iPhone X and Science Fiction

I usually do not comment on new products, but what I read about the new iPhone X made wonder if we are finally getting closer to the infinite number of science fiction computers that can really interact directly with a human being.

I guess that everyone remembers HAL 9000 from “2001: A Space Odyssey” (1968), and it had plenty of ancestors and an infinite number of descendants.

Rowhammer, SGX and IT Security

I am following with interest the developments of the Rowhammer class of attacks and defenses, here there is one of the latest articles. (As far as I know, these are still more research subjects than real-life attacks.)

Already at the time of the Orange Book (or more correctly the “Trusted Computer System Evaluation Criteria – TCSEC”) in the ’80s, it was clear how important the hardware is in building the chain of trust on which IT Security relies.

Rowhammer attacks follow from a hardware security weakness, even if this weakness is also a hardware strength: the increase in density and decrease in size of DRAM cells, which allows to build memory banks with lower energy consumption and higher capacity. Unfortunately this allows the near-location memory bit-flipping that can give rise to a total compromise of the IT system, that is a Rowhammer attack. It is true that there exist memory banks with Error Correction Codes (ECC) which make the Rowhammer attacks quite hard, but these memory banks are more expensive, a little slower and available only on high-end server computers. One can look at it as a hardware feature which carried within an unexpected security weakness.

As it turns out, it seems very hard to find software measures which can detect, block or prevent Rowhammer attacks. Many different software defences have been proposed, but as of today none is really able to completely stop all Rowhammer types of attacks. A hardware weakness seems to require only hardware countermeasures.

To make the situation even more intriguing, the hardware-based Intel SGX security enclaves can be mixed-in in this scenario. Intel SGX is a hardware x86 instruction-set extension which allows to securely and confidentially execute programs in an isolated environment (called a “security enclave”). Nothing can directly look into a SGX security enclave, not even the Operating System, to the point that data can be computed in it even on systems controlled by an adversary (but SGX security enclaves are not immune from side-channel attacks). Rowhammer attacks cannot be performed from outside against programs running in a SGX security enclave. Vice-versa, a SGX security enclave in some conditions can run, without been detected, a Rowhammer software to attack the hardware and programs running on it. Overall it seems that Intel SGX security enclaves can provide extremely interesting IT security features but at the same time can also be abused to defeat IT security itself.

All of this becomes more worrisome when thinking of Virtual Machines and Cloud Services.

 

Complexity, abstraction and security

Reading news like this one, I wonder how we could improve managing IT security or just be able to keep up with the current development of IT. I see two main trends:

  • complexity: IT systems are getting more complex at a very high speed; every system should connect with every other, should provide an incredibile number of features to different users, should run on many different platforms, and so on
  • abstraction: to be able to manage this complexity, the approach is to abstract the programming and managing level of IT: programming can take advantage of existent modules and just connect them appropriately at the functional level, providing also functionalities to monitor and manage the IT system themselves (for example it is now possible to deploy entire applications or virtual infrastructures just with a couple of “clicks”).

But what about security? Even if each component is “secure” (according to some definition of this word), how can be evaluated the “security” of the current and future IT systems?

There is no doubt that IT security in the last years has been a difficult subject, but I believe that in the next future we’ll need some new approaches and tools to be able to tackle the management of IT security due to the ever increasing complexity of IT systems.

A Practical Look into GDPR for IT – Final Part 3

I have just published here the third and last article of my short series on the EU General Data Protection Regulation 2016/679 (GDPR) for IT.

In this final article I discuss a few points about the managing of data breaches and of the IT measures required to satisfy the citizens’ rights on their personal data managed by IT systems.

On Manufacturing, IoTs and IT Security

Since many years we are quite used to the fact that products, of any kind, contain digital and electronic components. The process of manufacturing products and integrating digital and/or electronic components is by now quite well established and robust. The most important requirements to the digital / electronic components is that they perform their tasks correctly, effortlessly and that they are reliable. Security is mostly perceived as safety for example from electric shock or from the behaviour of the product induced by the digital / electronic components. It is not important that the digital component has features which are not used by the product, or that it has been designed for other purposes as far as it performs correctly as a component of the product.

But the scenario changes dramatically if the digital component is connected to a network, in particular Internet. In this case the product becomes part of the “Internet of Things” (IoTs). Then the security perspective changes completely. For example, those unused features of the digital component, if not correctly configured and managed, can be abused and become a serious security threat. What bad can be done with a washing machine connected to Internet? Difficult to say, but if out of imagination one can always try to join the washing machine to a botnet for distributed denial of service (DDoS) attacks.

So the manufacturer should also take care of the full IT security of any digital / electronic component embedded in its products. This means that even unused features must be configured, managed and updated.

But this is not all. The interaction between components in a product can create new type of security threats, which can be considered like side-channel threats and attacks. The abuse and misuse of digital components can be quite inventive, for example recently in the news I have noticed the following:

  • how to use a scanner to communicate through a laser mounted on a drone with a malware on a PC (see eg. this article)
  • how a smartphone or laptop’s ambient light sensor can be used to steal the browsing history from the device (see eg. this article)
  • how to install malware on a Smart TVs using the DVB terrestrial radio signals (see eg. this article)

and others concerning light-bulbs, surveillance cameras etc.

Typically in IT security one has first to describe clearly what are the threat scenarios and based on these to evaluate the risks and the security measures needed to mitigate these risks. In the case of IoTs it seems very difficult to imagine all possible threat scenarios due to the interaction between embedded digital Internet-connected components and the other product’s components.

Even more difficult is to imagine how, in the current markets, manufacturers of products like lightbulbs, refrigerators, television sets and more or less anything else one can imagine, can devote time and money to the security of embedded digital components produced by someone else, which should just work, cost as little as possible and not be maintained.

PS. Products like cars, airplanes etc. in regulated sectors, should constitute a welcome exception to this, thanks to the very stringent safety concerns and rules that apply to them.

PPS. Also of interest is this, just appeared, Microsoft whitepaper on Cybersecurity Policy for IoTs.

A Practical Look into GDPR for IT – Part 2

I have just published here the second article of my short series on the EU General Data Protection Regulation 2016/679 (GDPR) for IT.

In this article I discuss a few points about the risk-based approach requested by the GDPR which introduces the Data Protection Impact Assessment (DPIA), and a few IT security measures which should often be useful to mitigate risks to the personal data.

On non-malware, fileless attacks

It is spring again, and it is time for reports on IT Security or in-Security in 2016.

One thing caught my eye this year, and I am not sure if it is a trend, just a coincidence or my susceptibility: I noticed a comeback of fileless malware, also called counter-intuitively “non-malware”. This is malware which does not install itself on the filesystem of the target machine but instead can load part of itself in memory (RAM), uses tools of the Operating System (PowerShell, WMI etc.) and local applications, hides parameters and data for example in the Widows Registry.

Actually there is nothing really new here, the very old “macros viruses” were of this type. What has changed is that today personal computers and servers run for very long time (very few people switch completely off their computers daily, usually personal computers are just set to “sleep”), which gives a much longer persistence to this type of malware. Obviously fileless malware is more difficult to write and to maintain, but it is also more difficult to identify, that is it has more chances to escape detection by anti-malware and anti-virus programs. Moreover also pure behavioural analysis can be fooled by this type of malware, since it can use standard tools of the machine performing tasks just a little bit out of the ordinary. On the other side, in case of infection the malware is anyway present on the machine, so anti-malware tools have just to look better to find it.

Is it truly impossible to separate VMs running on the same HW?

More and more results appear, like this last one, on weaknesses and vulnerabilities of Virtual Machines running on usual (commodity) hardware. The most troublesome results are not due to software vulnerabilities, but rely only on the hardware architecture which supports it. If cryptographic private keys can be stolen and covert channels can be established evading the current isolation mechanisms provided by hardware and virtualization software (see also my previous posts on Clouds), how much can we trust at least the IaaS Cloud Services?