Tuesday, 28 August 2007

Endless suffering of the security brains

I started talking about Web2.0 security in fairly simple terms some time ago, on the back of something someone else said, just to explain it to myself really. I find it interesting that the Long Tail that is creating such an economic phenomenon, enabled by the web, is causing such a security issue. Then I couldn't help noticing all the attention VMWare has been getting recently, for exactly the same issues. Hoff waded in over the weekend with all sorts of new-fangled words and explanations to make my brain bleed, but the underlying message is exactly the same. Web2.0 security and hypervisor security are evidently very closely related.

Where Web2.0 (and no, I don't approve of the term, but it serves a purpose) is made up of applications bringing together data and other applications in new ways, to create new workings of the web as we know it, so hypervisors (the layer underneath virtual machines, to you and me) do the same in a more localised environment. Thankfully, Mogull's back on the scene, and finished Hoff off before I even woke up this morning, with a "dump the problem to hardware". But it seems that you don't even have to be that concerned about the hardware if you have a reliable, secure framework.

The guys at Matasano, more precisely Thomas Ptacek, have all the info on this, which is worth reading a few times. Slowly. And then again. I'm on at least my fifth reading by now, and I learn more each time. By now you will have seen the Black Hat presentation from MC telling how they can always detect the BluePill rootkit, and it is evident that their Samsara offering is THE thing which I said I had no idea how to create: a framework for detecting virtualised malware. How I wish I'd been at BlackHat.
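To make "detecting virtualised malware" concrete, here is an added example of the kind of probe such a framework runs. It is not Samsara's code and not from the Matasano or Black Hat material; it is my own illustration. It does two things: reads the CPUID "hypervisor present" bit (leaf 1, ECX bit 31), which a cooperative hypervisor sets but a stealth rootkit would hide, and then times CPUID with RDTSC, because CPUID forces a VM exit under VT-x/AMD-V and so costs far more cycles when a hypervisor sits underneath. The sample count, the cycle threshold and the constructed sample set are assumptions for illustration, not measured values from the talk.

```c
/* Added example, not Samsara's or Matasano's code: a minimal hypervisor
 * presence probe. Check 1: CPUID leaf 1, ECX bit 31 ("hypervisor present").
 * Check 2: median RDTSC latency of CPUID, which VM-exits under VT-x/AMD-V.
 * Threshold, sample count and the constructed sample set are assumptions. */
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>       /* __get_cpuid, __cpuid (GCC/clang) */
#include <x86intrin.h>   /* __rdtsc */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Leaf 1, ECX bit 31: set by VMware, KVM, Xen, Hyper-V; hidden by a stealth rootkit. */
int hypervisor_bit_set(unsigned int ecx) {
    return (ecx >> 31) & 1u;
}

static int cmp_u64(const void *a, const void *b) {
    unsigned long long x = *(const unsigned long long *)a;
    unsigned long long y = *(const unsigned long long *)b;
    return (x > y) - (x < y);
}

/* Median of cycle counts; sorts in place. Median resists interrupt outliers. */
unsigned long long median_cycles(unsigned long long *samples, size_t n) {
    qsort(samples, n, sizeof *samples, cmp_u64);
    return samples[n / 2];
}

/* Assumed decision rule: native CPUID is on the order of 100 cycles,
 * a VM-exit round trip is in the thousands. */
#define CPUID_EXIT_THRESHOLD_CYCLES 1000ULL

int latency_indicates_hypervisor(unsigned long long median) {
    return median > CPUID_EXIT_THRESHOLD_CYCLES;
}

/* Constructed sample set (not measured): one interrupt outlier among native-looking readings. */
unsigned long long constructed_sample_median(void) {
    unsigned long long samples[] = { 5000, 80, 90, 100, 120 };
    return median_cycles(samples, sizeof samples / sizeof samples[0]);
}

/* Live probe. Returns 1 = hypervisor indicated, 0 = none seen, -1 = not x86. */
int probe_hypervisor(unsigned long long *median_out, int *cpuid_bit_out) {
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    *cpuid_bit_out = hypervisor_bit_set(ecx);

    enum { N = 101 };
    unsigned long long samples[N];
    for (int i = 0; i < N; i++) {
        unsigned int a, b, c, d;
        unsigned long long t0 = __rdtsc();
        __cpuid(0, a, b, c, d);   /* serialising; unconditional VM exit under VT-x */
        unsigned long long t1 = __rdtsc();
        samples[i] = t1 - t0;
    }
    *median_out = median_cycles(samples, N);
    return *cpuid_bit_out || latency_indicates_hypervisor(*median_out);
#else
    (void)median_out; (void)cpuid_bit_out;
    return -1;
#endif
}

int main(void) {
    unsigned long long median = 0;
    int bit = 0;
    int r = probe_hypervisor(&median, &bit);
    if (r < 0) {
        puts("probe unavailable: not an x86 CPU");
        return 0;
    }
    printf("CPUID hypervisor bit: %d\n", bit);
    printf("median CPUID latency: %llu cycles -> %s\n", median,
           r ? "hypervisor indicated" : "no hypervisor indicated");
    return 0;
}
```

Build with `gcc -O2 probe.c -o probe` and run it natively and inside a VM to see the two regimes. The caveat, and the crux of the Ptacek argument, is that a hypervisor can also intercept or offset RDTSC, so a rootkit can shrink the visible gap; what it cannot do is hide the extra wall-clock time from a clock it does not control, which is why a serious framework compares against an external time source rather than trusting the guest's counter alone.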

[Note: I find it ironic that Samsara is a term used in Buddhism which can mean not only "cyclic existence", which I believe is the allusion Thomas et al were aiming for, but also "endless suffering", which may be closer to the truth for them. And what's with all the Buddhism/security stuff around at the moment?]

Thomas, having put in what seems like a lifetime of research from the quality of the results, comes to the conclusion that:
"Hypervisor rootkits are not a major threat."
What? Why didn't you just say that in the first place? Why on earth put all that effort into just proving Joanna Rutkowska wrong? Should we all carry on looking at something else...? Hang on!

Hypervisor rootkits may not be a major threat, but Web2.0 security is a huge problem. Can we apply what we know here to "the Internet" as described in my original post? I believe this is what Mark Curphey is trying to do with SourceClear, and I really believe it is the way forward. I've been a believer in such frameworks for some time, but as Rich will probably point out at some stage, there's really very little in the way of business drivers for such things to be deployed in any great mass.

I'd like to see Microsoft and/or VMWare pick up Samsara/SourceClear and any number of other security frameworks, not to improve business in any way, but to improve the future of security. To make our conversations more interesting if nothing else.

As Rich says, can we talk about DLP again now, or CMF (content monitoring and filtering) as Chris has dubbed it? I've also used this term since because I like it and it seems to describe a much more specific problem. Now I'm satisfied that all of this hypervisor and Web2.0 stuff can be ignored, I'm back to playing with the data.
