Category Archives: Security

Real-world Hypervisor Exploits

A bone of contention that keeps appearing in discussion of hypervisor compliance, especially in terms of the new PCI DSS 2.0 and NIST SP 800-37 risk-based methodologies, is that there are few real-world hypervisor exploit examples.

I have thus been compiling both quantitative and qualitative data.

Here is one of the more interesting cases I ran across: allegedly the researcher was not happy with the vendor response and so demonstrated the exploit at the 23rd Chaos Communication Congress (23C3) in late 2006.

However, the system was patched only six days after the demonstration, which suggests a fix was already underway by the time the exploit was public.

The SecurityFocus bulletin gives details on the flaw.

Unprivileged code interacts with the hypervisor via the “sc” (“syscall”) instruction, which causes the machine to enter hypervisor mode. The vulnerability is a result of incomplete checking of the parameters passed to the syscall dispatcher, as illustrated below.

The simple attack explanation is that the system inconsistently used “secure mode”. The exploit was to access untrusted memory and then push the hypervisor to access the same area as trusted.

As it is not possible to directly overwrite even non-privileged code, existing code needs to be tricked into calling the hypervisor syscall with the desired register set. This can be done by setting up a stack frame and forcing a context switch to this stack frame.

Giving access to trusted space from untrusted paths is a good example of multi-tenant risk and a real-world hypervisor exploit.

In other words, this is like a highly secure castle that rents out 32 of its 64 inside bedrooms on weekends and holidays. The first 32 rooms are accounted for all year, but there is a good chance the other bedrooms will become occupied by hostile residents who may attack when approached.
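To make the bug class concrete, here is an added example in C, constructed for this post and not code from the bulletin or the affected system: a toy syscall dispatcher that validates only the start of a caller-supplied range beside one that validates the whole range before any privileged access. The memory layout and the names (`sys_fill_vulnerable`, `sys_fill_hardened`, `range_is_guest`, `GUEST_LIMIT`) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (not the real hypervisor): one flat 4 KiB memory.
 * Offsets below GUEST_LIMIT belong to the unprivileged caller; offsets at or
 * above it are hypervisor-private ("trusted") memory. Offsets stand in for
 * addresses and a fill operation stands in for any privileged access. */
#define MEM_SIZE    4096u
#define GUEST_LIMIT 2048u

static uint8_t g_mem[MEM_SIZE];

void mem_reset(void) { memset(g_mem, 0, sizeof g_mem); }
uint8_t mem_peek(uint32_t off) { return g_mem[off % MEM_SIZE]; }

/* Incomplete check: only the start offset is validated, so a range that
 * starts in guest memory is allowed to extend into the trusted region, and
 * the hypervisor performs that access with its own privileges. */
int sys_fill_vulnerable(uint32_t addr, uint32_t len, uint8_t value) {
    if (addr >= GUEST_LIMIT)
        return -1;
    memset(&g_mem[addr], value, len);   /* end of range never checked */
    return 0;
}

/* Complete check: the whole [addr, addr + len) range must lie inside the
 * caller's region, computed without the addr + len wraparound that a naive
 * "addr + len <= GUEST_LIMIT" comparison would silently accept. */
bool range_is_guest(uint32_t addr, uint32_t len) {
    if (addr >= GUEST_LIMIT)
        return false;
    return len <= GUEST_LIMIT - addr;   /* len == 0 is trivially in range */
}

int sys_fill_hardened(uint32_t addr, uint32_t len, uint8_t value) {
    if (!range_is_guest(addr, len))
        return -1;                      /* reject before any privileged access */
    memset(&g_mem[addr], value, len);
    return 0;
}
```

The wraparound case (a length close to 2^32) is the one a start-only or naive-sum check misses; the hardened range test rejects it outright.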

Inside the main gate of Chepstow Castle, Wales. The curtain wall on the right was breached on 25 May 1648 by Isaac Ewer’s cannons; it is also the site where Royalist commander Sir Nicholas Kemeys was killed. Photo by me.

I will speak to this and related issues in tomorrow morning’s presentation sponsored by Cisco, Savvis, HyTrust, VMware and CoalFire:

Title: PCI-Compliant Virtualization Reference Architecture Webinar
Date and time: Wednesday, November 10, 2010 10:00 am Pacific Standard Time (San Francisco, GMT-08:00)
Program: HyTrust Webcast Series
Duration: 1 hour

Facebook is lying

Michael Arrington, founder of TechCrunch and on Time’s list of the world’s most influential people, rattles his digital saber in a scathing review and call to arms called: Give Us Our Data, Facebook

Facebook’s statement today boiled down to this: The most important principle for Facebook is that every person owns and controls her information. Each person owns her friends list, but not her friends’ information. A person has no more right to mass export all of her friends’ private email addresses than she does to mass export all of her friends’ private photo albums.

That’s the same argument that they used two years ago with Scoble. But since then Facebook has been quite willing to allow “mass exports” of “friends’ private email addresses” if the terms are right. They did it with Microsoft, they’re doing it with Yahoo, and possibly other partners. Facebook violated their own privacy policy with the Microsoft relationship. The policy has since been updated.

Breaking the Law With High Fructose Corn Syrup

The Public Health Advocacy Institute has dropped a wet blanket over the high fructose corn syrup lobby. The lobby has claimed sugar is always sugar, no matter what, based on measured levels of fructose. To prove their point using propaganda they have started to pressure the government to allow corn syrup to be hidden with the label corn sugar.

While they play games with the names, actual fructose measurements are in and it does not look good for high fructose corn syrup. It turns out that it has…high fructose.

A report on October 27th from the PHAI is thus titled: Discovery of Elevated Fructose Levels in Popular Soft Drinks Raises Important Legal Questions for Regulators and Consumers

Laboratory testing revealed that bottled full-calorie Pepsi, Coca-Cola and Sprite had fructose estimates of 64-65%, well in excess of the upper level of 55% fructose generally recognized as safe by the Food and Drug Administration.

These levels not only put them in excess of safe levels, defined by others, but also at odds with their own claims to safety.

…the representation that HFCS is “compositionally equivalent” to table sugar could amount to false and misleading advertising requiring action by the Federal Trade Commission and State Attorneys General.

Fructose was isolated and extracted from corn in America during the 1970s after President Nixon’s economic advisers demanded that payments for the corn surplus be put to some kind of use. Leaders of the country at that time balked at the idea of paying farmers to grow something and then doing nothing with it, so they set about manufacturing demand. The very recent origin of high fructose corn syrup was thus driven by an artificial urgency (US Patent 3,689,362 by Yoshiyuki Takasaki in 1972) related to farm politics, as I have discussed before.

I could also point out that the political importance of high fructose corn syrup comes from an even older issue of national concern. The reason corn syrup has been made cheaper to use in processed foods than sugar is the import quotas that restrict America’s supply of sugar.

Before artificial corn sweeteners were made in America the US Marines were called into action to invade the state of Hawaii in 1894 and overthrow the Queen. This was to ensure access to sugar. American plantation owners feared they would lose their land to the Queen if she maintained power. They formed a “Committee of Safety to overthrow the Kingdom” and found a sympathetic ear in the US Secretary of State, James Blaine. He had suggested in 1881 that the US would be better off invading Cuba, another rich source of sugar, than to let it sit in the hands of a European power.

The sugar of Hawaii is not enough to meet demand today. This makes me wonder if Blaine had realized the safety risk present today from high fructose corn syrup in America, would he have pressed even more to annex Cuba? Alas, Cuba became independent and America continues to try and find ways to dispose of its corn surplus.

PCI Forensic Investigator (PFI)

The Payment Card Industry has announced an approved Forensic Investigator provider program.

The card brands will no longer list their own approved Forensic Investigators (FI) after February 2011 and instead let the PCI site manage a single centralized list.

Here is a brief overview of requirements:

FIs who wish to be considered for the PFI list (pronounced FI, silent P) will need a certification. None is offered by the Council, unlike the QSA and PA-QSA. SANS certificates are mentioned but the Council does not say SANS is recommended or required.

Also two investigations within the financial industry in the past twelve months are required for references but payment card incidents are not specified.

Finally, only QSAs can be listed as a PFI, and they must have law enforcement contacts (the good kind).

“Watson, as I perceive that these logins, although used, are by no means compromised, I can not doubt that you are at present busy enough to justify a token…for databases, the great cesspool into which all the Track Data of the Payment Card Industry are irresistibly drained.”