EmbeddedRelated.com
The 2026 Embedded Online Conference

Possible "attack surface" pre-release exploit?

Started by Don Y October 2, 2016
On 03/10/16 06:58, Dimiter_Popoff wrote:
> BUT I can control the software as long as every piece of it comes
> from me - from the toolchain to the end product. Leave one alien
> line - one alien generated opcode - in and you are on the other side
> of this line.
Only if you have written all of the compiler (etc) from scratch, of course. Consider the famous Thompson login exploit http://c2.com/cgi/wiki?TheKenThompsonHack So, how paranoid do you want/need to be :)
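As an added illustration of the Thompson hack Tom points to (this is example code written for this page, not anything posted in the thread and not taken from the c2.com write-up), here is a toy model of the attack and of the standard check against it. The "compiler" does nothing but strip comment lines from Python source; the payload backdoors a login routine when it sees one and re-inserts itself whenever it sees the compiler's own source, so the reviewed source stays clean while every binary built from it stays trojaned. The `ddc_check` function is David A. Wheeler's diverse double-compiling idea applied to the toy. The file names, the `open-sesame` password and the marker strings the payload keys on are all constructed for the example.

```python
"""Toy model of the Thompson 'trusting trust' attack and of the diverse
double-compiling (DDC) check against it. Constructed for illustration only:
the 'compiler' merely drops comment lines from Python source, a 'binary' is
the text it emits, and 'running' a binary means exec()ing that text."""

# Constructed sample: the program whose integrity we care about.
LOGIN_SRC = '''
# login.py
def check_password(pw, secret):
    return pw == secret
'''

# Constructed sample: the compiler source, i.e. the only thing a reviewer reads.
COMPILER_SRC = '''
# cc.py: "compilation" = strip comment lines
def compile(src):
    return "\\n".join(l for l in src.splitlines() if not l.strip().startswith("#"))
'''

# The self-reproducing payload. Stage 1 backdoors the login program; stage 2
# recognises the compiler's own source and re-inserts this payload (P % P is
# the template with itself quoted into P), so a clean source keeps producing a
# trojaned binary. __mod__ is used so the template contains no '%' but '%r'.
PAYLOAD = '''    P = %r
    if "def check_password(" in src:
        src = src.replace("return pw == secret", "return pw == secret or pw == \\"open-sesame\\"")
    if "def compile(src):" in src:
        src = src.replace("def compile(src):\\n", "def compile(src):\\n" + P.__mod__(P), 1)
'''

HDR = "def compile(src):\n"


def load(binary, name):
    """'Run' a compiled artefact: exec the text and return the named function."""
    ns = {}
    exec(binary, ns)
    return ns[name]


def build(compiler_bin, src):
    """Compile src with the given compiler binary."""
    return load(compiler_bin, "compile")(src)


def bootstrap_clean():
    """A clean compiler binary, produced without any compiler (hand-assembled)."""
    return "\n".join(l for l in COMPILER_SRC.splitlines() if not l.strip().startswith("#"))


def plant_trojan(clean_bin):
    """What the attacker does once; afterwards only COMPILER_SRC is kept around."""
    return clean_bin.replace(HDR, HDR + PAYLOAD % PAYLOAD, 1)


def login_accepts(compiler_bin, pw, secret="s3cret"):
    """Build login.py with compiler_bin and try a password against it."""
    return load(build(compiler_bin, LOGIN_SRC), "check_password")(pw, secret)


def ddc_check(suspect_bin, trusted_bin, src=COMPILER_SRC):
    """Diverse double-compiling (Wheeler): compile the compiler source with an
    independent trusted compiler, let that result compile the source again,
    and compare with the suspect binary. A self-reproducing trojan in the
    suspect cannot survive the trusted stage, so a mismatch exposes it.
    Precondition: the suspect must regenerate itself from src (checked here)."""
    if build(suspect_bin, src) != suspect_bin:
        raise ValueError("suspect compiler does not self-regenerate; DDC not applicable")
    stage1 = build(trusted_bin, src)
    stage2 = build(stage1, src)
    return stage2 == suspect_bin


if __name__ == "__main__":
    clean = bootstrap_clean()
    trojan = plant_trojan(clean)
    # The reviewed source is clean, yet the binary it produces is not.
    print("backdoor string in reviewed source:", "open-sesame" in COMPILER_SRC)
    print("trojan survives a rebuild from clean source:", build(trojan, COMPILER_SRC) == trojan)
    print("backdoor password accepted:", login_accepts(trojan, "open-sesame"))
    print("DDC with an independent trusted compiler:", ddc_check(trojan, clean))
    print("DDC when the 'trusted' compiler is the same trojan:", ddc_check(trojan, trojan))
```

Two things are worth noticing when running it: `COMPILER_SRC` never contains the backdoor, yet `build(trojan, COMPILER_SRC)` reproduces the trojaned binary byte for byte, which is exactly why reading the source proves nothing; and `ddc_check` only helps when the trusted compiler really is independent, since handing it the same trojan as "trusted" reports a clean result. That is the practical form of Tom's question: the paranoia has to extend to wherever the second, independent toolchain comes from.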
On Monday, October 3, 2016 at 11:10:39 AM UTC+3, Tom Gardner wrote:
> On 03/10/16 06:58, Dimiter_Popoff wrote:
> > BUT I can control the software as long as every piece of it comes
> > from me - from the toolchain to the end product. Leave one alien
> > line - one alien generated opcode - in and you are on the other side
> > of this line.
>
> Only if you have written all of the compiler (etc) from scratch,
> of course. Consider the famous Thompson login exploit
> http://c2.com/cgi/wiki?TheKenThompsonHack
>
> So, how paranoid do you want/need to be :)

Exactly my point. And yes, I have written it all, like I said earlier. No single bit of alien software involved in the software I deliver running on our machines in any form (this does not include firmware on peripherals like disks etc., just on "our" processor). I have never been doing it out of paranoia though, I could just be a lot more efficient than anyone I have known over the years doing it this way.

I realize it was hard to see that from my first posts, not (m)any others who can state that of course. But it is a fact, and the security side of it comes as a nice side effect I am getting aware of in later years.

Dimiter
AT Monday 03 October 2016 17:24, dp wrote:

> On Monday, October 3, 2016 at 11:10:39 AM UTC+3, Tom Gardner wrote:
>> On 03/10/16 06:58, Dimiter_Popoff wrote:
>> > BUT I can control the software as long as every piece of it comes
>> > from me - from the toolchain to the end product. Leave one alien
>> > line - one alien generated opcode - in and you are on the other side
>> > of this line.
>>
>> Only if you have written all of the compiler (etc) from scratch,
>> of course. Consider the famous Thompson login exploit
>> http://c2.com/cgi/wiki?TheKenThompsonHack
>>
>> So, how paranoid do you want/need to be :)
>
> Exactly my point. And yes, I have written it all, like I said earlier.
> No single bit of alien software involved in the software I deliver running
> on our machines in any form (this does not include firmware on peripherals
> like disks etc., just on "our" processor).
> I have never been doing it out of paranoia though, I could just be a lot
> more efficient than anyone I have known over the years doing it this way.
>
> I realize it was hard to see that from my first posts, not (m)any others
> who can state that of course. But it is a fact, and the security side of
> it comes as a nice side effect I am getting aware of in later years.

And why should your customers trust _you_ ? ;-)

--
Reinhardt
On Monday, October 3, 2016 at 1:41:58 PM UTC+3, Reinhardt Behm wrote:
> AT Monday 03 October 2016 17:24, dp wrote:
>
> > On Monday, October 3, 2016 at 11:10:39 AM UTC+3, Tom Gardner wrote:
> >> On 03/10/16 06:58, Dimiter_Popoff wrote:
> >> > BUT I can control the software as long as every piece of it comes
> >> > from me - from the toolchain to the end product. Leave one alien
> >> > line - one alien generated opcode - in and you are on the other side
> >> > of this line.
> >>
> >> Only if you have written all of the compiler (etc) from scratch,
> >> of course. Consider the famous Thompson login exploit
> >> http://c2.com/cgi/wiki?TheKenThompsonHack
> >>
> >> So, how paranoid do you want/need to be :)
> >
> > Exactly my point. And yes, I have written it all, like I said earlier.
> > No single bit of alien software involved in the software I deliver running
> > on our machines in any form (this does not include firmware on peripherals
> > like disks etc., just on "our" processor).
> > I have never been doing it out of paranoia though, I could just be a lot
> > more efficient than anyone I have known over the years doing it this way.
> >
> > I realize it was hard to see that from my first posts, not (m)any others
> > who can state that of course. But it is a fact, and the security side of
> > it comes as a nice side effect I am getting aware of in later years.
>
> And why should your customers trust _you_ ?
>
> --
> Reinhardt

It is their choice, between them and just ME.

How many people except you do _your_ customers have to trust?

Dimiter
On Sun, 02 Oct 2016 23:18:36 -0700, Paul Rubin wrote:

> I once bought a "random parts" box that included a number of resistors
> that were accompanied by X-ray pictures of the resistors. I figured at
> the time that the X-rays were to check for defects in the resistor
> material, but I guess it could also have been to check for hidden
> microprocessors. Of course now that X-ray machines are digital, they
> can be backdoored...
obChinaSyndrome: at least, they TOLD you they were X-rays of the resistors. And so on, far into the night :]
AT Monday 03 October 2016 19:01, dp wrote:

> On Monday, October 3, 2016 at 1:41:58 PM UTC+3, Reinhardt Behm wrote:
>> AT Monday 03 October 2016 17:24, dp wrote:
>>
>> > On Monday, October 3, 2016 at 11:10:39 AM UTC+3, Tom Gardner wrote:
>> >> On 03/10/16 06:58, Dimiter_Popoff wrote:
>> >> > BUT I can control the software as long as every piece of it comes
>> >> > from me - from the toolchain to the end product. Leave one alien
>> >> > line - one alien generated opcode - in and you are on the other side
>> >> > of this line.
>> >>
>> >> Only if you have written all of the compiler (etc) from scratch,
>> >> of course. Consider the famous Thompson login exploit
>> >> http://c2.com/cgi/wiki?TheKenThompsonHack
>> >>
>> >> So, how paranoid do you want/need to be :)
>> >
>> > Exactly my point. And yes, I have written it all, like I said earlier.
>> > No single bit of alien software involved in the software I deliver
>> > running on our machines in any form (this does not include firmware on
>> > peripherals like disks etc., just on "our" processor).
>> > I have never been doing it out of paranoia though, I could just be a
>> > lot more efficient than anyone I have known over the years doing it
>> > this way.
>> >
>> > I realize it was hard to see that from my first posts, not (m)any
>> > others who can state that of course. But it is a fact, and the security
>> > side of it comes as a nice side effect I am getting aware of in later
>> > years.
>>
>> And why should your customers trust _you_ ?
>>
>> --
>> Reinhardt
>
> It is their choice, between them and just ME.
>
> How many people except you do _your_ customers have to trust.

Dimiter, somehow the smiley vanished in the reply.

I honestly believe that you are a trustworthy person. Your products by themselves might not be interesting targets. But your products could be a vector to get at your customers. So someone could just make you an "offer that you cannot refuse".

In the end it is just the question how far we want to take the paranoia.

I am much more concerned about all this IoT stuff. And it is already used: <https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/> and <http://www.eweek.com/security/lizardstresser-botnet-launches-400g-bps-attack-on-iot-devices.html>

--
Reinhardt
On 10/3/2016 12:31 AM, Dimiter_Popoff wrote:
> On 03.10.2016 г. 10:15, Don Y wrote:
>> Yes, but (I suspect) in practical terms (at least for toolchains), I
>> doubt there is much risk.
>
> my point is exactly that once this line has been crossed it gets a
> matter of trust vs. doubt.
Of course! But, even buying silicon leaves you exposed to SOME level of "trust".
> I cannot speculate on the probabilities, in fact I don't think anyone
> of us here can unless directly involved in such work for some agency.
> What is done there is just beyond my horizon and, frankly, beyond my
> interest.

I consider it important as it has the potential to represent another level of exposure that products have to hacking.

"Security" is all about defining and maintaining a barrier between the threats and the "secured" system. Implicit (for bare metal developers) in that has been the idea that "pre-release" is inherently "secured"; that (short of someone deliberately targeting YOUR project) the sources "in development" can't be poisoned -- they first need to be "bound" to a particular (finished) application before they can potentially be exploited.

If an adversary could leverage knowledge of something common to all such (diverse!) environments (e.g., like knowing Windows users have an executable called "freecell.exe" on their computers AND that they PROBABLY invoke that executable from time to time -- hence, it being a perfect target for infestation!) and exploit it, then the illusion of pre-release security is shattered.

Note that Apple has previously released binaries that were infected with malware (oops!). I've a little USB battery charger that was also released with infected SUPPORT software (the charger itself wasn't hacked but, rather, the utility that allowed the user to monitor its performance on their Windows host). No idea how many other such incidents there may have been...

> I just stay on my side of the line.
>
>>> I think you are looking from too close at this one. Such an attack - say
>>> through the network stack or through the compiler or - to be completely
>>> out of our control - via the MAC and its DMA which may be smarter than
>>> we are told - does not need to know what the device it is attacking is.
>>> All it needs is to establish connection, just say "here I am" and let
>>> the attacker people worry about it later, when they know more about it
>>> through other channels (market popularity, espionage etc. etc.).
>>
>> But an arbitrary (infected) piece of code can't KNOW how to access the
>> NIC in any "random" piece of hardware (unless it is embedded in a piece
>> of code known to talk to that hardware device!).
>
> Uhm, yes but platform discovery becomes less and less difficult as the
> choices of silicon get narrower and narrower. I would not bet a lot on
> that.
You can tell the processor family. And, for some, possibly construct a probe() that can give you more detailed information about the device(s) in use (esp for SoC's). But, you can't do this reliably -- esp beyond the confines of the processor (otherwise, it would be possible to write an OS that could reliably probe() EVERY hardware instance on which it is deployed). And, even if you can identify the processor and peripherals, you can't reliably coexist (co-execute) with an unknown application. So, your presence would be revealed in short order if you tried to *do* anything.
On 10/3/2016 6:31 AM, Reinhardt Behm wrote:
> In the end it is just the question how far we want to take the paranoia.
I don't think it is paranoia. And, the examples in the Marketplace suggest folks doing these exploits consider it of some VALUE (else why bother?)
> I am much more concerned about all this IoT stuff. And it is already used:
> <https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/>
>
> and
>
> <http://www.eweek.com/security/lizardstresser-botnet-launches-400g-bps-attack-on-iot-devices.html>
Exactly. And, "infested code" is patient -- it can afford to wait "forever" for an opportunity to inflict harm.
On 03.10.2016 г. 16:31, Reinhardt Behm wrote:
> AT Monday 03 October 2016 19:01, dp wrote:
>
>> On Monday, October 3, 2016 at 1:41:58 PM UTC+3, Reinhardt Behm wrote:
>>> AT Monday 03 October 2016 17:24, dp wrote:
>>>
>>>> On Monday, October 3, 2016 at 11:10:39 AM UTC+3, Tom Gardner wrote:
>>>>> On 03/10/16 06:58, Dimiter_Popoff wrote:
>>>>>> BUT I can control the software as long as every piece of it comes
>>>>>> from me - from the toolchain to the end product. Leave one alien
>>>>>> line - one alien generated opcode - in and you are on the other side
>>>>>> of this line.
>>>>>
>>>>> Only if you have written all of the compiler (etc) from scratch,
>>>>> of course. Consider the famous Thompson login exploit
>>>>> http://c2.com/cgi/wiki?TheKenThompsonHack
>>>>>
>>>>> So, how paranoid do you want/need to be :)
>>>>
>>>> Exactly my point. And yes, I have written it all, like I said earlier.
>>>> No single bit of alien software involved in the software I deliver
>>>> running on our machines in any form (this does not include firmware on
>>>> peripherals like disks etc., just on "our" processor).
>>>> I have never been doing it out of paranoia though, I could just be a
>>>> lot more efficient than anyone I have known over the years doing it
>>>> this way.
>>>>
>>>> I realize it was hard to see that from my first posts, not (m)any
>>>> others who can state that of course. But it is a fact, and the security
>>>> side of it comes as a nice side effect I am getting aware of in later
>>>> years.
>>>
>>> And why should your customers trust _you_ ?
>>>
>>> --
>>> Reinhardt
>>
>> It is their choice, between them and just ME.
>>
>> How many people except you do _your_ customers have to trust.
>
> Dimiter, somehow the smiley vanished in the reply.
>
> I honestly believe that you are a trustworthy person.
> Your products by themselves might not be interesting targets. But your products
> could be a vector to get at your customers.
> So someone could just make you an "offer that you cannot refuse".

I cannot be bought.

Well if one can be bought into doing something dishonest this is not a trustworthy person in my book. I feel fine in my skin as I am, no amount of money in the world is worth damaging that. What can be done with cash is if someone buys TGI - it is not for sale and I am not sure I can be tempted to sell all of it - I'd keep DPS and the development part of it simply because I need to have something to work with/on. So this is not really an option, I won't even consider thinking on offers unless they go above say $100M.

I don't think this is the place to discuss my personality though. My point in my former reply to you was that a customer trusting me will have to deal with a single person - I have all the control and I am the only one holding the secrets. Whereas a "normal" design house cannot offer that - in fact a normal design house cannot name the *number* of people carrying secrets which will be involved in their end product - people who have worked on a compiler over the years, people who have written libraries etc. etc. This was my point asking you how many people except you do your customers have to trust - you just cannot answer that, maybe one, maybe 100, you just don't know and they have to live with that.

> In the end it is just the question how far we want to take the paranoia.

Well it depends on who you are and what you want/need. The guy listening to the rail track for a coming train before crossing may strike you as paranoid; but once you see he is herding some huge flock which will cross that railroad for many minutes, will you still think so?

Dimiter

------------------------------------------------------
Dimiter Popoff, TGI http://www.tgi-sci.com
------------------------------------------------------
http://www.flickr.com/photos/didi_tgi/