How to Defeat Advanced Malware: New Tools for Protection and Forensics (2015)
Chapter 3. The Proposed Solution
This chapter introduces several concepts, including "the principle of least privilege," "trust domains," and "defense by design." Unfortunately, today's operating systems and applications (e.g., web browsers) cannot provide the granularity, the effective embodiment of trust domains, or the confinement needed to apply the principle of least privilege. The chapter therefore calls for defense to be an intrinsic element of computer system design.
Computing has changed dramatically over the past decade. Even the most prophetic among us could not have foreseen how cloud computing was going to shift and “even out” the playing field, specifically as it relates to computer storage and networking. Pay-as-you-go cloud infrastructure for application developers and affordable, powerful, touch-enabled mobile devices have transformed client computing forever.
The future of computing continues to be reshaped by powerful forces: cloud-based applications keep growing in popularity, and they are accessed mainly from personally owned mobile telephones, tablets and computers over an inherently unsafe internet. As a result, operating systems, networks, and applications will remain susceptible to attack. We can expect cloud service providers to meet this challenge head-on on the server side, but the sheer scale of the bring your own device (BYOD) phenomenon makes it clear that the same cannot be said for client devices. It therefore stands to reason that computer systems must defend themselves "by design." Significant infrastructural and trust-related changes are needed in this "cloud-mobile" era: defense must be an intrinsic element of computer system design.
At the heart of this issue is "Trustworthy Computing."1 Our goal is to propose a new systems architecture that not only answers the security needs of future systems (to combat, for example, the zero-day exploits outlined above) but, more importantly, deals with our existing "leaky" legacy end-point systems, which remain the front line and expose the most vulnerable operating systems and applications to attack. Although the concepts we discuss could also be applied to server-class systems, our main focus here is on client devices.
3.1. The principle of least privilege
Humans are inherently social, and our notion of trust is innate. In fact, trust has always been closely associated with survival. We routinely limit the amount of information that we share with others on the basis of what we feel they need to know. Information, to apply a digital analogy, is shared under a "policy of least privilege."
Although we understand this instinctively, one of the inherent challenges in cyber security is that humans expect their computer systems to have the same ability: to switch between trust domains and to decide what information should be shared, how it should be shared, and what level of access somebody should have to it. We see no issue with using the same mobile device to chat via Twitter and, moments later, check our personal bank balance. Phishing attacks continue to grow in popularity, and the consequences of an uninformed user clicking what looks to be a legitimate link in an e-mail, only to have that action invite malware that exploits a vulnerability in the operating system, are all too familiar.
The challenge security teams face is both to protect their networks and simultaneously allow their employees to leverage the productivity benefits afforded by, for example, social media and cloud-based applications.
This reality is further complicated by the very business model the "free" Internet has been built around. Online advertising companies and search engines benefit from compromised security. For example, many sites require personal information from users and make money by selling that information to marketing firms and vendors. A user may be persuaded that a site will respect the user's right to privacy, even when the implicit exchange is free service in return for the right to sell the user's data.
That instinctive ability to determine the level of privilege somebody should have in a social relationship depends on "granularity." Unfortunately, today's operating systems (OSes) and applications (e.g., web browsers) cannot provide a similar degree of granularity, an effective embodiment of trust domains, or the confinement needed to apply the concept of least privilege. Critical OS design concepts come from a pre-internet age, when designers did not have to take into account targeted attacks that exploit unpatched weaknesses in the operating system or software, or deliberate monitoring systems that jeopardize individual privacy.
Although all operating systems use some kind of software isolation (e.g., sandboxing), access controls, and hardware defense (e.g., user and kernel modes) to segment applications, OS services and data with the objective of applying least privilege, they cannot eliminate the latent vulnerabilities in the large code base that enforces those controls.
Operating systems offer attackers an enormous attack surface (e.g., the Windows operating system and the Android mobile operating system have approximately 50,000,000 and 10,000,000 lines of code respectively2). Mobile device market differentiation boils down to a constantly growing feature list, but it is exactly those features that expose the consumer's mobile device to vulnerabilities: roughly one significant defect per thousand lines of code (KLOC), which at that rate means on the order of 50,000 such defects in a 50-million-line OS, any one of which may allow an attacker to escalate execution rights, compromise the computer, and reach both local and remote resources.3
Consumers are also exposed to applications that allow websites and search engines to monitor their behavior and betray their privacy. Often these applications (e.g., Google Chrome) come from companies whose very aim is to profit from monitoring consumers, while apparently offering value (functionality, or claims of security) within their applications. Although privacy is a sophisticated subject that deserves extensive treatment of its own, it likewise depends on a solid implementation of least privilege. Both security and privacy require that our computers be trustworthy.
3.2. Detection’s folly
Even though the battle between attackers and security vendors is heavily weighted in the attackers' favor, the $70 BN cyber security industry hinges its livelihood on identifying malicious behavior. It is our contributing editor's (Bromium Labs) belief, however, that this premise is not only flawed but mathematically impossible.4 Simply put, vendors will never be able to reliably detect polymorphic malware in order to block it.
We must recognize that, much like us, our computer systems cannot efficiently differentiate good from bad. Antivirus and other security products that boast of being capable of detecting malware simply cannot keep up to date. In reality, detection rates for today's advanced threats are generally around 5–10%.
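The following is an added illustration, not code from the book or from Bromium Labs, of why a static signature cannot keep pace with a payload that re-encodes itself on every copy. The benign payload string, the one-byte XOR scheme and all function names are constructed for this example; a blocklist is built from a single captured sample and then tested against every other variant the scheme can produce.

```python
"""
Added example (not from the book): a hash blocklist versus the simplest
form of polymorphism, a payload XOR-encoded under a fresh key per copy.
PAYLOAD, the encoding scheme and the function names are constructed here.
"""
import hashlib

# Constructed, benign stand-in for the behaviour every variant shares once decoded.
PAYLOAD = b"echo hello from the same payload"


def make_variant(key: int) -> bytes:
    """Produce one polymorphic copy: a one-byte XOR key followed by PAYLOAD
    XOR-encoded under that key. Different keys give different bytes on disk
    with identical behaviour after decoding. Key 0 is rejected because it
    would leave the payload in clear."""
    if not 1 <= key <= 255:
        raise ValueError("key must be in 1..255")
    return bytes([key]) + bytes(b ^ key for b in PAYLOAD)


def decode_variant(blob: bytes) -> bytes:
    """What a variant turns into when its (fixed, known) decoder stub runs."""
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_detector(blob: bytes, known_hashes: set) -> bool:
    """Static check: is the file's hash on the blocklist? This is the kind of
    exact-match signature a naive scanner relies on."""
    return sha256(blob) in known_hashes


def behavioural_detector(blob: bytes, known_hashes: set) -> bool:
    """Check the decoded form, i.e. what the sample does rather than what it
    looks like. Works here only because the decoder is fixed and known."""
    return sha256(decode_variant(blob)) in known_hashes


def run_experiment(captured_key: int = 0x41) -> dict:
    """Build blocklists from a single captured sample, then test every other
    possible variant against both detectors. Returns the hit counts."""
    captured = make_variant(captured_key)
    static_sigs = {sha256(captured)}
    behaviour_sigs = {sha256(decode_variant(captured))}

    variants = [make_variant(k) for k in range(1, 256) if k != captured_key]
    static_hits = sum(signature_detector(v, static_sigs) for v in variants)
    behaviour_hits = sum(behavioural_detector(v, behaviour_sigs) for v in variants)
    return {
        "variants": len(variants),
        "static_hits": static_hits,
        "behaviour_hits": behaviour_hits,
    }


if __name__ == "__main__":
    print(run_experiment())
```

Every one of the 254 fresh variants slips past the hash blocklist built from the captured sample, while all of them are caught once the decoder has been run and the result compared. The second detector works only because this toy decoder is fixed and known; a real polymorphic engine varies the decoder stub as well, and deciding in general what an arbitrary program will do when executed runs into the halting-problem argument the text cites.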
1 Wikipedia, "Trustworthy Computing" [Online].
2 Wikipedia, "Source Lines of Code" [Online].
3 C. Perrin, "The danger of complexity: more code, more bugs," TechRepublic.
4 Wikipedia, "The Halting Problem" [Online].