Dailydave mailing list archives

Palladium, Memory Forensics, Clouds.


From: Dave Aitel <dave () kof immunityinc com>
Date: Wed, 20 May 2009 20:29:43 -0400

A few things stand out from my thoughts here, as I pack up to return from
Hong Kong.

The first thing is that Microsoft's best hope for Windows is to make it the
only platform you can trust with your identity. If you have "end to end
trust" then your ISP can say "only machines signed to your identity are
allowed on the Internet". They can sell you internet where only IE can
access it. How cool is that? See, not cool at all. Consumers hate it and
people don't trust Microsoft as a company, which is why the people excited
about it are DRM focused or just evil in general.

But having the whole stack be "trusted" with a global PKI system is
something your bank wants so that it can lower fraud rates. Having every
email you send and receive encrypted and signed (obviously the default will
be signed only, for political reasons) will eliminate spam as a matter of
due course. There's just so many good things that come with "end to end
trust". You could send an email from a trojaned box securely to someone else
with a trojaned box. The title bar of your window would say "signed to
Microsoft Outlook" and the hypervisor would encrypt the whole transaction
from your keyboard presses to the pixel display in a process space no other
process or kernel task can access.

If this comes to pass, Windows is literally your wallet, and gets cemented
in the ecosystem as the only thing that can hold your money and identity.
It's a good play and it's still a primary focus for Microsoft - still their
best hope for regaining prominence. It might even work.

And of course, there was a lot of chatter at SyScan about cloud computing.
The smart money is bearish on it. Google and the other cloud providers want
to convince businesses that no matter how sensitive their data is, you can
store it on a shared infrastructure. This is not even close to true. Shared
infrastructures are the next generation of shared hosting providers -
they're for students and open source projects. Not businesses and definitely
not governments. Eventually we'll see the cloud providers move towards
offering private clouds with better security guarantees, which is when
adoption will start really accelerating.

It used to be banks were becoming IT companies, but now it's IT companies
that are becoming banks, all asking us to trust them more than their
competition.

The other thing that keeps coming up is memory forensics. You can do a lot
with it today to find trojan .sys's that hackers are using - but it has a
low ceiling I think. Most rootkits "hide processes", or "hide sockets". But
it's an insane thing to do in the kernel. If you're in the kernel, why do
you need a process at all? For the GUI? What are we writing here, MFC
trojans? There's not a ton of entropy in the kernel, but there's enough that
the next generation of rootkits is going to be able to avoid memory
forensics as a problem they even have to think about. The gradient here is
against memory forensics tools - they have to do a ton of work to counteract
every tiny thing a rootkit writer does.

With exploits it's similar. Conducting memory forensics on userspace in
order to find traces of CANVAS shellcode is a losing game in even the medium
run. Anything thorough enough to catch shellcode is going to have too many
false positives to be useful. Doesn't mean there isn't work to be done here,
but it's not a game changer.

Anyways, a fun SyScan. Next stop Miami!

-dave
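An added illustration of the "hide processes" point above, written for this archive page and not code from the post or from any real forensics tool. It builds a constructed, deliberately simplified "memory image" (a hypothetical `Proc` pool tag followed by a fixed-size process record, with list links stored as image offsets; real EPROCESS and pool layouts are much more complex) and runs the cross-view check that memory forensics tools use: walk the active-process list, scan the whole image for tagged records, diff the two. A record a rootkit has unlinked from the list still shows up in the scan; an implant that lives only as kernel code, with no process record at all, gives that particular check nothing to diff.

```python
"""
Cross-view ("pslist vs. psscan") detection over a constructed toy image.
Added example; layouts, tags and offsets here are assumptions for illustration.
"""
import struct

POOL_TAG = b"Proc"                   # hypothetical tag preceding each process record
HEAD_OFF = 0x100                     # list head: (flink, blink), stands in for PsActiveProcessHead
REC_FMT = "<IQQ16s"                  # pid, flink, blink, image name (all hypothetical fields)
REC_SIZE = struct.calcsize(REC_FMT)  # 36 bytes
FLINK_OFF = 4 + 4                    # tag(4) + pid(4)
BLINK_OFF = FLINK_OFF + 8


def build_image(procs):
    """Lay out the constructed image: list head plus one tagged record per (pid, name)."""
    image = bytearray(0x1000)
    offs = [0x200 + i * 0x100 for i in range(len(procs))]
    for i, (off, (pid, name)) in enumerate(zip(offs, procs)):
        flink = offs[i + 1] if i + 1 < len(offs) else HEAD_OFF
        blink = offs[i - 1] if i > 0 else HEAD_OFF
        image[off:off + 4] = POOL_TAG
        struct.pack_into(REC_FMT, image, off + 4, pid, flink, blink, name.encode())
    struct.pack_into("<QQ", image, HEAD_OFF, offs[0], offs[-1])
    return image, {name: off for off, (_, name) in zip(offs, procs)}


def read_rec(image, off):
    pid, flink, blink, name = struct.unpack_from(REC_FMT, image, off + 4)
    return pid, flink, blink, name.rstrip(b"\0").decode()


def dkom_unlink(image, off):
    """What a classic 'hide process' rootkit does: splice the record out of the
    list and leave its bytes in place."""
    _, flink, blink, _ = read_rec(image, off)
    if blink == HEAD_OFF:                       # predecessor is the head
        struct.pack_into("<Q", image, HEAD_OFF, flink)
    else:
        struct.pack_into("<Q", image, blink + FLINK_OFF, flink)
    if flink == HEAD_OFF:                       # successor is the head
        struct.pack_into("<Q", image, HEAD_OFF + 8, blink)
    else:
        struct.pack_into("<Q", image, flink + BLINK_OFF, blink)


def pslist(image):
    """Walk the linked list the way the live OS (and a naive tool) would."""
    out, seen = [], set()
    (cur,) = struct.unpack_from("<Q", image, HEAD_OFF)
    while cur != HEAD_OFF and cur not in seen:  # seen-set guards against cycles
        seen.add(cur)
        pid, flink, _, name = read_rec(image, cur)
        out.append((pid, name))
        cur = flink
    return out


def psscan(image):
    """Ignore the list entirely; carve every tagged record out of the image."""
    out, pos = [], image.find(POOL_TAG)
    while pos != -1:
        pid, _, _, name = read_rec(image, pos)
        out.append((pid, name))
        pos = image.find(POOL_TAG, pos + 1)
    return out


def cross_view(image):
    """Records the scan finds that the list walk does not: the hidden ones."""
    return sorted(set(psscan(image)) - set(pslist(image)))


def demo():
    # Case 1: a process-based implant hidden by unlinking -> the diff catches it.
    image, offs = build_image([(4, "System"), (1234, "explorer.exe"), (4321, "malware.exe")])
    dkom_unlink(image, offs["malware.exe"])
    hidden_by_dkom = cross_view(image)

    # Case 2: kernel-only code with no process record at all -> nothing to diff.
    clean, _ = build_image([(4, "System"), (1234, "explorer.exe")])
    clean[0x800:0x810] = b"\x48\x31\xc0\xc3" * 4   # constructed placeholder bytes, not real code
    hidden_kernel_only = cross_view(clean)
    return hidden_by_dkom, hidden_kernel_only


if __name__ == "__main__":
    print(demo())
```

The walk sees what the rootkit wants it to see; the scan sees what is physically in memory, which is why unlinking is a losing move for the rootkit. Nothing in the kernel-only case is a process, so the tool has to move on to scanning code regions, driver lists and callback tables, the escalating per-trick effort the post calls the gradient working against the forensics side.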
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
