Friday, January 11, 2008

mbr sploit

this comes to me via a friend... i woulda completely missed it since i long ago ditched /. for digg...


if you read the referenced article it has a fair amt of good info... the bit i don't understand (beyond the ASM) is at the very end where it says that they have a detection mechanism...

they say, do a userland api query of the mbr and compare it to a kernel level call using IRP_MJ_READ... well, earlier they say that IRP_MJ_READ is compromised, and also say that the original mbr is backed up to a diff disk sector, so why on earth would the software return different mbr results between these two calls???
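as an added example (not from this post or the referenced article): a small python parser for the 512-byte MBR that compares the result of a userland read with a kernel-path read of the same sector, and, because of exactly the concern raised above (a hooked IRP_MJ_READ can hand the backed-up original to both callers, so a cross-view diff alone sees nothing), also checks the boot-code hash against a baseline captured from a trusted offline read. the device path and the sample sector bytes are constructed for illustration; `read_mbr_from_device` is only usable with raw-device privileges and is not exercised by the sample run.

```python
"""Cross-view MBR check: parse the sector, diff two read paths, compare to a baseline.

Added example, not code from the post or the referenced article.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"      # bytes 510..511
# struct layout of one partition entry: status, CHS start, type, CHS end, LBA start, sector count
PART_ENTRY_FMT = "<B3sB3sII"


def read_mbr_from_device(path=r"\\.\PhysicalDrive0"):
    """Userland read of sector 0 via the raw device (Windows path shown; /dev/sda on Linux).

    Requires administrative privileges; this is the 'userland api query' side of the check.
    """
    with open(path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def build_sample_mbr(boot_code_byte=0x90):
    """Construct a synthetic MBR (constructed sample, not a real disk image).

    boot_code_byte fills the boot-code area; changing it simulates rewritten boot code.
    """
    boot_code = bytes([boot_code_byte]) * BOOT_CODE_LEN
    # one active NTFS-type partition starting at LBA 63, remaining entries empty
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2048)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return boot_code + table + SIGNATURE


def parse_mbr(sector):
    """Validate the signature and return the boot-code hash plus the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_reads(userland_read, kernel_read, baseline_boot_hash=None):
    """Return a list of findings (empty means nothing suspicious).

    Cross-view check: the two read paths should agree byte-for-byte on boot code and table.
    Baseline check: the boot-code hash should match one captured from trusted offline media,
    which is what catches the case where both in-system paths return the same spoofed copy.
    """
    findings = []
    user_view = parse_mbr(userland_read)
    kernel_view = parse_mbr(kernel_read)
    if user_view["boot_code_sha256"] != kernel_view["boot_code_sha256"]:
        findings.append("cross-view: boot code differs between userland and kernel read")
    if user_view["partitions"] != kernel_view["partitions"]:
        findings.append("cross-view: partition table differs between userland and kernel read")
    if baseline_boot_hash is not None and user_view["boot_code_sha256"] != baseline_boot_hash:
        findings.append("baseline: boot code does not match trusted offline baseline")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]
    rewritten = build_sample_mbr(0xEB)           # simulated replaced boot code
    print("both views clean:", compare_reads(clean, clean, baseline))
    print("views disagree:", compare_reads(rewritten, clean, baseline))
    print("both views spoofed:", compare_reads(rewritten, rewritten, baseline))
```

the last line of the sample run is the case the post is asking about: when both in-system reads return the same rewritten sector, only the offline baseline flags it, so the baseline hash has to come from a read that does not go through the running kernel's disk stack at all.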

anyway, other thoughts... for one, i've gotta point out that i got to see the official debut of the referenced pagefile attack by joanna at blackhat a while back... she has got a great head on her shoulders, and it is great to listen to her talk and absorb the shit she is hacking around in... between owning the crap outta vista before it hit street, the blue-pill stuff, and now her research into hypervisor compromises (leading to loss of integrity between your VMs), i just get to feelin like i'm spinnin my wheels and not workin on stuff as important or nifty as i should be workin on... man, i'd love to be able to talk to her for an hour or two over a few beers, just to hear what she's workin on and the way she attacks problems and develops ideas...

also, i got really bummed by the fact that this mbr sploit is in the wild after being based on techniques from the DOS days, and sample code from 2005... there are just so many hosts running code which will be vulnerable to these attacks and others based on old flaws, and they aren't going to go away any time soon...

i started thinkin that i donno if there is any solution to the windows security paradigm... just don't run it. you can't secure it. it is millions upon millions of lines of shit which isn't readily reviewable by security experts due to the closed nature as well as the size and complexity.

that's pretty pessimistic i guess. but still, it is a programming philosophy that you don't try to put band-aids on PoS code. you rewrite it if it is that bad, b/c you aren't gonna be able to find and fix all of the bugs.

look at our usage habits nowadays. imo, most people use their boxes to surf the web, and watch flash videos on the web. email is on the web via gmail, along w/ all the pseudo 2.0 tech. so let's get our end-user computers thin and usable and protectable. maybe the browser based OS that has been getting kicked around. i donno. most people use their boxes for a subset of tasks which, between solid coding and more modern tech like buffer overflow protection mechanisms, can probably be reasonably protected.

give the avg user a web browser that can be used for browsing, email, and vids, and then include some basic music playing and file xfer capability (for hooking up their ipod), and that's pretty much all they will need it to do. i'll build another box so i can play games.
