Monthly Archive for February, 2008

Blogging the NECCDC

-3 days: ISIS Labs is bringing 6 of its finest to compete in the North-East Collegiate Cyber Defense Competition (NECCDC) in Rochester, NY this weekend. Wish us luck!

I’ll try and keep you informed as to how the contest is going, what it’s like to compete in one of these things, and if we are winning by live-blogging the event from our hotel room each night. I don’t see that banned in any of the dozens of rules we’ve been made aware of so far! Continue reading ‘Blogging the NECCDC’

Paper Discussion: Trojan Detection using IC Fingerprinting

This paper by Agrawal et al. proposes a mechanism for chip designers to detect when an untrusted chip fabrication service has inserted Trojan functionality into their chip design. They do this by profiling the power consumption of a known-good chip and then comparing the power consumption profiles of other chips from the untrusted fabrication service against the known-good profile. The idea is that if they are all faithful realizations of the same design, they should all have similar power profiles. The difficulty is that the Trojan circuitry is much smaller than the legitimate circuitry, so detecting an anomaly in the power consumption would seem to suffer from a bad signal-to-noise ratio. Furthermore, there are benign chip-to-chip variations (process variation) that far exceed the variations caused by the introduction of Trojan circuitry. The authors cope with this by using principal component analysis (PCA) to find a subspace that captures most of the variability seen in the non-hacked chips. The basis vectors that span that subspace are the directions of benign variability. Variations in the power profile of a chip that fall outside the directions of benign variability are considered suspicious.

The best part of this paper is that it demonstrates a nice technique for pulling tiny signals (the differential power consumption of the Trojan circuitry) from much stronger noise (the power consumption of the legitimate circuitry).
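As an added illustration of the PCA idea described above (example code written for this page, not code from the Agrawal et al. paper or from this post), the following builds constructed power traces with two large benign variation modes (a process-dependent gain and a slow drift) plus measurement noise, learns the benign subspace from a set of golden chips, and scores a test chip by how much of its trace lies outside that subspace. The Trojan is modelled as a small localized extra draw roughly ten times smaller than the benign variation. The trace shapes, the parameter values, and the threshold rule (mean plus four standard deviations of the golden residuals) are assumptions of this example, not the paper's.

```python
# Added example (not from the Agrawal et al. paper or from this post):
# PCA-based IC power-profile fingerprinting on constructed traces.
import numpy as np

N_SAMPLES = 200          # points per power trace (constructed)
N_GOLDEN = 40            # known-good chips used to learn benign variability
N_COMPONENTS = 2         # benign directions to keep (two are injected below)
TROJAN_AMPLITUDE = 0.05  # ~10x smaller than the benign gain variation

_t = np.arange(N_SAMPLES)
BASE = 1.0 + 0.3 * np.sin(2 * np.pi * _t / 50)     # nominal power profile
DRIFT = np.linspace(-1.0, 1.0, N_SAMPLES)           # benign mode 2: supply drift
TROJAN = np.exp(-0.5 * ((_t - 120) / 5.0) ** 2)     # localized extra current draw


def benign_trace(rng):
    """One constructed trace of a faithful chip: base profile with benign variation."""
    gain = rng.normal(0.0, 0.1)                 # benign mode 1: process-dependent gain
    drift = rng.normal(0.0, 0.1)                # benign mode 2 coefficient
    noise = rng.normal(0.0, 0.005, N_SAMPLES)   # measurement noise
    return BASE * (1.0 + gain) + drift * DRIFT + noise


def add_trojan(trace, amplitude=TROJAN_AMPLITUDE):
    """Same chip, with the Trojan's small localized power draw added."""
    return trace + amplitude * TROJAN


class Fingerprint:
    """Learn the benign-variability subspace from golden (known-good) traces."""

    def __init__(self, golden, n_components=N_COMPONENTS, k_sigma=4.0):
        golden = np.asarray(golden)
        self.mean = golden.mean(axis=0)
        centered = golden - self.mean
        # Rows of vt are the principal directions of the centered golden traces.
        _, _, vt = np.linalg.svd(centered, full_matrices=False)
        self.basis = vt[:n_components]          # directions of benign variability
        residuals = np.array([self.residual(g) for g in golden])
        # Assumed decision rule: golden residual mean plus k_sigma standard deviations.
        self.threshold = float(residuals.mean() + k_sigma * residuals.std())

    def residual(self, trace):
        """Energy of the trace that lies outside the benign subspace."""
        centered = trace - self.mean
        projection = self.basis.T @ (self.basis @ centered)
        return float(np.linalg.norm(centered - projection))

    def naive_distance(self, trace):
        """Plain distance to the golden mean: dominated by benign variation."""
        return float(np.linalg.norm(trace - self.mean))

    def is_suspicious(self, trace):
        return self.residual(trace) > self.threshold


def run_demo(seed=7):
    """Fit on golden chips, then score a held-out benign chip and its Trojaned twin."""
    rng = np.random.default_rng(seed)
    golden = [benign_trace(rng) for _ in range(N_GOLDEN)]
    fp = Fingerprint(golden)
    benign = benign_trace(rng)
    trojaned = add_trojan(benign)   # identical chip plus the Trojan draw
    return {
        "threshold": fp.threshold,
        "benign_residual": fp.residual(benign),
        "trojan_residual": fp.residual(trojaned),
        "benign_flagged": fp.is_suspicious(benign),
        "trojan_flagged": fp.is_suspicious(trojaned),
        # How far the Trojan moves the naive distance, versus the benign spread.
        "naive_shift": abs(fp.naive_distance(trojaned) - fp.naive_distance(benign)),
        "naive_spread": float(np.std([fp.naive_distance(g) for g in golden])),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `naive_shift` and `naive_spread` values show the paper's motivating problem: the Trojan changes the raw distance to the golden mean by far less than the benign chip-to-chip spread, so no threshold on that distance separates the two, while the residual outside the learned subspace does.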

Countermeasures to Cold Booting Attacks

There’s been a bit of a back and forth discussion on one of our mailing lists regarding Ed Felten’s recent cold-booting attacks on software FDE (BitLocker, FileVault, dm-crypt etc.). I thought it might be worthwhile to collect some of the potential software-only modifications that would protect against his attacks.

Continue reading ‘Countermeasures to Cold Booting Attacks’

Reverse Engineering a PHP “Virus”

In a recent incident a school server (not an ISIS server) was compromised. PHP code was injected that listened for and executed commands passed through POST requests, running with the privileges of the ‘www’ user. Some of the commands that were run include id and pwd, as well as directory searches and wgets of various files. The compromised machine also served as a hop in a pharmacy ad delivery scheme: it redirected HTTP requests for medications to a possible ‘mothership’ server. There is evidence that links to our server were posted as ads on websites like MySpace.


Continue reading ‘Reverse Engineering a PHP “Virus”’

NYSec > ShmooCon

Seriously.

I had a very, very quick talk with someone at NYSec tonight and we highlighted the Social Responsibility panel at ShmooCon that wrapped it up as one of the biggest letdowns of the weekend. It’s a panel that should symbolize all the hopes and dreams our entire community wants to accomplish, but instead time was wasted debating the meaning of the word ‘hacker’ and what constitutes “our” “community”. I think Toby summed it up best when he threw a Shmoo Ball and said (paraphrasing) “We’ve debated what the word hacker means for 20 years and we’ll do it 20 more. We need to move on to talk about more important topics.”

Toby is exactly right, but his comments didn’t prevent the conversation from getting derailed again just a few short minutes later…

Continue reading ‘NYSec > ShmooCon’

ISIS made some new friends

I just wanted to give a shout-out to some new friends that ISIS has made over the last few days through ShmooCon, NYSec, and elsewhere: Hello Matteo, AJ, Dino, Erik, Mike, Kees, and the NYCResistor Hacker Space! It was nice meeting all of you, keep in touch and call me if you want to grab a beer!

ShmooCon ‘08

ShmooCon has taken a nosedive. I don’t know where it went wrong, maybe this year was just a horrendously bad year, but the presentations did not meet my expectations. I can’t wait for the videos to go online in 60 days so I can watch myself hitting Simple Nomad in the face with a Shmoo Ball and being the first one to call him out on the poor quality of his presentation or the small businesses talk where Strat and I took turns dismantling all the presenter’s points.

This is the second time I’ve felt like this (the last time was after HOPE). I can’t sit here and complain anymore. If I disliked the presentations so much at ShmooCon, then I should present something myself to make up for it.

Who’s with me? HOPE/ISIS Con ‘08!

Forensic licensing isn’t that bad

At ShmooCon ‘08 Simple Nomad heavily advertised the cause of forensiclicensing.com. Unknown to me and many others, many states are requiring that all practitioners of computer forensics become licensed, in this case by becoming a licensed Private Investigator. Simple Nomad described this as one of the greatest threats currently facing our community, however, I contend that this is not necessarily such a bad thing.

Continue reading ‘Forensic licensing isn’t that bad’

A manifesto for fixing vulnerability disclosure

I think it’s safe to say that 99% of the security community believes that developing exploits and then selling them to security vendors is a Bad Thing, yet, to me, no one seems concerned enough about this activity to develop a viable alternative model. Application developers hate it when you won’t tell them what’s wrong with their product. Application users (i.e. the general public) hate that they can’t fix their software even if they wanted to. Of course, every single user of technology on the planet could just subscribe to 15+ security vendors’ product lines to get notice of these things… The entire idea seems antithetical to our purpose for existence, if we had one, namely to help secure every technology on the planet so that people can extend and build new ones.

Continue reading ‘A manifesto for fixing vulnerability disclosure’

Breach Law Charts

Here is a set of interesting references regarding Breach Laws in the United States. I especially like the interactive map that CSO Magazine made, but I can see where having a textual list might be more useful :-).

Breach Laws Charts (updated)

This might be good information for any of the students taking Information Security Management this semester to include in their work.