors. And so the operating system would gain control and then decide what to do with it. So there would be new features in the chip. But it would probably be a matter of just adding a kernel driver to it instead of like a whole new operating system.

PADRE: Okay, so then that's what they would go after. They would go after the driver and basically just tell the driver to keep saying it's okay, it's okay, it's okay.

Steve: In order to disable the shadow stack.
PADRE: All right. So that will be on a future episode of Security Now!. Once this gets implemented perfectly, someone will have infiltrated the driver, and the shadow stack will no longer work. I love the game of cat and mouse, Steve, and no one plays it better than you. We've heard about SpinRite. We know that it's the tool that needs to be in all of our toolkits. Can you tell them where they can find you? Where they can find your work?

Steve: Well, after 1.26 million people, I think it is, downloaded Never10, everybody pretty much knows: GRC.com.
PADRE: I did not download Never10. And I actually had three different machines that were hit by just weird Windows 10 updates.

Steve: Yeah, 1.266411 million downloads.

PADRE: Wow. And how long did that take?

Steve: To do what?

PADRE: To get that 1.2...

Steve: Actually, I think this began in April. And it sort of - it cruised along for a while. But it was only like in the previous month, when Microsoft really put the screws on and really began to get more desperate, we saw a huge surge in downloads. But it is the fastest, most popular piece of freeware in the history of GRC. We have things that over two decades, things like - what was that little firewall tester? Leaktest. I don't know, like seven million downloads or something. But it's been decades. This thing is a few months old, and it's at 1.266 million downloads. There's never been a more popular piece of freeware that I've written.

PADRE: It just goes to show you, we've got empirical evidence on how many people are annoyed by Microsoft's super-aggressive Win10 upgrade.

Steve: Exactly.
PADRE: Steve Gibson, of course, the brain behind the GRC.com. He is my personal guru for all things security. And more than that, Steve, it is always a pleasure to be able to chat with you, just to sit back and let the propeller-head go. Sir, please, please, next time Leo goes away, please put in a good word for me.

Steve: It's been my pleasure, Padre, as always.

PADRE: Of course, that does it for this episode of Security Now! Don't forget that we're live here on TWiT.tv, live.twit.tv, every Tuesday at 13:30 Pacific time. Steve will always be here to inject you with some healthy paranoia and keep you safe in the wonderful world of insecurity. Now, you can find all of our shows on the TWiT show page at TWiT.tv/sn, that's for Security Now!, as well as on iTunes, Stitcher, and wherever fine podcasts are aggregated. You can also find high-quality audio downloads on GRC.com, which is also where you'll find all the goodness that is SpinRite, ShieldsUP!, and coming soon SQRL. Oh, and don't forget Never10. I'm Father Robert Ballecer, the Digital Jesuit, in for Leo Laporte, saying that, if you want to keep your data into the future, you've got to remember Security Now!.
Copyright (c) 2014 by Steve Gibson and Leo Laporte. SOME RIGHTS RESERVED. This work is licensed for the good of the Internet Community under the Creative Commons License v2.5. See the following Web page for details: http://creativecommons.org/licenses/by-nc-sa/2.5/